Windows 7: Windows RRAS PPTP VPN Connection issues error 691

Hello and thanks in advance for any help.

I have a small office network with only a couple servers, and even fewer workstations. We have WiFi and cabled Ethernet, and are running a Verizon Fios internet connection. I have setup a RRAS (routing and remote access) server, and established the VPN.

I can connect to the VPN with no errors or problems via the internal network. When I attempt to connect to the VPN via an internet connection it fails with error 691.

I can see the traffic via the router logs. I can also see errors in the RRAS servers event viewer, so I know that the connection is being made, but for some reason authentication is failing.

All the settings are the same for both connections, and I am using the same user name and password for both connections as well.



How can the authentication fail connecting to the same VPN, using the same method, just having the data go two different directions? PLEASE HELP!

thanks again.

Hello,

Have you looked at the following:
"Error 691" or "Error 734" When You Attempt to Establish a Dial-Up Connection in Windows XP

Also, can you verify that the networks are on different IP Ranges, as this is required for VPN Connectivity to work correctly.

Can you give us some more information on the RRAS Errors?


Dave

I'm not sure if it makes a difference, but I suppose I should have mentioned: the RRAS server is a 2008 Datacenter machine, and I am connecting using a windows 7 64bit machine.

as far as different IP ranges, I'm not sure what you mean? The RRAS server is configured to assign IPs via DHCP, from about 10.11.12.245 - 10.11.12.250 for the VPN connections. All the machines running on the network are using 10.11.12.92 or lower.

When connecting via the internet the RRAS server sees a connection from our outside IP which is a totally different network. This is expected, and should be fine as far as I know.

The errors I am seeing in the RRAS server event viewer are:

WARNING: Event ID 20271 Source: RemoteAccess

The user Domain.Name\UserName connected from 108.38.87.252 but failed an authentication attempt due to the following reason: The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

AND

ERROR: Event ID 20255 Source:RemoteAccess

The following error occurred in the Point to Point Protocol module on port: VPN2-127, UserName: Domain.Name\UserName. The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.

The reason I am confused by these errors, is that I am using the exact same settings and user account to log in via our LAN, but I can not connect from outside the network. I know the port forwarding is working fine, because I see the traffic in the router Logs, and the connection is established, it just doesn't authenticate.

Thanks again for your help!

Hello,

Sorry I was getting confused with a site-to-site VPN, you can ignore my IP comment.

The errors do point to a configuration error within RRAS. Do you have any IP ACL's? Also, does the user account have the correct permissions on the "Dial-In" tab within Active Directory?


Dave

The errors definitely point to a configuration error, however I am using the EXACT same settings, minus the server name, to connect from inside the LAN.

I am able to connect to the VPN from inside the LAN.
It is only when trying to connect from outside the LAN, that I am having any trouble.
I am using the same User account and Password (which should work from outside the LAN, if it works from inside).
I am also using the EXACT same security/authentication settings.

The only reason I'm am using a different server name, is that our internal DNS is not public, so I am using DynDNS to send traffic to our outside router, and it is forwarded from there to the server. This is fine, the VPN traffic is getting to the server, and the server is responding, it's just not authenticating.

We are not using ACLs or any complicated Firewall settings (this is a very small office network), and since I can log in using my account from inside the LAN, the problem is not the account I am using. The problem is somewhere in RRAS, but I don't see how it can be a configuration error, if I can log in via the LAN using the exact same settings that I am trying to connect with Via an outside connection.

I Have Resolved The Issue!

All I did was leave the domain name blank for the outside connection.
I entered just the Username and Password, and clicked connect, and it finally connected. Don't know why the Domain Name would cause this, especially since it works with the domain entered for the LAN connection.

Thanks For your help Dave.

Hope this helps someone else someday...

Well done for resolving the issue (Y) and thank you for confirming the solution!


Dave