VPN - is this F9's fault?

N/A

Hi guys - I'm just about to give up with Force 9 Sad

I have successfully used a VPN connection to my employer's network for well over 8 months. 4 weeks ago, the VPN stopped working - my attempts to log on do not even reach the server.

Nothing has changed on my machine, and I have taken the laptop and my broadband router to another ADSL enabled line (Non F9) and it worked again!!!

To me this surely must point towards a change on F9's servers, but am I wrong? Force 9 staff will not help out with this and suggested I come here!

So I'm here now, and wondered if any of you kind peeps could help a gal out and help me to sort this.

How can something that worked so well, go so wrong?? (Sounds like I'm going to burst into song, doesn't it? Cheesy )

Next stop BT!
40 REPLIES
slev
Grafter
Posts: 357
Registered: 30-07-2007

VPN - is this F9's fault?

Hi

I am not 100% sure how this works so I will start with the easiest part.

Has your VPN connection at work banned your F9 IP address by any chance?

This is the first thing I would check out as I would assume your employer's VPN network has a firewall, either software based or hardware based.

Can you tell us a bit more about your setup, e.g. what account do you have (Home Surf or other type), what operating system is your computer using?

I am sure some of the others will help out as well when they come on.

Kind Regards

Ian
N/A

VPN - is this F9's fault?

Hi - spoken to our Network specialist and no - no VPN addresses are blocked as we have 800 people using the Cisco client and they are all public IP addresses!

I use the usual home f9 package and my OS is XP Pro.

just seems so strange to suddenly stop working after so long! :?:

thanks for the reply Ian
slev
Grafter
Posts: 357
Registered: 30-07-2007

VPN - is this F9's fault?

Hi

When you say the usual home f9 package which one is it you are on, the only reason I ask is it may be configured differently than the new Premier Packages.

Have a look in , My Account --> Account Details --> Account Summary

see what it says there.

Kind Regards

Ian
N/A

VPN - is this F9's fault?

is this it

"Force9 Broadband Premier - Up to 2Mb"
slev
Grafter
Posts: 357
Registered: 30-07-2007

VPN - is this F9's fault?

HI

That's the one, yes, there should be no problems then.

Do you connect via a specific port?

Have you tried doing a tracert to your employer's VPN network?

More info on Tracert is here

Kind Regards

Ian
N/A

VPN - is this F9's fault?

I think we've done the traceroute and added to the ticket, but I can't re-run now as I'm now on the company's network - so much for home offices! Cry

I've had to come 122 miles to my employers office because VPN's stopped working Evil and obviously have to travel 122 miles back again later tonight! - even more Evil Evil

the sooner we sort it the better!

Will have another look once I get back home!

thanks
N/A

VPN - is this F9's fault?

Here is my penny's worth...

Did you reset your router and try again before going to the other person's line and ADSL? Have you tried since then? The VPN passthrough on the router may have "crashed"?

Does the server at your office think that there is an active VPN session to your force9 IP address and so won't or can't allow another connection? You could get the people at your office to look into this and perhaps reset the VPN server. But of course this will disconnect everyone so they may not want to do that. I don't know if this could be a problem or not?

Ping or tracert the server as already suggested.

Perhaps there is some odd traffic to your F9 IP, eg Denial of service like attacks to the VPN ports so the router or PC can't open the ports connect properly. This would be odd and unlikely but perhaps a possibility?


You could look at the traffic with a packet analyzer such as the free one http://www.analogx.com/contents/download/network/pmon.htm
and see if there is anything that resembles traffic to and from the VPN and what ports it is on.

When you took the router to the other house/adsl line did any settings get changed? (other than ADSL login).

At what point does the connection fail? I think with the cisco client there is some kind of group login and password then a user login and password. Does it say connection refused? Does the enter username box where you enter your name come up? I use the cisco client to a university service sometimes, perhaps it is the same client? Occasionally I get a failure on "negotiating security ..." this usually fixes itself on a second or third attempt.
If it doesn't connect at all this suggests some odd problem? Ping or tracert should show this up.

Is there another computer or computers at your house that also use VPNs? I think routers have a maximum number of VPN passthroughs that they can handle for some reason. I think this may be 3 or 4? Read that somewhere in some router specs. I don't really know why or exactly how this works or why it is necessary? I think it could be that VPNs are restricted strictly to certain incoming ports and so NAT routers have to use the right ports for incoming traffic when doing the NAT. This is why a router reset could have been the simple solution.

I'm sure you have tried all of this before but that is all I could think of.
N/A

VPN - is this F9's fault?

Blimey - more help in an afternoon than a month talking to F9!

I've done the traceroute to the ip of our Vpn server and it times out at row 9 through to row 30!

So what the bleeding 'eck does that mean :roll: :?:

TSWilding - we have restored the router defaults since the test on the other ADSL line - maybe we'll now try the packets thingy!

Thanks so much for your help guys! Cheesy
N/A

VPN - is this F9's fault?

These are not my words but an explanation of tracert I found elsewhere, explains it better than I can.

"Tracert works on the principle that if a router receives a packet but the hop count has decremented to zero, it responds with an ICMP error packet back to the originating address. So by pinging an address but starting with a hop count of one and adding one to the hop count after each iteration, the originator is able to "trace" the path chosen for packets from the origination to the destination.

Now, if a router is configured to not respond with the ICMP error packet, the tracert program marks that as a timeout (i.e. no ICMP packet received within the tracert timeout period). OK, so if the destination is configured to not respond, of course it doesn't matter what the hop count is, an ICMP response will never be sent. Therefore the originator sees nothing but timeouts once a nonresponding destination is reached."

Basically tracert can fail, e.g. time out, if somewhere on the route the router is set not to respond to pings or packet errors. So basically tracert timeouts don't always mean that the host is unreachable or cannot be connected to. Sometimes it helps though.

try doing a ping <ip address or name of vpn server>

BUT of course the server may also be set to not respond to a ping.

You need to determine the IP address for the server, if you don't know it. use nslookup <server name> and look for this IP address in the packet analyzer.

When I connect to the cisco VPN server I use, the packet analyzer program I mentioned shows a connection from port 500 on my PC to port 500 on the server. You should see lots of traffic to and from the server on this port. Or perhaps another port? You can't actually see anything useful in the packet data as the VPN is usually a secure (encrypted) link.

VPN-IPSEC is port 500
VPN-L2P2 is port 1701
VPN-PPTP is port 1723

If you see a load of stuff happening and you can not actually login to the VPN then something is probably wrong with the settings or indeed the server doesn't like your IP for some strange reason.

If you don't see anything happening to and from this IP then something very odd is going on and for some reason you can't connect to the server.

Remember to look for traffic TO and FROM the server so that you know that data is coming back from the server too!

It may be an idea to look at the traffic at the other place where the VPN did work so you know what ports it usually uses.

Have you got force9 P2P safe surf turned on? Go to the portal, check member settings, connection, look under SURF. If it is on this could be the problem? If it is on, switch it off and then disconnect and reconnect (power off and on the router).
I wonder if this breaks VPN? Since you say it suddenly stopped working this is unlikely to be the problem unless you know that you changed the surf option.
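The TO-and-FROM check described in the post above, as an added example that is not part of the original thread: it counts packets in each direction between the PC and the VPN server for the ports the post lists and maps the result onto the post's cases. It goes beyond the post by also matching UDP 4500 (IPsec NAT-T), ESP and GRE; the `Pkt` record, the function names and the sample capture are constructed for illustration.

```python
from collections import namedtuple

# One captured packet; sport/dport are None for port-less protocols (ESP, GRE).
Pkt = namedtuple("Pkt", "src dst proto sport dport")

# UDP 500, UDP 1701 and TCP 1723 are the ports listed in the post. NAT-T, ESP
# and GRE are added here: the other traffic those VPN types need passed.
SIGNATURES = {
    "IPsec IKE (UDP 500)": ("udp", 500),
    "IPsec NAT-T (UDP 4500)": ("udp", 4500),
    "IPsec ESP (IP proto 50)": ("esp", None),
    "L2TP (UDP 1701)": ("udp", 1701),
    "PPTP control (TCP 1723)": ("tcp", 1723),
    "PPTP GRE (IP proto 47)": ("gre", None),
}

def vpn_flow_report(packets, local_ip, server_ip):
    """Return {signature: (packets_out, packets_in)} for traffic actually seen."""
    report = {}
    for name, (proto, port) in SIGNATURES.items():
        out = sum(1 for p in packets if p.proto == proto and p.dport == port
                  and (p.src, p.dst) == (local_ip, server_ip))
        inb = sum(1 for p in packets if p.proto == proto and p.sport == port
                  and (p.src, p.dst) == (server_ip, local_ip))
        if out or inb:
            report[name] = (out, inb)
    return report

def diagnose(report):
    """Map the counts onto the cases the post describes."""
    if any(out and inb for out, inb in report.values()):
        return "two-way traffic: server reachable, look at settings or login"
    if any(out for out, _ in report.values()):
        return "requests leave but nothing comes back from the server"
    return "no outbound VPN traffic to the server seen"

# Constructed sample capture (documentation addresses, not from the thread).
PC, SERVER = "192.168.1.20", "203.0.113.5"
SAMPLE = [
    Pkt(PC, SERVER, "udp", 500, 500),
    Pkt(PC, "198.51.100.53", "udp", 53124, 53),  # unrelated DNS lookup
    Pkt(PC, SERVER, "udp", 500, 500),
    Pkt(PC, SERVER, "udp", 500, 500),
]

if __name__ == "__main__":
    print(vpn_flow_report(SAMPLE, PC, SERVER))
    print(diagnose(vpn_flow_report(SAMPLE, PC, SERVER)))
```

Running the same report on a capture from a line where the VPN works gives the baseline to compare against.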
N/A

Replying Re VPN connection Ivan

Hi Karlmarsh,

Quote
I've done the traceroute to the ip of our Vpn server and it times out at row 9 through to row 30!
This basically means that your connection failed to reach its final destination i.e. your VPN server. It's failing at some point between your own router & your work's VPN server IMO.

When this happens the tracert process (command) should also tell you which network or router or internet gateway where the connection failed. It sounds like the problem ISN'T with your own router at all, if the information you gave is correct. Where the failure occurs depends upon the path the connection attempts to take trying to reach your VPN server (normally you would have no! control or little control over the actual route taken).

But if you can Identify the place where the connection fails then that would be a big step forwards IMO and would be half way towards resolving things?

PS If your trace route or tracert fails you should also find that a pinging of the VPN server might fail too?

Ivan
--------------------------------------------------
F9 FOL Forum Moderator
F9 Broadband Premier 2MB User
Your Forum Your Voice,Get Involved!
N/A

VPN - is this F9's fault?

Something I just don't understand, is that VPN is fine when I use dial up

The Traceroute gives just 3 lines, and the server replies from a ping test - all fine! :?

I've changed absolutely nothing, and my VPN user ID and password and all that must be fine if it's letting me in via dialup. What can suddenly change at 4pm on a Tuesday afternoon??

I appreciate your help and advice guys - wish I'd asked you in the first place Wink
N/A

VPN - is this F9's fault?

It depends on where hop 9 had got to. I have done tracerts to servers that I can actually connect to and got timeouts after a certain point. This may just mean that ALL the routers/servers after that point don't respond with ICMP packet errors or pings. So it looks like you can't reach the server from the tracert but actually you can when you try and connect to the server in an application type way (eg look at webpage etc)

Such an example is a web hosting server that I use, it has an IP address of 212.67.202.238. If I do a tracert to this server I get timeouts and nothing after hop 14 when the packets reach a pipex router which is the top level in for that company. After that point there is no response so it looks like I cannot use that server. However I most definitely can connect to this IP address for FTP uploading my pages and the webserver on this IP. So from the traceroute it looks like I cannot get to the server but actually I can. tracert is only a useful tool if everyone allows ICMP echo and error packets. Lots of companies block them as the tracert allows potential hackers or anyone else just interested information on IP addresses of the routers through their systems which you wouldn't necessarily want people to know.

It MAY still not be a problem with packets reaching the server. Of course it could be. It would indeed be very odd and unlikely that a server is not reachable from a particular IP address/ISP. Unless someone is deliberately blocking an IP address range somewhere, or something has gone very wrong somewhere with Force9 or one of force9's connection point routers or routeing tables. If this were the case it would most likely be a higher up problem and so more people would notice problems with lots of sites that connect through that point.

Basically the tracert doesn't really mean a lot either way unless you know for a fact that traceroutes work from other ISPs, e.g. other people's connections, all the way to the server. E.g. if doing a tracert from the other person's ADSL connection (e.g. another house) doesn't show timeouts or doesn't show timeouts until a hop nearer to the server then the force9 connection would indeed be suspect.


.
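The comparison suggested in the post above (the same tracert run from the suspect line and from another ISP's line), as an added example that is not part of the original thread: it parses Windows `tracert` output and only blames the suspect line when the baseline trace completes and the suspect one does not. The function names and the three sample traces are constructed for illustration and use documentation addresses.

```python
import re

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")                  # "  4   12 ms ... addr"
IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")  # address ending the line

def parse_tracert(text):
    """Return [(hop, responder_ip or None)] from Windows tracert output."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            ip = IPV4.search(m.group(2))
            hops.append((int(m.group(1)), ip.group(1) if ip else None))
    return hops

def last_responder(hops):
    """Address of the last hop that answered, or None if none did."""
    return next((ip for _, ip in reversed(hops) if ip), None)

def compare(suspect, baseline, dest_ip):
    """Judge the suspect line's trace against one taken from another ISP."""
    s, b = parse_tracert(suspect), parse_tracert(baseline)
    if dest_ip in [ip for _, ip in s]:
        return "suspect line reaches the server"
    if dest_ip in [ip for _, ip in b]:
        return "baseline reaches the server, suspect line does not: path is suspect"
    if last_responder(s) and last_responder(s) == last_responder(b):
        return "both go silent after the same router: ICMP filtered there, inconclusive"
    return "neither trace completes: tracert alone is inconclusive"

# Constructed sample traces (not output from the thread).
DEST = "203.0.113.5"
SUSPECT = """Tracing route to 203.0.113.5 over a maximum of 30 hops
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    18 ms    17 ms    18 ms  198.51.100.1
  3    24 ms    25 ms    24 ms  core.example.net [198.51.100.77]
  4     *        *        *     Request timed out.
"""
BASELINE_OK = """  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2    12 ms    11 ms    12 ms  192.0.2.1
  3    20 ms    21 ms    20 ms  203.0.113.5
"""
BASELINE_FILTERED = """  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2    22 ms    23 ms    22 ms  198.51.100.77
  3     *        *        *     Request timed out.
"""

if __name__ == "__main__":
    print(compare(SUSPECT, BASELINE_OK, DEST))
    print(compare(SUSPECT, BASELINE_FILTERED, DEST))
```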
N/A

VPN - is this F9's fault?

Quote
Something I just don't understand, is that VPN is fine when I use dial up

The Traceroute gives just 3 lines, and the server replies from a ping test - all fine! :?

I've changed absolutely nothing, and my VPN user ID and password and all that must be fine if it's letting me in via dialup. What can suddenly change at 4pm on a Tuesday afternoon??

I appreciate your help and advice guys - wish I'd asked you in the first place Wink


When you say dial up do you mean dial up into force9 or another ISP or dial up into the company's phone line?

A few thoughts on this:
1/ When you do dial up you are obviously not using the ADSL router.
2/ Norton internet security or other PC based firewall (different connection, different setting)?
3/ If the force9 dialup DOES work then this is VERY odd. I would then suspect the router or some odd firewall setting in the PC or something very odd or wrong with force9 routing tables! Or perhaps the SURF option is switched on in your F9 connection?
N/A

VPN - is this F9's fault?

Quote

............E.g. if doing a tracert from the other person's ADSL connection (e.g. another house) doesn't show timeouts or doesn't show timeouts until a hop nearer to the server then the force9 connection would indeed be suspect..
I really think it's a F9 thing - everything else has been checked. I even took my router down to the office to make sure that wasn't playing up. Force 9 won't help me Evil . That's why I'm thinking of moving to BT to be honest. I just can't work on a 33k dial up link and when I have a 1 meg line sitting there doing jack, it just hacks me off!!!!

I'm self employed - no work - no pay Sad

You guys have been so helpful, but afraid that F9 just don't want to know............ :roll: