08-06-2010 04:59 PM
A quick check to see if the port is open is to use telnet on the remote client.
telnet vpn.mydomain.com 1723
If this connects and shows a blank screen then the port forwarding is working. If it gets refused then the firewall is not setup correctly.
On the firewall by default the pptp alg is turned on, so all you need is to forward 1723 to the server and ping if you want to be able to test.
For the RRAS IP settings, I use a configured pool.
You should also confirm that you have enough PPTP ports on the RRAS.
08-07-2010 04:10 PM
I was able to telnet successfully. I've also looked at the settings you have suggested. I have an IP pool and 128 PPTP ports. I am at a loss. The settings are identical to another VPN endpoint that is in another location, including the one you helped me with earlier.
08-07-2010 04:16 PM
At the location I can connect to the VPN endpoint, meaning physically on the subnet in that physical location. It is from the outside I continue to get error 800.
08-11-2010 03:07 AM
If you can access on the LAN but not outside then I think you are right there is a firewall configuration issue.
Check the following:
08-11-2010 10:02 AM
I am going back to the firewall and am going to recreate the MIP and associated policy. However the MIP shows a status of In Use and I have no visible way to edit or remove it. So 2 questions: what does In Use mean and how can I edit or remove it?
08-11-2010 05:14 PM
The policy is what has the mip in use. To rebuild you'll need to remove the policy first.
11-01-2010 03:09 PM
Finally getting back to this. After some further research I see that the NetScreen log shows entries for Close reason : Close - TCP Fin. On the client I get errors 800 and 721. Research indicates that this is the result of the firewall not allowing GRE protocol traffic on 47 and TCP traffic on 1723.
For the record I spoke with a Juniper tech support rep earlier who helped me with this. It was not until after I hung up that I did some more research and suspect the firewall is the problem and the RRAS server. The ticket # is 201011010644.
Do I open those ports from the policy that relates to the MIP or do I do it globally? How do I verify the correct ports are open?
11-01-2010 03:34 PM
I went into the Policy and ensured GRE, PPTP, and TCP all were allowed. I tried to connect again and instead got a new close reason of Close - TCP RST from 2 different services, SQL*NET V2 and PPTP. Research on Juniper forums indicates that
Disabling SQL ALG may solve the issue
FW> get alg ( to see the list of ALGs )
FW> unset alg SQL enable
FW> save
11-02-2010 03:55 AM
It does sound like you are hitting the alg by accident. The log message is saying that the traffic is being identified by the firewall as meeting that profile. If it is really not sql alg traffic this will cause problems so you can disable the alg to let the traffic pass unprocessed.
11-03-2010 03:48 PM
The actual problem was in the policy set up for the MIP that would allow VPN traffic for GRE and PPTP traffic. In the setting for the policy the Application field needed to be set to IGNORE.
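As an added example (not code from the thread or from Juniper), a small Python checker over constructed NetScreen-style traffic-log lines that flags the two signatures discussed above: TCP/1723 sessions the firewall has handed to another ALG (the SQL*NET V2 close reason) and PPTP control sessions with no matching GRE session from the same client. The log layout and field names are assumptions.

```python
import re

# Constructed sample lines approximating NetScreen traffic-log syslog output.
# Field names and layout are an assumption; adjust FIELD_RE for your device.
SAMPLE_LOG = """\
system-notification-00257(traffic): start_time="2010-11-01 15:20:01" duration=2 policy_id=5 service=PPTP proto=6 src zone=Untrust dst zone=Trust action=Permit sent=120 rcvd=96 src=203.0.113.10 dst=192.0.2.20 src_port=49152 dst_port=1723 reason=Close - TCP FIN
system-notification-00257(traffic): start_time="2010-11-01 15:31:44" duration=1 policy_id=5 service=SQL*NET V2 proto=6 src zone=Untrust dst zone=Trust action=Permit sent=60 rcvd=0 src=203.0.113.10 dst=192.0.2.20 src_port=49153 dst_port=1723 reason=Close - TCP RST
system-notification-00257(traffic): start_time="2010-11-01 15:31:45" duration=30 policy_id=5 service=GRE proto=47 src zone=Untrust dst zone=Trust action=Permit sent=4000 rcvd=3800 src=203.0.113.10 dst=192.0.2.20 src_port=0 dst_port=0 reason=Close - AGE OUT
system-notification-00257(traffic): start_time="2010-11-01 15:40:02" duration=3 policy_id=5 service=PPTP proto=6 src zone=Untrust dst zone=Trust action=Permit sent=130 rcvd=100 src=198.51.100.7 dst=192.0.2.20 src_port=50000 dst_port=1723 reason=Close - TCP FIN
"""

# key=value pairs; values may contain spaces (service names, close reasons),
# so a value runs until the next " key=" token or the end of the line.
FIELD_RE = re.compile(r'([\w-]+)=("[^"]*"|.+?)(?=\s[\w-]+=|$)')


def parse_line(line: str) -> dict:
    """Turn one traffic-log line into a dict of its key=value fields."""
    line = line.replace("src zone=", "src_zone=").replace("dst zone=", "dst_zone=")
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def diagnose_pptp(log_text: str) -> list:
    """Flag the two PPTP failure signatures from the thread: an ALG (such as
    SQL*NET) taking over TCP/1723, and no GRE (proto 47) session following a
    client's PPTP control session, which points at GRE being dropped."""
    findings, pptp_clients, gre_clients = [], set(), set()
    for rec in map(parse_line, log_text.splitlines()):
        if not rec:
            continue
        if rec.get("proto") == "6" and rec.get("dst_port") == "1723":
            pptp_clients.add(rec["src"])
            if rec.get("service") != "PPTP":
                findings.append(f"{rec['src']}: TCP/1723 handled as '{rec['service']}' "
                                f"({rec['reason']}); an ALG is intercepting PPTP")
        elif rec.get("proto") == "47":
            gre_clients.add(rec["src"])
    for src in sorted(pptp_clients - gre_clients):
        findings.append(f"{src}: PPTP control session seen but no GRE; "
                        "check GRE is permitted end to end")
    return findings


if __name__ == "__main__":
    for finding in diagnose_pptp(SAMPLE_LOG):
        print(finding)
```

Run it against your own exported traffic log (after adjusting FIELD_RE to its real layout) to confirm that, once the policy's Application field is set to IGNORE, TCP/1723 sessions are logged as PPTP rather than as another ALG's service.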