pingable first or work out port # first?

Status
Not open for further replies.

ykfc

Programmer
Mar 6, 2004
66
AU
I'm just a user of VPN. Our IT person at work installed VPN client onto my notebook running WinXP. I was also given a dial-up internet account from ISP-A, say. Back home I tested the connection, everything worked fine, and it is STILL working fine today.

I've a broadband internet account with ISP-B. With my notebook PC behind a broadband router, I tried the connection 10 days ago and it did work. From this week on, my VPN connection could never get established (with ISP-B). The error message is "either server unavailable or username/password incorrect". I tried pinging the server; it gives me a time-out error.

One of these might be the reasons:
1) I messed up settings in my PC (which I am 99.9% sure I did not)
2) last week our company varied some setup at the VPN server side (could be)
3) connectivity issue: one of the servers of ISP-B is down
4) port blocking issue

Bypassing the home router and connecting my notebook directly to the broadband modem didn't help. In all cases, web surfing works normally.

I ran a route trace (tracert ip-address) to the VPN server; it times out. I asked friends to run tracert, and all get through except one. The one that fails is also with ISP-B. I rang ISP-B. They said: "they block certain ports - that might be the reason". They asked me what port # I am using for VPN.

Well, who should I ask for help? Our IT person is happy to know I can work with ISP-A. I'm still waiting for someone to look at my netstat data.

I thought ISP-A should help me to make tracert run (without time-out) before asking me to find out what VPN port #s. Am I incorrect? I thought if tracert is not going to work, finding out the port # can't help VPN to connect from home. In other words, even if we re-configure the VPN port # (so that ISP-B won't block them), it is not going to work either (because my PC couldn't reach the VPN server for some reason).

Your expert comment.
 
It is possible that your broadband ISP is blocking a port or protocol needed for your connection, although the practice is becoming less common as more users demand that they be open. It does seem a bit odd that they would start blocking within the last ten days, as again the trend is toward opening those ports back up.

On that note, if ports or protocols are being blocked, it is generally not possible to switch to a different port. The VPN server will only use a specific port. There are some exceptions, but they are rather rare. Your only recourse would be to ask the broadband ISP to stop blocking the ports.

The tracert timeouts are not a sure sign of a problem either. It is possible that the broadband ISP is blocking this traffic as well. Do you get any replies from the tracert? How does a tracert from your broadband connection look compared to a tracert using your dialup connection? Unless the internet connection on the VPN server side is dialup (unlikely), the last hop should be the same (possibly two or three hops). If you do see some replies on the tracert using the broadband ISP, but you do not see the last hop that you see on the dialup side, it is possible that the broadband ISP has a problem with their routing table.

Another possibility is that the VPN server is refusing traffic from your broadband ISP. This is a common practice. Most malicious activity originates from broadband connections, so addresses from broadband ISPs are often blocked. If changes were made to the VPN server or the company firewall recently, I would not be surprised to find that this is the problem. Your IT person should be able to confirm that this is or is not the case quickly, and should also be able to fix such a problem.

From your list, it sounds that #2 and #4 are possible, #3 possible but less likely.

The specific ports in use would depend upon the VPN client in use. Which VPN client are you using?

Also, it is not hard to find out which ports major broadband ISPs are blocking. Which broadband ISP are you using?
 
Replying mhkwood:
a/
you wrote: "do not see the last hop that you see on the dialup side?"

I tracert ccX.ccY.ccZ.ccP (which is the IP of the vpn server). On the dial up side, the last few entries are:

hop 3: ...159 ms fqn-belonging-2-ispA [aaX.aaY.aaZ.aaP]
hop 4: ...159 ms ge-wan4-2.me1.optus.net.au [61.88.178.130]
hop 5: ...159 ms ccX.ccY.ccZ.ccP
Trace complete

On the broadband side, last few entries of tracert are:
hop 5.. 30 ms vlan101.sg4.optus.net.au [61.88.178.36]
hop 6 .. 30 ms pos7-1.mg4.optus.net.au [61.88.178.66]
hop 7 .. 40 ms ge-wan4-2.me1.optus.net.au [61.88.178.130]
.. then request time out

So I did see the same node on the last hop on both sides.

b/you wrote: "..Changes were made to the VPN server or firewall recently.."

I know changes were made to better have a more secured IT workplace but I do not know the exact change. But it is

c/ you wrote: "possiblity is that the VPN server is refusing traffic from your broadband ISP.."

It will be a surprise if they refuse my broadband ISP, because my broadband ISP and that of the company is actually the same one.

d/you wrote:"specific ports in use depend upon VPN client."

Why? Isn't it that MS WinXP comes with its own VPN client? I don't think the IT person installed a different one on my PC.

But some people said one could re-configure the ports for the VPN client software. But I don't know how. As I couldn't find any screen function (under XP) allowing me to make the change, wouldn't it be a regedit thing?

e/"it is not hard to find out which ports major broadband ISPs are blocking"

This post came outside the States though.
 
So I did see the same node on the last hop on both sides.

Yes, indeed. This tells us that your broadband ISP is not blocking ICMP (the protocol used for ping & tracert). The fact that you can get a complete tracert through your dialup ISP indicates that the VPN server is not blocking all ICMP traffic. It does make me tend to think that traffic from specific ISPs may be blocked.

It will be a surprise if they refuse my broadband ISP, because my broadband ISP and that of the company is actually the same one.

I would not be surprised at all. Again, most malicious activity originates from broadband connections. If your IT person thinks that everyone is connecting from a dialup ISP, it would be acceptable and perhaps even good practice to block traffic, even that originating on the same ISP. If everyone is using the same dialup ISP, it would be even better to block all traffic except for the traffic originating on that specific ISP.

Windows does come with a VPN client, but there are other VPN clients available. Many 'hardware' VPN solutions require their own VPN client. You would probably recognize if you had one of the VPN clients.

It is not possible to change the port that is used by the MS VPN client or server. You can switch to a different type of VPN which may use different ports, but of course a different VPN server would be required as well.

Not really important, in this case. Even though you are not in the US, there is more than enough information in your tracert paste to indicate that you are in Australia on an Optus connection. It would seem that Optus blocks ports 25 (used for mail servers) and 137-139 (MS networking). Neither of these is important, in this case -- your VPN ports should be open.

One more thing to try. Open a command prompt. Type 'telnet ccX.ccY.ccZ.ccP 1723' and press enter. The ccX.ccY.ccZ.ccP should of course be replaced by the actual IP of the VPN server.

If you get a "Connection refused" message, that is a sure sign that the VPN server is configured to block your traffic. If you receive any other error message in less than 5 seconds or so, that is a fairly good indication that you are being blocked.

If you get a "Connection failed" message after 5 seconds or so, it does not give any indication as to where the problem is. It could be a sign that the VPN server is dropping traffic, or could indicate a problem earlier in the connection.

If you get a "Connected to ccX.ccY.ccZ.ccP" then you are able to make a connection, so looking at the settings for the VPN client would be in order.
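As an added example (not the poster's own procedure), the same telnet check as a small Python probe that classifies the outcomes the reply above distinguishes; the VPN server address is a placeholder, and the loopback demo stands in for a real server so the block runs offline:

```python
import socket

# Placeholder for the real VPN server address from the thread (ccX.ccY.ccZ.ccP).
VPN_SERVER = "vpn.example.invalid"
PPTP_PORT = 1723

def probe_tcp(host, port, timeout=5.0):
    """TCP connect to host:port and return one of
    'connected', 'refused', 'error-fast', 'timeout'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "connected"
    except ConnectionRefusedError:
        # A RST came back: the host is reachable and actively rejecting us.
        return "refused"
    except socket.timeout:
        # No SYN/ACK and no RST within the window: something drops packets.
        return "timeout"
    except OSError:
        # Any other quick failure (unreachable, reset, resolution error).
        return "error-fast"
    finally:
        sock.close()

# How the reply above reads each outcome of the telnet test.
INTERPRETATION = {
    "connected": "port reachable; look at the VPN client settings next",
    "refused": "server rejects this source: sure sign the VPN server blocks you",
    "error-fast": "fast failure: fairly good indication you are being blocked",
    "timeout": "no reply: server may drop traffic, or the fault is earlier on the path",
}

def demo_on_loopback():
    """Reproduce the two outcomes that can be shown offline (constructed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # kernel picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    results = {"listening": probe_tcp("127.0.0.1", port, 2.0)}
    listener.close()                  # nothing listens there any more
    results["closed"] = probe_tcp("127.0.0.1", port, 2.0)
    return results

if __name__ == "__main__":
    for case, outcome in demo_on_loopback().items():
        print(f"{case}: {outcome} -> {INTERPRETATION[outcome]}")
```

To run it against a real server, call probe_tcp(VPN_SERVER, PPTP_PORT) with the placeholder replaced.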
 
1) vpn client
I forgot to ask. I assume I am using the VPN client that comes with MS Windows XP. But am I able to tell without asking the person who installed it? If I know it is the VPN client of MS, am I in a position to tell my broadband ISP that I am using PPTP port # 1723 for VPN? You know, they asked me to tell them the port # of my VPN client before helping me further.

2)telnet test
Typing telnet ccX.ccY.ccZ.ccP 1723 gives me a connection failure after more than 5 seconds. No luck.

3)netstat
I've got some netstat data. Does it help to find out the port # and explain what's wrong?
 
It really sounds like you are using the Windows client; you would notice a Nortel, Cisco, or some other company logo if you were using one of those clients. A way to check would be to right-click on the icon you click to start the connection and select Properties. Do you see any indication of another company name or logo there?

If it is a MS client, click on the 'Networking' tab while you are there. What is the "Type of VPN server I am calling" set to? This would nail down the port for sure.

Yes, no luck with the telnet test, nothing can be inferred from the results.

A netstat while you are connected over the dialup connection would verify which port is being used. In the Foreign Address column, the number after the colon is the port number in use. You should see the VPN server listed there, probably with a 1723 after the colon, possibly a 500, less likely something else. A netstat while trying to connect with broadband is not of any value, as it only shows active connections.
 
From what you wrote, I'm quite sure my PC isn't running any non-MS vpn client.

While with vpn established via dial-up networking, I do not understand why it gives ccX.ccY.ccZ.ccP:pptp and not 1723 after the colon. The full netstat reads:

Active Connections
Proto Local Address Foreign Address State
TCP myPcName:epmap myPcName.OurDomainID:0 LISTENING
TCP myPcName:microsoft-ds myPcName.OurDomainID:0 LISTENING
TCP myPcName:pptp myPcName.OurDomainID:0 LISTENING
TCP myPcName:1075 10.40.2.3:1025 TIME_WAIT
TCP myPcName:1025 myPcName.OurDomainID:0 LISTENING
TCP myPcName:1088 ccX.ccY.ccZ.ccP:pptp ESTABLISHED
UDP myPcName:microsoft-ds *:*
UDP myPcName:isakmp *:*
UDP myPcName:1032 *:*
UDP myPcName:1035 *:*
UDP myPcName:1039 *:*
UDP myPcName:4500 *:*
UDP myPcName:ntp *:*
UDP myPcName:1046 *:*
UDP myPcName:1068 *:*
UDP myPcName:1900 *:*

Do you know why 1723 is not shown?

BTW: the ISP gives me their investigation result. They suggest the vpn server is blocking my IP.
 
It is shown. Netstat replaces port numbers of common ports with the name. 1723 is 'named' pptp, so the last TCP line does indeed show 1723. I was not taking this into account.

I am also still leaning toward the VPN server blocking your IP.
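An added example, not from the thread, that parses the netstat paste above and maps the service names netstat substitutes (pptp, isakmp) back to port numbers, covering both the "number after the colon" advice and the pptp = 1723 point; the service table is an assumed subset of the Windows services file, and the sample is trimmed from the poster's output:

```python
# Assumed subset of the Windows 'services' file that netstat consults
# when it prints well-known ports by name (netstat -n prints numbers instead).
SERVICE_PORTS = {"epmap": 135, "microsoft-ds": 445, "pptp": 1723,
                 "isakmp": 500, "ntp": 123}

# Constructed sample, trimmed from the netstat paste earlier in the thread.
NETSTAT_SAMPLE = """\
Active Connections
Proto Local Address Foreign Address State
TCP myPcName:pptp myPcName.OurDomainID:0 LISTENING
TCP myPcName:1075 10.40.2.3:1025 TIME_WAIT
TCP myPcName:1088 ccX.ccY.ccZ.ccP:pptp ESTABLISHED
UDP myPcName:isakmp *:*
UDP myPcName:4500 *:*
"""

def port_number(token):
    """Turn the text after the colon back into a port number; None if unknown."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token)

def split_endpoint(endpoint):
    """'host:port' -> (host, port_number); rpartition tolerates dotted hosts."""
    host, _, port = endpoint.rpartition(":")
    return host, port_number(port)

def established_peers(netstat_text):
    """(foreign_host, foreign_port) for every ESTABLISHED TCP line."""
    peers = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0] == "TCP" and fields[3] == "ESTABLISHED":
            peers.append(split_endpoint(fields[2]))
    return peers

def vpn_port_in_use(netstat_text, server):
    """The port the live connection to `server` uses, or None if none is up."""
    for host, port in established_peers(netstat_text):
        if host == server:
            return port
    return None

if __name__ == "__main__":
    print(established_peers(NETSTAT_SAMPLE))
    print(vpn_port_in_use(NETSTAT_SAMPLE, "ccX.ccY.ccZ.ccP"))
```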
 
For some reason I still couldn't contact our IT group to confirm if they've refused my IP. That being the case, I think it is more likely the server is actually set up to allow a specific IP RANGE, say from x.y.0.0 through to x.y.255.255. Assume that is the IP range the specific ISP tells us they could lease out.

Does anyone know whether a typical vpn server could also accept a second IP address range, or a specific IP, aside from the above suggested range (between x.y.0.0 - x.y.255.255)?

I am thinking if there is a chance I don't need to switch ISP to get connected.

Thanks.
 