And now for something completely different. I love the VPN services offered by the Microsoft platform in general, and by ISA or TMG specifically. SSTP (Microsoft’s SSL VPN) is great, as long as you have an all-Vista-or-later client base. Until then, IPSec works well as long as you get the NAT issues ironed out in XP and Vista (7 just works!). With a mixed environment, PPTP lets you extend your network to practically every platform and device you have, including Windows Mobile devices, iPhones, Linux boxes, and even Macs. And all of this comes at no additional charge, works on both 32-bit and 64-bit operating systems, and supports GPO management, login scripts, password expiry, and more.
A couple of years ago I created a slide deck about troubleshooting the MS VPN services I’d deployed, to provide some training for first and second level technicians, so that I wouldn’t have to be the single support contact for VPN issues for 6,000 users. It’s not that there were very many at all, but I had to go on vacation sometime. I stumbled across it while looking for some other old design docs I put together, and figured that the data might be of some use to others, so here it is. Rather than leaving it in a PPTX, I’ve reformatted the data, added some wording, and spread it across three posts.
This is part one, where we’ll go over error codes clients may encounter which are caused by server issues. In part two, we’ll discuss the more likely client side issues. In part three, we’ll go over some serious weirdness that I have seen out there, that really defied all expectations or flew in under the duh threshold. By sharing them, maybe I will save you an hour of looking for deeply rooted causes, when the true source of the problem is not what you would expect.
So to assist you with your efforts, the following table lists the most common error codes caused by server side issues, along with what you should check to address them. But remember, it is the client that will see the error. You will see related entries in the event logs of the server, but this table defines the error codes that the client will see which are caused by server side troubles. These could be with the VPN server itself, the DHCP server supporting VPN connections, the RADIUS server (if used), or within Active Directory.
| Error code | Description | Possible explanation |
|---|---|---|
| 645 | Internal authentication error. | The VPN server cannot reach any domain controllers (or the RADIUS server, if used), or the user credentials are not correct. |
| 717 | No IP addresses are available in the static pool of Remote Access IP Addresses. | Your VPN server is configured to use a static pool and it has assigned all the available addresses. You need to extend the pool of available addresses. |
| 730 | Computer registration is not complete. | Your VPN server is configured to use RADIUS to authenticate remote connections, and the RADIUS server did not respond to the VPN server’s request. |
| 738 | The server did not assign an address. | Your VPN server is configured to use DHCP relay to obtain addressing for connected clients, and the DHCP server scope is exhausted. |
| 647 | The account is disabled. | Check the user’s account in ADUC: it has been disabled. |
| 648 | The password has expired. | Check the user’s account in ADUC: the user’s password has expired, but the flag is set to not allow the user to change their password. |
| 649 | The account does not have Remote Access Permission. | Check the user’s account in ADUC. If you are controlling remote access through AD, it does not have dial-in permissions. If you are controlling remote access through RAS, it does not belong to a group that has dial-in permissions. |
| 691 | Access denied because username and/or password is invalid on the domain. | Once you are sure the user is using the correct credentials, try logging on using domain\username or username@domain. |
| 708 | Account has expired. | Check the user’s account in ADUC: it has expired. |
| 709 | Error changing password on domain. | You will only see this after a successful authentication for a user whose account was set to require them to change their password. Your VPN server is using LDAP to authenticate. You must use LDAPS to change passwords. |
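The four account-state codes in the table (647, 648, 649 and 708) all send you to the user's object in ADUC. As an added example, not part of the original post, here is a small PowerShell triage function that does those checks with the ActiveDirectory module (RSAT) so a first-level technician can confirm the cause before escalating. It assumes remote access is controlled through AD (the msNPAllowDialin attribute) rather than through a RAS/NPS policy, and the account name used at the bottom is hypothetical.

```powershell
# Added example, not from the original post: map the AD account-state error
# codes from the table above to the attributes you would otherwise check by
# hand in ADUC. Requires the ActiveDirectory module (RSAT) and read access to
# the user object. Assumes dial-in permission is set on the AD object
# (msNPAllowDialin); with "Control access through NPS policy" it is $null.
Import-Module ActiveDirectory

function Test-VpnAccountCause {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][int]$ErrorCode
    )

    $props = @('Enabled','PasswordExpired','CannotChangePassword',
               'AccountExpirationDate','msNPAllowDialin')
    $u = Get-ADUser -Identity $SamAccountName -Properties $props

    switch ($ErrorCode) {
        647 { # The account is disabled.
            [pscustomobject]@{ Code = 647; Check = 'Enabled'; Value = $u.Enabled
                               Matches = (-not $u.Enabled) }
        }
        648 { # Password expired AND user is not allowed to change it.
            [pscustomobject]@{ Code = 648; Check = 'PasswordExpired+CannotChangePassword'
                               Value = "$($u.PasswordExpired)/$($u.CannotChangePassword)"
                               Matches = ($u.PasswordExpired -and $u.CannotChangePassword) }
        }
        649 { # No Remote Access Permission (Dial-in tab in ADUC).
            [pscustomobject]@{ Code = 649; Check = 'msNPAllowDialin'; Value = $u.msNPAllowDialin
                               Matches = ($u.msNPAllowDialin -ne $true) }
        }
        708 { # Account has expired (expiration date is in the past).
            $expired = [bool]$u.AccountExpirationDate -and
                       ($u.AccountExpirationDate -lt (Get-Date))
            [pscustomobject]@{ Code = 708; Check = 'AccountExpirationDate'
                               Value = $u.AccountExpirationDate; Matches = $expired }
        }
        default { throw "Error $ErrorCode is not an AD account-state code in the table." }
    }
}

# Usage with a hypothetical account name; Matches = True confirms the cause.
Test-VpnAccountCause -SamAccountName 'jdoe' -ErrorCode 648 | Format-List
```

If Matches comes back False for the code the client reported, the cause is not the AD account state and you should move on to the server event logs.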
Now, don’t make the mistake of disregarding the server’s event logs. They will still be your best source of information about what is happening on the server. The above codes are a great place to start, and should help you decide what to focus on first on the server side of things. In our next post, we’ll go over the codes that point to the client side of things. Until then, should your server troubleshooting start to get serious, be careful when messing around with RAS servers; they tend to take things personally. The last time I had to take one down, it went something like this.
Have any questions about troubleshooting the server, or tips to share? Leave a comment, and don’t forget to check back for part two of this post, troubleshooting client side issues, and part three, tales from the trenches.