XP SP2 and XP's VPN Client

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
Hi all,

Here's the deal. I've installed XP SP2 on a testing machine. Everything went well, nothing seemed to be broken, and I can still access the internet via either the network or Windows's own PPPoE client.

It wasn't until I was unable to connect using my VPN client that I realised SP2 had done something.

Before the application of SP2 I had an L2TP connection to the router at work using a preshared key. Everything worked fine and I was happy. After SP2 the connection would time out claiming that "security negotiation has timed out". I monitored the NIC with Ethereal and it seemed that all the negotiation was going one way only: from my NIC to the router, with no packets returning (I then suspected Windows Firewall had something to do with it).

The funny thing is I tried disabling the firewall altogether and still the same problem!!!

I tried swapping out the HDD, loaded another instance of XP SP1, recreated those links and 'boom', the VPN works like a charm. Swapped back to the SP2 installation and I get the same timeout message. I even tried deleting the PPPoE and VPN accounts and recreating them, to no avail.

Does anyone have any tips on how to get this working?


Thanks in advance.
 

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
Yes I have tried rebooting!!!

I think I'm going to try loading a fresh copy of XP SP2 in a standalone setup, instead of doing the testing on a domain member.
 

howdyduty

Senior member
Feb 21, 2001
490
0
0
If no packets are returning, then the XP firewall is blocking the listening port. Find the right port(s) and add them to the firewall rule. XP might even have a rule for L2TP. Or, shut off the XP firewall.
 

dbergtkd

Junior Member
Aug 17, 2004
6
0
0
Silly human...you need to _read_ the post. MulLa said: "The funny thing is I tried disabling the firewall altogether and still the same problem!!!"

I'm also having problems with VPN and SP2 for XP though mine just doesn't correctly route packets unless I do a ROUTE ADD in a command shell. This is with the checkbox "Use Remote Gateway" unchecked. If I check said box, everything works for me "on site" but if I try to go elsewhere with the VPN connection enabled, everything is still being routed through the VPN connection. (This doesn't work well when the VPN server isn't allowed to browse off site.) VPN server is Windows 2000 with all patches installed. And of course, everything worked fine prior to the install of SP2.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
If the above hotfix does not work (it should), try going to a command prompt and typing

netsh int ip reset reset.log

And see if that works. If not, try

netsh winsock reset

If you have any LSP's installed on your machine, they'll have to be reinstalled. You can see what LSP's are on your machine by doing

netsh winsock show catalog


If that does not work, uninstall the VPN client, repeat the steps above, and reinstall the VPN client.

Resetting Winsock fixed most of the networking problems I had after upgrading to SP2.
 

Mem

Lifer
Apr 23, 2000
21,476
13
81
Also try ticking all the boxes in the "exceptions tab" in the Windows firewall icon located in Control Panel.
 

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
Thanks all for the replies! And I thought this thread died too!! I'll try some stuff and report back!

To resolve this problem immediately, contact Microsoft Product Support Services to obtain the hotfix.

Err... How does this work? Am I supposed to contact them so I can get access to this hotfix?
 

MainframeGuy

Member
Aug 29, 2004
38
0
0
I have hit the same problem, applied the hotfix, also tried all that Boscoh suggests and yet still cannot get VPN to operate correctly as it did before SP2.

Sorry to bump this thread up - but I would really like to resolve this, I am being forced to use my lap-top (SP1) for work in the interim.

The strange thing is it seems I am required to have the firewall up for any success at all, then I can sometimes get connectivity - but it is intermittent and seldom lasts long enough to be of any use. I am very puzzled, what is the best way to proceed with debugging this?
 

dbergtkd

Junior Member
Aug 17, 2004
6
0
0
Our campus has been in contact with Microsoft on this issue as the hotfix did not help us, either. They claim a fix will be sent to us in a week or so. In the meantime, a workaround for this issue is to manually manipulate the routes. For example, if you are VPN'ing into a class B (like I am), at the CMD prompt, you can add a ROUTE command, e.g. ROUTE ADD 199.163.0.0 MASK 255.255.0.0 199.163.X.X

...where the last number is the IP number assigned by the VPN server. This route should work for the duration of the VPN connection usage and should be automatically deleted when the VPN connection is severed.

Good luck.
 

MulLa

Golden Member
Jun 20, 2000
1,755
0
0
Just like MainframeGuy has said... Not much luck here either.

I'll give your solution a shot, dbergtkd. In the meantime I'm constantly swapping HDDs to establish VPN connections.
 

dbergtkd

Junior Member
Aug 17, 2004
6
0
0
We tried those registry settings also with no positive results. Also, if I recall correctly, those are only for L2TP, not PPTP. *shrug*

We also tried setting a static route in Active Directory. All this did was crash our VPN server. We then built another VPN server which didn't crash but the static route in AD did no good, either. In either case, the "correct" route is created briefly (about 3 to 5 seconds) and is then destroyed. Our only luck so far has been through manually adding the desired route.
 

MainframeGuy

Member
Aug 29, 2004
38
0
0
I agree the ADD ROUTE workaround gets me through to my telnet - so I can do the bulk of my work back at my desk again, with a small additional task every day before I get going. I have asked M$ their stance on this and am still waiting to hear.

One other thing I used VPN access for on a daily basis was my OUTLOOK email - here I have to refer to the MSExchange server by name, cannot enter its IP address. Is there any way I can get that manually connected? If I add the IP address I can ping it OK, but still not the name... and if I try to enter the IP address in Outlook it just converts it back to the name anyway.
 

dbergtkd

Junior Member
Aug 17, 2004
6
0
0
Without knowing more about how your network is structured (i.e. is your VPN server in the same class C, B, or A as the Exchange server?), I'm not sure I can offer much. At the same time, if you can ping the Exchange server by IP but not by name, you may be having a DNS issue. If you want, execute IPCONFIG /ALL and ROUTE PRINT and send me the output. Be sure to include the name and IP of the Exchange server. You can send the info to: shirsaibsi@kneebsourk.mailexpire.com

I'll post a response here but with the numbers changed to protect the "innocent". ;-) Mind you, no promises on a solution, but I will post something.
 

MainframeGuy

Member
Aug 29, 2004
38
0
0
hi there - thanks for the offer, but I think I am unlikely to take it up. Not that I wish to offend, I am completely prepared to trust you personally, but the company I work for:-
a) has not authorized SP2 deployment (so I can hardly advise of fixes for it!)
b) would have a hissy fit about server names and IPs I suspect (although pretty secure with Raptor firewall et al.)

Also I don't believe the info you asked for would shed any light - I've already puzzled over that. I do not know the serverside VPN configuration, I just used to log in and go with no problems on native XP client (alas no more!). I do know the VPN connection I make is USA and the Outlook mail server I connect to is UK so entirely likely the two are separate VPN servers and that is where issues lie - I am not going to trouble myself right now....

Will of course post back here as and when there is news from my company who are bound to look to resolve this as and when they deploy SP2....
 

dbergtkd

Junior Member
Aug 17, 2004
6
0
0
Hey, no problem. I understand completely. (You'll notice I didn't hang my real email address out there, either. ;-)

If the Exchange server is a different number set (Class A, B, etc.), you'll probably need to execute another ROUTE ADD command. Something like: ROUTE ADD 222.333.88.0 MASK 255.255.255.0 199.163.X.X ...where the last number is the IP number assigned by the VPN server and the first number (222...) is the first three octets of the Exchange server in question. The octet of the first number should remain zero although you could probably use the whole number and then use 255 for all four octets of the MASK. *shrug* Play with it a little and I bet it'll work.

Also, M$ has reneged on its offer of a fix/patch. Their new "work around" is to upgrade our DHCP server to Windows 2003. This will allow implementation of something called "classless static routes" (a new scope option in the 2003 version of DHCP).

We'll probably be trying that shortly. I'll post back when I have something, good or bad.
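
For readers wondering what the "classless static routes" scope option actually carries, here is an added example (not part of the thread or any poster's code). It packs and parses the RFC 3442 route encoding, which Microsoft's DHCP option 249 shares with standard option 121, and prints the ROUTE ADD line each pushed route would replace. The function names, the router address 192.0.2.10 and the 198.51.100.0/24 route are constructed for illustration; 199.163.0.0/16 is the class B from the posts above.

```python
import ipaddress

def encode_routes(routes):
    """Pack (destination CIDR, router IP) pairs into an RFC 3442 option payload."""
    payload = bytearray()
    for cidr, router in routes:
        net = ipaddress.IPv4Network(cidr)      # strict: rejects host bits in the destination
        octets = (net.prefixlen + 7) // 8      # only the significant octets are sent
        payload.append(net.prefixlen)
        payload += net.network_address.packed[:octets]
        payload += ipaddress.IPv4Address(router).packed
    return bytes(payload)

def decode_routes(payload):
    """Parse an option payload back into (IPv4Network, IPv4Address) pairs."""
    routes, i = [], 0
    while i < len(payload):
        prefixlen = payload[i]
        if prefixlen > 32:
            raise ValueError(f"bad prefix length {prefixlen} at offset {i}")
        octets = (prefixlen + 7) // 8
        end = i + 1 + octets + 4
        if end > len(payload):
            raise ValueError(f"truncated route at offset {i}")
        # Pad the compressed destination back out to four octets.
        dest = ipaddress.IPv4Address(payload[i + 1:i + 1 + octets] + bytes(4 - octets))
        net = ipaddress.IPv4Network(f"{dest}/{prefixlen}")
        routes.append((net, ipaddress.IPv4Address(payload[end - 4:end])))
        i = end
    return routes

def route_add_commands(payload):
    """Render each pushed route as the manual ROUTE ADD line it replaces."""
    return [f"ROUTE ADD {net.network_address} MASK {net.netmask} {router}"
            for net, router in decode_routes(payload)]

# Constructed sample: the class B from the thread plus a made-up /24,
# both via a made-up router address.
SAMPLE = encode_routes([("199.163.0.0/16", "192.0.2.10"),
                        ("198.51.100.0/24", "192.0.2.10")])

if __name__ == "__main__":
    print(SAMPLE.hex(" "))
    print("\n".join(route_add_commands(SAMPLE)))
```
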
 

MainframeGuy

Member
Aug 29, 2004
38
0
0
Thanks dbergtkd - I had tried that ADD ROUTE so it is not that, maybe for all I know there are Outlook issues with SP2 also? That WOULD be a biggie though, so I think I'd have heard.

Still waiting on some news from M$ after I told them the hotfix did not help and I was having to do my own ADD ROUTE for my telnet.... the longer they take the more I am getting the feeling they may say this is "behaving as designed" - anyone else have news or opinions?
 

najitaka

Junior Member
Sep 8, 2004
3
0
0
I have had this same problem with VPN sorta. I connect to the VPN site, at first the connection seems like it is working but any attempt to do anything with the connection fails. The connection remains but it is stale, i.e. it doesn't work.

I've contacted M$ and received the hotfix. It did not help. I disabled the firewall, no help. I reenabled the firewall and checked all the exception boxes, no help. I checked the box for it to work with the VPN connections and checked all those exception boxes, no help.

They have escalated my information to a senior support person again. They tried to get me to disable my hardware firewall but we have multiple machines on OS other than XP and need it, so that wasn't a valid solution. I'm beginning to think that they have code within the firewall code that is required by VPN yet is inaccessible by VPN itself. I can roll my machine back to SP1 and everything works like a charm.

I'll let you know if they resolve the issue.
 

MainframeGuy

Member
Aug 29, 2004
38
0
0
Your idea fits your symptoms with one exception - how come we can ROUTE ADD and get our VPN to operate just as before for things like Telnet? It's a little more complex than that and I am to be frank just amazed M$ is not reacting a little faster on it... *goes off to mail M$ support!*
 

fblack

Junior Member
Sep 14, 2004
4
0
0
Any more information on this issue - I'm having the same issue. I have to manually enter the route to the network on the other side of the VPN I connect to. If I recall, they've had this issue in the past with other OS's.

Thanks,
Fred
 

MainframeGuy

Member
Aug 29, 2004
38
0
0
Well... by strange coincidence I did get an email from M$ support, and it went like this:-
"As I understand the issue, I would like you to try the following trouble
shooting steps
What I want you to do is to boot off the CD XP
press R for recovery, then choose option1, press enter on admin password
Then when the black screen appears type the following command
cd \windows/system32/restore then press enter
then type in the following rstrui.exe then press enter. then select a previous
date then press next
and then run a clean boot and reinstall Sp2, if you go to the following web
address
www.support.microsoft.com and type in the following article number>310353
this will show you how to perform a clean boot."

now I do not think this is going to do anything for my problem, but it sure as hell will keep me busy! So I am going to jump through these hoops and then re-raise the incident when it does not help.

Of course if it DOES help I will post back here and eat humble pie along with my hat!
 