VPN to Cisco via Radius fails ppp

Hi,
I have a Windows 2003 Domain, with an internet facing Cisco 837 ADSL router.
The router is configured to allow incoming (pptp) VPN connections, passing
authentication off to a Windows Radius server (IAS). I can VPN into the
network fine from XP, but with Vista I get a 619 error.

I have downgraded the authentication to chap and MSchap (v1) on vista by
configuring the VPN settings manually (and actually setting everything to the
same as my XP client vpn connection), but it still fails. It actually looks
like the authentication phase completes OK by looking in the IAS logs - and
the client briefly displays the "registering your computer on the network"
dialog before being disconnected. I think this is more of a link control
error than the usual VPN authentication or encryption problems.

I have run netmon 3.1 traces on both the XP and Vista clients, and can see
that the vista client gets disconnected following the CCP negotiation phase.
I have tried changing the LCP and compression settings on the Vista client
but this makes no difference.

Something must have changed with the Vista VPN client that has broken this
functionality. I can VPN in fine from many XP, W2K, and even Windows mobile
clients - but not Vista.

Any suggestions gratefully received!

Hello,

Thank you for using newsgroup!

From your post, I'd like to suggest you try the following steps:

Step1
===========
Maybe turning off auto-tuning on the Vista client may help. Please run the
following commands:

netsh interface tcp set global rss=disabled
netsh interface tcp set global autotuninglevel=disabled and reboot

Related Articles:
934430: Network connectivity may fail when you try to use Windows Vista
behind a firewall device
http://support.microsoft.com/kb/934430/en-us

555912: Windows 2003 service pack 2 known issues on Small Business Server
2003
http://support.microsoft.com/kb/555912/en-us

Step2
===========
Changing or disabling the behavior for Strong Host Routing in Windows Vista.

In this case, the customer has an application that would switch to using a
faster network dynamically if one was available. The Strong Host Routing in
Windows Vista was preventing this from happening.

There is no setting that can be made in the registry to disable this
behavior. You can only disable the metric preference for gateways using
NETSH.
The syntax is: netsh interface ipv4 set int
ignoredefaultroutes=enabled/disabled

However it only works on a per connection basis though. If you are using
CMAK you can create a script that runs that command at the end of a
connection.

The VPN software could be coded to disable the default route like below,
but they probably don't have access to source for that client.
http://msdn2.microsoft.com/en-us/library/aa814496.aspx
It is exposed through IP Helper.

DisableDefaultRoutes
A value that indicates if using default route on the interface should be
disabled. This member can be used by VPN clients to restrict split
tunneling.

Step3
===========
Check if you have obtain the proper IP addresses from the DHCP server. If
not, please refer to:
928233: Windows Vista cannot obtain an IP address from certain routers or
from certain non-Microsoft DHCP servers
http://support.microsoft.com/kb/928233/en-us

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------
| Thread-Topic: VPN to Cisco via Radius fails ppp
| thread-index: AcfZ1uCyf4HVu6YfRGSfMdE8was6LQ==
| X-WBNR-Posting-Host: 207.46.19.197
| From: =?Utf-8?B?ZnJlZA==?= <mojacmankey.DeleteThis@community.nospam>
| Subject: VPN to Cisco via Radius fails ppp
| Date: Wed, 8 Aug 2007 09:12:11 -0700
| Lines: 24
| Message-ID: <BA6ABA86-76E7-451D-8A41-23DBC1529FDE.DeleteThis@microsoft.com>
| MIME-Version: 1.0
| Content-Type: text/plain;
| charset="Utf-8"
| Content-Transfer-Encoding: 7bit
| X-Newsreader: Microsoft CDO for Windows 2000
| Content-Class: urn:content-classes:message
| Importance: normal
| Priority: normal
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2826
| Newsgroups: microsoft.public.windows.vista.networking_sharing
| Path: TK2MSFTNGHUB02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl
microsoft.public.windows.vista.networking_sharing:12407
| NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148
| X-Tomcat-NG: microsoft.public.windows.vista.networking_sharing
|
| Hi,
| I have a Windows 2003 Domain, with an internet facing Cisco 837 ADSL
router.
| The router is configured to allow incoming (pptp) VPN connections,
passing
| authentication off to a Windows Radius server (IAS). I can VPN into the
| network fine from XP, but with Vista I get a 619 error.
|
| I have downgraded the authentication to chap and MSchap (v1) on vista by
| configuring the VPN settings manually (and actually setting everything to
the
| same as my XP client vpn connection), but it still fails. It actually
looks
| like the authentication phase completes OK by looking in the IAS logs -
and
| the client briefly displays the "registering your computer on the
network"
| dialog before being disconnected. I think this is more of a link control
| error than the usual VPN authentication or encryption problems.
|
| I have run netmon 3.1 traces on both the XP and Vista clients, and can
see
| that the vista client gets disconnected following the CCP negotiation
phase.
| I have tried changing the LCP and compression settings on the Vista
client
| but this makes no difference.
|
| Something must have changed with the Vista VPN client that has broken
this
| functionality. I can VPN in fine from many XP, W2K, and even Windows
mobile
| clients - but not Vista.
|
| Any suggestions gratefully received!
|