VPN Trouble
ke02eww
07-02-05, 09:48 AM
Firstly, two things: I am a newbie to this forum, not to the topic of this post, and I hope I have posted in the right thread.
Here's the situation:
I am running Windows 2003 Enterprise Server configured with a domain controller, DHCP etc., and I want a VPN system.
I have enabled Routing and Remote Access via the Wizard, entered the required information which is:
Network Card 1: "Internet Card" IP 10.16.13.13 - connects the internet
Network Card 3: "Internal Card" IP 10.16.13.15 - connects to the LAN
The wizard completed successfully. I have opened ports 47 TCP & UDP for the GRE, port 1701 UDP and port 1723 TCP on my ADSL router. I have also set up a redirection so the static IP given to me by my ISP is routed to the "Internet Card". My router is a DLink DSL-504.
All is well to this point. I connected to the VPN from a machine on the same network (running XP Pro) as the VPN; I set up the VPN to connect to the "Internet Card 10.16.13.13" and it connected successfully in less than 5 seconds.
I went over to my neighbour's house (he is running XP Pro), connected to the net via dialup and then set up a VPN connection; it dials, sees the host and then gives error 721. I researched this error at Microsoft.com and found it to be related to the GRE port being closed, but it isn't.
Any help would be much appreciated!!!
YeOldeStonecat
07-02-05, 10:01 AM
It's IP type 47, GRE, the 47 isn't actually a port. Go ahead and close port 47. You need to tell your router to allow GRE passthrough, basically VPN passthrough, PPTP/IPSEC. There should be a checkbox switch somewhere.
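An added example, not code from any post in this thread, that takes PPTP apart into the two things YeOldeStonecat is distinguishing: the control channel on TCP port 1723, and the data channel carried in GRE, which is IP protocol number 47 and has no port at all. The packet layouts follow RFC 2637; the host name, vendor string and sample PPP bytes are made up. The parsers run offline; the probe at the end needs a reachable server.

```python
"""PPTP's two channels, taken apart: TCP/1723 control and IP protocol 47 (GRE).

Added example for this thread (not from any post). Layouts follow RFC 2637;
the host name / vendor strings and the sample PPP bytes are made up.
"""
import socket
import struct

PPTP_PORT = 1723             # the only TCP port PPTP uses
GRE_IP_PROTOCOL = 47         # IP protocol number in the IP header: NOT a TCP/UDP port
PPTP_MAGIC = 0x1A2B3C4D
GRE_PPP_PROTO_TYPE = 0x880B  # GRE "protocol type" for PPP payloads
SCCRQ, SCCRP = 1, 2          # Start-Control-Connection Request / Reply
RESULT_CODES = {1: "success", 2: "general error",
                3: "command channel already exists",
                4: "not authorized", 5: "unsupported protocol version"}
SCCRQ_FMT = "!HHIHHHHIIHH64s64s"   # 156 bytes
SCCRP_FMT = "!HHIHHHBBIIHH64s64s"  # 156 bytes


def build_sccrq(hostname=b"probe", vendor=b"example"):
    """Client hello on the control channel."""
    return struct.pack(SCCRQ_FMT, 156, 1, PPTP_MAGIC, SCCRQ, 0,
                       0x0100, 0,          # protocol version 1.0, reserved
                       3, 3,               # framing async|sync, bearer analog|digital
                       1, 0,               # max channels, firmware revision
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def build_sccrp(result=1, error=0, hostname=b"srv", vendor=b"vendor"):
    """Server reply; included so the parser can be exercised offline."""
    return struct.pack(SCCRP_FMT, 156, 1, PPTP_MAGIC, SCCRP, 0,
                       0x0100, result, error, 3, 3, 1, 0,
                       hostname.ljust(64, b"\0"), vendor.ljust(64, b"\0"))


def parse_sccrp(data):
    """Decode a Start-Control-Connection-Reply or raise ValueError."""
    if len(data) < 156:
        raise ValueError("short PPTP reply: %d bytes" % len(data))
    (_len, msg_type, magic, ctrl, _r0, version, result, error,
     _fr, _be, _mc, _fw, host, vendor) = struct.unpack(SCCRP_FMT, data[:156])
    if msg_type != 1 or magic != PPTP_MAGIC:
        raise ValueError("not a PPTP control message")
    if ctrl != SCCRP:
        raise ValueError("expected SCCRP (2), got control type %d" % ctrl)
    return {"version": "%d.%d" % (version >> 8, version & 0xFF),
            "result": RESULT_CODES.get(result, "unknown(%d)" % result),
            "error_code": error,
            "host": host.rstrip(b"\0").decode("ascii", "replace"),
            "vendor": vendor.rstrip(b"\0").decode("ascii", "replace")}


def build_gre_ppp(call_id, ppp, seq=None, ack=None):
    """Enhanced GRE header (RFC 2637 section 4) for the data channel. It sits
    directly after the IP header with protocol=47; there is no port number
    anywhere in it, which is why 'opening port 47' on a router does nothing."""
    flags = 0x2000 | 1                  # K (key present) + version 1
    if seq is not None:
        flags |= 0x1000                 # S: sequence number present
    if ack is not None:
        flags |= 0x0080                 # A: acknowledgment number present
    hdr = struct.pack("!HHHH", flags, GRE_PPP_PROTO_TYPE, len(ppp), call_id)
    if seq is not None:
        hdr += struct.pack("!I", seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp


def parse_gre(data):
    """Decode the enhanced GRE header built above."""
    flags, proto = struct.unpack("!HH", data[:4])
    if (flags & 0x7) != 1 or proto != GRE_PPP_PROTO_TYPE or not (flags & 0x2000):
        raise ValueError("not PPTP enhanced GRE")
    length, call_id = struct.unpack("!HH", data[4:8])
    off, out = 8, {"call_id": call_id}
    if flags & 0x1000:
        out["seq"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if flags & 0x0080:
        out["ack"] = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    out["payload"] = data[off:off + length]
    return out


def probe_control_channel(host, port=PPTP_PORT, timeout=5.0):
    """Connect to TCP/1723 and exchange SCCRQ/SCCRP (needs a live server).
    If this reports 'success' from outside, yet the client still fails with
    721 at 'Verifying username and password', the control channel is forwarded
    fine and it is the GRE (protocol 47) packets that never arrive."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < 156:
            chunk = s.recv(156 - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)


if __name__ == "__main__":
    import sys
    print(probe_control_channel(sys.argv[1]))
```

Run it as `python pptp_probe.py <public IP>` from a host outside the router. The control handshake succeeding from outside while the dial-up client still stops at "verifying username and password" is the classic shape of error 721 with GRE dropped: the TCP forward works, the protocol-47 passthrough does not.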
YeOldeStonecat
07-02-05, 10:02 AM
Is one NIC connected to a LAN port on the router, and the other NIC connected to a switch for the rest of your LAN? Usually you have a different IP range if done that way.
ke02eww
07-02-05, 10:18 AM
Is one NIC connected to a LAN port on the router, and the other NIC connected to a switch for the rest of your LAN? Usually you have a different IP range if done that way.
Thanks for your assistance, I will give it a go.
No, the two NICs are on the same router, right next to one another.
ke02eww
07-02-05, 10:27 AM
It's IP type 47, GRE, the 47 isn't actually a port. Go ahead and close port 47. You need to tell your router to allow GRE passthrough, basically VPN passthrough, PPTP/IPSEC. There should be a checkbox switch somewhere.
PPTP and IPSEC are already enabled.
YeOldeStonecat
07-02-05, 11:10 AM
No, the two NICs are on the same router, right next to one another.
Hmmm.... :confused:
Well, if you want 2x NICs that way for some reason, make sure other network services are unbound from it, else you'll get duplicate netbios broadcast errors.
Try the latest firmware on the router?
ke02eww
07-02-05, 06:53 PM
Hmmm.... :confused:
Well, if you want 2x NICs that way for some reason, make sure other network services are unbound from it, else you'll get duplicate netbios broadcast errors.
Try the latest firmware on the router?
The latest firmware is already on the router. The current protocols on both network cards are:
Client for Microsoft Networks
File and Printer Sharing for Microsoft Networks
Internet Protocol (TCP/IP)
Do you think I should only use one NIC?
Respice
07-03-05, 02:34 AM
Make sure that 1723 is being forwarded on to your Internet Card interface for routing purposes. PPTP has to be installed as a routing protocol on the server you are trying to connect to.
ke02eww
07-03-05, 03:02 AM
Make sure that 1723 is being forwarded on to your Internet Card interface for routing purposes. PPTP has to be installed as a routing protocol on the server you are trying to connect to.
The port does forward to the internet card.
I am not sure if PPTP is installed, but the routing and remote access is installed.
When you connect on a remote computer, it finds the host, pauses on "verifying username and password" and then errors with 721, remote computer did not respond.
dotbalm
07-25-05, 10:56 PM
Newbie to this site. Not a MS wizard, but I've seen issues like this in networking.
Has this been resolved? Sounds like NIC contention for remote outbound traffic, but here's some detail.
Two NICs on the same subnet can cause issues when return packets are destined for remote networks if gateways are not configured correctly or if the OS can't handle it, or if there is contention for which of the 2 NICs returns the outbound packet (I'd check for the latter).
In the latter case, if the "outbound" NIC is not the same NIC as received the inbound packet - I'm talking 2 NICs on the same subnet not different subnets, then stateful connections cannot be achieved if I'm not mistaken.
I've seen some weird anomalies that I think were OS-dependent where the OS wasn't smart enough to realize "send the packet out the interface it came in on" in the special case where multiple NICs with different IPs were configured for the same network.
If I understand your topo and results, it sounds like a connection from within the same subnet worked (local connection), but one across networks didn't (remote connection).
In the successful case, routing/default gateway, OS anomaly and NIC contention are not an issue because they don't come into play; all that's needed is ARP for MAC addresses at OSI layer 2 and the IP/subnet at layer 3. Machines will talk on the same subnet without a gateway.
But in the second case, routing is invoked and therefore a routing/gateway decision must be made. In such a case, here are some things to check.
a) The inbound NIC may not have the correct default gateway (either it's wrong or missing).
b) Above is probably correct, but the 2nd NIC may be taking over the sending of the packet back out to its gateway, even though it was the 1st NIC that received the inbound packet, and even though the 1st NIC is configured correctly. It doesn't matter if the IP of the gateway is exactly the same on both NICs (say 10.16.13.1), the OS may not be smart enough.
If you suspect this,
c) disable your "LAN" NIC that may be contending for outbound remote traffic, then try the remote connection.
If that works and you want to bring up the 2nd NIC for some reason...
d) see if you can correlate if there is any NIC precedence, such as the Internet NIC ("inbound") is listed below/after the LAN NIC ("outbound") in ipconfig /all. If so, you may be able to fool the OS by switching their addresses so the Internet NIC is listed first and becomes dominant. I've seen some weird stuff...so it's merely a brainstorm suggestion.
You haven't mentioned why you want two IP addresses on the same machine on the same subnet. It's a bit unorthodox, absent any reason, but hey I've seen some strange stuff.
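An added example, not part of dotbalm's post: a small Python model of the route lookup the post is reasoning about, to make steps (c) and (d) concrete. It does longest-prefix match, then lowest metric, then table order, on a constructed table in the shape of `route print` on the poster's server. The two NIC addresses come from the thread; the gateway 10.16.13.1 (the post's "say 10.16.13.1"), the remote client 203.0.113.5, the metrics and the listing order are assumptions. The point it shows is that the lookup never sees which NIC the request arrived on.

```python
"""Model of the reply-path problem in the post above: two NICs on one subnet
and a route lookup that does not know which NIC the request arrived on.

Added example, not code from any post. Addresses follow the thread
(10.16.13.13 internet NIC, 10.16.13.15 LAN NIC); the gateway 10.16.13.1, the
remote client 203.0.113.5, the metrics and the table order are assumed.
"""
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "dest mask gateway iface metric")


def lookup(table, dst):
    """Longest prefix match, then lowest metric, then table order.
    Nothing here looks at an ingress interface: the decision is made on the
    destination alone, which is the behaviour the post describes."""
    dst = ipaddress.ip_address(dst)
    best = None
    for idx, r in enumerate(table):
        net = ipaddress.ip_network("%s/%s" % (r.dest, r.mask), strict=False)
        if dst in net:
            key = (-net.prefixlen, r.metric, idx)
            if best is None or key < best[0]:
                best = (key, r)
    return best[1] if best else None


def reply_iface(table, ingress_iface, remote_ip):
    """Interface the reply to remote_ip leaves from. ingress_iface is taken
    only to make the point: it has no influence on the answer."""
    r = lookup(table, remote_ip)
    return r.iface if r else None


def table_2003(internet_metric=20, lan_metric=20, lan_enabled=True):
    """Constructed route table in the shape of `route print` on the poster's
    server: two default routes to the same gateway, one per NIC, with the LAN
    NIC listed first (assumed ordering)."""
    t = [
        Route("0.0.0.0", "0.0.0.0", "10.16.13.1", "10.16.13.15", lan_metric),
        Route("0.0.0.0", "0.0.0.0", "10.16.13.1", "10.16.13.13", internet_metric),
        Route("10.16.13.0", "255.255.255.0", "10.16.13.13", "10.16.13.13", 20),
        Route("10.16.13.0", "255.255.255.0", "10.16.13.15", "10.16.13.15", 20),
    ]
    return t if lan_enabled else [r for r in t if r.iface != "10.16.13.15"]


if __name__ == "__main__":
    remote, local = "203.0.113.5", "10.16.13.200"
    # Local XP client on the same subnet: on-link route, no gateway involved.
    print("LAN client            ->", reply_iface(table_2003(), "10.16.13.13", local))
    # Remote client arriving via the port-forward to .13: the reply follows the
    # default route, and with equal metrics the first-listed NIC (.15) wins.
    print("remote, equal metrics ->", reply_iface(table_2003(), "10.16.13.13", remote))
    # Step (c): LAN NIC disabled, only one default route left.
    print("remote, LAN NIC off   ->", reply_iface(table_2003(lan_enabled=False), "10.16.13.13", remote))
    # Step (d): make the internet NIC dominant with a lower metric.
    print("remote, metric 10     ->", reply_iface(table_2003(internet_metric=10), "10.16.13.13", remote))
```

This models the decision, it does not prove it is the cause of the 721; the check on the real box is `route print` on the server, which shows whether two 0.0.0.0 routes exist, their metrics, and which interface is listed first.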