Microsoft KB Archive/834426

= A demand-dial PPTP connection may disconnect every 1 minute and 30 seconds =

Article ID: 834426

Article Last Modified on 10/31/2006

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Internet Security and Acceleration Server 2000 Service Pack 1
 * Microsoft Internet Security and Acceleration Server 2000 Standard Edition

-



SYMPTOMS
A demand-dial Point-to-Point Tunneling Protocol (PPTP) connection between two Windows servers that use the Routing and Remote Access service may disconnect every 1 minute and 30 seconds.

Also, if Log the maximum amount of information has been set on the Event Logging tab in the Routing and Remote Access MMC, the following event is logged in the system event log every time the PPTP tunnel disconnects:

Event Type: Information

Event Source: RemoteAccess

Event Category: None

Event ID: 20048

Date: DD/MM/YYYY

Time: 

User: N/A

Computer: SERVERNAME

Description: The user DOMAIN\USERNAME connected on port VPN4-127 on MM/DD/YYYY at HH:MM and disconnected on MM/DD/YYYY at HH:MM. The user was active for 1 minutes 32 seconds. 749 bytes were sent and 10349 bytes were received. The port speed was 10000000. The reason for disconnecting was user request.



CAUSE
This problem may occur if the VPN servers have been configured to use two PPTP tunnels, and if the end that initiates that the PPTP control channel is running Network Address Translation (NAT).

NAT may be active if it has been configured in Routing and Remote Access or if the Internet Security and Acceleration (ISA) Server Firewall service is started.

Two PPTP tunnels may be established if the user name of the calling server does not match the remote server's demand-dial interface. Routing and Remote Access uses the user name to see if a local demand-dial interface should be associated with the tunnel. If a match is found, the two interfaces are associated, and both enter a connected state. Traffic can then be tunneled in both directions over one PPTP tunnel. If the user name does not match, two PPTP tunnels are established over the same PPTP control channel (TCP connection); one PPTP call in each direction. RFC 2637 states that only one PPTP control channel should be established between a PPTP Access Concentrator (PAC) and a PPTP Network Server (PNS).

When NAT is running on a Routing and Remote Access VPN Server, all outbound connections are subject to NAT. Routing and Remote Access uses a NAT editor to translate the PPTP packets and make sure that packets received on the public side of NAT is delivered to the correct port on the private side. To do this the PPTP NAT Editor creates a mapping to keep track of each PPTP session. The mapping uses the IP addresses and the PPTP Call IDs to translate the packets correctly. The PPTP Call ID and the PPTP Peer's Call ID are negotiated during the PPTP Call Request and the PPTP Call Reply. When the second PPTP tunnel is created the PPTP Call Request is received on the already existing PPTP Control Channel but in the opposite direction. However a new mapping in the PPTP NAT Editor is not created and the PPTP packets are dropped.



WORKAROUND
To work around this problem, configure the Demand Dial interfaces and user names so the interfaces are associated and only one PPTP tunnel is used. You can do this manually, as explained in this procedure, or you can use the ISA Server VPN Configuration Wizard if both ends are running ISA. The ISA Server VPN Configuration Wizard correctly configures the demand-dial interface names and user credentials.

To configure the demand-dial interfaces manually follow the instructions below. Replace the names  and   with the location of each site.

On

 * 1) Open the Routing and Remote Access MMC, and then expand Server.
 * 2) Right-click Routing Interfaces, and then click New Demand-Dial Interface.
 * 3) Click Next to start the wizard.
 * 4) In the Interface Name dialog box, use the interface name  _, and then click Next.
 * 5) In the Connection Type dialog box, click Connect using virtual private networking (VPN), and then click Next.
 * 6) In the VPN Type dialog box, click Point To Point Tunneling Protocol (PPTP), and then click Next.
 * 7) In the Destination Address dialog box, type the IP address or the DNS name of the destination VPN server, and then click Next.
 * 8) In the Protocols and Security dialog box, leave the default settings, and then click Next.
 * 9) In the Dial Out Credentials dialog box, use  _  as the user name, type the domain name and password, click Next, and then click Finish.
 * 10) Right-click the newly-created demand-dial interface, and then click Properties.
 * 11) On the Options tab, change Connection Type to Persistent Connection, and then click OK.
 * 12) Expand IP Routing, and then click Static Routes.
 * 13) Right-click Static Routes, and then click New Static Route.
 * 14) In the Interface list, click the newly-created interface  _ .
 * 15) In the Destination field, type the network destination for.
 * 16) In the Network Mask field, type the subnet mask for , and then click OK.

On

 * 1) Open the Routing and Remote Access MMC, and then expand Server.
 * 2) Right-click Routing Interfaces, and then click New Demand-Dial Interface.
 * 3) Click Next to start the Wizard.
 * 4) In the Interface Name dialog box, use the interface name  _, and then click Next.
 * 5) In the Connection Type dialog box, click Connect using virtual private networking (VPN), and then click Next.
 * 6) In the VPN Type dialog box, click Point To Point Tunneling Protocol (PPTP), and then click Next.
 * 7) In the Destination Address dialog box, type the IP address or the DNS name of the destination VPN server, and then click Next.
 * 8) In the Protocols and Security dialog box, leave the default settings, and then click Next.
 * 9) In the Dial Out Credentials dialog box, use  _  as the user name, type the domain name and password, click Next, and then click Finish.
 * 10) Right-click the newly-created demand-dial interface, and then click Properties.
 * 11) On the Options tab, change Connection Type to Demand dial, change Idle time before hanging up to Never, and then click OK.
 * 12) Expand IP Routing, and then click Static Routes.
 * 13) Right-click Static Routes, and then click New Static Route.
 * 14) In the Interface list, click the newly created interface  _.
 * 15) In the Destination field, type the network destination for.
 * 16) In the Network Mask field, type the subnet mask for , and then click OK.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



You can use the Routing and Remote Access MMC to see if a demand-dial interface is configured correctly by looking at the Remote Access Clients node. If the PPTP tunnel appears in this view, the user name did not match any local demand-dial interfaces, and the connection may be affected by the issue.

Additional query words:



Keywords: kbqfe kbpending kbbug KB834426

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.