Microsoft KB Archive Search

Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

  1. Home
  2. A demand-dial PPTP connection may disconnect every 1 minute and 30 seconds

A demand-dial PPTP connection may disconnect every 1 minute and 30 seconds

View products that this article applies to.

Symptoms

A demand-dial Point-to-Point Tunneling Protocol (PPTP) connection between two Windows servers that use the Routing and Remote Access service may disconnect every 1 minute and 30 seconds.

Also, if Log the maximum amount of information has been set on the Event Logging tab in the Routing and Remote Access MMC, the following event is logged in the system event log every time the PPTP tunnel disconnects:

Event Type: Information
Event Source: RemoteAccess
Event Category: None
Event ID: 20048
Date: DD/MM/YYYY
Time: <Time>
User: N/A
Computer: SERVERNAME
Description: The user DOMAIN\USERNAME connected on port VPN4-127 on MM/DD/YYYY at HH:MM and disconnected on MM/DD/YYYY at HH:MM. The user was active for 1 minutes 32 seconds. 749 bytes were sent and 10349 bytes were received. The port speed was 10000000. The reason for disconnecting was user request.

↑ Back to the top

Cause

This problem may occur if the VPN servers have been configured to use two PPTP tunnels, and if the end that initiates that the PPTP control channel is running Network Address Translation (NAT).

NAT may be active if it has been configured in Routing and Remote Access or if the Internet Security and Acceleration (ISA) Server Firewall service is started.

Two PPTP tunnels may be established if the user name of the calling server does not match the remote server's demand-dial interface. Routing and Remote Access uses the user name to see if a local demand-dial interface should be associated with the tunnel. If a match is found, the two interfaces are associated, and both enter a connected state. Traffic can then be tunneled in both directions over one PPTP tunnel. If the user name does not match, two PPTP tunnels are established over the same PPTP control channel (TCP connection); one PPTP call in each direction. RFC 2637 states that only one PPTP control channel should be established between a PPTP Access Concentrator (PAC) and a PPTP Network Server (PNS).

When NAT is running on a Routing and Remote Access VPN Server, all outbound connections are subject to NAT. Routing and Remote Access uses a NAT editor to translate the PPTP packets and make sure that packets received on the public side of NAT is delivered to the correct port on the private side. To do this the PPTP NAT Editor creates a mapping to keep track of each PPTP session. The mapping uses the IP addresses and the PPTP Call IDs to translate the packets correctly. The PPTP Call ID and the PPTP Peer's Call ID are negotiated during the PPTP Call Request and the PPTP Call Reply. When the second PPTP tunnel is created the PPTP Call Request is received on the already existing PPTP Control Channel but in the opposite direction. However a new mapping in the PPTP NAT Editor is not created and the PPTP packets are dropped.

↑ Back to the top

Workaround

To work around this problem, configure the Demand Dial interfaces and user names so the interfaces are associated and only one PPTP tunnel is used. You can do this manually, as explained in this procedure, or you can use the ISA Server VPN Configuration Wizard if both ends are running ISA. The ISA Server VPN Configuration Wizard correctly configures the demand-dial interface names and user credentials.

To configure the demand-dial interfaces manually follow the instructions below. Replace the names SiteA and SiteB with the location of each site.

On SiteA

  1. Open the Routing and Remote Access MMC, and then expand Server.
  2. Right-click Routing Interfaces, and then click New Demand-Dial Interface.
  3. Click Next to start the wizard.
  4. In the Interface Name dialog box, use the interface name SiteA_SiteB, and then click Next.
  5. In the Connection Type dialog box, click Connect using virtual private networking (VPN), and then click Next.
  6. In the VPN Type dialog box, click Point To Point Tunneling Protocol (PPTP), and then click Next.
  7. In the Destination Address dialog box, type the IP address or the DNS name of the destination VPN server, and then click Next.
  8. In the Protocols and Security dialog box, leave the default settings, and then click Next.
  9. In the Dial Out Credentials dialog box, use SiteB_SiteA as the user name, type the domain name and password, click Next, and then click Finish.
  10. Right-click the newly-created demand-dial interface, and then click Properties.
  11. On the Options tab, change Connection Type to Persistent Connection, and then click OK.
  12. Expand IP Routing, and then click Static Routes.
  13. Right-click Static Routes, and then click New Static Route.
  14. In the Interface list, click the newly-created interface SiteA_SiteB.
  15. In the Destination field, type the network destination for SiteB.
  16. In the Network Mask field, type the subnet mask for SiteB, and then click OK.

On SiteB

  1. Open the Routing and Remote Access MMC, and then expand Server.
  2. Right-click Routing Interfaces, and then click New Demand-Dial Interface.
  3. Click Next to start the Wizard.
  4. In the Interface Name dialog box, use the interface name SiteB_SiteA, and then click Next.
  5. In the Connection Type dialog box, click Connect using virtual private networking (VPN), and then click Next.
  6. In the VPN Type dialog box, click Point To Point Tunneling Protocol (PPTP), and then click Next.
  7. In the Destination Address dialog box, type the IP address or the DNS name of the destination VPN server, and then click Next.
  8. In the Protocols and Security dialog box, leave the default settings, and then click Next.
  9. In the Dial Out Credentials dialog box, use SiteA_SiteB as the user name, type the domain name and password, click Next, and then click Finish.
  10. Right-click the newly-created demand-dial interface, and then click Properties.
  11. On the Options tab, change Connection Type to Demand dial, change Idle time before hanging up to Never, and then click OK.
  12. Expand IP Routing, and then click Static Routes.
  13. Right-click Static Routes, and then click New Static Route.
  14. In the Interface list, click the newly created interface SiteB_SiteA.
  15. In the Destination field, type the network destination for SiteA.
  16. In the Network Mask field, type the subnet mask for SiteA, and then click OK.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

You can use the Routing and Remote Access MMC to see if a demand-dial interface is configured correctly by looking at the Remote Access Clients node. If the PPTP tunnel appears in this view, the user name did not match any local demand-dial interfaces, and the connection may be affected by the issue.

↑ Back to the top

Keywords: KB834426, kbbug, kbpending, kbqfe

↑ Back to the top

Article Info
Article ID : 834426
Revision : 4
Created on : 10/31/2006
Published on : 10/31/2006
Exists online : False
Views : 326