Blue Screen, then unable to Tunnel into work via AT&T VP

[dpm_dpmartin]

I have an issue with using AT&T's VPN program to tunnel into my company's resources. This all started when I received a Windows blue screen - DRIVER_IRQL_NOT_LESS_OR_EQUAL - the blue screen pointed towards the file "NDIS.SYS". I am using a ThinkPad T41, Windows XP - was SP1, now SP2.

After the blue screen, AT&T will still tunnel successfully, but no company resources are available. In the detailed messages I get "Do 'MaybeCheckPrimaryDNS" and then "The Configured DNS(s) (x.x.x.x x.x.x.x) could not be reached. You may not be able to resolve names (like www.company.com) during this connection." - I do obtain a company IP address, verified with ipconfig, but no-one can ping me and I cannot ping anyone.

I can get to the Internet - Amazon, Google etc. no problems.

In an attempt to solve this, I have:

1) Re-installed AT&T, several times - I have removed all user settings as well.
2) Turned off the firewall (Check Point Integrity Client); and re-installed the firewall.
3) Turned off ThinkVantage Access Connections; and re-installed Access Connections.
4) Re-installed TCP/IP.
5) Installed XP SP 2.

No joy!

I can access company resources from a company location via the LAN. I cannot access company resources from company locations (there are a few) which require us to tunnel in as well. This is using Ethernet. I cannot access company resources from home using either Wireless or Wired connections to my D-Link router - this has always worked before. I cannot access company resources from a hotel, or customer site using AT&T tunnelling. I cannot access company resources using the same AT&T program to dial-in via a telephone line.

All the above leads me to believe there is something wrong that lies between the hardware and the AT&T program. After all, I can get to company resources directly via an Ethernet cable when I do not need to tunnel, and I have re-installed the AT&T program about four times now - so it must be clean.

Working with my company's Support, we have tried many other things, including:

1) MTU size is 1460, according to SpeedGuide.net.
2) We have set Black Hole detect to true in the registry.
3) We have ensured all AT&T settings are as they should be.
4) Ensured that my AGN Virtual Network Adapter is ordered first.
5) There is no XP bridging enabled.

I have analysed the minidumps created in C:\WINDOWS\Minidump using WinDbg and it pointed to the cause of the Blue Screen as being related to "avpnnic.sys"; the PROCESS_NAME was "svchost.exe". I have checked with a colleague's machine and my "avpnnic.sys", "ndis.sys" and "svchost.exe" files are the same, byte for byte with the same files on their machine.

Obviously I am at bit of a loss, both me and my company's Support function in fact. They want me to have a complete refresh of the ThinkPad, but I'm resisting that at the moment as I have loads of software on there that will take me days to re-install - I might have to bite the bullet eventually though.

Does anyone have any other ideas of what I might check now? If so, I am very willing to listen and try...

[DIGITALgimpus]

Make sure the driver for your network card(s) are up to date. That's the most likely cause.

[dpm_dpmartin]

Actually, ThinkVantage System Update has done this previously. It should have been on my list before. This would be the complete list of what I have tried though... in rough order...

1 ) Turned off the firewall.
2 ) Re-installed new AT&T over the old one; removed user settings.
3 ) De-installed AT&T, and re-installed. (Done it 4 times in total).
4 ) Turned off ThinkVantage Access Connections.
5 ) De-installed and re-installed Access Connections.
6 ) Used ThinkVantage System Update to update the NIC drivers.
7 ) Removed the firewall and re-installed it.
8 ) Re-installed TCP/IP.
9 ) Ensured the MTU size was between 1460 and 1500.
10 ) Done the Black Hole detect registry change.
11 ) Installed XP SP2.
12 ) Re-ensured all AT&T settings are correct by looking at a colleague's machine.
13 ) Ensured that my AGN Virtual Network Adapter is ordered first.
14 ) Clarified that there is no XP bridging enabled.

So, I would be interested in why you think that this might be the most likely cause - after all, I can still get to the Internet via all routes - wired or wireless, home or office - I just can't tunnel into my company because, during the tunnelling process, the program can't seem to access any DNS servers.

Any extra ideas welcome...

[Tigsman]

Actually, its probably the SP2 update you did. I use the dailer for my company and i know there was an update pushed out for those using SP2. You might want to investigate that path/resource.



T

[dpm_dpmartin]

Please do take into consideration the fact that the tunnelling worked completely fine before the blue screen - then it failed. All of the actions listed below were taken as a potential remedy to the situation... so how could SP2 have been the cause?

I am not sure that your logic is sound at all.

[pben14]

I have the same problem:
Browser : IE6
Operating System: XP Pro SP2 Fr
Problem Description : Blue screen crash when connecting to my company's VPN using AT&T global network client in IPSec setting (no problem if using SSL) since Kaspersky Internet Security 6 was installed on my computer (before I used to have Symantec antivirus, and there was no trouble, but Kaspersky is better, no ?)

Error Messages: Blue screens error messages: "Bad_Pool_Caller" or "Driver_Irql_Not_Less_Or_Equal"

Hoping Kaspersky will make a corrective or AT&T build a new version of AGN driver for IPSec...

[pvetch]

I've had this problem too, on a T42p. Though I was using the standard XP VPN dialer in IPSec mode. I also ran Kaspersky Business edition (which IMHO is certainly better than Symantec) - looks like it may be part of the problem though.

Since I've had T60p I haven't had this problem. Also my X31 has never had the problem either - all making the same connection, all with Kaspersky.

[SirJack]

Hello from Italy.
I've a T30 with XP SP2, and i'm experiencing a quite similar problem.
Me too, I connect to my company's network using both AGN Virtual Network Adapter and AT&T Network Client, but i'm a little more lucky than you: i can connect only one time, ie. if the connection drops, in order to reconnect i have to restart Windows. Quite annoying...
I think our problem it's related to the AGN Virtual Network Adapter and AT&T Network Client relationships. Sometimes AT&T connects while AGN is still acquiring network address, some other times AGN gets connected while AT&T is even not started.
Please let me know if you're still experiencing the problem, and, if no more, please write down here the solution.
Best regards,

SirJack

[Steltek]

I've got the exact same issue on a Dell Latitude D610:

Windows XP SP2, AT&T Dialer worked fine and all of a sudden stopped working. I can connect through dial-in or via broadband VPN, the Connection establishes, but I cannot reach my company network. (the AGN's log shows the 'The Configured DNS(s) (x.x.x.x x.x.x.x) could not be reached.' error messages, ...)

I've also tried traceroutes to internal servers, only to find that the packets apparently never even leave my system (I get no response whatsoever, not a single gateway responding....).

I've tried reinstalling the dialer (various releases from 5 to 6) but to no avail, reinstalling SP2 didn't fix anything either, reset my winsock stack, reinstalled the network interface several times, .... no luck. I'm out of ideas and fear the only resolution to this will be to wipe out my entire Windows installation (knowing fully well that with the new install, the problem may reappear and I will still have no way of fixing it and only lost my time reinstalling everything).

I even had a ticket open with the AT&T helpdesk here in Europe, but apart from confirming that my login worked fine from other computers, they never did anything.

[Mobile_Mike]

I too use this VPN and over the years have seen this problem. Try going into the VPN under "Show Login Properties"->"Preferences" and check "Override Defaults". Scoll down this list and either check or uncheck "Negotiate UDP encapsulation with VPN for NAT traversal". Have this checked works for me ....

[Steltek]

Alas, toggling that setting does not help. AT&T connects to the VPN, but still won't route packets.

[Mobile_Mike]

One last try here: if you open a command prompt and type IPCONFIG /ALL do you see an IP address and DNS fo the "AGN Virtual Network Adapter"? If you go into you adapter's property setting is the "AGN VPN Client" listed under the adapter and checked?

[Mobile_Mike]

also, what version of the AT&T VPN?

[SirJack]

also, what version of the AT&T VPN?

From the "About..." panel:

AT&T Network Client GA 2 for <MyCompanyName>
Version 5.09.2 English
AT&T IPSec Application version 5.09.2
for Windows 98, Me, 2000, and XP

In addition, after connecting, the VPN Network Connection become Connected, and, strangely remains Connected even if I disconnect any other connection.

FYI, I'll try your "Negotiate UDP encapsulation with VPN for NAT traversal" flag suggestion and i'll post here if it solves or not.

Regards from Roma.

[pietjepuk]

I had vpn issues and traced them down to the tvt packet filter option, see topic http://forum.thinkpads.com/viewtopic.php?t=33423

[Steltek]

Sorry for waking up this thread, but I've finally resolved my AT&T VPN issues and thought I might share the resolution. In my case it was:

Go to the network connections, there right-click the 'AGN Virtual Network Adapter' and select properties. In the 'this connection uses the following items' part where you can select services attached to the connection, uncheck 'Odyssey Network Agent'. Now click OK and you're done.

The 'Odyssey Network Agent' was probably installed on my system by my Wireless Network card (a Linksys WPC54G in my case) to do WPA authentication (AES encryption and the like, that were not supported in Windows XP before Service Pack 2). I'm no longer using that card, so I'm not sure whether that Odyssey stack is still functional or somehow damaged, but I guess if it is attached to the aforementioned virtual AGN connection, it somehow filters or mangles all the passing packages, preventing the VPN connection from working properly.

So, if you're seeing this problem, I guess it's a good idea to go check what is attached to the AGN Virtual Network connection and try to unhook services you don't need there.

[dpm_dpmartin]

Sadly, I am still experiencing this issue with AT&T Network Client. I have been using WebSphere Everyplace Connection Manager for previous months, but thought I would re-investigate AT&T lately.

I had previously uninstalled version 5.0.9.2 so I re-installed that to check it still did the same thing (it did, as below), then I installed the latest I could get from AT&T over it, version 7.0.2.3003, hoping that might fix something.

With 5.0.9.2 I got the following line in the "Detailed Messages":
18:01:32.468 The configured DNS(s) (9.64.162.21 9.64.163.21) could not be reached. You may not be able to resolve names (like www.company.com) during this connection.

And with version 7.0.2.3003 I get:
21:27:13.760 The configured DNS(s) (9.64.162.21 9.64.163.21) could not be reached. You may not be able to resolve names (like www.company.com) during this connection.

Exactly the same! And when I go to my company's Intranet page, I get the Page Not Found. Most frustrating. I can still access everything on the Internet of course.

I tried changing the "Negotiate UDP encapsulation with VPN for NAT traversal" option, but nothing better happened. Nothing seemed to change actually.

I've tried connecting via SSL-DualAccess instead of IPSec-DualAccess but that changed nothing too.

I've tried ipconfig /all and do get details for the AGN Virtual Network Adapter.

Not sure what else to try here.

[Steltek]

Check the bindings of the services both on your network card and on the 'AGN Virtual Network Adapter' connection. Remove anything from the bindings that is not needed (as seen in my case above, a service bound to the virtual adapter was causing the problem).

[tiagobittar]

I am having a quite similar issue on my T42...

First I had some problems with AT&T Network client.... A few bluescreens later and the uninstall/install of the drivers for my ethernet card, wireless card and AGN Virtual Network Adapter, I managed to :

- Connect to my company's network through AT&T Network client using IPSec Duall Access from home where I am behind a Linksys WRT58G, therefore connecting through wireless card and AGN

However, when I tried to connect from the client site - where I connect throught the ethernet card and I have to use SSL Dual Acess (due to firewall) - AT&T connects but do not find the DNS: (The configured DNS(s) (x.x.x.x and x.x.x.x) could not be reached. You may not be able to resolve names (like www.company.com) during this connection)

I have already try playing with the "Negotiate UDP encapsulation with VPN for NAT traversal" flag but still can't reach the DNS.

Since I can connect from home (wireless), I assume that I can rule out AGN Virtual Network Adapter config as a possible cause of the problem, so I moved to the Ethernet Card config....

Following Steltek suggestions, I start removing a few services from the Ethernet card and..... Bluescreens again (( Maybe 'cause I removed more than I should, or maybe this is not the solution all together...

In any case, the services I have on my "Intel(R) PRO/1000 MT Mobile Connection" ethernet card are:
- Client for Microsoft Network
- Eeacfilt Driver
- Net Firewall Service
- VMware Bridge Protocol
- Deterministic Network Enhancer
- AEGIS Protocol (IEEE 802.1x) v 3.4.10.0
- IBM Personal Communications LLC2 Driver
- Internet Protocol (TCP/IP)

Any ideas? For some reason I can't find the company's DNS....