PPTP VPN not working with Windows 7. Error 691. Works fine with XP.

    Question

  • Hi folks. I have a client who recently got a Windows 7 computer and now the PPTP hosted by their server 2003 VPN is not working. I get error 691 when I try to connect.  I've tried all sorts of different connection options for the VPN but it will not connect.  I tried from my XP Pro Sp3 computer and the VPN works fine.  Any ideas?  Thanks.

    Got this from the server log:

     NAS-IP-Address = 10.90.1.1
     NAS-Identifier = <not present>
     Called-Station-Identifier = <not present>
     Calling-Station-Identifier = 0.0.0.0
     Client-Friendly-Name = PIX
     Client-IP-Address = 10.90.1.1
     NAS-Port-Type = <not present>
     NAS-Port = 346
     Proxy-Policy-Name = Use Windows authentication for all users
     Authentication-Provider = Windows
     Authentication-Server = <undetermined>
     Policy-Name = <undetermined>
     Authentication-Type = MD5-CHAP
     EAP-Type = <undetermined>
     Reason-Code = 19
     Reason = The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.

    For more information, see Help and Support Center at

    Thursday, May 06, 2010 5:03 PM

Answers

  • Hi,

    Based on my research, I suggest you temporarily turn off the firewall and refer to the following article to troubleshoot the issue.

    VPN Error 691

    If the issue persists, please also collect the RAS logs for our further research.

    RAS Logs
    =======

    Note: The logs need to be collected before you start the connection setup.

    Execute the following from an elevated command prompt on both computers (the one that works and the one that fails).

    1.  Run “netsh ras set tr * en” (without quotes). This enables logging.

    2.  Recreate the issue.

    3.  Run “netsh trace stop” (without quotes).

    4.  Run “netsh ras set tr * di” (without quotes). This disables logging.

    Please share the files, %systemdrive%\users\%USERNAME%\AppData\Local\Temp\nettraces\nettrace.etl, nettrace.cab and %systemdrive%\windows\tracing\* with us.

    You can upload the files to Windows Live SkyDrive and share its URL with us.

    Thanks.

    Novak

    • Marked as answer by Novak Wu Monday, May 17, 2010 8:34 AM
    Thursday, May 13, 2010 2:11 AM

All replies

  • Hi all...

    Did you ever fix this problem?

    I'm having the same issue.

    Tuesday, June 01, 2010 7:47 PM
  • I have an MCSE certificate but I couldn't configure an easy PPTP VPN!!!

    What's wrong?

    There wasn't any problem in Server 2003 and XP.

    Now I have Server 2008 Enterprise and Windows 7 Ultimate, and for 3 days I have been having this issue!!

    I'm going crazy and I can't sleep because of this problem :-(

    Is there any answer?

    Error:

    CoId={1F2E9B4A-E957-4DE5-95C9-1DE5D6F847E7}: The user David connected from 20.20.20.6 but failed an authentication attempt due to the following reason: The connection was denied because the username and/or password you specified is invalid. This could be caused by the following conditions: Your username and/or password was mis-typed. The specified username does not exist on the server. Your password has expired. The administrator has not given you access to connect remotely. The selected authentication protocol is not permitted on the remote server.

    The whole scenario is correct, so why do I have a problem!???

    Tuesday, July 27, 2010 10:48 AM
  • Hi Cyberline,

    Not sure that my issue was identical to yours, as I was variously getting DUN errors 800, 806 & 807 (mostly 806 with sensible settings on the client). I had an XP box connecting to both 2k3 and 2k8R2 RRAS servers and a Win7 box that would only connect to the 2k3 box. 806 (unsurprisingly) was a red herring here as all the other three connections worked, and there was no additional software firewall installed on the Win7 box. Turns out the issue was negotiation and/or authentication. Setting the VPN type to PPTP and unticking CHAP as an authentication protocol got it working (VPN connection | Properties | Security). Strangely enough, I couldn't replicate this issue on the Win7 box after it successfully connected, even with a separate VPN connection.

    All very strange, but I hope it saves you/someone else a few hours of head scratching, as it drove me pretty crazy this afternoon too.

    Wednesday, August 04, 2010 3:14 PM
  • I was getting error 734 with windows 7 dial up networking.  I finally found this article http://blogs.technet.com/b/rrasblog/archive/2007/04/08/troubleshooting-vista-vpn-problems.aspx that notes MS-CHAPv1 support has been removed from Vista and Win7.  After using XP with only 1 authentication protocol enabled at a time to test dial-up, I found that my dial-up server was only allowing MS-CHAPv1 and hence Vista and Win7 cannot connect.  When I try to use MS-CHAPv2 I get error 734.  If I tried PAP or CHAP, I got error 691 since those were disabled in the dial-up server.
    Wednesday, May 25, 2011 8:20 PM
  • Hi folks. I have a client who recently got a Windows 7 computer and now the PPTP hosted by their server 2003 VPN is not working. I get error 691 when I try to connect.  I've tried all sorts of different connection options for the VPN but it will not connect.  I tried from my XP Pro Sp3 computer and the VPN works fine.  Any ideas?  Thanks.

    Got this from the server log:

     NAS-IP-Address = 10.90.1.1
     NAS-Identifier = <not present>
     Called-Station-Identifier = <not present>
     Calling-Station-Identifier = 0.0.0.0
     Client-Friendly-Name = PIX
     Client-IP-Address = 10.90.1.1
     NAS-Port-Type = <not present>
     NAS-Port = 346
     Proxy-Policy-Name = Use Windows authentication for all users
     Authentication-Provider = Windows
     Authentication-Server = <undetermined>
     Policy-Name = <undetermined>
     Authentication-Type = MD5-CHAP
     EAP-Type = <undetermined>
     Reason-Code = 19
     Reason = The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account. To ensure that reversibly encrypted passwords are enabled, check either the domain password policy or the password settings on the user account.

    For more information, see Help and Support Center at


    Thursday, December 01, 2011 10:11 AM
  • What worked for me was to allow only one security protocol in the Windows VPN properties. By default CHAP and MS-CHAPv2 are both allowed; I disabled CHAP (my PPTP server can handle MS-CHAPv2).
    Tuesday, December 20, 2011 1:47 PM
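
Added example (not part of the thread, and not Microsoft's code): a small Python parser for the server-log event quoted in the question, flagging the combination the replies point to, Authentication-Type MD5-CHAP together with Reason-Code 19. The function names and finding labels are hypothetical, the sample event is constructed from the quoted log, and the suggested remediation assumes the server accepts MS-CHAPv2, as in the replies.

```python
import re

# Constructed sample: a subset of the "Name = value" lines from the quoted event.
SAMPLE_EVENT = """\
 NAS-IP-Address = 10.90.1.1
 Client-Friendly-Name = PIX
 Policy-Name = <undetermined>
 Authentication-Type = MD5-CHAP
 EAP-Type = <undetermined>
 Reason-Code = 19
 Reason = The user could not be authenticated using Challenge Handshake Authentication Protocol (CHAP). A reversibly encrypted password does not exist for this user account.
"""

# Values the log uses when an attribute carries no information.
PLACEHOLDERS = {"<not present>", "<undetermined>"}


def parse_ias_event(text):
    """Return {attribute: value or None} for every 'Name = value' line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z][A-Za-z-]*)\s*=\s*(.*?)\s*$", line)
        if m:
            name, value = m.groups()
            fields[name] = None if value in PLACEHOLDERS else value
    return fields


def diagnose(fields):
    """Map negotiated protocol + reason code to (label, advice). Labels are hypothetical."""
    auth = fields.get("Authentication-Type")
    reason = fields.get("Reason-Code")
    if auth == "MD5-CHAP" and reason == "19":
        # CHAP verification needs the cleartext-equivalent password on the server,
        # so the safer change is on the client: stop offering CHAP.
        return ("chap-no-reversible-password",
                "Client negotiated CHAP but the account has no reversibly "
                "encrypted password. Untick CHAP on the client so MS-CHAPv2 is "
                "negotiated instead of enabling reversible encryption.")
    if auth == "MD5-CHAP":
        return ("chap-negotiated",
                "CHAP was negotiated; check why MS-CHAPv2 was not selected.")
    return ("unclassified", f"Authentication-Type={auth}, Reason-Code={reason}")


if __name__ == "__main__":
    label, advice = diagnose(parse_ias_event(SAMPLE_EVENT))
    print(label)
    print(advice)
```
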
  • This thread is rather old, but still. If someone finds it, this helped me:

    In the VPN connection properties, go to the Options tab and unselect [ ] Include Windows logon domain.

    This works with Linksys PPTP VPNs


    SelfMan

    Tuesday, September 04, 2012 5:22 PM
  • I got it working by taking away the .local part in my domain name.

    Instead of "company.local" use "Company"

    I just used company and it connected instantly. No error 691

    Tuesday, October 02, 2012 12:28 PM