Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Windows RRAS GRE error

I have a Win2K3 RRAS server behind a 2801 router. The server is statically NATted and GRE and port 1723 are allowed via the external ACL.

I thought this was just a Windows error, but the error I get when clients try to connect led me to post this here.

The connection begins, then times out with the following error:

Event Type: Warning

Event Source: Rasman

Event Category: None

Event ID: 20209

Date: 6/6/2008

Time: 1:33:36 PM

User: N/A

Computer: SERVER


A connection between the VPN server and the VPN client has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets.

This implies that the problem is with GRE. However, GRE is permitted any any. What gives?


Re: Windows RRAS GRE error

Have you provisioned the return path (inspection on the 2801's external interface, or ACL on the 2801's internal interface) to permit GRE between the two endpoints?

New Member

Re: Windows RRAS GRE error

No ACL is applied going in or out the inside interface (Fast 0/1.)

On the outside interface, the ACL is:

ip nat inside source static

access-list 160 permit icmp any any

access-list 160 permit gre any any

access-list 160 permit tcp any host eq 1723

int Fast0/0

ip access-group 160 in


That should be enough to get PPTP going from the router's standpoint.