Question
Friday, June 4, 2010 7:56 PM
Hi All,
I am connecting to my VPN server with a PPTP or L2TP connection, and the client is getting an IP address, but is unable to get out to the internet or browse local resources. I am assigning addresses via DHCP and here is what I get from an IPconfig/all:
PPP adapter AIS VPN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : AIS VPN
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 192.168.1.57
192.168.1.50
NetBIOS over Tcpip. . . . . . . . : Enabled
The only problem I can see is that there is no default gateway (0.0.0.0). Is there somewhere I can set that? Thanks in advance!
--Zaheer
All replies (43)
Saturday, June 5, 2010 2:47 AM | 1 vote
Hello Zaheer,
You will need WINS to make this happen. Browsing uses the Browser service and is NetBIOS based. Unfortunately DNS does not support this. AD supports browsing to an extent, but not for VPN users.
Once WINS is installed, you will want to add it to the WINS entry in all NIC properties. For DHCP, you would need to add the WINS options:
Option 044: <WINS IP Address>
Option 046: 0x8
Install and Manage WINS Servers:
http://technet.microsoft.com/en-us/library/cc781979(WS.10).aspx
Ace
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003 Microsoft Certified Trainer Microsoft MVP - Directory Services This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Sunday, June 6, 2010 1:02 AM | 1 vote
Hello,
On your VPN Client, go to Networking, TCP/IP Properties ADVANCED and uncheck "use default gateway on remote network".
Restart VPN connection.
Miguel
Miguel Fra / Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site
Monday, June 7, 2010 5:00 PM
Thanks Ace I will put this on my to-do list!
--Zaheer
Monday, June 7, 2010 5:04 PM
Hi Miguel,
I did that and it did solve the problem of losing internet connectivity, but I still can't access any resources on the VPN network. I cannot ping my domain controllers or other machines.
Here is the IPconfig from the VPN client machine:
PPP adapter AIS VPN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : AIS VPN
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.57
192.168.1.50
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Ethernet
Physical Address. . . . . . . . . : 00-04-4B-00-C3-E2
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.2.102(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, June 07, 2010 12:54:38 PM
Lease Expires . . . . . . . . . . : Monday, June 07, 2010 1:24:38 PM
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
NetBIOS over Tcpip. . . . . . . . : Enabled
and here are the network connection details from the VPN connection:
Connection-specific DNS Suffix:
Description: AIS VPN
Physical Address:
DHCP Enabled: No
IPv4 Address: 192.168.1.21
IPv4 Subnet Mask: 255.255.255.255
IPv4 Default Gateway:
IPv4 DNS Servers: 192.168.1.57, 192.168.1.50
IPv4 WINS Server:
NetBIOS over Tcpip Enabled: Yes
In the TCP/IP of the VPN connection, it is set to DHCP, so I'm not sure why it shows DHCP as not enabled.
--Zaheer
Tuesday, June 8, 2010 3:21 AM
On Mon, 7 Jun 2010 17:04:11 +0000, AISWW wrote:
>
>
>Hi Miguel,
>
>I did that and it did solve the problem of losing internet connectivity, but I still can't access any resources on the VPN network. I cannot ping my domain controllers or other machines.
>
>Here is the IPconfig from the VPN client machine:
>
>PPP adapter AIS VPN:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : AIS VPN
> Physical Address. . . . . . . . . :
> DHCP Enabled. . . . . . . . . . . : No
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.255
> Default Gateway . . . . . . . . . :
> DNS Servers . . . . . . . . . . . : 192.168.1.57
> 192.168.1.50
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
>Ethernet adapter Local Area Connection:
>
> Connection-specific DNS Suffix . :
> Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Ethernet
> Physical Address. . . . . . . . . : 00-04-4B-00-C3-E2
> DHCP Enabled. . . . . . . . . . . : Yes
> Autoconfiguration Enabled . . . . : Yes
> IPv4 Address. . . . . . . . . . . : 192.168.2.102(Preferred)
> Subnet Mask . . . . . . . . . . . : 255.255.255.0
> Lease Obtained. . . . . . . . . . : Monday, June 07, 2010 12:54:38 PM
> Lease Expires . . . . . . . . . . : Monday, June 07, 2010 1:24:38 PM
> Default Gateway . . . . . . . . . : 192.168.2.1
> DHCP Server . . . . . . . . . . . : 192.168.2.1
> DNS Servers . . . . . . . . . . . : 192.168.2.1
> NetBIOS over Tcpip. . . . . . . . : Enabled
>
>and here are the network connection details from the VPN connection:
>
>Connection-specific DNS Suffix:
>Description: AIS VPN
>Physical Address: ?
>DHCP Enabled: No
>IPv4 Address: 192.168.1.21
>IPv4 Subnet Mask: 255.255.255.255
>IPv4 Default Gateway:
>IPv4 DNS Servers: 192.168.1.57, 192.168.1.50
>IPv4 WINS Server:
>NetBIOS over Tcpip Enabled: Yes
>
>In the TCP/IP of the VPN connection, it is set to DHCP, so I'm not sure why it shows DHCP as not enabled.
>
>--Zaheer
>
>
Hi Zaheer ,
If you are trying to ping using the single name, such as "ping
serverName," it will be using NetBIOS across the VPN connection. I see
you haven't tried WINS, since I do not see it in the VPN or LAN
interface ipconfig. This will be your answer to be able to ping in
this fashion, as well as allow UNC paths, mapped drives, and simple
browsing of resources.
As far as internet connectivity, I'm glad to hear you got that
straightened out.
Actually, DHCP is enabled on the RRAS server. What the RRAS
server does is pull a block of 10 IPs at a time from the
local DHCP server to provide IPs for VPN clients. When the pool
reaches 10 clients, then it will pull another 10. The workstation will
not show it that way, since the RRAS server is providing the
configuration.
Ace
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Tuesday, June 8, 2010 3:33 AM
Hi Ace,
Thanks for clarifying the point on DHCP. As far as the ping goes, I was trying to ping by server IP, not NetBIOS name. In this case, I was trying to ping the DC - 192.168.1.57 but got no response. If the VPN is connecting correctly, I should be able to ping by IP, right?
--Zaheer
Tuesday, June 8, 2010 3:44 AM | 1 vote
That depends. Have you enabled ICMP echo on this server? Ping is not a reliable test these days with most machines having firewalls enabled which block ICMP.
Does nslookup work? That will show that you have a connection to the DC. What about net view? If you can see the shares on the server in net view you can map them using net use.
@Ace,
Windows 7 doesn't show a default gateway address in the PPP config like previous versions did. I just checked it.
Bill
Tuesday, June 8, 2010 4:50 AM
On Tue, 8 Jun 2010 03:33:31 +0000, AISWW wrote:
>
>
>Hi Ace,
>
>Thanks for clarifying the point on DHCP. As far as the ping goes, I was trying to ping by server IP, not NetBIOS name. In this case, I was trying to ping the DC - 192.168.1.57 but got no response. If the VPN is connecting correctly, I should be able to ping by IP, right?
>
>
>
>--Zaheer
Ahh, by IP. Interesting. I assumed by name. My bad, sorry! Then it's a
RRAS/NAP config issue. Bill provided some great suggestions to try.
Ace
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Tuesday, June 8, 2010 4:53 AM
On Tue, 8 Jun 2010 03:44:05 +0000, Bill Grant wrote:
>
>
> That depends. Have you enabled ICMP echo on this server? Ping is not a reliable test these days with most machines having firewalls enabled which block ICMP.
>
> Does nslookup work? That will show that you have a connection to the DC. What about net view? If you can see the shares on the server in net view you can map them using net use.
>
> @Ace,
>
> Windows 7 doesn't show a default gateway address in the PPP config like previous versions did. I just checked it.
>Bill
You know, I never noticed that on Windows 7. I just connected to one
of my customer sites by VPN and saw the gateway is all zeros. Thanks
for pointing that out. :-)
Cheers!
Ace
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Tuesday, June 8, 2010 9:01 AM | 2 votes
Hi AISWW,
I agree with Bill's suggestion.
In this case, to verify the connectivity, please check whether a DNS query to your DC works.
On your client side, open a command prompt window.
Run "nslookup"
"> server 192.168.1.57"
"> <type your DC's FQDN>"
And check if it can resolve the DC's IP address.
Could you please paste the route table when the VPN connection is established? You can run "route print" to show the route table in a command prompt.
I suggest checking whether it works with the remote connection set as the highest priority first. Here is the workaround:
1. I assume your client is Windows 7.
Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.
Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
2. Set [Remote access connections] as the highest priority by moving it to the top, then click OK.
3. Reboot.
Troubleshooting remote access VPNs
http://technet.microsoft.com/en-us/library/cc772616(WS.10).aspx
Common VPN Problems
http://technet.microsoft.com/en-us/library/cc958057.aspx
Thanks.
Tiger Li
Tuesday, June 8, 2010 5:46 PM
Hi Bill,
I can ping the server IPs (.57 and .50) from my LAN when I am connected locally, so I don't think ICMP is being blocked by any firewalls.
--Zaheer
Wednesday, June 9, 2010 2:18 AM | 1 vote
Hi AISWW,
Does this issue occur on one particular computer or on all of them?
Have you installed any antivirus software on your client?
Could you please paste the route table when the VPN connection is established? You can run "route print" to show the route table in a command prompt.
Also please check whether a DNS query to your DC works when the VPN is connected.
Thanks.
Tiger Li
Wednesday, June 9, 2010 2:27 AM | 1 vote
Hello,
My guess is that either RRAS or the LAN cards on the VPN server have some configuration problem. You should not have had to uncheck "use default gateway on remote network". You should have been able to surf via the VPN gateway (that's if your IT mgr configured it that way). If you cannot ping any other devices in the 192.168.1.0 subnet then my guess is that routing is not properly configured on the VPN server.
Can you post an IPCONFIG /ALL for the VPN Server?
You have two LAN CARDS, one private IP and one Public? Is NAT enabled? Is ICMP Echo Reply On?
Miguel
Miguel Fra / Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site
Wednesday, June 9, 2010 4:02 AM
Hi Tiger,
Thanks for the suggestions. Here are the results of the nslookup (failed) and the route table:
C:\Users\Zaheer>nslookup
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: 192.168.1.57
> server 192.168.1.57
DNS request timed out.
timeout was 2 seconds.
Default Server: [192.168.1.57]
Address: 192.168.1.57
> dc1.aisww.local
Server: [192.168.1.57]
Address: 192.168.1.57
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to [192.168.1.57] timed-out
Route table:
C:\Users\Zaheer>route print
Interface List
 22...........................AIS VPN
 11...00 04 4b 00 c3 e2 ......NVIDIA nForce 10/100/1000 Mbps Ethernet
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.102     20
    75.127.218.84  255.255.255.255      192.168.2.1    192.168.2.102     21
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
      192.168.1.0    255.255.255.0     192.168.1.21     192.168.1.21     21
     192.168.1.21  255.255.255.255          On-link     192.168.1.21    276
      192.168.2.0    255.255.255.0          On-link    192.168.2.102    276
    192.168.2.102  255.255.255.255          On-link    192.168.2.102    276
    192.168.2.255  255.255.255.255          On-link    192.168.2.102    276
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link    192.168.2.102    276
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link    192.168.2.102    276
  255.255.255.255  255.255.255.255          On-link     192.168.1.21    276
Persistent Routes:
None
IPv6 Route Table
Active Routes:
 If Metric Network Destination                          Gateway
 15     58 ::/0                                         On-link
  1    306 ::1/128                                      On-link
 15     58 2001::/32                                    On-link
 15    306 2001:0:4137:9e76:3caa:286b:52fd:1c9f/128     On-link
 15    306 fe80::/64                                    On-link
 15    306 fe80::3caa:286b:52fd:1c9f/128                On-link
  1    306 ff00::/8                                     On-link
 15    306 ff00::/8                                     On-link
Persistent Routes:
None
Let me try setting the route connection as the highest priority and I will post the results.
Update: with the remote connection set as the highest priority I still can't ping the server or see any shares with net view:
C:\Users\Zaheer>net view
Server Name Remark
\\ZAHEER-PC
The command completed successfully.
--Zaheer
Wednesday, June 9, 2010 4:14 AM | 1 vote
Hi Zaheer,
Thanks for posting the routing table.
Based on this portion below, assuming the client IP is 192.168.1.21, it basically says to get to the 192.168.1.0 subnet, to use itself (192.168.1.21), which is correct, and also common in a VPN or dialup connection. However, what is the 192.168.2.0 subnet? Is there another connection on the laptop, such as a wireless?
192.168.1.0 255.255.255.0 192.168.1.21 192.168.1.21 21
192.168.1.21 255.255.255.255 On-link 192.168.1.21 276
192.168.2.0 255.255.255.0 On-link 192.168.2.102 276
192.168.2.102 255.255.255.255 On-link 192.168.2.102 276
192.168.2.255 255.255.255.255 On-link 192.168.2.102 276
By default, the RRAS connection in the binding order should have been at the top of the list. That's the one Tiger asked you to check. Was that altered?
If not, then this routing table actually looks fine at first glance, therefore it's telling me, and *assuming* that this is occurring on all VPN clients and not just this laptop, that RRAS is misconfigured, or rather simply not allowing to route, or there is a NAP rule not allowing access, or the conditions and/or policy is incorrectly or not configured, or there are RRAS filters in place preventing traffic from VPN (RAS) connections.
If I remember correctly, the RRAS server is a Windows 2008 server, and it is not a domain controller, correct?
How did you setup RRAS? Can you provide a step by step, or did you follow an article? If you followed an online article, can you post it, please?
Thanks,
Ace
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
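The route check discussed in the reply above, as an added example that is not part of the original thread: it parses the client's IPv4 rows from the posted `route print` output and applies Windows route selection (longest matching prefix, then lowest metric) to show where traffic for the DC and for the internet actually goes. The function names `parse_routes`, `select_route` and `tunnel_mode` are hypothetical, and 8.8.8.8 is a constructed sample internet destination.

```python
import ipaddress

# IPv4 active routes copied from the client's "route print" in the thread
# (loopback, multicast and broadcast rows omitted for brevity).
ROUTE_PRINT = """\
Network Destination  Netmask          Gateway       Interface      Metric
0.0.0.0              0.0.0.0          192.168.2.1   192.168.2.102  20
75.127.218.84        255.255.255.255  192.168.2.1   192.168.2.102  21
192.168.1.0          255.255.255.0    192.168.1.21  192.168.1.21   21
192.168.1.21         255.255.255.255  On-link       192.168.1.21   276
192.168.2.0          255.255.255.0    On-link       192.168.2.102  276
192.168.2.102        255.255.255.255  On-link       192.168.2.102  276
"""


def parse_routes(text):
    """Turn 'route print' IPv4 rows into a list of route dicts.

    Rows that do not have exactly five fields (headers, blank lines)
    or that do not parse as destination/netmask/metric are skipped.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        dest, mask, gateway, iface, metric = fields
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
            metric = int(metric)
        except ValueError:
            continue
        routes.append(
            {"net": net, "gateway": gateway, "iface": iface, "metric": metric}
        )
    return routes


def select_route(routes, dest):
    """Pick the route used for dest: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r["net"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["net"].prefixlen, -r["metric"]))


def tunnel_mode(routes, vpn_iface):
    """Classify the client as 'full' or 'split' tunnel.

    'full'  : the winning default route (0.0.0.0/0) is on the VPN interface.
    'split' : the winning default route is on another interface, so only
              the VPN subnet is tunnelled and internet traffic bypasses it.
    'none'  : no default route at all.
    """
    defaults = [r for r in routes if r["net"].prefixlen == 0]
    if not defaults:
        return "none"
    best = min(defaults, key=lambda r: r["metric"])
    return "full" if best["iface"] == vpn_iface else "split"


if __name__ == "__main__":
    VPN_IFACE = "192.168.1.21"  # PPP adapter address from the posted ipconfig
    table = parse_routes(ROUTE_PRINT)
    # DC, VPN server public address, constructed internet host
    for target in ("192.168.1.57", "75.127.218.84", "8.8.8.8"):
        r = select_route(table, target)
        path = "VPN tunnel" if r["iface"] == VPN_IFACE else "local LAN"
        print(f"{target:15} -> {r['net']} via {r['gateway']} ({path})")
    print("tunnel mode:", tunnel_mode(table, VPN_IFACE))
```

The DC address matches the 192.168.1.0/24 route on the PPP interface, so the client is sending that traffic into the tunnel, while the default route stays on the local LAN (split tunnel) once "use default gateway on remote network" is unchecked.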
Wednesday, June 9, 2010 12:37 PM
Hi Tiger,
I tried connecting from a laptop (Vista pro SP2) and a desktop (Win7) the same issue happens on both.
--Zaheer
Wednesday, June 9, 2010 12:46 PM
Hi Miguel,
I think you are correct in suspecting a routing issue. I will post an IPconfig from the server. Yes I have one Private IP interface and one Public IP interface. I'm not sure if NAT is enabled, and echo reply is on.
Pinging 75.127.218.84 with 32 bytes of data:
Reply from 75.127.218.84: bytes=32 time=20ms TTL=123
Reply from 75.127.218.84: bytes=32 time=15ms TTL=123
Reply from 75.127.218.84: bytes=32 time=17ms TTL=123
Reply from 75.127.218.84: bytes=32 time=17ms TTL=123
--Zaheer
Wednesday, June 9, 2010 12:48 PM
Hi Ace,
Yes the server is windows 2008, and is NOT a domain controller. When I set it up, I ran the RRAS wizard and selected "VPN" - perhaps I needed to select VPN and NAT?
--Zaheer
Wednesday, June 9, 2010 1:17 PM
Hello Zaheer,
Yes you do need NAT enabled if you have one public and one private and you want network translation. Enable NAT, I think that will take care of it.
Miguel
Miguel Fra / Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site
Wednesday, June 9, 2010 2:15 PM
I guess that would depend on the server's purpose. But because the server is connected to a public and private subnet, yes, NAT should be enabled because the VPN connection is hitting the public interface first. To get to the internal subnet, it needs to be translated. Now if the server's purpose is to not offer NAT translation for the network, and only serve VPN purposes, you really don't need it sitting on a public IP. You can simply translate or map PPTP and GRE to the server from your peripheral firewall. It makes things easier.
Ace
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Wednesday, June 9, 2010 2:48 PM
Hi Miguel,
I enabled NAT and I'm still getting the same issues. I can connect, but not ping or access any resources on the VPN network.
Here is the nslookup and route table from the Windows7 desktop while connected to the VPN:
C:\Users\Zaheer>nslookup
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: 192.168.1.57
> server 192.168.1.57
DNS request timed out.
timeout was 2 seconds.
Default Server: [192.168.1.57]
Address: 192.168.1.57
> dc1.aisww.local
Server: [192.168.1.57]
Address: 192.168.1.57
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to [192.168.1.57] timed-out
> exit
C:\Users\Zaheer>route print
Interface List
 14...........................AIS VPN
 11...00 04 4b 00 c3 e2 ......NVIDIA nForce 10/100/1000 Mbps Ethernet
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.200    276
    75.127.218.84  255.255.255.255      192.168.2.1    192.168.2.200     21
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
      192.168.1.0    255.255.255.0     192.168.1.21     192.168.1.21     21
     192.168.1.21  255.255.255.255          On-link     192.168.1.21    276
      192.168.2.0    255.255.255.0          On-link    192.168.2.200    276
    192.168.2.200  255.255.255.255          On-link    192.168.2.200    276
    192.168.2.255  255.255.255.255          On-link    192.168.2.200    276
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link    192.168.2.200    276
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link    192.168.2.200    276
  255.255.255.255  255.255.255.255          On-link     192.168.1.21    276
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0      192.168.2.1  Default
IPv6 Route Table
Active Routes:
 If Metric Network Destination                          Gateway
 15     58 ::/0                                         On-link
  1    306 ::1/128                                      On-link
 15     58 2001::/32                                    On-link
 15    306 2001:0:4137:9e74:34d0:254d:3f57:fd37/128     On-link
 15    306 fe80::/64                                    On-link
 15    306 fe80::34d0:254d:3f57:fd37/128                On-link
  1    306 ff00::/8                                     On-link
 15    306 ff00::/8                                     On-link
Persistent Routes:
None
And here is the ipconfig/all and route from the VPN server:
Microsoft Windows [Version 6.0.6001]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\administrator.AISWW>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : VPN
Primary Dns Suffix . . . . . . . : aisww.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : aisww.local
Ethernet adapter LOCAL:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys EG1032 v2 Instant Gigabit Network
Adapter
Physical Address. . . . . . . . . : 00-12-17-53-6E-C2
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.67(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.57
192.168.1.50
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter INTERNET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-F1-8F-02-C8
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 75.127.218.84(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . : 75.127.218.81
DNS Servers . . . . . . . . . . . : 192.168.1.57
192.168.1.50
NetBIOS over Tcpip. . . . . . . . : Disabled
PPP adapter RAS (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : RAS (Dial In) Interface
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled
C:\Users\administrator.AISWW>route print
Interface List
 11 ...00 12 17 53 6e c2 ...... Linksys EG1032 v2 Instant Gigabit Network Adapter
 10 ...00 0c f1 8f 02 c8 ...... Intel(R) PRO/1000 MT Network Connection
 16 ........................... RAS (Dial In) Interface
  1 ........................... Software Loopback Interface 1
IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    75.127.218.81    75.127.218.84    276
    75.127.218.80  255.255.255.248          On-link    75.127.218.84    276
    75.127.218.84  255.255.255.255          On-link    75.127.218.84    276
    75.127.218.87  255.255.255.255          On-link    75.127.218.84    276
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
      192.168.1.0    255.255.255.0          On-link     192.168.1.67    266
     192.168.1.21  255.255.255.255          On-link     192.168.1.21     41
     192.168.1.67  255.255.255.255          On-link     192.168.1.67    266
    192.168.1.255  255.255.255.255          On-link     192.168.1.67    266
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link    75.127.218.84    276
        224.0.0.0        240.0.0.0          On-link     192.168.1.67    266
        224.0.0.0        240.0.0.0          On-link     192.168.1.21    296
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link    75.127.218.84    276
  255.255.255.255  255.255.255.255          On-link     192.168.1.67    266
  255.255.255.255  255.255.255.255          On-link     192.168.1.21    296
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    75.127.218.81  Default
IPv6 Route Table
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
Persistent Routes:
None
C:\Users\administrator.AISWW>
Wednesday, June 9, 2010 3:30 PM
Try this:
Ethernet adapter LOCAL:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys EG1032 v2 Instant Gigabit Network
Adapter
Physical Address. . . . . . . . . : 00-12-17-53-6E-C2
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.67(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : ENTER YOUR LOCAL GATEWAY 192.168.1.1?
DNS Servers . . . . . . . . . . . : 192.168.1.57
192.168.1.50
NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter INTERNET:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-0C-F1-8F-02-C8
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 75.127.218.84(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.248
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled
Then reboot server and reconnect.
Miguel Fra / Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site
Wednesday, June 9, 2010 5:04 PM
Hi Miguel,
That did not work. When I made the suggested change my desktop could no longer connect to the VPN.
I reverted to the previous configuration and now the VPN is connecting again, but I still can't see the network resources on remote network.
--Zaheer
Wednesday, June 9, 2010 5:38 PM
Have you checked the firewall setting on the VPN Server's LAN interface and also the IP filters?
Miguel
Miguel Fra / Falcon ITS
Computer & Network Support, Miami, FL
Visit our Knowledgebase Sharepoint Site
Wednesday, June 9, 2010 5:43 PM
Firewall is turned off and no IP filters are enabled. Under RRAS Server/IPv4/General static filters are set to "disabled"
I can ping both interfaces and get responses from the server.
--Zaheer
Wednesday, June 9, 2010 6:46 PM
Zaheer,
Did you enable NAT in RRAS?
Ace
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
Wednesday, June 9, 2010 6:49 PM
Hi Ace,
Yes I disabled RRAS, then reconfigured it using the "VPN and NAT" option. This should enable NAT, correct? Should I post the routing table again?
--Zaheer
Wednesday, June 9, 2010 6:59 PM
Zaheer,
Can you ping the VPN Server's LAN IP address from another workstation on the LAN?
From the VPN Server itself, can you ping other private IP addresses on the LAN like the gateway 192.168.1.1?
From the VPN Server, can you ping a public FQDN like www.google.com ?
Miguel Fra / Falcon ITS
Wednesday, June 9, 2010 7:08 PM
Miguel,
Can you ping the VPN Server's LAN IP address from another workstation on the LAN?
Yes
From the VPN Server itself, can you ping other private IP addresses on the LAN like the gateway 192.168.1.1?
Yes
From the VPN Server, can you ping a public FQDN like www.google.com ?
Yes
--Zaheer
Wednesday, June 9, 2010 7:29 PM | 1 vote
Zaheer,
Did that work?
If not, can you post the step by steps you did to configure VPN and NAT? Did you follow a doc online perhaps, showing you how to set it up? One setting I'm looking for is if you enabled LAN routing for VPN clients.
Disregarding the certificate portion of this step by step, see if the following link helps:
Configuring Windows Server 2008 as a Remote Access SSL VPN Server (Part 2): http://www.windowsecurity.com/articles/Configuring-Windows-Server-2008-Remote-Access-SSL-VPN-Server-Part2.html
Ace
Wednesday, June 9, 2010 7:45 PM
Ace,
Routing was not installed. I'm installing it now and will follow the steps in the article and report back. Thanks!
--Zaheer
Wednesday, June 9, 2010 8:35 PM
Hi Ace,
I disabled the RRAS, then re-enabled/configured it and followed the steps in the article you posted (from Enable the RRAS Server and Configure it to be a VPN and NAT Server to Configure the NAT Server to Publish the CRL) and restarted the RRAS service, but still the same problem - I can connect to the VPN but can't access any of its resources. Is there further configuration that I need to do for NAT?
Thanks again (to everyone!) for all the help, it is much appreciated.
--Zaheer
Wednesday, June 9, 2010 9:20 PM
This is weird.
Miguel Fra / Falcon ITS
Thursday, June 10, 2010 1:24 AM
Yep, it is weird. Setting up a VPN on 2003 or 2008 is usually a cinch. It usually just works, unless there's something missed or another factor we are missing.
Ace
Thursday, June 10, 2010 1:28 AM
Zaheer,
Honestly, this should just work.
What third party software is installed on this server? Please list out all of them, including antivirus, antispyware, antimalware, anything on it, as insignificant as it may seem. This includes the laptops.
Was Zone Alarm ever installed at any time and removed? Any other security apps installed and removed? Is the laptop's firewall enabled? If so, try disabling it.
Please post any event log errors, by posting their EventID# and Source Names.
Also, on the client side, enable PPP logging, then connect, then disconnect, check the log, and please post any errors you see in the logs. Check the Event log on the client side as well.
Thanks,
Ace
Thursday, June 10, 2010 2:17 AM
Ace,
I agree. I set up a few VPN servers in the past on 2000/2003 and it was always pretty easy. I didn't expect this much trouble with 2008.
The server is a little old (Dell PowerEdge 400SC, 1.25GB RAM, 2.0 Celeron) but I figured that would be OK since all it was doing was routing and authentication. We formatted it and installed 2008, so there is zero third party software on it. Also, each network card works fine individually, so I don't think it's a hardware issue.
The desktop client (Win7 Ultimate) has the Windows Firewall disabled, and Microsoft Security Essentials. The laptop is Vista Business and it has CA Security Suite with the firewall disabled and Windows Firewall disabled.
Neither machine ever had zone alarm installed.
PPP log on the win7 machine shows lots of information, but I don't see any errors.
The event viewer shows an event ID 56: The Terminal Server security layer detected an error in the protocol stream and has disconnected the client. But it only shows that error once.
I will post the logs from the server tomorrow.
--Zaheer
Thursday, June 10, 2010 2:36 AM
I don't believe hardware type is the issue here, unless the cards are teamed, where you may want to unteam them to give it a shot. But I don't remember the SC400's having multiple (4) cards to team them.
The EventID 56 appears to have been a one time thing when you attempted to connect using Remote Desktop. You can see more of this event here: http://eventid.net/display.asp?eventid=56&eventno=9421&source=TermDD&phase=1
Did you try to remote desktop while connected with the VPN while testing? If so, that explains why that came up because it couldn't connect.
I would like to suggest a different test. As a test, if you like to try it, if you disable the outside interface and port remap GRE and PPTP to the server (using its inside interface), does it work?
As for the Microsoft Security Essentials, and the Vista desktop CA, as another test, I would like you to uninstall the software and try it again, unless you have a clean, pristine laptop (nothing installed and Windows firewall disabled), to give that a shot. If that does work, then it tells us something in the security config is causing it. I worked for a large company at one time, and we had some issues with CA. Uninstalling it or stopping services overcame the issue, which helped us construct a case with CA support to assist us. I'm not saying this is the problem, but at this time, and assuming the VPN was set up correctly on the server, I would like to look at other factors, or at least eliminate them.
Another test is to plug in a laptop on the same subnet, if possible, of the outside interface between the router and the server. This will eliminate any firewall port remap misconfig.
Ace
Thursday, June 10, 2010 2:48 PM
Hi Ace,
Here is the server log:
Date and Time | Source | Event ID |
6/9/2010 16:06 | Service Control Manager | 7024 |
6/9/2010 16:06 | RemoteAccess | 20103 |
6/9/2010 13:09 | Microsoft-Windows-DistributedCOM | 10010 |
6/9/2010 10:12 | Service Control Manager | 7024 |
6/9/2010 10:11 | RemoteAccess | 20103 |
6/9/2010 8:34 | RemoteAccess | 20253 |
6/9/2010 8:34 | RemoteAccess | 20253 |
6/9/2010 8:34 | RemoteAccess | 20253 |
6/9/2010 8:34 | RemoteAccess | 20253 |
6/4/2010 15:50 | RemoteAccess | 20253 |
6/4/2010 15:49 | RemoteAccess | 20253 |
6/4/2010 15:48 | RemoteAccess | 20253 |
6/4/2010 15:47 | RemoteAccess | 20253 |
6/4/2010 15:43 | RemoteAccess | 20253 |
6/4/2010 12:59 | RemoteAccess | 20253 |
6/4/2010 12:58 | RemoteAccess | 20253 |
6/4/2010 11:24 | RemoteAccess | 20255 |
6/3/2010 14:07 | Service Control Manager | 7024 |
6/3/2010 14:07 | RemoteAccess | 20103 |
6/3/2010 11:43 | TermDD | 56 |
6/3/2010 11:43 | TermDD | 50 |
6/3/2010 10:41 | Service Control Manager | 7024 |
6/3/2010 10:41 | RemoteAccess | 20103 |
6/2/2010 14:48 | Service Control Manager | 7024 |
6/2/2010 14:48 | RemoteAccess | 20103 |
6/2/2010 14:43 | Microsoft-Windows-GroupPolicy | 1129 |
6/2/2010 14:41 | Microsoft-Windows-TerminalServices-RemoteConnectionManager | 1067 |
6/2/2010 14:41 | Service Control Manager | 7024 |
6/2/2010 14:41 | RemoteAccess | 20103 |
6/2/2010 14:39 | Microsoft-Windows-GroupPolicy | 1055 |
6/2/2010 14:39 | NETLOGON | 5719 |
6/2/2010 11:44 | Service Control Manager | 7024 |
6/2/2010 11:44 | RemoteAccess | 20103 |
6/2/2010 11:39 | Service Control Manager | 7024 |
6/2/2010 11:39 | RemoteAccess | 20103 |
6/2/2010 11:35 | Service Control Manager | 7024 |
6/2/2010 11:35 | RemoteAccess | 20103 |
6/2/2010 11:29 | TermDD | 56 |
6/2/2010 11:24 | Service Control Manager | 7024 |
6/2/2010 11:24 | RemoteAccess | 20103 |
6/2/2010 11:09 | Service Control Manager | 7024 |
6/2/2010 11:09 | RemoteAccess | 20103 |
6/2/2010 11:09 | Service Control Manager | 7024 |
6/2/2010 11:09 | RemoteAccess | 20103 |
6/2/2010 10:31 | Service Control Manager | 7024 |
6/2/2010 10:31 | RemoteAccess | 20103 |
5/27/2010 18:35 | Service Control Manager | 7032 |
5/27/2010 18:34 | Service Control Manager | 7032 |
5/27/2010 18:33 | Service Control Manager | 7024 |
5/27/2010 18:33 | RemoteAccess | 20103 |
Thursday, June 10, 2010 2:56 PM
I filtered out all the 1111 terminal services printer errors, since they were not relevant.
I'm running a windows update on the server right now to make sure I have all the latest patches.
--Zaheer
Friday, June 11, 2010 5:50 PM
One more question, if I connect with multiple VPN clients, the remote network address is always 192.168.1.21 - is this indicative of a configuration issue?
Saturday, June 12, 2010 5:37 AM
These are all errors?
Have you looked at www.eventid.net to see what most of them mean?
Please verify that the following services are started:
- Remote Registry
- Remote Procedure Call (RPC)
- DHCP Client Service (different than the DHCP Server service)
Let's also concentrate on the RemoteAccess errors in the list.
EventID 20103
Routing and Remote Access Service does not start and event ID ...Event ID: 20103. Source: Router Description: Unable to load C:\Winnt\System32\Iprtrmgr.dll. In addition, the available ports may not be displayed in the ... This article indicates TCP/IP is corrupted and suggests to reinstall TCP/IP on the machine.
(I'm starting to believe this error is causing all the other ones.)
http://support.microsoft.com/kb/299013
EventID 20103 - more info on it.
At eventid.net, it was also suggested to reinstall TCP/IP:
http://eventid.net/display.asp?eventid=20103&eventno=1601&source=RemoteAccess&phase=1
EventID 5719
Netlogon error. This is indicative of not using the right DNS servers for AD. However, it can be caused by other things, such as the TCP Chimney/RSS feature that can cause issues with AD communications. Was that disabled?
I'm also thinking that if TCP/IP is corrupt, it will also cause this error.
http://eventid.net/display.asp?eventid=5719&eventno=104&source=NETLOGON&phase=1
EventID 20253
The user: %1 connected to port: %2 has been disconnected because no network protocols were successfully negotiated. This hints that the server's TCP/IP protocol is possibly corrupt or necessary components are missing.
http://technet.microsoft.com/en-us/library/cc733803(WS.10).aspx
Ace
Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
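A way to triage the server log posted above, added here as an example and not written by any poster in this thread: it parses the pipe-delimited rows, counts the RemoteAccess event IDs, and checks whether every RemoteAccess 20103 lines up with a Service Control Manager 7024 logged within a minute, which separates service start failures from connection-time 20253 failures. The function names are hypothetical, and the sample rows are a subset copied from the log in this thread.

```python
from collections import Counter
from datetime import datetime, timedelta

# Subset of the rows Zaheer posted (Date and Time | Source | Event ID |).
SAMPLE_LOG = """\
Date and Time | Source | Event ID |
6/9/2010 16:06 | Service Control Manager | 7024 |
6/9/2010 16:06 | RemoteAccess | 20103 |
6/9/2010 13:09 | Microsoft-Windows-DistributedCOM | 10010 |
6/9/2010 10:12 | Service Control Manager | 7024 |
6/9/2010 10:11 | RemoteAccess | 20103 |
6/9/2010 8:34 | RemoteAccess | 20253 |
6/9/2010 8:34 | RemoteAccess | 20253 |
6/4/2010 11:24 | RemoteAccess | 20255 |
6/3/2010 11:43 | TermDD | 56 |
6/2/2010 14:39 | NETLOGON | 5719 |
5/27/2010 18:35 | Service Control Manager | 7032 |
5/27/2010 18:33 | Service Control Manager | 7024 |
5/27/2010 18:33 | RemoteAccess | 20103 |
"""

def parse_events(text):
    """Return (timestamp, source, event_id) tuples; header/garbled rows are skipped."""
    events = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 3 or not cells[2].isdigit():
            continue
        try:
            when = datetime.strptime(cells[0], "%m/%d/%Y %H:%M")
        except ValueError:
            continue
        events.append((when, cells[1], int(cells[2])))
    return events

def triage(events, window=timedelta(minutes=1)):
    """Group RemoteAccess events and pair each 20103 with a nearby SCM 7024."""
    # 7024 is the Service Control Manager "service terminated" event.
    scm = [e for e in events if e[1] == "Service Control Manager" and e[2] == 7024]
    used, paired, unpaired = set(), [], []
    for ev in events:
        if ev[1] != "RemoteAccess" or ev[2] != 20103:
            continue
        hit = next((i for i, s in enumerate(scm)
                    if i not in used and abs(s[0] - ev[0]) <= window), None)
        if hit is None:
            unpaired.append(ev)
        else:
            used.add(hit)
            paired.append((ev, scm[hit]))
    ras = Counter(e[2] for e in events if e[1] == "RemoteAccess")
    # 20253: client dropped because no network protocol was negotiated.
    days = sorted({e[0].strftime("%Y-%m-%d") for e in events
                   if e[1] == "RemoteAccess" and e[2] == 20253})
    return {"remote_access_counts": dict(ras),
            "paired_start_failures": paired,
            "unpaired_start_failures": unpaired,
            "negotiation_failure_days": days}

if __name__ == "__main__":
    result = triage(parse_events(SAMPLE_LOG))
    print(result["remote_access_counts"])
    print(len(result["paired_start_failures"]), "start failures paired with 7024")
    print("20253 seen on:", result["negotiation_failure_days"])
```
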
Friday, June 25, 2010 2:45 PM
Hi Ace,
Sorry for the long layoff, I got caught up in some other projects.
For all the errors listed in the logs, those were from re-installing RRAS and it re-enabling IPV6, so I followed the instructions in the previous thread in order to remove those errors.
After not having any luck, I decided to nuke the system and reinstall with Windows Server 2003. After installing RRAS, I came up with the same problem. I can connect, but can't access any other servers besides the VPN server.
The fact that this is happening on 2 different OSes (2008 and 2003) leads me to believe that this is some sort of hardware error. The Linksys card EG1032 did not have native Windows server 2008 or 2003 drivers. The XP driver worked, I was able to get network traffic through, but no luck with RRAS.
At this point I decided to nix the two-NIC setup, and configured the VPN server with 1 NIC. I forwarded the proper ports and protocols from the firewall to the server (now with only 1 NIC) but still having the same issue - I can connect to the VPN but can't access any other resources.
At this point I'm ready to punt and go buy a SonicWall. If anyone has a suggestion I'm all ears... and thanks again for everyone who tried to help!
--Zaheer
Friday, June 25, 2010 8:25 PM
Wow, two servers, same problem? Interesting. It narrows it down to either the NIC or the router/firewall. Do you have a 3Com NIC lying around? Install it and try it, if you do. If you get the same results, then it would lead to the SonicWall as the solution.
And thanks for the update!
Ace