Dialup VPN clients resolve DNS properly, High Speed Connections (LAN) Do not.


XxLicherxX

Hello everyone,

I hope this is the right group to ask this (I found it while searching
for an answer to my problem); if not, please direct me to the correct
one.

I am experiencing a frustrating problem that all the Googling in the
world doesn't seem to have an answer to. I have a fresh install (and
fully updated) of Windows 2000 server, and a fresh install (fully
updated) of ISA 2000. I have a VPN set up. Both dialup and LAN clients
can login just fine, however, DNS refuses to resolve machine names when
a LAN client connects. Everything must be accessed with an IP address
(ping, remote desktop, etc). When I dial in to the VPN, everything
works just fine.

There is a setting in Routing and Remote Access that says "Use the
following adapter for DHCP, DNS and WINS addresses for dialup clients"
I have selected the internal adapter. This got everything working
correctly for dial up clients.

Where do I set this information for LAN/High Speed clients? I have
tried manually configuring the DNS server on the VPN client settings to
point to the internal network's DNS server, but that doesn't work. What
am I missing here?

Thanks
 
Make darn sure that ONLY the internal interface of the ISA server has DNS &
WINS entries, and they should be your internal servers. If you put the
entries on any other interface, it will mess things up.

What does "ipconfig /all" on a LAN client show for the DNS server? Where is
DHCP coming from?

Ray
 
XxLicherxX said:
Hello everyone,

I hope this is the right group to ask this (I found it while searching
for an answer to my problem); if not, please direct me to the correct
one.

I am experiencing a frustrating problem that all the Googling in the
world doesn't seem to have an answer to. I have a fresh install (and
fully updated) of Windows 2000 server, and a fresh install (fully
updated) of ISA 2000. I have a VPN set up. Both dialup and LAN clients
can login just fine, however, DNS refuses to resolve machine names
when a LAN client connects. Everything must be accessed with an IP
address (ping, remote desktop, etc). When I dial in to the VPN,
everything works just fine.

There is a setting in Routing and Remote Access that says "Use the
following adapter for DHCP, DNS and WINS addresses for dialup clients"
I have selected the internal adapter. This got everything working
correctly for dial up clients.

Where do I set this information for LAN/High Speed clients? I have
tried manually configuring the DNS server on the VPN client settings
to point to the internal network's DNS server, but that doesn't work.
What am I missing here?

Thanks

For DNS to resolve bare host names, the client must have a DNS suffix
search list, and must use only the DNS server that has these host names
in it. Your ipconfig /all will show you this information.
 
Hi Ray,

Thanks for your response.

Both NICs have entries for DNS. The internal NIC uses our main server's
IP for DNS. The external NIC has DNS entries from our ISP. I am not
sure if this is getting in the way, because this was the way we had it
set up on our previous server and everything worked properly. I can't
post an ipconfig /all at the moment, because I am at the office, but I
will post one tonight when I get home and VPN in.

Thanks
 
That will definitely get in the way. You can also try the group of
microsoft.public.isa.vpn for questions.

http://www.isaserver.org/tutorials/DNS_for_ISA_Server.html

First paragraph of the article:

"Want some more fun? Let's look at the ISA scenario. What many folks will do
is place DNS resolver IPs in both NICs, ISP in the external, local in the
internal. While this seems to make sense, it's actually very inefficient and
you can actually cause huge timeouts this way. Remember that TCP/IP will
choose the route for a given packet based on its destination, not where it
found the data. This means that DNS entries are not really NIC-specific, it's
just more meaningful to the person entering them."

Yeah, I did it, too, initially. :-)

If you VPN in, the ipconfig /all won't be the same as for a LAN client, will
it?

Ray
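Ray's advice above comes down to reading ipconfig /all carefully: DNS and WINS entries should sit only on the ISA server's internal interface, and the VPN client's PPP adapter must actually have received a DNS server, a suffix and (for NetBIOS names) a WINS server. The script below is an added example, not code from the thread or from Microsoft. It parses a constructed Windows 2000 style ipconfig /all listing (the adapter names, addresses and field labels are my own sample, not the poster's), reports which adapters carry DNS servers, and lists the name-resolution gaps on each PPP (VPN) adapter, including an APIPA 169.254.x.x address, which is the symptom of the DHCP failure the poster runs into later in the thread. It assumes VPN connections show up as "PPP adapter" sections, as RRAS connections do.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of "ipconfig /all" output from a Windows 2000 VPN client
# (not real output from the poster's machine). The PPP adapter shows the
# symptoms discussed in the thread: an APIPA address (169.254.x.x) and no
# DNS server, DNS suffix or WINS server.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : laptop01
        Node Type . . . . . . . . . . . . : Broadcast

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home.example
        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.0.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1
        DNS Servers . . . . . . . . . . . : 10.0.0.1
                                            10.0.0.2

PPP adapter Office VPN:

        Connection-specific DNS Suffix  . :
        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 169.254.10.20
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . : 169.254.10.20
        DNS Servers . . . . . . . . . . . :
"""

APIPA = re.compile(r"^169\.254\.\d{1,3}\.\d{1,3}$")


@dataclass
class Adapter:
    name: str
    # field label -> list of values (DNS/WINS servers may span several lines)
    fields: dict = field(default_factory=dict)


def parse_ipconfig(text):
    """Split ipconfig /all output into adapters with their labelled fields."""
    adapters, current, last_key = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        # Adapter headers are flush left and end with a colon.
        if not raw[0].isspace() and raw.rstrip().endswith(":"):
            current = Adapter(raw.strip().rstrip(":"))
            adapters.append(current)
            last_key = None
            continue
        if current is None:          # global section before the first adapter
            continue
        line = raw.strip()
        if line[0].isalpha() and ":" in line:
            key, _, value = line.partition(":")
            key = re.sub(r"[\s.]+$", "", key)   # drop the ". . . ." leader
            last_key = key
            current.fields[key] = [value.strip()] if value.strip() else []
        elif last_key is not None:
            # Indented continuation line: another server for the previous label.
            current.fields[last_key].append(line)
    return adapters


def vpn_adapters(adapters):
    """Assumption: RRAS/ISA VPN connections appear as PPP adapters."""
    return [a for a in adapters if a.name.startswith("PPP adapter")]


def check_vpn_adapter(adapter):
    """Return the name-resolution problems visible on one VPN adapter."""
    findings = []
    if any(APIPA.match(ip) for ip in adapter.fields.get("IP Address", [])):
        findings.append("APIPA address: the VPN server handed out no DHCP lease")
    if not adapter.fields.get("DNS Servers"):
        findings.append("no DNS server: names cannot be resolved at all")
    if not adapter.fields.get("Connection-specific DNS Suffix"):
        findings.append("no DNS suffix: bare host names will not be qualified")
    if not adapter.fields.get("Primary WINS Server"):
        findings.append("no WINS server: NetBIOS name resolution will fail")
    return findings


def adapters_with_dns(adapters):
    """Names of adapters that list DNS servers. Run against the ISA server's
    own ipconfig /all, this should name only the internal interface."""
    return [a.name for a in adapters if a.fields.get("DNS Servers")]


if __name__ == "__main__":
    parsed = parse_ipconfig(SAMPLE_IPCONFIG)
    print("adapters carrying DNS servers:", adapters_with_dns(parsed))
    for vpn in vpn_adapters(parsed):
        for finding in check_vpn_adapter(vpn):
            print(f"{vpn.name}: {finding}")
```

To use it on a real machine, redirect ipconfig /all to a file and feed the file's contents to parse_ipconfig instead of SAMPLE_IPCONFIG; the same checks then apply to the server (adapters_with_dns) and to the client (check_vpn_adapter).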
 
Ok, I have taken the DNS servers out of the external card. I will try
VPNing in when I get home and see what happens.
 
Keep your fingers crossed.

Are you trying to connect by the fully-qualified name or just the server
name?

If the latter, make sure YOUR computer's name is fully qualified.

Ray
 
Hi Ray,

I tried connecting last night. I was able to connect just fine, but
resolving machine names to IPs still didn't work. The DNS servers are
still out of the external card. What else could I look into to see what
is causing this?
 
I also tried connecting with a fully qualified domain name on the VPN
Client, but that still gave me the same problem.
 
XxLicherxX said:
I also tried connecting with a fully qualified domain name on the VPN
Client, but that still gave me the same problem.

Also make sure the ISA server's external interface is allowed both UDP and
TCP 53 traffic to and from it.


Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If you are having difficulty in reading or finding responses to your post,
instead of the website you are using, if I may suggest to use OEx (Outlook
Express or any other newsreader of your choosing), and configure a newsgroup
account, pointing to news.microsoft.com. This is a direct link into the
Microsoft Public Newsgroups, and it is FREE and DOES NOT require a Usenet
account with your ISP. With OEx, you can easily find your post, track
threads, cross-post, and sort by date, poster's name, watched threads or
subject.

Not sure how? It's easy:
How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer
Assimilation Imminent. Resistance is Futile.
Infinite Diversities in Infinite Combinations.
=================================
 
Hi everyone,

Thanks again for all of your responses. I think this problem has
something to do with the DHCP server. Every time a client connects
through a high speed connection, they will get an IP of
169.xxx.xxx.xxx. I believe this means that the DHCP server is not
handing out IP addresses like it should. I am also getting the following
error (# 20169) in the event log:

"Unable to contact a DHCP server. The Automatic Private IP Address
169.254.183.229 will be assigned to dial-in clients. Clients may be
unable to access resources on the network"

I look in RRAS and it is set to use the DHCP server. I don't see any
other configuration options for this. Do I need to have DHCP service
installed on the same server as ISA in order for this to work? I also
see that it is possible to assign static IPs, but I don't want to do
this.
 
XxLicherxX said:
Hi everyone,

Thanks again for all of your responses. I think this problem has
something to do with the DHCP server. Every time a client connects
through a high speed connection, they will get an IP of
169.xxx.xxx.xxx. I believe this means that the DHCP server is not
handing out IP addresses like it should. I am also getting the following
error (# 20169) in the event log:

"Unable to contact a DHCP server. The Automatic Private IP Address
169.254.183.229 will be assigned to dial-in clients. Clients may be
unable to access resources on the network"

I look in RRAS and it is set to use the DHCP server. I don't see any
other configuration options for this. Do I need to have DHCP service
installed on the same server as ISA in order for this to work? I also
see that it is possible to assign static IPs, but I don't want to do
this.

You shouldn't need to do that.

If you've specified RRAS to use the internal DHCP server (assuming the
subnet is different for the VPN clients), you've created a scope for the VPN
client subnet, you've set up a DHCP relay, and the ISA rules are allowing it,
it should give out IPs.

Using DHCP with ISA/VPN Server Clients
http://www.isaserver.org/tutorials/dhcpoptions.html

Enabling DHCP Relay for ISA Firewall VPN Clients
http://www.isaserver.org/tutorials/2004dhcprelay.html

Ace
 
Hi Ace,

Thanks for the links. It looks like DHCP is working properly now;
someone has VPNed in and has an IP address in the lease pool, however
DNS still won't resolve. All that works for accessing network resources
is IP.

Now I am seeing this error in the eventviewer from Microsoft H.323
Gatekeeper:

Failed to create a RAS context for the IP address 192.168.0.xx. Please
insure that no other application or service is using the H.225 RAS
ports (1719 and 1718). Context status code: 00002751H Context status
text: A socket operation was attempted to an unreachable host.

Does this have anything to do with my problem? 192.168.0.xx is an
address that is in the lease pool for VPN clients.
 
XxLicherxX said:
Hi Ace,

Thanks for the links. It looks like DHCP is working properly now;
someone has VPNed in and has an IP address in the lease pool, however
DNS still won't resolve. All that works for accessing network
resources is IP.

Now I am seeing this error in the eventviewer from Microsoft H.323
Gatekeeper:

Failed to create a RAS context for the IP address 192.168.0.xx. Please
insure that no other application or service is using the H.225 RAS
ports (1719 and 1718). Context status code: 00002751H Context status
text: A socket operation was attempted to an unreachable host.

Does this have anything to do with my problem? 192.168.0.xx is an
address that is in the lease pool for VPN clients.

Possibly. Try this:
netsh routing ip nat delete h323

You can always re-enable H.323 support by substituting 'add' for 'delete'.

Also, are you using WINS? That supports NetBIOS name resolution for the VPN
clients.

Ace
 
Hi Ace,

I just tried adding a WINS server in the entry for the internal network
adapter. I then changed the setting in RRAS for dialup clients (so I
can try a VPN from work) back to letting RAS decide what adapter to
use. Still won't work. Will this make a difference with a high speed
connection? Also, what will the command:

netsh routing ip nat delete h323

do? Will this only affect VPN or will it impact other things?

Thanks
 
XxLicherxX said:
Hi Ace,

I just tried adding a WINS server in the entry for the internal
network adapter. I then changed the setting in RRAS for dialup
clients (so I can try a VPN from work) back to letting RAS decide
what adapter to use. Still won't work. Will this make a difference
with a high speed connection? Also, what will the command:

netsh routing ip nat delete h323

do? Will this only affect VPN or will it impact other things?

Thanks

It disables H.323 support. My feeling is if it has to do with H.323, as that
message you received indicates (whether it is or not), you can disable it and
see if it works. By default H.323 is enabled. You can also re-enable it as I
mentioned.

Read this for more info:
261203 - Error Messages When Windows 2000 Client in Windows 2000 Domain
Attempts to Open Active Directory Snap-in [NAT, H.323, PDU size, Netsh and
LDAP issues with multi NAT'ed NICs]:
http://support.microsoft.com/?id=261203

It's either that or you don't have ISA set up properly, which I supplied
links on. High speed, low speed, doesn't matter. It's a matter of
creating the VPN correctly within ISA with the VPN clients on their own
subnet, having the correct rules in order to allow traffic from their subnet
to the internal subnet, and creating a scope on your internal DHCP (with the
necessary options, such as WINS, gateway, internal DNS addresses, etc.) for
that subnet with a DHCP relay for that subnet. If disabling H.323 doesn't do
the trick, re-enable it.

Ace
 
Hey Guys,

Thanks for all your help thus far. I think I have isolated the problem.
I believe the client is not receiving WINS server information when it
makes the VPN connection. I added the WINS server into the VPN settings
on the client machine, and now everything works fine. Where do I
check/set the WINS for VPN clients on the firewall?

Thanks
 
XxLicherxX said:
Hey Guys,

Thanks for all your help thus far. I think I have isolated the
problem. I believe the client is not receiving WINS server
information when it makes the VPN connection. I added the WINS server
into the VPN settings on the client machine, and now everything
works fine. Where do I check/set the WINS for VPN clients on the
firewall?

Thanks

As I said before, it's a DHCP option. It's two DHCP Options: Option 041 (the
WINS server IP) and 044 (Node type: set it to 0x8). If the VPN server is
offering DHCP, set it in there. If DHCP is coming from the internal AD
network DHCP server, I assume you already have that option configured??

Ace
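Ace's answer is that the WINS server and the NetBIOS node type reach the VPN client as DHCP options in the lease, so the thread's final symptom (names resolve only after WINS is typed into the client by hand) means the scope or relay is not delivering those options. The following is an added example of my own, not code from the thread, from Microsoft or from ISA Server: it encodes and decodes the two options in RFC 2132's type-length-value format, using the option numbers RFC 2132 assigns (44 for NetBIOS name servers, 46 for the node type, which the Windows DHCP console lists as "044 WINS/NBNS Servers" and "046 WINS/NBT Node Type"), and checks a lease's option block for exactly the gap the poster hit. The WINS address 192.168.0.5 is a constructed sample in the poster's 192.168.0.x range, not a real server.

```python
import ipaddress

# DHCP option codes from RFC 2132.
OPT_NETBIOS_NAME_SERVERS = 44   # list of WINS/NBNS server addresses
OPT_NETBIOS_NODE_TYPE = 46      # one byte: 0x1 B, 0x2 P, 0x4 M, 0x8 H (hybrid)
OPT_PAD = 0
OPT_END = 255
VALID_NODE_TYPES = (0x1, 0x2, 0x4, 0x8)


def encode_wins_options(wins_servers, node_type=0x8):
    """Build the option bytes a scope hands out so a client learns its WINS
    server(s) and uses hybrid (H-node) NetBIOS name resolution."""
    if not wins_servers:
        raise ValueError("at least one WINS server is required")
    if node_type not in VALID_NODE_TYPES:
        raise ValueError(f"invalid NetBIOS node type {node_type:#x}")
    addrs = b"".join(ipaddress.IPv4Address(s).packed for s in wins_servers)
    return (bytes([OPT_NETBIOS_NAME_SERVERS, len(addrs)]) + addrs
            + bytes([OPT_NETBIOS_NODE_TYPE, 1, node_type])
            + bytes([OPT_END]))


def decode_options(blob):
    """Parse a type-length-value option block into {code: raw bytes}."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code} is missing its length byte")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} is truncated")
        opts[code] = data
        i += 2 + length
    return opts


def wins_servers(blob):
    """WINS addresses in the lease, in the order the server listed them."""
    data = decode_options(blob).get(OPT_NETBIOS_NAME_SERVERS, b"")
    if len(data) % 4:
        raise ValueError("option 44 length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(data[i:i + 4]))
            for i in range(0, len(data), 4)]


def check_lease_options(blob):
    """Return the WINS-related gaps a client would have with this lease.
    An empty list means the lease carries what the thread's fix needed."""
    opts = decode_options(blob)
    problems = []
    servers = opts.get(OPT_NETBIOS_NAME_SERVERS, b"")
    if len(servers) % 4:
        problems.append("option 44 length is not a multiple of 4")
    elif not servers:
        problems.append("no WINS server (option 44) in the lease")
    node = opts.get(OPT_NETBIOS_NODE_TYPE)
    if node is None:
        problems.append("no node type (option 46) in the lease")
    elif len(node) != 1 or node[0] not in VALID_NODE_TYPES:
        problems.append("option 46 carries an invalid node type")
    return problems


if __name__ == "__main__":
    lease = encode_wins_options(["192.168.0.5"])   # constructed sample address
    print("encoded options:", lease.hex())
    print("WINS servers:", wins_servers(lease), "problems:", check_lease_options(lease))
    # A lease with no WINS options at all, like the poster's clients were getting.
    print("bare lease problems:", check_lease_options(bytes([OPT_END])))
```

The decoder tolerates pad bytes and stops at the end marker, and both checks raise on a malformed length rather than silently reading a partial address, which is the behaviour you want from anything that inspects lease data on the wire.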
 