RAS causing name resolution failure

DavidLee

I have been trying to setup a Win2K server to provide a VPN connection
from the public internet to our private LAN. I have 2 NICs, one
exposed to public internet and one connected to our private LAN. I
basically just followed the wizard for setting up RAS. I configured it
for a single PPTP port and a single L2TP port. I initially configured
it to use my LAN's DHCP server to assign addresses to VPN clients (with
DHCP relay agent pointing to it). Later, I configured RAS to assign
the addresses itself... using a pool of 4 addresses I specified.

At first, both configurations noted above appeared to work fine. I was
able to use an XP laptop connected to the internet side and connect to
the LAN via both PPTP and L2TP. But then after a period of time
(curiously... it occurs typically around 5pm), the RAS server loses
network functionality. I can still ping IP addresses, but name
resolution doesn't work. The server can no longer communicate with our
domain controller and the event log fills up with browser service
related errors.

If I disable the RAS service and restart the computer browser service,
then everything is back to normal... name resolution is OK, no errors
in event log, etc. If I restart the RAS service... VPN connections
work OK... but after a period of time... down it goes again.

Another issue, that may or may not be related. RAS seems to be an IP
hog. By my count, the server should need a maximum of 4 IP addresses
(on the LAN subnet) for this configuration. One for the NIC, one for
the "internal" interface, one for a PPTP client and one for an L2TP
client. Yet... when I had it configured to use my DHCP server, it
grabbed ALL of my available IP addresses... 9 (I have a small, 32
address subnet). And that is in addition to the "reserved" address I
had for the NIC. Hence, the reason I switched to having the RAS
server assign its own IPs, based upon a 4 address pool I gave it.

Any suggestions about why these problems occur? When I first attempted
this project, I was using a machine that had formerly been a domain
controller. When I ran into these issues, I FDISK'd the machine and
started from scratch. Same problem.

Any ideas would be appreciated.

Dave
 
Enabling RRAS on a multihomed computer may cause a name resolution issue even if it is not a DC. What you should do is re-configure the TCP/IP to publish only the LAN IP in the DNS and WINS. This how-to may help:

name resolution and connectivity issues on RRAS Case Study - Name resolution and connectivity issues on a RRAS that also runs DC, DNS or WINS. A computer that is running Windows Server may have name ...
www.howtonetworking.com/casestudy/rraswithdcdnswins1.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
I tried those items, but no luck. Already had an A record for the RAS
server. And though I had no indication of problems with extra entries
in DNS or WINS, I made the suggested registry entries to
publish/register only the Local NIC's IP address. And I just tried
using a unique subnet for the RAS address pool (i.e., different than the
subnet the local NIC resides on). Bottom line... same problem.

Any other ideas?

Dave
 
Any errors in the event viewer?

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Yep, mostly browser service related. For instance, I get lots of
EventID 8021 ("The browser was unable to retrieve a list of servers
from the browser master \\xxxxx on the network...") and EventID 8032
("The browser service has failed to retrieve the backup list too many
times on transport... the backup browser is stopping"). I also get
from the W32Time source numerous EventID 54 ("The Windows Time Service
was not able to find a domain controller. A time and date update was
not possible"). I also get some from NetLogon with EventID 5783 and
5719... basically complaining about not being able to find a domain
controller. I think that is when I try to logon locally to the server.

Dave
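The event IDs Dave lists (Browser 8021/8032, W32Time 54, NetLogon 5719/5783) are only meaningful here because they track the RAS service state: they appear hours after RAS starts and vanish seconds after it stops. The script below is an added example, not something posted in this thread or shipped with Windows; it recovers the RAS running windows from Service Control Manager event 7036 (the generic "service entered the running/stopped state" record) in a constructed tab-separated event export, then counts how many of the symptom events fall inside versus outside those windows and how long after each RAS start the first one shows up. The log lines, the "ExampleApp" filler events and the DC name are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Event IDs quoted in the thread: Browser 8021/8032 (master browser unreachable, backup
# list failures) and W32Time 54, NetLogon 5719/5783 (no domain controller found).
SYMPTOM_EVENTS = {8021, 8032, 54, 5719, 5783}

# Service Control Manager event 7036 ("The X service entered the Y state") is the
# generic service start/stop record; it is used here to recover when RRAS was running.
SCM_STATE_CHANGE = 7036
RRAS_NAME = "Routing and Remote Access"


@dataclass(frozen=True)
class Event:
    when: datetime
    source: str
    event_id: int
    message: str


def parse_event(line):
    """Parse one constructed tab-separated export line: time, source, id, message."""
    when, source, event_id, message = line.split("\t", 3)
    return Event(datetime.strptime(when, "%Y-%m-%d %H:%M"), source, int(event_id), message)


# Constructed event export: RRAS runs about 4 hours before the first Browser error, the
# errors stop when RRAS stops, and they return a few hours after the next RRAS start.
SAMPLE_LOG = """\
2004-03-02 13:00\tService Control Manager\t7036\tThe Routing and Remote Access service entered the running state.
2004-03-02 13:10\tExampleApp\t1000\tUnrelated informational event (constructed filler).
2004-03-02 17:00\tBROWSER\t8021\tThe browser was unable to retrieve a list of servers from the browser master \\\\DC1 on the network.
2004-03-02 17:03\tBROWSER\t8032\tThe browser service has failed to retrieve the backup list too many times on transport. The backup browser is stopping.
2004-03-02 17:15\tW32Time\t54\tThe Windows Time Service was not able to find a domain controller.
2004-03-02 17:20\tNETLOGON\t5719\tNo domain controller is available for the domain.
2004-03-02 17:31\tService Control Manager\t7036\tThe Routing and Remote Access service entered the stopped state.
2004-03-02 17:40\tExampleApp\t1000\tUnrelated informational event (constructed filler).
2004-03-03 08:00\tService Control Manager\t7036\tThe Routing and Remote Access service entered the running state.
2004-03-03 12:45\tBROWSER\t8021\tThe browser was unable to retrieve a list of servers from the browser master \\\\DC1 on the network.
"""


def rras_windows(events):
    """Derive (start, stop) intervals from SCM 7036 state changes for the RRAS service.
    A window still open at the end of the log gets stop=None."""
    windows, start = [], None
    for ev in events:
        if ev.event_id != SCM_STATE_CHANGE or RRAS_NAME not in ev.message:
            continue
        if "running state" in ev.message and start is None:
            start = ev.when
        elif "stopped state" in ev.message and start is not None:
            windows.append((start, ev.when))
            start = None
    if start is not None:
        windows.append((start, None))
    return windows


def _in_window(ev, start, stop):
    return ev.when >= start and (stop is None or ev.when <= stop)


def correlate(events, windows):
    """Return ([(symptom_count, hours_from_rras_start_to_first_symptom) per window],
    symptom_count_outside_all_windows)."""
    symptoms = [ev for ev in events if ev.event_id in SYMPTOM_EVENTS]
    inside = []
    for start, stop in windows:
        hits = [ev for ev in symptoms if _in_window(ev, start, stop)]
        delay = (hits[0].when - start).total_seconds() / 3600 if hits else None
        inside.append((len(hits), delay))
    outside = sum(
        1 for ev in symptoms
        if not any(_in_window(ev, s, e) for s, e in windows)
    )
    return inside, outside


def verdict(inside, outside):
    """True when every RRAS window contains symptoms and none occur while RRAS is down."""
    return bool(inside) and all(count > 0 for count, _ in inside) and outside == 0


if __name__ == "__main__":
    evs = [parse_event(line) for line in SAMPLE_LOG.splitlines()]
    wins = rras_windows(evs)
    inside, outside = correlate(evs, wins)
    for (start, stop), (count, delay) in zip(wins, inside):
        print(f"RRAS {start} -> {stop or 'still running'}: {count} symptom events, "
              f"first after {delay} h")
    print(f"symptom events while RRAS was down: {outside}")
    print("RRAS correlates with the failures:", verdict(inside, outside))
```

On the constructed sample this reports four symptom events in the first window (first one 4.0 hours after the start), one in the second, and none while RRAS was stopped, which is the pattern Dave describes. On a real export you would feed the same function a `wevtutil` or Event Viewer export converted to the same four tab-separated columns.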
 
It seems to me you have a master browser issue. You may want to use browstat to troubleshoot it.

Event ID Troubleshooting Event ID 2504, 2505, 8021 and 8032 - Inability to Browse ... Event id: 8032 - The browser service has failed to retrieve the backup list too many times ...
www.chicagotech.net/wineventid.htm


Computer Browser 2) Event id: 8032 and Description: The browser service has failed to retrieve the backup list too many times on transport of <protocol_netcard>. ...
www.chicagotech.net/browser.htm



Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
This issue has gone well past a mild irritant to just plain ridiculous.
The MS wizard and webcasts seem to basically indicate that setting up
a VPN with their server "just works". Well... it doesn't. I have a
machine that worked for years as a DC without problem. It STILL works
just fine without any browser issues... as long as RAS is shut down.
But if I start RAS, within a matter of hours, the browser service
starts having major problems. If I shut down RAS, within seconds the
browser issues go away.

I have re-installed the OS from scratch... didn't help. I have taken
pains to make sure the addresses assigned come from a subnet not
remotely similar to what is on the LAN or that of the client. I shut
down the computer browser service on the RAS server to assure it
doesn't become the master browser for the subnet. Though it seems
somewhat counter-intuitive, as per suggestions by some online sources,
I removed the default gateway entry from the LAN NIC config and put a
default gateway entry in the public internet NIC config. In short, I
have tried everything mentioned by you (or links you provided), and any
other source I have run across. No luck.

I can't imagine it should be this hard to setup a NIC. There has GOT
to be some critical step that is simply left out of the wizard and
documentation. I don't see what can be unusual about what I'm trying
to do. Simply take a Win2KSP4 server with 2 NICs, one on the public
internet, and one on a private LAN, and setup a VPN connection for
off-site users to access the net. Isn't that what VPNs are all about?
So why does the browser service fail every time I start RAS (and not
immediately... it may take up to 4 or 5 hours... but once failed...
recovery is immediate after I shut down RAS).
 
I left out a couple things. When I noticed it failed yesterday,
running browstat status indicated it wasn't able to communicate with
the master browser on this segment. So it retrieved the browser list
from a master browser on another segment (another office, reached over
our WAN). So I checked to see if I could look at the shares on our
master browser machine (which is our local DC), and I couldn't. But I
could see the shares on other machines on our segment. And other
machines on this segment could see the master browser's share. So it
was a problem uniquely with communication between our RAS server and
our DC/MBR. But... I COULD ping between these machines, which I
interpret as meaning there isn't a basic network connectivity issue
(such as a problem with the ethernet switch both are connected to).

After noting the above, I read through some other documentation on the
web (can't recall if it was what you provided), and it indicated
changing which connection I entered the default gw on might matter.
Also, the addresses I was using for the clients was on an adjacent
subnet to the LAN's subnet, and I got to wondering if something was
using the wrong mask, so I changed the assignment pool to use a widely
separated (192.168.2.0 vs 172.16.47.0) subnet. I don't know if it is
coincidence or related, but this time when the browser service failed,
I got a somewhat different result from browstat: "Browsing is NOT
active on domain. Status: 6118. Mastername cannot be determined from
Get adapter Status". In earlier cases, it still indicated browsing was
active on the domain... it just couldn't find my local MBR and grabbed
one across the WAN instead.

But in either case... shutting down RAS immediately (within a matter of
seconds), restored normal browser function.
 
Browsing over a WAN is not easy. I don't recall if I asked that before. Posting the result of ipconfig /all (after establishing the VPN) here may help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
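Bob's two suggestions in this thread (publish only the LAN IP in DNS/WINS, and look at `ipconfig /all`) and Dave's own experiments (default gateway placement, VPN pool adjacent to or separate from the LAN subnet) can all be checked mechanically from that one output. The script below is an added example, not code from the thread or from Microsoft: it parses a constructed Windows 2000 `ipconfig /all` listing for a two-NIC RRAS server, then reports the conditions discussed here: more than one default gateway, a non-LAN interface (the RRAS dial-in interface) holding an address inside the LAN subnet, A records for the server that are not the LAN NIC address, and a VPN pool that overlaps or sits adjacent to the LAN subnet. The adapter names, addresses (documentation/private ranges), the A-record list and the pools are constructed.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output for a two-NIC Windows 2000 RRAS server, modelled
# on the thread: LAN NIC on a 32-address subnet, public NIC carrying a default gateway,
# and the RRAS dial-in interface. Addresses are documentation/private ranges, not real hosts.
SAMPLE_IPCONFIG = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : rasbox
        Primary DNS Suffix  . . . . . . . : example.test

Ethernet adapter LAN:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 172.16.47.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.224
        Default Gateway . . . . . . . . . : 172.16.47.1
        DNS Servers . . . . . . . . . . . : 172.16.47.5
        Primary WINS Server . . . . . . . : 172.16.47.5

Ethernet adapter Public:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 203.0.113.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . : 203.0.113.17

PPP adapter RAS Server (Dial In) Interface:

        IP Address. . . . . . . . . . . . : 172.16.47.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . :
"""

# Constructed DNS answer for the server's own name, as a DC or client would see it:
# both the LAN NIC and the RRAS internal interface have been registered.
SAMPLE_A_RECORDS = ["172.16.47.10", "172.16.47.20"]

_SECTION = re.compile(r"^(\S.*):\s*$")           # "Ethernet adapter LAN:"
_FIELD = re.compile(r"^\s+(.+?)[ .]*:\s?(.*)$")  # "        IP Address. . . : 172.16.47.10"


def parse_ipconfig(text):
    """Return {adapter_name: {field: value}} for each adapter section of ipconfig /all."""
    adapters, current = {}, None
    for line in text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            adapters[current] = {}
            continue
        m = _FIELD.match(line)
        if m and current is not None:
            adapters[current][m.group(1)] = m.group(2).strip()
    return adapters


def interface_networks(adapters):
    """Map adapter name -> IPv4Interface, skipping adapters without an address and mask."""
    result = {}
    for name, fields in adapters.items():
        ip, mask = fields.get("IP Address"), fields.get("Subnet Mask")
        if ip and mask:
            result[name] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return result


def audit(ipconfig_text, lan_adapter, a_records, vpn_pool):
    """Return a list of finding strings for the multihomed RRAS checks discussed in the thread."""
    adapters = parse_ipconfig(ipconfig_text)
    ifaces = interface_networks(adapters)
    lan = ifaces[lan_adapter]
    findings = []

    # 1. More than one default gateway on a multihomed host.
    with_gw = [name for name, f in adapters.items() if f.get("Default Gateway")]
    if len(with_gw) > 1:
        findings.append(f"multiple default gateways: {', '.join(with_gw)}")

    # 2. Non-LAN interfaces (e.g. the RRAS dial-in interface) carrying a LAN-subnet address.
    for name, iface in ifaces.items():
        if name != lan_adapter and iface.ip in lan.network:
            findings.append(f"{name} holds LAN-subnet address {iface.ip}")

    # 3. A records for the host that would steer clients/DCs to something other than the LAN NIC.
    extra = [r for r in a_records if ipaddress.IPv4Address(r) != lan.ip]
    if extra:
        findings.append(f"A records not on the LAN NIC: {', '.join(extra)}")

    # 4. VPN address pool overlapping, or adjacent to, the LAN subnet.
    pool = ipaddress.IPv4Network(vpn_pool)
    if pool.overlaps(lan.network):
        findings.append(f"VPN pool {pool} overlaps LAN subnet {lan.network}")
    elif pool.prefixlen == lan.network.prefixlen and pool.supernet() == lan.network.supernet():
        findings.append(f"VPN pool {pool} is adjacent to LAN subnet {lan.network}; "
                        "a wrong mask on either side would merge them")
    return findings


if __name__ == "__main__":
    for pool in ("172.16.47.16/28", "172.16.47.32/27", "192.168.2.0/29"):
        print(f"pool {pool}:")
        for finding in audit(SAMPLE_IPCONFIG, "Ethernet adapter LAN", SAMPLE_A_RECORDS, pool):
            print("  -", finding)
```

Run against the sample, the first two pools (inside and adjacent to 172.16.47.0/27) each produce four findings and the widely separated 192.168.2.0/29 pool produces three; the two-gateway, LAN-address-on-PPP and extra-A-record findings remain whichever pool is used, which matches Dave's observation that moving the pool alone did not cure the problem. To use it on a real server, paste the actual `ipconfig /all` text in place of the sample and the answer from `nslookup <servername>` in place of the A-record list.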
 