VPN connects, Unable to ping anything but the VPN server

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi there, PPTP has been working on a machine (DC windows 2003) single
interface (It has two but the second is disabled) ISA is NOT installed and
no plans to install it. The server is behind a firewall which is configured
correctly

Remote clients authenticate and connect and get an ip address dished out by
the local DHCP server

VPN server 10.0.0.4/24 GW 10.0.0.1
client receives and ip of 10.0.0.108-125 with a subnet mask of 255.255.255.255
The VPN client receives DNS and WINS as I would expect it to.

The client can ping 10.0.0.4 (VPN server) but cannot ping anything else on
the VPN severs network.


Below is the configuration tab settings of the RRAS snapin:

In RRAS in the Genral tab: Enable this computer as a: (*) router (*)
Lan and Demand-dial routing (*) Remote access server

IP tab: (*) Enable IP routing (*) Allow ip-based remote access and
deman-dial connections (*) Dynamic host Configuration Protocol (*) enable
Broadcast name resolution

PPP Tab : All are checked

---
(10.0.0.111 iis the IP address of my test machine currently connected to the
VPN server)

In the RRAS Snapin under Server -> IP routing -> general
loopback 127.0.0.1 UP Operational
Local Area Connection Dedicated 10.0.0.4 UP Operational
Internal Internal 10.0.0.111 UP
 
posting the results of both vpn server and client routing table here may help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
Hi there, PPTP has been working on a machine (DC windows 2003) single
interface (It has two but the second is disabled) ISA is NOT installed and
no plans to install it. The server is behind a firewall which is configured
correctly

Remote clients authenticate and connect and get an ip address dished out by
the local DHCP server

VPN server 10.0.0.4/24 GW 10.0.0.1
client receives and ip of 10.0.0.108-125 with a subnet mask of 255.255.255.255
The VPN client receives DNS and WINS as I would expect it to.

The client can ping 10.0.0.4 (VPN server) but cannot ping anything else on
the VPN severs network.


Below is the configuration tab settings of the RRAS snapin:

In RRAS in the Genral tab: Enable this computer as a: (*) router (*)
Lan and Demand-dial routing (*) Remote access server

IP tab: (*) Enable IP routing (*) Allow ip-based remote access and
deman-dial connections (*) Dynamic host Configuration Protocol (*) enable
Broadcast name resolution

PPP Tab : All are checked

---
(10.0.0.111 iis the IP address of my test machine currently connected to the
VPN server)

In the RRAS Snapin under Server -> IP routing -> general
loopback 127.0.0.1 UP Operational
Local Area Connection Dedicated 10.0.0.4 UP Operational
Internal Internal 10.0.0.111 UP
 
One more odd wrinkle. when I connect to the VPN server from the external
client. The server can no long route to the interal address. Pings to the
internal server ip of 10.0.0.4 fail. When I disconnect the VPN connection
pings respond as normal.

I'll include the routing tables for the client and the server, Before and
after connections..


********Client Machine before PPTP connection..

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 b0 87 75 ...... Broadcom 570x Gigabit Integrated Controller
- P
cket Scheduler Miniport
0x3 ...00 90 4b 67 ef bd ...... Dell TrueMobile 1300 WLAN Mini-PCI Card -
Packe
Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.2.200 10.0.2.239 30
10.0.2.0 255.255.255.0 10.0.2.239 10.0.2.239 30
10.0.2.239 255.255.255.255 127.0.0.1 127.0.0.1 30
10.255.255.255 255.255.255.255 10.0.2.239 10.0.2.239 30
24.123.113.26 255.255.255.255 10.0.2.200 10.0.2.239 30
65.54.179.195 255.255.255.255 10.0.2.200 10.0.2.239 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
207.46.19.30 255.255.255.255 10.0.2.200 10.0.2.239 30
224.0.0.0 240.0.0.0 10.0.2.239 10.0.2.239 30
255.255.255.255 255.255.255.255 10.0.2.239 2 1
255.255.255.255 255.255.255.255 10.0.2.239 10.0.2.239 1
Default Gateway: 10.0.2.200
===========================================================================
Persistent Routes:
None

**************The Server before a VPN client connects:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 14 22 1e eb e5 ...... Intel(R) PRO/1000 MT Network Connection #2
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.4 10
10.0.0.0 255.255.255.0 10.0.0.4 10.0.0.4 10
10.0.0.4 255.255.255.255 127.0.0.1 127.0.0.1 10
10.0.0.112 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.0.0.4 10.0.0.4 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.0.0.4 10.0.0.4 10
255.255.255.255 255.255.255.255 10.0.0.4 10.0.0.4 1
Default Gateway: 10.0.0.1
===========================================================================
Persistent Routes:
None

*************The Workstation After the VPN connects:

C:\Documents and Settings\mike>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 b0 87 75 ...... Broadcom 570x Gigabit Integrated Controller
- Pa
cket Scheduler Miniport
0x3 ...00 90 4b 67 ef bd ...... Dell TrueMobile 1300 WLAN Mini-PCI Card -
Packet
Scheduler Miniport
0x1a0005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.108 10.0.0.108 1
0.0.0.0 0.0.0.0 10.0.2.200 10.0.2.239 31
10.0.0.108 255.255.255.255 127.0.0.1 127.0.0.1 50
10.0.2.0 255.255.255.0 10.0.2.239 10.0.2.239 30
10.0.2.239 255.255.255.255 127.0.0.1 127.0.0.1 30
10.255.255.255 255.255.255.255 10.0.0.108 10.0.0.108 50
10.255.255.255 255.255.255.255 10.0.2.239 10.0.2.239 30
24.123.113.26 255.255.255.255 10.0.2.200 10.0.2.239 30
64.122.229.107 255.255.255.255 10.0.2.200 10.0.2.239 30
65.54.179.195 255.255.255.255 10.0.2.200 10.0.2.239 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
207.46.19.30 255.255.255.255 10.0.2.200 10.0.2.239 30
224.0.0.0 240.0.0.0 10.0.2.239 10.0.2.239 30
224.0.0.0 240.0.0.0 10.0.0.108 10.0.0.108 1
255.255.255.255 255.255.255.255 10.0.0.108 10.0.0.108 1
255.255.255.255 255.255.255.255 10.0.2.239 2 1
255.255.255.255 255.255.255.255 10.0.2.239 10.0.2.239 1
Default Gateway: 10.0.0.108
===========================================================================
Persistent Routes:
None

The Server after the VPN is connected
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 14 22 1e eb e5 ...... Intel(R) PRO/1000 MT Network Connection #2
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.4 10
10.0.0.0 255.255.255.0 10.0.0.4 10.0.0.4 10
10.0.0.0 255.255.255.0 10.0.0.109 10.0.0.112 1
10.0.0.4 255.255.255.255 127.0.0.1 127.0.0.1 10
10.0.0.109 255.255.255.255 10.0.0.112 10.0.0.112 1
10.0.0.112 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.0.0.4 10.0.0.4 10
24.123.125.10 255.255.255.255 10.0.0.1 10.0.0.4 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.0.0.4 10.0.0.4 10
255.255.255.255 255.255.255.255 10.0.0.4 10.0.0.4 1
Default Gateway: 10.0.0.1
===========================================================================
Persistent Routes:
None


I did notice the route ont he server that prevents the server from
communicating on its lan while the VPN is active
10.0.0.0 255.255.255.0 10.0.0.109 10.0.0.112 1

Why is it doing this?

if there is more information that you would like to see please include the
syntax of the commands you would like to see.
 
first of all, as we always say it is not recommended enabled RRAS on a DC. That may cause the name resolution and connectivity issue. check this link for the details,

Name resulotion on VPN Connection issues on DC, ISA, DNS and WINS server as VPN server How to assign DNS and WINS on VPN client manually Name resolution Issue in a VPN client ...
www.chicagotech.net/nameresolutionpnvpn.htm

The workstation routing table looks OK. Assuming 10.0.0.109 is RRAS PPP IP, that could be the issue. I would check the RRAS filter first.


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com


One more odd wrinkle. when I connect to the VPN server from the external
client. The server can no long route to the interal address. Pings to the
internal server ip of 10.0.0.4 fail. When I disconnect the VPN connection
pings respond as normal.

I'll include the routing tables for the client and the server, Before and
after connections..


********Client Machine before PPTP connection..

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 b0 87 75 ...... Broadcom 570x Gigabit Integrated Controller
- P
cket Scheduler Miniport
0x3 ...00 90 4b 67 ef bd ...... Dell TrueMobile 1300 WLAN Mini-PCI Card -
Packe
Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.2.200 10.0.2.239 30
10.0.2.0 255.255.255.0 10.0.2.239 10.0.2.239 30
10.0.2.239 255.255.255.255 127.0.0.1 127.0.0.1 30
10.255.255.255 255.255.255.255 10.0.2.239 10.0.2.239 30
24.123.113.26 255.255.255.255 10.0.2.200 10.0.2.239 30
65.54.179.195 255.255.255.255 10.0.2.200 10.0.2.239 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
207.46.19.30 255.255.255.255 10.0.2.200 10.0.2.239 30
224.0.0.0 240.0.0.0 10.0.2.239 10.0.2.239 30
255.255.255.255 255.255.255.255 10.0.2.239 2 1
255.255.255.255 255.255.255.255 10.0.2.239 10.0.2.239 1
Default Gateway: 10.0.2.200
===========================================================================
Persistent Routes:
None

**************The Server before a VPN client connects:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 14 22 1e eb e5 ...... Intel(R) PRO/1000 MT Network Connection #2
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.4 10
10.0.0.0 255.255.255.0 10.0.0.4 10.0.0.4 10
10.0.0.4 255.255.255.255 127.0.0.1 127.0.0.1 10
10.0.0.112 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.0.0.4 10.0.0.4 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.0.0.4 10.0.0.4 10
255.255.255.255 255.255.255.255 10.0.0.4 10.0.0.4 1
Default Gateway: 10.0.0.1
===========================================================================
Persistent Routes:
None

*************The Workstation After the VPN connects:

C:\Documents and Settings\mike>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 0d 56 b0 87 75 ...... Broadcom 570x Gigabit Integrated Controller
- Pa
cket Scheduler Miniport
0x3 ...00 90 4b 67 ef bd ...... Dell TrueMobile 1300 WLAN Mini-PCI Card -
Packet
Scheduler Miniport
0x1a0005 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.108 10.0.0.108 1
0.0.0.0 0.0.0.0 10.0.2.200 10.0.2.239 31
10.0.0.108 255.255.255.255 127.0.0.1 127.0.0.1 50
10.0.2.0 255.255.255.0 10.0.2.239 10.0.2.239 30
10.0.2.239 255.255.255.255 127.0.0.1 127.0.0.1 30
10.255.255.255 255.255.255.255 10.0.0.108 10.0.0.108 50
10.255.255.255 255.255.255.255 10.0.2.239 10.0.2.239 30
24.123.113.26 255.255.255.255 10.0.2.200 10.0.2.239 30
64.122.229.107 255.255.255.255 10.0.2.200 10.0.2.239 30
65.54.179.195 255.255.255.255 10.0.2.200 10.0.2.239 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
207.46.19.30 255.255.255.255 10.0.2.200 10.0.2.239 30
224.0.0.0 240.0.0.0 10.0.2.239 10.0.2.239 30
224.0.0.0 240.0.0.0 10.0.0.108 10.0.0.108 1
255.255.255.255 255.255.255.255 10.0.0.108 10.0.0.108 1
255.255.255.255 255.255.255.255 10.0.2.239 2 1
255.255.255.255 255.255.255.255 10.0.2.239 10.0.2.239 1
Default Gateway: 10.0.0.108
===========================================================================
Persistent Routes:
None

The Server after the VPN is connected
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 14 22 1e eb e5 ...... Intel(R) PRO/1000 MT Network Connection #2
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.0.0.1 10.0.0.4 10
10.0.0.0 255.255.255.0 10.0.0.4 10.0.0.4 10
10.0.0.0 255.255.255.0 10.0.0.109 10.0.0.112 1
10.0.0.4 255.255.255.255 127.0.0.1 127.0.0.1 10
10.0.0.109 255.255.255.255 10.0.0.112 10.0.0.112 1
10.0.0.112 255.255.255.255 127.0.0.1 127.0.0.1 50
10.255.255.255 255.255.255.255 10.0.0.4 10.0.0.4 10
24.123.125.10 255.255.255.255 10.0.0.1 10.0.0.4 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
224.0.0.0 240.0.0.0 10.0.0.4 10.0.0.4 10
255.255.255.255 255.255.255.255 10.0.0.4 10.0.0.4 1
Default Gateway: 10.0.0.1
===========================================================================
Persistent Routes:
None


I did notice the route ont he server that prevents the server from
communicating on its lan while the VPN is active
10.0.0.0 255.255.255.0 10.0.0.109 10.0.0.112 1

Why is it doing this?

if there is more information that you would like to see please include the
syntax of the commands you would like to see.
 
name resolution is not a problem. It will resolve any name of any
workstation or server on the network. The Workstation gets the correct DNS
and WINS settings and it works just fine.

As far as I can tell the problem is the routes that are being generated for
both the server and the VPN connected workstation.
 
I've just been looking through the newsgroup for issues that I'm having.
However, I was wondering if you have seen the post "VPN fails to route after
SP1 is installed" from "Wendel Hamilton" in this group? Don't know if this
pertains to your situation. I'm having a similair issue with a Windows 2000
Server.

Good luck,

Mike B.
I.D.M. Technologies
Milwaukee, WI, USA
 
I did read through that but I saw it was for ISA2000 installed on the server,
which I do not have.


I thought about grabbing the hotfix just to see what would happen.

Since I do not have ISA on this machine would it help at all?
 
After much wrangling I got this setup to work.

As described above when the remote workstation connected to the server the
routing tables changed for the worse. A lower metric was assigned to the
VPN interface and the server was not longer able to talk to its own
10.0.0.0/24 network. As such, the workstation was unable to communicate to
other resources on the server side LAN including the inability for ther
server itself to perform any fuctions.

I eventually fixed this by:

Removed routing and remote access and reinstalled (I have been reinstalling
for days) to start from scratch.

Because this server has but one interface I chose custom in the Setup
wizard. The only option in custom that I chose was "VPN server"

***The main differance***
Leaving everything else as default I specified a range of IPs instead of
using my DHCP server (the VPN server is the DHCP,DNS,WINS,AD server for the
network) as I had been doing previously. (This was working for months before
my initial post, it just stopped after the last batch of updates)

Specifying a range of IPs to be dished out by RRAS no longer changes the
metric. when a workstation connects. Everyone is happy and routing as
expected,

I have no idea why this works the way it does now, I don't know what caused
this problem to happen in the first place.

As suggested above the hotfix was NOT applied so that does not seem to be a
factor.

DNS, WINS, and other name resoultions all seem to work just fine. In my
setup the remote workstaion is being fed that info from the server's
configuration.

The Remote workstation can be set to "use default gateway on remote network"
or not depending on your needs, it doesn't seem to have any effect on the
ability to reach server side IPs in this setup.

At best I just have to chalk this lovely experience to another case of
unexplained "Windows Weirdness"
 
Back
Top