Solved

Client not receiving default gateway info from W2K RAS Server

Posted on 2003-11-12
507 Views
Last Modified: 2010-03-19
I am trying to resolve an issue whereby a Windows 2000 RAS Server is not allocating a default gateway to clients, and hence they can't get Internet access via the corporate network.

When I connect a client via ISDN or Modem dial-up, ipconfig states the subnet mask of the connection as 255.255.255.255, and the default gateway is the same as the IP address assigned to the dial-up client.

Computer Name: RASSERVER
Static IP x.x.x.21
SM 255.255.255.0
DG x.x.x.130 router to US office

We also have a Firewall x.x.x.10

RASSERVER Setup
---------------

Setup as a Remote Access Server only.
Enable IP Routing is ticked
Allow IP based remote access... is ticked
Static address pool is defined

IP Routing
----------

General ->Loopback, LAN and Internal. Enable IP Router Management and Router Discovery options both ticked for LAN and Internal interfaces.

Static Routes -> None defined

IGMP -> LAN Connection is enabled as proxy. Internal enabled as router.


Apparently this was working before the firewall was put in place, but now it is not. I imagine it's a routing thing, but I'm not too sure. The firewall is managed by a third party.

Please help.
Question by:gmoore96
13 Comments
 
LVL 4

Expert Comment

by:Roly_Dee
I assume your Internet traffic goes via the Firewall? If so, does your router re-direct unknown traffic to use the firewall, or do you use a web proxy?

Can you do a tracert or ping to an external web site from the RAS server? From the dial-up client? How far do these get?

Let us know, post back the results of the tracert if you like.
0
 

Author Comment

by:gmoore96
Here are the results of a tracert to www.microsoft.com direct from the Rasserver console.

Tracing route to a562.cd.akamai.net [63.208.194.15] over a maximum of 30 hops:

  1   <10 ms   <10 ms   <10 ms  x.x.x.10
  2   <10 ms   <10 ms   <10 ms  demon.internet.router[x.x.x.129]
  3   <10 ms   <10 ms   <10 ms  rea1-bstdx-1.router.demon.net [194.159.7.71]
  4   <10 ms    15 ms   <10 ms  anchor-backbone-11.router.demon.net [194.159.7.5]
  5   <10 ms   <10 ms   <10 ms  anchor-border-1-1-0-2-551.router.demon.net [194.159.36.226]
  6   <10 ms    16 ms    16 ms  tele-border-4-228.router.demon.net [195.173.72.29]
  7   <10 ms    16 ms    15 ms  tele-core-11-1-0-238.router.demon.net [194.159.176.113]
  8    78 ms    94 ms    94 ms  ny1-border-2-x-0-1-1-102.router.demon.net [194.159.176.102]
  9    78 ms    94 ms    94 ms  gige5-0-225.ipcolo2.newyork1.level3.net [64.158.176.129]
 10    78 ms    94 ms    94 ms  ae0-56.bbr2.newyork1.level3.net [64.159.17.162]
 11    94 ms    93 ms   110 ms  so-0-1-0.mp1.boston1.level3.net [209.247.9.125]
 12    94 ms    94 ms    94 ms  gige11-2.hsa1.boston1.level3.net [64.159.3.198]
 13    93 ms    94 ms    94 ms  unknown.level3.net [63.208.194.15]

Trace complete.
[EOF]

We also have an Internet router with the .129 address (as well as the router to the US with the .130 address)

I am not able to dial-in at the moment but can supply a tracert later tonight.

Thanks
0
 
LVL 4

Expert Comment

by:Roly_Dee
I presume the Internet router is only connected to the Firewall and the ISP?

I forgot to ask earlier, how do your RAS clients get IP addresses, via DHCP or a static pool? If static, what is the range? On the same subnet as the RAS server?
0
 

Author Comment

by:gmoore96
Yes the router is only connected to the Firewall and ISP.

The clients get IPs from a static pool in the range x.x.x.140-149, on the same subnet as the rest of the network, including the RAS Server.
0
 
LVL 4

Expert Comment

by:Roly_Dee
That all sounds OK so far, let's see if there is any more info in the client's tracert.

I'm going home soon, will catch up tomorrow... :-)
0
 

Author Comment

by:gmoore96
Thanks Roly, speak tomorrow
0

 

Author Comment

by:gmoore96
Output of tracert from DUN client to www.microsoft.com. x.x.x.140 is the dynamically assigned IP address of the client.

Tracing route to a562.cd.akamai.net [63.208.194.32] over a maximum of 30 hops:

  1   147 ms   135 ms   128 ms  x.x.x.140
  2   142 ms   142 ms   143 ms  x.x.x.10
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out...... and so on
0
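The two traces in this thread show the classic pattern for a firewall drop: the RAS server's trace completes, while the dial-up client's trace answers up to the firewall at x.x.x.10 and then goes silent. The following parser is an added example, not code from the thread, that reads Windows tracert output and reports whether the target was reached, the last hop that answered, and the hop at which answers stop. The sample traces are constructed from the thread's output with the masked x.x.x network replaced by the stand-in 10.0.0 (an assumption); "<10 ms" is recorded as 10.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed samples modelled on the two tracert outputs in the thread.
# 10.0.0 stands in for the thread's masked x.x.x network (assumption).
CLIENT_TRACE = """Tracing route to a562.cd.akamai.net [63.208.194.32] over a maximum of 30 hops:

  1   147 ms   135 ms   128 ms  10.0.0.140
  2   142 ms   142 ms   143 ms  10.0.0.10
  3     *        *        *     Request timed out.
  4     *        *        *     Request timed out.
"""

SERVER_TRACE = """Tracing route to a562.cd.akamai.net [63.208.194.15] over a maximum of 30 hops:
  1   <10 ms   <10 ms   <10 ms  10.0.0.10
  2   <10 ms   <10 ms   <10 ms  demon.internet.router[10.0.0.129]
  3    93 ms    94 ms    94 ms  unknown.level3.net [63.208.194.15]

Trace complete.
"""


class Hop(NamedTuple):
    number: int
    rtts_ms: Tuple[Optional[int], ...]  # None where tracert printed '*'
    host: Optional[str]                 # reverse-DNS name, if tracert found one
    addr: Optional[str]                 # None when the hop never answered


class Verdict(NamedTuple):
    reached_target: bool
    last_responding: Optional[str]   # address of the last hop that answered
    first_silent_hop: Optional[int]  # hop number where answers stop, if any


HEADER_RE = re.compile(r"^Tracing route to (\S+)(?: \[([^\]]+)\])?")
# hop number, then exactly three RTT columns ("<10 ms", "94 ms" or "*"), then the endpoint
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+\s*ms|\*)\s+){3})(.*)$")
RTT_RE = re.compile(r"(<?\d+)\s*ms|\*")
# "name [addr]" or "name[addr]"; a bare address without reverse DNS is handled separately
ENDPOINT_RE = re.compile(r"^(?:(.+?)\s*)?\[([^\]]+)\]$")


def parse_tracert(text: str) -> Tuple[Optional[str], List[Hop]]:
    """Return (target address from the header, list of hops) for Windows tracert output."""
    target = None
    hops: List[Hop] = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            target = h.group(2) or h.group(1)
            continue
        m = HOP_RE.match(line)
        if not m:
            continue
        rtts = tuple(int(r.group(1).lstrip("<")) if r.group(1) else None
                     for r in RTT_RE.finditer(m.group(2)))
        rest = m.group(3).strip()
        host = addr = None
        e = ENDPOINT_RE.match(rest)
        if e:
            host, addr = e.group(1), e.group(2)
        elif re.fullmatch(r"[\w.:-]+", rest):  # bare address, no reverse DNS
            addr = rest
        hops.append(Hop(int(m.group(1)), rtts, host, addr))
    return target, hops


def summarize(text: str) -> Verdict:
    """Locate where a trace stops: the device just before the first silent hop
    (here the firewall at .10) is where to pull logs for the drop."""
    target, hops = parse_tracert(text)
    reached = any(h.addr == target for h in hops)
    answered = [h for h in hops if h.addr]
    last = answered[-1].addr if answered else None
    silent = next((h.number for h in hops if h.addr is None), None)
    return Verdict(reached, last, silent)


if __name__ == "__main__":
    print("client:", summarize(CLIENT_TRACE))
    print("server:", summarize(SERVER_TRACE))
```

Run against the two samples, the client trace reports `reached_target=False`, `last_responding='10.0.0.10'` and `first_silent_hop=3`, while the server trace reports `reached_target=True`; the difference between the two is what points at the firewall rather than at RAS routing.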
 
LVL 9

Expert Comment

by:drev001
This is normal and by design. To use the internet while connected to the vpn, untick the box for "Use Default Gateway on Remote Network". This is set on the client machine within the properties of the VPN Connection. This way, only VPN traffic will travel over the vpn, all other traffic (web browsing) will go out directly over the internet connection.
0
 

Author Comment

by:gmoore96
Thanks drev001, but this is actually a RAS Dial-Up server rather than VPN. We have a VPN server and we use your method for Internet access that way. However, we also have a need for some remote users to dial-in and want to make use of the LAN's connection to the Internet.
0
 
LVL 4

Accepted Solution

by:Roly_Dee (earned 125 total points)
So it seems that your IP packets from RAS clients aren't making it past the firewall. I guess the problem is that the firewall knows that all these packets arrive from the RAS server's NIC, but with different source IP addresses.

Can you double-check that RAS clients can ping hosts on your LAN and also on the WAN link to the US: this will definitely eliminate any IP routing problems. I can't see this as an issue, but your outsourcer might :-)

You should then get the firewall logs and rules checked.

The firewall logs will show the reason the packets are being rejected, and this rule will need to be adjusted. The RAS server probably needs to be identified as a router, so that it is permitted to send traffic with a different source address. Failing that, it could just allow all traffic from the x.x.x.140-149 range, but that is a bit slack :-o and defeats the object of a firewall.

Let me know how you get on
0
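The accepted answer comes down to a firewall rule audit: the dial-up pool is on the LAN subnet, but it is a range (.140-.149) that an outsourced ruleset written around the "known" static hosts can easily leave out, and the thread's resolution confirms the replies were being blocked. The script below is an added example, not the thread's or any vendor's code, that models a stateless first-match ruleset with ipaddress and checks every pool address for both an outbound allow and a reply allow. The 10.0.0 network, the .0/25 "known hosts" block in the weak ruleset and the 198.51.100.7 probe address are constructed assumptions; the /24 mask, the .10 firewall, the .21 RAS server and the .140-.149 pool come from the thread. It also shows that .140-.149 is not a single CIDR block, which is one way such a range gets only partly covered.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

IPv4Net = ipaddress.IPv4Network

# Constructed addressing: 10.0.0 stands in for the thread's masked x.x.x.
LAN = ipaddress.ip_network("10.0.0.0/24")
INTERNET = ipaddress.ip_network("0.0.0.0/0")
POOL_FIRST = ipaddress.ip_address("10.0.0.140")   # static pool from the thread
POOL_LAST = ipaddress.ip_address("10.0.0.149")


@dataclass(frozen=True)
class Rule:
    direction: str   # "out": LAN -> Internet, "in": Internet -> LAN (replies)
    action: str      # "allow" or "deny"
    src: IPv4Net
    dst: IPv4Net


def decide(rules: List[Rule], direction: str, src: str, dst: str) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny).
    A stateful firewall would tie 'in' to an established session; this model
    is deliberately stateless so the reply path has to be allowed explicitly."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.direction == direction and s in r.src and d in r.dst:
            return r.action
    return "deny"


def pool_cidrs(first, last) -> List[IPv4Net]:
    """Smallest set of CIDR blocks that exactly covers a pool range.
    .140-.149 needs three blocks, so a single CIDR rule cannot cover it."""
    return list(ipaddress.summarize_address_range(first, last))


def pool_gaps(rules: List[Rule], first, last, probe: str = "198.51.100.7") -> List[str]:
    """Pool addresses that cannot both reach the Internet and receive replies.
    'probe' is a constructed external address used to exercise the rules."""
    gaps = []
    for n in range(int(first), int(last) + 1):
        addr = str(ipaddress.ip_address(n))
        out_ok = decide(rules, "out", addr, probe) == "allow"
        in_ok = decide(rules, "in", probe, addr) == "allow"
        if not (out_ok and in_ok):
            gaps.append(addr)
    return gaps


# Ruleset modelling the failure described in the thread: the whole LAN may go
# out, but replies are only allowed back to the "known" static hosts (modelled
# as .0/25, an assumption), so replies to the RAS pool are dropped at .10 and
# the dial-up client's tracert dies one hop after the firewall.
BEFORE = [
    Rule("out", "allow", LAN, INTERNET),
    Rule("in", "allow", INTERNET, ipaddress.ip_network("10.0.0.0/25")),
]

# Corrected ruleset: replies are additionally allowed to the pool, expressed as
# its exact CIDR blocks rather than opening the whole /24 (the "slack" option).
AFTER = BEFORE + [Rule("in", "allow", INTERNET, net)
                  for net in pool_cidrs(POOL_FIRST, POOL_LAST)]


if __name__ == "__main__":
    print("pool as CIDR:", [str(n) for n in pool_cidrs(POOL_FIRST, POOL_LAST)])
    print("gaps before:", pool_gaps(BEFORE, POOL_FIRST, POOL_LAST))
    print("gaps after: ", pool_gaps(AFTER, POOL_FIRST, POOL_LAST))
```

With the weak ruleset every pool address is reported as a gap, even though the RAS server at .21 passes; with the corrected ruleset the list is empty. Running the same check whenever the pool or the ruleset changes catches the regression that digilla describes below (working one month, silent the next) before the users do.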
 

Author Comment

by:gmoore96
I can ping hosts on both the LAN and WAN. I will get the Firewall people to check over the logs and rules as per your suggestion and get back to you. Thanks for all your help so far.
0
 

Author Comment

by:gmoore96
Hi Roly, sorry for the delay but we finally got there. There were firewall rules preventing replies going back to the client.

0
 

Expert Comment

by:digilla
I am having the same problem, but I do not believe it to be related to the firewall rules.  To answer some questions that were asked earlier:

-This worked without a problem until about three weeks ago.  Not sure what changed.

-The RAS server can access the internet, but the dial-up clients cannot.

-The Dial-up clients can access network resources but not the internet.

-The Dial-up clients have their own IP address as the gateway or no default gateway listed at all.

-tracert of www.microsoft.com yields the following results:
"Unable to resolve target system name www.microsoft.com"

-Trying to go to the internet from a Dialed-up client spawns absolutely no traffic on the firewall.  No denys, no allows, nothing...

-We are not, nor were we ever, using the RAS server as a router ( I assume because we want to know exactly who the network traffic is coming from on the firewall, so we do not want to mask the IP address in any way), but it worked this way before.

-All other network settings are being pushed down to the machine (DNS, WINS, IP are all correct or within range)

-The Subnet Mask and Default Gateway are the only two incorrect settings.  The SM ends in 255 when it should be 0.

-RAS clients get IP addresses via static pool between 210 and 235.  This is on the same subnet as the RAS server.

-Internet traffic does go through the firewall and we do not use proxy.

-Some of the things I have tried:
>setting the RAS server to be a router
>deleting the TCP/IP protocol and reinstalling
>deleting the network card and reinstalling
>in routing and remote access management, I set a static route = 0.0.0.0 0.0.0.0 10.0.0.xx Internal and 0.0.0.0 0.0.0.0 10.0.0.xx Local area network

-I'm not saying that it is definitely unrelated to the firewall rules, but you would think that denied traffic would be present on the firewall log if it were.  Seems like the traffic never leaves the DUN PC or the RAS server one.

Any help would be greatly appreciated.  Thanks much!

 
0
