Solved

Windows XP VPN Client cannot see folder shares except those shared by the VPN Server

Posted on 2006-11-28
382 Views
Last Modified: 2008-01-09
Hi there,

I have a strange one (I believe).

We have an XP VPN client, using the MS PPTP client connecting into a W2k server in London over the internet.

On the network in London we have a few different servers that host shared folders.

The VPN server has little disk space and as such doesn't host the shared folders.

The problem is that once the Client has connected, he cannot see any of the network shares of any other machines.

In actual fact, he cannot ping, or be pinged by anything other than the VPN Server.

Shared folders on the VPN server ARE accessible to the VPN Client.

There is NO firewall on the VPN server. The network is 192.168.1.x; the VPN client gets allocated 192.168.1.201 when he connects.

The RRAS console has been used to configure the VPN connection. No extra routing table entry should be required as the VPN client and the workstations on the network are on the same subnet. The fact I cannot ping does suggest it's a routing issue though; what can I do?

I'm at a loss as to what to try next.

Thanks in anticipation of your kind assistance.
Question by:davesheppard
18 Comments
 
LVL 77

Expert Comment

by:Rob Williams
>>"No extra routing table entry should be required as the VPN client and the Workstations on the network are on the same subnet. "
This may in fact be the problem. In order for a VPN to function it requires that the local LANs be on different subnets. Since the London office uses 192.168.1.x the remote site must use something else such as 192.168.2.x, assuming a subnet mask of 255.255.255.0. This does not apply to the VPN client's virtual IP. The one exception to this rule is the Windows VPN client. It will often work if, in the client configuration, the "use default gateway on remote network" option is enabled (on by default); however the result is usually as you described: you can only connect to the VPN server. The problem is the routing devices do not know to which subnet to send the packets since they are the same.

Try changing one site as a test. I think you will find this will resolve the problem.
0
 

Author Comment

by:davesheppard
Ok, am in the process of trying; just thought I would add that I disabled the "use default gateway" setting because this was undesirable for web access to go through the London office gateway, when the remote ISP connection was perfectly fine for external traffic....

will update asap!

thanks
0
 
LVL 77

Expert Comment

by:Rob Williams
>>"thought i would add that i disabled the "use default gateway"
I can see your reasons why.
Perhaps try enabling it as a test, since that is easy. As mentioned, the two sites should have different subnets; this is a basic VPN rule, but because the remote gateway option forces traffic to the remote site it sometimes works. As to why this is not consistent, I have yet to figure that out. :-)
Let us know how you make out.
--Rob
0
 

Author Comment

by:davesheppard
Ok, I set the VPN to allocate 192.168.2.201 to the VPN client.

I can't find where it's set, but the VPN server purported to be 192.168.2.200.

When the VPN client connects, I can ping 192.168.2.200 (the server) but cannot ping any of the network IPs (192.168.1.x).

I checked the routing table on the client machine, and there was no route to 192.168.1.0. So I guess pinging 192.168.1.x is fruitless, as packets would be sent to the default gateway (which happens to be the VPN client's internet router, as I disabled "use remote network default gateway").

I therefore tried the "route add 192.168.1.0 mask 255.555.255.0 192.168.2.200 metric 2" command on the VPN client machine.

The response I received was something like "the route cannot be added because the gateway is not on this network". Grrr. Just as I thought this was beginning to make sense!

I'm guessing that the route to 192.168.2.0 will be automatically generated on the VPN server, but I will have to add that same route to the default gateway router on the London network so that the other LAN machines will be able to return packets to the remote VPN client.

I shall have another go tonight and feed back accordingly; any comments, please add!

Thanks again.


0
 
LVL 77

Expert Comment

by:Rob Williams
Changing the VPN allocation will not solve the problem. And adding routes will not work unless you have a router to router tunnel with static routing in place.
As an example, assume you have 2 sites using 192.168.1.0/24 (192.168.1.x with 255.255.255.0). A router routes packets by the subnet to which it belongs. When the router receives a packet for 192.168.1.101 it keeps it within the local network, and directs it to the appropriate device, because it knows the LAN side is 192.168.1.0. If it receives a packet for 24.222.123.123 it will send it to its default gateway, usually the Internet, as it doesn't know the location of the recipient. Though this is all most routers have for a routing table, they could also have static routes for other networks. When you add a VPN you are basically adding another route. However, when it receives a packet destined for 192.168.1.201 (on the remote network) it assumes it is part of the local network, and keeps the packet within the local network. If the Windows PPTP virtual adapter has the "use remote gateway" enabled, the packet should be forced, by the virtual adapter, to the remote network without the router being involved, but this is not proper and is very undependable. It seems to work in some cases and not others.
Basically, you will need to change the subnet of the local LAN at one site or the other. Using the default gateway option "might" be a workaround.
0
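The routing argument in the comment above can be checked mechanically. The Python model below is added here and is not from the thread or from anyone in it: it performs longest-prefix-match route selection over a constructed client routing table in the three states the thread passes through (overlapping subnets; remote side renumbered with the remote gateway option on; a local default route added back). Addresses are the thread's, except 192.168.1.200, an assumed tunnel-end address for the VPN server in the original setup.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    interface: str   # where a matching packet is handed off
    metric: int = 1  # lower wins when prefix lengths tie

def make_routes(entries):
    """Build a routing table from (network, interface, metric) tuples."""
    return [Route(ipaddress.ip_network(n), iface, m) for n, iface, m in entries]

def lookup(routes, dest):
    """Longest-prefix match, lowest metric on a tie; returns the chosen interface."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric)).interface

def subnets_conflict(lan_a, lan_b):
    """True when two LANs overlap, so no router can tell their hosts apart."""
    return ipaddress.ip_network(lan_a).overlaps(ipaddress.ip_network(lan_b))

# Constructed client table for the original setup: both LANs on 192.168.1.0/24,
# "use default gateway on remote network" off. The VPN server's tunnel-end
# address 192.168.1.200 is an assumption; the thread does not give it.
ORIGINAL = make_routes([
    ("0.0.0.0/0",        "Rotherham router", 20),
    ("192.168.1.0/24",   "Rotherham LAN",    20),  # connected route, local LAN
    ("192.168.1.200/32", "PPTP adapter",      1),  # host route to the VPN server
])

# Remote side renumbered to 192.168.2.0/24 with the remote gateway option on,
# which injects a default route through the tunnel at a better metric.
RENUMBERED_REMOTE_GW = make_routes([
    ("0.0.0.0/0",        "Rotherham router", 20),
    ("0.0.0.0/0",        "PPTP adapter",      1),
    ("192.168.2.0/24",   "Rotherham LAN",    20),
    ("192.168.2.200/32", "PPTP adapter",      1),
])

# Same table after adding a 0.0.0.0 route back to the local router at a better
# metric, the idea floated in the thread for keeping web traffic off the tunnel.
LOCAL_DEFAULT_OVERRIDE = make_routes([
    ("0.0.0.0/0",        "Rotherham router",  1),
    ("0.0.0.0/0",        "PPTP adapter",     20),
    ("192.168.2.0/24",   "Rotherham LAN",    20),
    ("192.168.2.200/32", "PPTP adapter",      1),
])

if __name__ == "__main__":
    print(subnets_conflict("192.168.1.0/24", "192.168.1.0/24"))  # True: routers cannot separate the sites
    print(lookup(ORIGINAL, "192.168.1.77"))                  # Rotherham LAN: London server never reached
    print(lookup(ORIGINAL, "192.168.1.200"))                 # PPTP adapter: only the VPN server works
    print(lookup(RENUMBERED_REMOTE_GW, "192.168.1.77"))      # PPTP adapter: London reachable
    print(lookup(RENUMBERED_REMOTE_GW, "24.222.123.123"))    # PPTP adapter: web traffic goes via London
    print(lookup(LOCAL_DEFAULT_OVERRIDE, "192.168.1.77"))    # Rotherham router: London lost again
```

The last lookup reproduces the later warning in the thread: once the local router is the preferred default again and no more specific route points at the tunnel, London traffic leaves by the local internet connection.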
 

Author Comment

by:davesheppard
Last night I set the VPN to 192.168.2.200 - 203 in the RRAS console. Reconnected the VPN and was able to ping both 192.168.2.200 (the server) from the client machine and .201 (the client) from the server machine.

Again, I was unable to ping 192.168.1.76 (the VPN server LAN address) or any other 192.168.1.x address.

I tried adding routes on both the VPN client and server and also the internet routers used as the default gateways for the London and Rotherham networks, to catch 192.168.2.x packets and send them to the appropriate gateways. None of this worked.

I shall have someone on site today to set the "use default gateway on remote network" switch. Once this is done, and hopefully working, I'm hoping I will still be able to add a 0.0.0.0 route to the VPN client machine to force external traffic through the local internet gateway rather than the gateway at the end of the VPN tunnel??

I don't want web traffic etc. going to the internet via the tunnel, then out and back in through the London internet pipe.

Thanks for your continued interest....

0
 
LVL 77

Expert Comment

by:Rob Williams
>>"Again, i was unable to ping 192.168.1.76 (the VPN server LAN address) or any other 192.168.1.x address."
As mentioned, you will need to change the site subnet. Try connecting from another site that uses a different subnet; I think you will find it will work. You cannot have duplicate subnets anywhere along the path. If you sort mail based on city alone, and you have 2 cities with the same name, how will you know to which one to send it? :-) Routers route packets based on the subnet (not talking about the subnet mask, by the way).

>>"I shall have someone on site today to set the "use default gateway on remote network" switch. Once this is done, and hopefully working, Im hoping i will still be able to add a 0.0.0.0 route to the VPN client machine to force external traffic through the local internet gateway "
If successful then the VPN will no longer be the default route, and therefore you will lose remote connectivity.

This is an extremely common problem, and there is no workaround other than changing the site subnet, although the "remote gateway" option will work for some devices, in some situations.
This is why it is important when designing a network to avoid the common/default subnets. Doing so creates conflict with other sites.



0
 

Author Comment

by:davesheppard
Ok, wow. What a session.

I've set the VPN clients to be 192.168.2.x whilst the London net is 192.168.1.x (mask 255.255.255.0).

I've enabled "use default remote gateway".

After doing all this, pinging worked to all hosts on the London network. Whoopee.

BBBUUUUTTTT (sorry)

No internet access, of course... need help with that... as needing the VPN up whilst still being able to surf the web doesn't sound unreasonable to me.....???

Now the main point, accessing shared folders. Simply doesn't work even though I can ping the remote file server (192.168.1.77). Net view 192.168.1.77 results in System error 53. Deep joy.

I've done some web research, and was advised to enable WINS. I've installed this on the server and the client as recommended, but still no access and still system error 53....

The strangest thing: it works perfectly from the London network out to the VPN client share, but I cannot access shares from the VPN client.

This is weird; I thought it would all go swimmingly once I could ping. Weird....

Please help some more! Thanks




0
 
LVL 77

Expert Comment

by:Rob Williams
>>"No internet access, of course... need help with that... as the VPN needs to be up whilst being able to surf the web "
Sorry I cannot help you with that. It is not an option. In order to connect to anything on your local network you need to at least connect to the router which is 192.168.1.x. By enabling the "remote gateway" option, you have opted to force all traffic to the remote network. You cannot direct some 192.168.1.x traffic to London, and other 192.168.1.x traffic to the local network.

Sorry, that is TCP/IP. You need to change the subnet at one end or the other !!!!! Or deal with using the "remote gateway" as is.

As for accessing shares. Browsing uses NetBIOS, and NetBIOS is not broadcast over a VPN. A common solution is to connect by IP such as \\192.168.1.123\ShareName  You can also edit the LMHosts file. Below is a list of options that can help with name resolution.
1) Use the IP address (of the computer you are connecting to) when connecting to devices, such as:   \\123.123.123.123\ShareName   or map a drive at a command prompt using
 Net  Use  U:  \\123.123.123.123\ShareName
2) An option is to use the LMHosts file, which creates a table of IPs and computer names. LMHosts is located in the Windows directory under c:\Windows (or WINNT)\System32\Drivers\Etc\LMHosts.sam; instructions are included within the file. Any line starting with # is just a comment and is ignored. Open the file with Notepad and add entries for your computers as below:
192.168.0.101      CompName       #PRE
Hit enter when each line is complete (important), then save the file without a file extension. To be sure there is no extension, when saving enclose the name in quotations like "LMHosts". Now when you try to connect to a computer name it should find it, as it will search the LMHosts file for the record before connecting.
More details regarding the LMHosts file:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfd_lmh_qxqq.mspx?mfr=true
The drawback of the LMHosts file is you have to maintain a static list of computer names and IP addresses. Also, if the remote end uses DHCP-assigned IPs it is not a feasible option. Thus, in order to be able to use computer names dynamically, try enabling some of the following options:
3) If you have a WINS server, add that to the network card's configuration.
4) Also, under the WINS configuration on the network adapter, make sure NetBIOS over TCP/IP is selected.
5) Try adding the remote DNS server to your local DNS servers in your network card's TCP/IP configuration.
6) Verify your router does not have a "block NetBIOS broadcast" option enabled.
7) Test if you can connect with the full computer and domain name as  \\ComputerName.domain.local  If so, add the suffix DomainName.local to the DNS configuration of the virtual private adapter/connection [ right click virtual adapter | properties | TCP/IP properties | Advanced | DNS | "Append these DNS suffixes (in order)" | Add ]
0
 

Author Comment

by:davesheppard
NetBIOS names are working; I can ping, for example, "datastore". The failure occurs when trying to map a drive to a share, or use a UNC path in My Computer, e.g. //datastore/shared comes back with network path not found....

At the same time I can ping the IP address Windows is failing to find the path to. This is so damn typical.

0
 
LVL 77

Expert Comment

by:Rob Williams
Is  //datastore/shared  a typo? You will get a "network path not found" error with that path ( / should be \ ). Try  \\datastore\shared  , such as \\ServerName\ShareName or \\192.168.123.123\ShareName

Can you ping the IP of the device to which you wish to connect? If not as mentioned "You need to change the subnet at one end or the other !!!!! "
0
 

Author Comment

by:davesheppard
Yes, typo. I have a habit of doing that.

Yes, can ping everything from everything. Remote subnet is 192.168.2.x. London subnet is 192.168.1.x. Both masks are 255.255.255.0.

I have followed your guidance, and am amazed that even after successful pinging throughout the network, I still cannot connect to shares.

I am close to moving the required shared folders to the VPN server. This also means moving the SQL database to the VPN server (yuck). I'm reluctant to do that.

ATB, fingers crossed for your inspiration....

0
 
LVL 77

Expert Comment

by:Rob Williams
Mmmmmm....
Interesting. What, if any, error message do you get when trying to connect? If none, try from a command line something like:
\\192.168.2.123\ShareName
You should get an error, and #.

On the remote systems it is possible the Windows or similar firewall is enabled through group policy to allow access to users from the same LAN but not others. Do you have control of the remote systems to test by disabling the firewall on one remote system, assuming it is enabled?
0
 

Author Comment

by:davesheppard
Ok, will print the error message; I seem to recall "system error 53".

I have not set up any group policy and avoid it at all costs to be honest, being one of Microsoft's amazing blunders, but yes, I do have remote control.... although the firewall is built into the internet routers at each end, so disabling is a bit tricky. They are performing NAT and I haven't unblocked or blocked any particular ports aside from my remote access ports, VPN ports 47 and 1723 and SMTP/POP.



Next problem, I'm sorry, but I have two desktop machines here, and they both wish to establish VPN connections to the same server.

So far I have been unable to establish 2 simultaneous connections to the London office. I can make one, but to establish the other, I have to disconnect the first, then reboot the Netgear router, then the other will connect. To reconnect the other, I have to do the same again.

Anyway, I suspect a Netgear firmware update will fix that...

To fix this shared folder issue, it looks like I'm just going to have to add an external disk to the VPN server and set the shared folder on that, seeing as it seems to be quite happy and functional like that..... I'll persist for a little longer and allocate points as you have been very helpful.

0
 
LVL 77

Accepted Solution

by:Rob Williams earned 250 total points
As for the system error 53, I assume the file shares have been tested from the local network and work OK, and the problem occurs only over the VPN?? Looking for solutions, one was to enable NetBIOS over TCP/IP under the WINS tab of advanced TCP/IP properties of the connecting computer's network adapter. I am doubtful this will help, as the problem occurs even when connecting by IP address, but it is easy enough to try.

As for disabling firewalls, only software firewalls on the server or devices that hold the shares to which you are trying to connect. Leave the router firewall configuration intact.

You mentioned forwarding port 1723 and 47. It is not port 47 but rather protocol 47, GRE. On some routers this is enabled with "PPTP pass-through". Most Netgears have the option to forward built-in services. Enabling forwarding of the built-in PPTP service usually enables both port 1723 and protocol 47. Manually port forwarding port 1723 doesn't enable GRE (protocol 47).

As for only being able to connect one VPN tunnel at a time, you may be stuck with that. Many routers only support a single VPN pass-through tunnel. Have a look at the following site to check:
http://kbserver.netgear.com/kb_web_files/n101222.asp
The solution is to add another Netgear router at the second site and create a site to site tunnel. This has many advantages.

0