nocadmin
Cannot ping VPN IP address, no problem pinging other public IPs from same company, just the VPN address

Ok, this is the deal.  We have one computer that cannot VPN to our network.  The thing is that we cannot even ping the VPN server (public IP) from that machine. The computer can browse the web and ping addresses with no problem.  We can ping all other public IPs on our network, just not the VPN server's IP.  No one else is having this problem.  Everybody else connects fine.  This computer is set up in a small office with cable modem internet access.  Everything has been working fine (almost 2 years).  Nothing has happened or changed.  We have done a trace route and the tracing stops after the ping passes our router.......it's like going to

"40 ms company_name.1152491.cust-rtr.swbell.net [some ip address]
request time out...
-------------------------
when we ping other servers........ after the ping gets to the above there is one more hop and it's complete..........
-----------------------
we believe that if we figure out why we can ping everything else except the VPN server then we have fixed why we cannot VPN to the company.


Any ideas would be greatly appreciated. thanks.
steveoskh

Can others ping the VPN server?   The VPN server is probably set to not respond to any pings.
steveoskh's question would be my first as well. However, if the problem is they cannot ping the internal IP, then perhaps this machine/user has a local subnet which is the same as that of the VPN server. If both use the same local subnet, such as 192.168.1.x, then you will not be able to ping or access the remote server and PCs. This might explain why other users can connect.

ASKER

Yes, any user can ping the public IP of the VPN server....and the computer subnet and the VPN server subnets are totally different.  It's like only this machine and that server..........

Can this have anything to do with the ISP, either from where that computer connects or the ISP for the network where the VPN server lies?
Can't imagine the ISP would be blocking a ping from one computer to a specific address.
What type of VPN solution, Windows? If so when they try to connect by VPN what error# do they get, 800?
Error 678 and occasionally error 800....

using windows VPN built-in.

But I think not being able to receive a reply from that server has something to do with it......
>>"but i think not being able to receive a reply from that server has something to do with it......"
Absolutely, just thought some errors might shed some additional light on it. 678 and 800 basically indicate "nobody is home".

Have you tried TELNETing an open port. I'm sure you will likely get a time out from that as well.

No chance your firewall has blocked access thinking it is a DoS attack or something. Rebooting the VPN's router would reset it.
Hmm, the trace gets to the router at your company but won't get any further.
That rules out the user's ISP blocking access to the IP or blocking VPN traffic (some do).  This also makes it less likely to be a firewall or IPS on the user's system.
Does this user have a fixed IP or is it dynamic?
"Everything worked fine for 2 years, nothing changed"  So this user could connect in the past but now can not?
Do you have a firewall or IPS/IDS that automatically blocks certain IPs?   We have a setup that will blacklist any IP that scans or hits a port that we have "land mined".  This will occasionally bite us if we do a port scan on the public IP.  Our home IP is then locked out until we edit out the entry or restart the firewall.
RobWill/ Steveoskh, we're having some trouble convincing our admin to try these things out.  He's convinced that the problem is on the computer's router/ cable modem.  He says nothing is being blocked on our end of the network.  I have restarted the user's router/cable modem actually....and same issue.  I tried to connect to VPN from another computer (there are only two) and got the exact same issue.  I managed to log in to the user's cable modem and when I try to ping from it I get the same results: I can ping everything except the VPN server.

So now it's not a computer to VPN server issue, rather a site (where the cable modem is at) to VPN server issue.  The site can see (ping) all other servers on the VPN server's network except that particular one.
Ask your admin to ping or trace to the remote PC.  If it is on the server end, the response should be blocked on the return.  Ask if he will search the logs for that IP.
Putting a sniffer in the connection between the vpn server and the Internet connection would allow you to see what packets are flowing in and out.  Then again with an uncooperative admin......
Ok, we are able to ping the cable modem's public IP address from our network, including from the VPN server.  There is one time-out hop, like 3 hops before the end....like 11 will time out, then 12, 13 ok and end ok.

We have upgraded the cable modem's firmware and same issue.
When you did the traceroute from the remote user you get a ping from your router and then next hop should be the VPN server, but it does not return the ping?
My next step would be to put a sniffer on the connection and see where it is failing.
>>"....he's convinced that the problem is on the computers router/ cable modem."
At the client site is it a separate router and cable modem or a combo unit? If separate, try connecting directly to the modem to rule out the router. Make sure Windows firewall is enabled and Windows and virus updates current.
If a combo unit, is it possible to take the PC to another site to verify it is not it, though I am very doubtful the PC is a problem.

To me it sounds like the corporate router has intentionally blocked traffic from your IP. Rebooting that router would reset it if that is the case.
We have connected the cable modem (DSL actually) directly to the computer and it works beautifully without problem.  So the question now would be: why, if the cable modem connects to the home router, is the only problem connecting to a particular VPN server? Thanks......
NAT or duplicate subnets.
Any chance there is an extra hop at the client site, i.e. 2 NAT devices? When the router is connected at the client site, does it get a private (192.168.x.x, 10.x.x.x, or 172.16-32.x.x) IP or a public IP? Should be public.
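Added example, not code from anyone in this thread: a small Python helper that checks the three things raised so far in one place. It parses Windows tracert output to report where the trace stops short of the target (the asker's symptom), checks whether the router's WAN address falls in RFC 1918 or carrier-grade NAT space (the double-NAT question just above), and checks whether the client's LAN overlaps the VPN side's LAN (the duplicate-subnet case steveoskh raised earlier). The tracert text, hostnames and addresses are constructed placeholders from the RFC 5737 documentation ranges, not values from this thread; the 172.16-31.x.x block is used for the check (the /12 ends at 172.31.255.255).

```python
import ipaddress
import re
from typing import Optional

# Constructed sample: Windows "tracert" output with placeholder (RFC 5737) addresses.
# It models the thread's symptom: hops answer up to the ISP-facing router, then time out.
SAMPLE_TRACERT = """\
Tracing route to vpn.example.net [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.123.1
  2     3 ms     2 ms     3 ms  192.168.0.1
  3    40 ms    41 ms    39 ms  cust-rtr.example.net [198.51.100.1]
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.

Trace complete.
"""

# Address space a router's WAN side should never carry if it is the only NAT device:
# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT block.
# ipaddress.is_private is deliberately not used: it also flags documentation ranges
# such as 198.51.100.0/24, which would misclassify the sample above.
NAT_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "  3    40 ms ... host [a.b.c.d]"
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_tracert(text: str) -> list[tuple[int, Optional[str]]]:
    """Return (hop number, responding address or None) for each hop line."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # header, blank and "Trace complete." lines
        addrs = IPV4.findall(m.group(2))
        hops.append((int(m.group(1)), addrs[-1] if addrs else None))
    return hops


def in_nat_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NAT_RANGES)


def behind_another_nat(router_wan_ip: str) -> bool:
    """True if the router's WAN address is private/CGNAT: an upstream device is also doing NAT."""
    return in_nat_range(router_wan_ip)


def leading_private_hops(hops) -> int:
    """Consecutive private-address hops before the first public one; 2 or more hints at double NAT."""
    n = 0
    for _, ip in hops:
        if ip is None or not in_nat_range(ip):
            break
        n += 1
    return n


def subnets_overlap(lan_a: str, lan_b: str) -> bool:
    """Duplicate-subnet check: overlapping LANs shadow the routes to the remote side."""
    return ipaddress.ip_network(lan_a, strict=False).overlaps(
        ipaddress.ip_network(lan_b, strict=False))


def where_trace_stops(hops, target_ip: str):
    """(target reached?, last hop that answered) for a trace toward target_ip."""
    reached = any(ip == target_ip for _, ip in hops)
    answered = [(n, ip) for n, ip in hops if ip]
    return reached, (answered[-1] if answered else None)


def diagnose(tracert_text, target_ip, router_wan_ip, client_lan, vpn_lan) -> list[str]:
    hops = parse_tracert(tracert_text)
    findings = []
    reached, last = where_trace_stops(hops, target_ip)
    if reached:
        findings.append(f"{target_ip} answered the trace")
    elif last:
        findings.append(f"trace stops after hop {last[0]} ({last[1]}); {target_ip} never answers")
    else:
        findings.append("no hop answered at all; check the local gateway first")
    if behind_another_nat(router_wan_ip):
        findings.append(f"router WAN address {router_wan_ip} is private: the modem is also doing NAT (double NAT)")
    elif leading_private_hops(hops) > 1:
        findings.append("more than one private hop before the first public one; look for a second NAT device")
    if subnets_overlap(client_lan, vpn_lan):
        findings.append(f"client LAN {client_lan} overlaps VPN LAN {vpn_lan}; remote hosts will be unreachable")
    return findings


if __name__ == "__main__":
    # Router WAN address and LANs are constructed values for the demonstration.
    for f in diagnose(SAMPLE_TRACERT, "203.0.113.10", "192.168.0.5", "192.168.123.0/24", "10.10.0.0/16"):
        print("-", f)
```

Paste the real tracert output into SAMPLE_TRACERT and give the router's actual WAN address and the two LAN prefixes; a private WAN address is the definitive double-NAT sign, while two leading private hops is only a hint, since some ISPs use private addresses inside their own network.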

The cable modem connects to a home wireless router. From this router one port is used to connect to the client computer.   All other computers use the wireless to connect.  Router is giving 192.168.123.X addresses.....

Could a change at the ISP have anything to do with this? Thanks...........also, some friend mentioned IPSec settings on the router........?

>>"Router is giving 192.168.123.X addresses....."
Yes, but what is its WAN/public IP (only post first 2 octets for security like 66.66.x.x)

>>"all other computers use the wireless to connect"
The wireless router, the one above, or the wireless from the modem. If the latter, Bingo! ,  dual NAT.

The ISP can block IPSec, and the router can block IPSec. However, neither is common. On the router try enabling "IPSec pass Through" if available. Actually the ISP is fine because you can connect when you take the router out of the picture.
My bad on the above...........the cable modem IS assigning the IPs.  All, including the wireless router, have an internal address.......
ASKER CERTIFIED SOLUTION
Rob Williams
The router is wireless also. It has ports for wired machines. There is no dual NAT configuration.  After the user was connecting the cable modem directly for one full day, when we connected the cable modem to the router and the machine to the router everything began working fine again.  I think this cleared some cache on the router. RobWill, pls take the points, thanks to your advice we were able to narrow the problem and eventually resolve it. Thank you.
Sorry, I assumed by "cable-modem IS assigning he IPs.  all, including the wireless router have an internal address" you meant the router was assigned an internal/private IP on the WAN side.

Very welcome, sounds like it is sorted out ??

As for "pls take the points", I cannot do that, you have to award them.
Thanks and Cheers !!
--Rob