Solved

Cannot ping VPN Ip address, no problem pinging other public IPs from same company just the VPN address

Posted on 2007-03-29
20
478 Views
Last Modified: 2013-12-14
Ok, this is the deal.  We have one computer that cannot VPN to our network.  The thing is that we cannot even ping the VPN server (public IP) from that machine. The computer can browse the web and ping addresses with no problem.  We can ping all other public IPs on our network, just not the VPN server's IP.  No one else is having this problem.  Everybody else connects fine.  This computer is set up in a small office with cable modem internet access.  Everything has been working fine (almost 2 years).  Nothing has happened or changed.  We have done a trace route and the tracing stops after the ping passes our router.......it's like going to

"40 ms company_name.1152491.cust-rtr.swbell.net [some ip address]
request time out...
-------------------------
when we ping other servers........ after the ping gets to the above there is one more hop and it's complete..........
-----------------------
we believe that if we figure out why we can ping everything else except the VPN server then we have fixed why we cannot VPN to the company.


Any ideas would be greatly appreciated. thanks.
Question by:nocadmin
20 Comments
 
LVL 14

Expert Comment

by:steveoskh
ID: 18816986
Can others ping the VPN server?   The VPN server is probably set to not respond to any pings.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18819005
steveoskh's question would be my first as well. However, if the problem is they cannot ping the internal IP, then perhaps this machine/user has a local subnet which is the same as that of the VPN server. If both use the same local subnet such as 192.168.1.x then you will not be able to ping or access the remote server and PCs. This might explain why other users can connect.
0
 

Author Comment

by:nocadmin
ID: 18819545
yes any user can ping the public IP of the vpn server....and the computer subnet and the VPN server subnets are totally different.  it's like only this machine and that server..........

can this have anything to do with the ISP, either from where that computer connects or the ISP for the network where the vpn server lies?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18819703
Can't imagine the ISP would be blocking a ping from one computer to a specific address.
What type of VPN solution, Windows? If so when they try to connect by VPN what error# do they get, 800?
0
 

Author Comment

by:nocadmin
ID: 18819745
Error 678 and occasionally error 800....

using windows VPN built-in.

but i think not being able to receive a reply from that server has something to do with it......
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18819850
>>"but i think not being able to receive a reply from that server has something to do with it......"
absolutely, just thought some errors might shed some additional light on it. 678 and 800 basically indicate "nobody is home".

Have you tried TELNETing an open port. I'm sure you will likely get a time out from that as well.

No chance your firewall has blocked access thinking it is a DoS attack or something. Rebooting the VPN's router would reset it.
0
 
LVL 14

Expert Comment

by:steveoskh
ID: 18820116
Hmm, the trace gets to the router at your company but won't get any further.
That rules out the user's ISP blocking access to the IP or blocking VPN traffic (some do).  This also makes it less likely to be a firewall or IPS on the user's system.
Does this user have a fixed IP or is it dynamic?
"Everything worked fine for 2 years, nothing changed"  So this user could connect in the past but now can not?
Do you have a firewall or IPS/IDS that automatically blocks certain IPs?   We have a setup that will blacklist any IP that scans or hits a port that we have "land mined".  This will occasionally bite us if we do a port scan on the public IP.  Our home IP is then locked out until we edit out the entry or restart the firewall.
0
 

Author Comment

by:nocadmin
ID: 18825749
robWill/ Steveoskh, we're having some trouble convincing our admin to try these things out.  He's convinced that the problem is on the computer's router/ cable modem.  He says nothing is being blocked on our end of the network.  I have restarted the user's router/cable-modem actually....and same issue.  I tried to connect to vpn from another computer (there are only two) and got the exact same issue.  I managed to log in to the user's cable modem and when I try to ping from it I get the same results, I can ping everything except the vpn server.

so now it's not a computer to vpn server issue, rather a site (where the cable modem is at) to vpn server issue.  The site can see (ping) all other servers on the vpn server's network except that particular one.
0
 
LVL 14

Expert Comment

by:steveoskh
ID: 18825818
Ask your admin to ping or trace to the remote PC.  If it is on the server end, the response should be blocked on the return.  Ask if he will search the logs for that IP.
Putting a sniffer in the connection between the vpn server and the Internet connection would allow you to see what packets are flowing in and out.  Then again with an uncooperative admin......
0
 

Author Comment

by:nocadmin
ID: 18826259
Ok we are able to ping the cable-modem's public IP address from our network, including from the vpn server.  There is one time-out hop like 3 hops before the end....like 11 will time out then 12, 13 ok and end ok.

we have upgraded the cable-modem's firmware and same issue.
0
 
LVL 14

Expert Comment

by:steveoskh
ID: 18826297
When you did the traceroute from the remote user you get a ping from your router and then next hop should be the VPN server, but it does not return the ping?
My next step would be to put a sniffer on the connection and see where it is failing.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18828872
>>"....he's convinced that the problem is on the computers router/ cable modem."
At the client site is it a separate router and cable modem or a combo unit? If separate, try connecting directly to the modem to rule out the router. Make sure Windows firewall is enabled and Windows and virus updates are current.
If a combo unit, is it possible to take the PC to another site to verify it is not it, though I am very doubtful the PC is a problem.

To me it sounds like the corporate router has intentionally blocked traffic from your IP. Rebooting that router would reset it if that is the case.
0
 

Author Comment

by:nocadmin
ID: 18835455
We have connected the cable-modem (DSL actually), directly to the computer and it works beautifully without problem.  so the question now would be why if the cable modem connects to the home router the only problem is connecting to a particular vpn server. thanks......
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18836120
NAT or duplicate subnets.
Any chance there is an extra hop at the client site, i.e. 2 NAT devices? When the router is connected at the client site does it get a private (192.168.x.x, 10.x.x.x, or 172.16-32.x.x) IP or a public IP? Should be public.

0
 

Author Comment

by:nocadmin
ID: 18836229
the cable-modem connects to a home wireless router. From this router one port is used to connect to the client computer.   All other computers use the wireless to connect.  Router is giving 192.168.123.X addresses.....

could a change at the ISP have anything to do with this? thanks...........also, some friend mentioned IPSec settings on the router........?

0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18836900
>>"Router is giving 192.168.123.X addresses....."
Yes, but what is its WAN/public IP (only post first 2 octets for security like 66.66.x.x)

>>"all other comptuers use the wireless to connect"
The wireless router, the one above, or the wireless from the modem? If the latter, Bingo!, dual NAT.

The ISP can block IPSec, and the router can block IPSec. However, neither is common. On the router try enabling "IPSec pass Through" if available. Actually the ISP is fine because you can connect when you take the router out of the picture.
0
 

Author Comment

by:nocadmin
ID: 18837860
My bad on the above...........the cable-modem IS assigning the IPs.  All, including the wireless router, have an internal address.......
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 250 total points
ID: 18838018
There is your problem. Normally you would have a modem only, and a router. The router is assigned a public IP and it performs NAT (network address translation). In your case the modem is a combined unit providing DHCP and NAT; the router then receives an IP from the modem and again NATs the addressing. VPNs do not like dual NAT configurations.

Normally the solution is to put the modem in bridge mode. This effectively makes it a basic modem, and disables its DHCP option, NAT, and unfortunately, I would assume, the wireless. To resolve you would have to replace the router with a wireless router, or add a wireless access point to the LAN side of the router.
0
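One way to check the dual-NAT diagnosis from the accepted answer at the client site, as an added example that is not from the thread: parse a Windows tracert taken on the client PC and count the RFC1918 hops before the first public address. The sample output and the 192.168.100.1 modem address are constructed; 192.168.123.1 is the router address from the thread.

```python
import ipaddress
import re
# Windows tracert prints one line per hop, e.g. "  1     1 ms     1 ms     1 ms  192.168.123.1",
# or "  4     *        *        *     Request timed out." when a hop does not answer.
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_tracert(text):
    """Return hop addresses in order; '*' marks a hop that timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue  # skip "Tracing route to ..." / "over a maximum of ..." headers
        ip = IPV4.search(m.group(2))
        hops.append(ip.group(1) if ip else "*")
    return hops

def customer_nat_layers(hops):
    """Count consecutive RFC1918 hops before the first public hop: one means a router
    behind a bridged modem, two means the modem NATs as well (the dual-NAT case above).
    ISP-internal private hops would inflate the count, so confirm on the router's WAN page."""
    n = 0
    for hop in hops:
        if hop == "*" or not is_rfc1918(hop):
            break
        n += 1
    return n

def diagnose(tracert_text):
    layers = customer_nat_layers(parse_tracert(tracert_text))
    if layers >= 2:
        return f"double NAT ({layers} private hops): bridge the modem or stop one device NATing"
    return f"single NAT ({layers} private hop(s)): dual NAT is not the cause"

# Constructed sample, not from the thread: hop 1 is the page's 192.168.123.1 router, hop 2 a
# made-up modem LAN address; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_TRACERT = """\
Tracing route to vpn.example.com [203.0.113.10]
over a maximum of 30 hops:

  1     1 ms     1 ms     1 ms  192.168.123.1
  2     2 ms     1 ms     2 ms  192.168.100.1
  3     *        *        *     Request timed out.
  4    40 ms    39 ms    41 ms  203.0.113.10
"""
```

Run `diagnose(SAMPLE_TRACERT)` against the pasted tracert; a result of two private hops matches the modem-plus-router NAT chain described in the accepted answer.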
 

Author Comment

by:nocadmin
ID: 18854223
the router is wireless also. It has ports for wired machines. There is no dual NAT configuration.  After the user was connecting the cable-modem directly for one full day, when we connected the cable-modem to the router and the machine to the router everything began working fine again.  I think this cleared some cache on the router. RobWill, pls take the points, thanks to your advice we were able to narrow the problem and eventually resolve it. Thank you.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18854965
Sorry, I assumed by "cable-modem IS assigning he IPs.  all, including the wireless router have an internal address" you meant the router was assigned an internal/private IP on the WAN side.

Very welcome, sounds like it is sorted out ??

As for "pls take the points", I cannot do that, you have to award them.
Thanks and Cheers !!
--Rob
0
