livegirllove

RRAS 20209, VPN, SBS 2003, DHCP internal adapter

SBS 2003 Standard
2 NIC
CEICW/Remote Access Wizards complete successfully.

Internet Access is fine.  
Internal clients are fine.  IP configs (I don't have one for clients) are correct for WINS/DNS/gateway to the SBS.
Here is the IP config for the server.


Windows IP Configuration

   Host Name . . . . . . . . . . . . : server01
   Primary Dns Suffix  . . . . . . . : Saunders.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : Saunders.local

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Inter
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Autoconfiguration IP Address. . . : 169.254.190.13
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter LAN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : NETGEAR GA311 Gigabi
   Physical Address. . . . . . . . . : 00-0F-B5-FE-98-D4
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.16.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   Primary WINS Server . . . . . . . : 192.168.16.2

Ethernet adapter INTERNET:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT
   Physical Address. . . . . . . . . : 00-13-72-3E-57-68
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.15.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.15.1
   DNS Servers . . . . . . . . . . . : 192.168.16.2
   NetBIOS over Tcpip. . . . . . . . : Disabled


I am able to VPN using the connection wizard or through a manually created connection.  However, no internet or network resources are available.

Also the server logs an error 20209:
A connection between the VPN server and the VPN client 68.5.97.138 has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The problem seems to lie in the internal adapter not getting an IP from DHCP.  

Also an ipconfig from a VPN-connected client shows an IP and default gateway of the same IP address (obviously not going out anywhere through yourself).  I have checked the DHCP scope and the internal clients using DHCP are fine.  I assume this is also because the internal adapter can't get an IP.

PPP adapter Connect to Small Business Server:

        Connection-specific DNS Suffix  . : Saunders.local
        Description . . . . . . . . . . . : WAN (PPP/SLIP) I
        Physical Address. . . . . . . . . : 00-53-45-00-00-0
        Dhcp Enabled. . . . . . . . . . . : No
        -->IP Address. . . . . . . . . . . . : 192.168.16.13
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        -->Default Gateway . . . . . . . . . : 192.168.16.13
        DNS Servers . . . . . . . . . . . : 192.168.16.2
        Primary WINS Server . . . . . . . : 192.168.16.2

VPN GRE 47 PPTP passthrough is set on the router, as well as forwarding 1723 to the server.  (Also, it worked a few days ago.)
This is a new client and I was called in after some "virus removal".
Also, it seems that this server was mainly managed with "enterprise logic", although the wizards seem to be running OK.

 

livegirllove

ASKER

I just ran the connection manager to my company server and realized that it gives me the same IP for default gateway and IP, so my comment about that being a problem was obviously wrong.  (I use a manually configured VPN connection and I forgot I set it up differently, making my comparisons of ipconfigs a little off.)
I am now able to access the network and the internet at the same time; however, I had to set up RRAS to use a static range of IPs.  So something is still up.

Against my better judgement I installed Server 2003 SP2 on a slightly ill server, and after that the VPN started working.  (Although I had to fix the Help and Support service, but we knew that.)

Rob Williams
Did you run the "Configure remote access" wizard? This is important with SBS, to properly configure DHCP, RRAS, WINS and the firewall. See:
http://www.lan-2-wan.com/SBS-VPN-instr.htm

>>"realized that it gives me the same ip for default gateway and IP so my comment about that being a problem was obviously wrong"
This is proper.

Sounds like SP2 is not a problem, but it can be with VPNs. If so, have a look at the following site/issues:
http://www.lan-2-wan.com/2003-SP2.htm

I ran it and it completes successfully.
SP2 actually made it so that it worked.  Before that, even with the static IP range, I had no internet or network access when connected to the VPN and I would get the DHCP error.

Are you saying everything is working now?

>>"I am now able to access the network and the internet at the same time"
For the record there is a security feature in the VPN client that blocks local connections, including local Internet access, to protect the office/remote network. You can disable this if you wish. To do so on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"

It seems to be working correctly now, although I did leave the static range in RRAS.  However, I discovered that the scope options had not been set in DHCP, which may be why RRAS wasn't giving out/getting the correct IP info.  However, since it isn't my client/server, the other tech said let it ride.  I have a feeling that now that I have set the scope options RRAS will work.

Do the scope options not get set by the CEICW if you remove and reinstall DHCP?

To be honest, I am not sure where the client scope options are set in SBS.
In the default RRAS configuration using the static address pool, only IP, subnet, and gateway are usually assigned to the client. If you enable the DHCP relay agent in RRAS then it will use the server's "normal" DHCP server functions and hand out the appropriate scope options.
SBS does not seem to use the DHCP relay agent, yet it very nicely hands out the WINS and DNS IPs. I think this is more a function of using the remote client configuration install from RWW or using the client disk, which customizes the client, rather than the server handing them out.

Ah, OK.
Well, I'll leave this open for a day or so, but the issue is resolved.
ASKER CERTIFIED SOLUTION
Rob Williams
Thanks livegirllove.
Cheers !
--Rob

The problem has returned.

The server was rebooted today because a tape got hung in the drive, and now it's back to the same private IP being assigned to the internal network interface.

I can hook up to the VPN.  The internal adapter will show an internal IP.  As soon as I try to browse shares it reverts back to the private IP.

What state is it in? You can establish a connection, but cannot access any resources over the VPN?

>>"SBS 2003 Standard"
I assume then ISA is not installed?

I can connect.  For about 30 seconds I can access the internal website before the server's internal network interface goes to APIPA.

No ISA.

I set RRAS to use a static range.  Same thing happens.

I updated the drivers for both NICs to the most current...

I should say I set it back to static.  I had changed it to DHCP to see if that would work now.  It didn't, so I switched it back, but that hasn't helped.

So it assigns the correct IP to the server's internal adapter, and then 30 seconds later changes to an APIPA address? Strange.
What happens to the client? Do they get a proper address and then lose the connection when the server changes its IP? Can you reconnect with the VPN and get an APIPA address? The VPN will work with APIPA addresses, but of course only if both ends are using it.

They get a correct IP.  Then the server switches to APIPA.  The VPN does not drop.  However, they have no access to LAN resources.

The client keeps the IP they were originally assigned.

Strange also that even when set to static IPs it still reverts to APIPA.

And another weird thing: I am connected to the server via RDP to the external (public) IP of the server.  If I connect via VPN I do not drop my connection to the server even though I lose internet access.  I assume this is because I'm using an IP to RDP so no DNS is required.

How many IPs are assigned to your static range? If fewer than 10, I am not sure of the results. By default RRAS grabs/reserves the first block of 10 IPs and assigns itself the first one. If you have a static pool of 1 IP or a subnet mask of 255.255.255.255 (in the RRAS pool - that is fine on the client), I suspect you will experience problems as you have described. Make sure you are using a >10 IP address pool, and that the subnet mask matches that of the server's LAN.

As for RDP still working, I assume that is a routing issue. When the Server's IP changes you would have to add a route to the client to access anything beyond the server, however the server itself may remain connected. You should be able to access shares on the server even with the new IP...I assume.

I have a static block of only 5....

I'm actually on the phone with PSS.  They said "That's really strange.  Give me 4 or 5 minutes to research it" after logging in and poking around.

I'll update with what they say.

Well, 4-5 minutes turned into them logging in from 9:30am - 1:30PM.

It ended up being that a registry key was wrong.  I happened to look away when they did it and didn't see which one. DOH!! I have contacted the lady that helped me and hopefully she will send me the details, which I will post back here.

BTW, PSS business critical support is pretty good.  Very helpful and courteous, and spoke English well enough that I didn't have to strain.

The cause was most likely a Windows update, and so they never asked me for any money.  However, they have my partner account info so they could probably send a bill later.

I will post back when I get more details.

Thanks for updating livegirllove. Love to hear the answer if you hear from them.
Thanks,
--Rob

ISSUE: Unable to establish VPN connection
RESOLUTION:
Steps mentioned in KB 323441
http://support.microsoft.com/kb/323441/

There are two NICs on the server and the two NICs are on different subnets. They were not able to communicate with each other, hence we enabled IP routing by changing the value of the IPEnableRouter key in the registry.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the following registry values:
Value Name: IPEnableRouter
Value type: REG_DWORD
Value: 1

After the NICs were able to communicate with each other we ran the following command to reset the TCP/IP stack which reverts the value of IPEnableRouter key back to 0
Netsh int ip reset reset.log

Very interesting. I have only seen that key manually edited on non server operating systems. The "LAN and demand-dial routing" option in RRAS should look after the routing. However, I just looked at a couple of systems and enabling and disabling that option does not change the registry key. I am not sure what the differences are.

Good information to know. Out of curiosity, I plan to do a little more digging.
Thanks livegirllove.
Cheers !
--Rob
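
A triage sketch for the symptom traced in this thread, added here as an example and not part of the original posts: it parses saved `ipconfig /all` text and flags any interface sitting on an APIPA (169.254.0.0/16) address, plus an "IP Routing Enabled" line that is not Yes. The function names and the trimmed sample are constructed for illustration, and treating that line as a reflection of the IPEnableRouter value is an assumption.

```python
import ipaddress
import re

APIPA = ipaddress.ip_network("169.254.0.0/16")
FIELD = re.compile(r"^\s+(?:-->)?\s*(.+?)[ .]*:\s*(.*)$")
# Constructed sample, trimmed from the server ipconfig output posted in the thread.
SAMPLE = """\
Windows IP Configuration

   IP Routing Enabled. . . . . . . . : Yes

PPP adapter RAS Server (Dial In) Interface:

   Autoconfiguration IP Address. . . : 169.254.190.13

Ethernet adapter LAN:

   IP Address. . . . . . . . . . . . : 192.168.16.2
"""

def parse_ipconfig(text):
    """Split ipconfig /all text into {section: {field: value}}."""
    sections, current = {"global": {}}, "global"
    for line in text.splitlines():
        if line and not line[0].isspace():  # unindented line = section header
            name = line.strip().rstrip(":")
            current = "global" if name == "Windows IP Configuration" else name
            sections.setdefault(current, {})
        elif (m := FIELD.match(line)):
            sections[current][m.group(1)] = m.group(2).strip()
    return sections

def is_apipa(value):
    try:  # tolerate a "(Preferred)" suffix as printed by newer Windows
        return ipaddress.ip_address(value.split("(")[0]) in APIPA
    except ValueError:  # empty or non-address field
        return False

def triage(text):
    """Return (section, finding) pairs for the symptoms seen in the thread."""
    sections, out = parse_ipconfig(text), []
    # Assumption: this line reflects the IPEnableRouter setting from the thread.
    if sections["global"].get("IP Routing Enabled", "").lower() != "yes":
        out.append(("global", "IP routing not enabled"))
    for name, fields in sections.items():
        for key in ("Autoconfiguration IP Address", "IP Address"):
            if is_apipa(fields.get(key, "")):
                out.append((name, "APIPA address " + fields[key]))
    return out
```

Calling `triage(SAMPLE)` reports only the RAS dial-in interface, which matches the state shown in the first post.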