VPN Connection but no Ping

Hello,
I've got RAS set up for VPN connections for outside sales reps to connect to our network. This tends to work without issue most of the time. But oddly, when no settings have been changed, sometimes, like now, we run into a problem. Currently my RAS server (ginkgo) is on a machine with 3 NICs with IPs .2, .5 and .6; .2 does not have a gateway set up on the NIC. My AD/DHCP/DC/DNS/WINS server is on another server with IPs .9 and .10. Right now I have a sales rep who is connected to the VPN, and in the MMC I can look at his session. I know through this that he has an IP of .67, and I have it doing this via DHCP. The DHCP server has a scope of .60-.90 and there are 11 entries for Ginkgo RAS, and they correspond to the scope set up on Ginkgo for RAS.

I'm attempting to use either RAdmin or RDP to take control of his laptop and do some troubleshooting (this is normally not an issue), but now I can't reach the computer. If I ping .67 I've got two different outcomes: 1) the ping times out, or 2) "Reply from 192.168.254.5: TTL Expired in Transit". Now, .5 is the Ginkgo server, not the computer I'm actually looking to connect to. His session is authenticated and he is registered on the network. He can ping any computer within the network, including servers and my desktop (that I'm pinging him from).

Any suggestions? I'm sure there's more info that's going to be needed.
JamesonJendreasAsked:

TheCleanerCommented:
Dang...I typed up this big long answer and then closed the browser accidentally...oh well.

Check the server's routing table

Check the remote computer's firewall settings and make sure it is allowing ping/ICMP echo

Try and get to \\remotecomputerIP\c$


Finally, why does the server have 3 NICs with 3 IPs on the same subnet?
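TheCleaner's first suggestion above is to check the server's routing table. The following is an added example, not code from the thread, of what to look for in the IPv4 "Active Routes" section of `route print` on a multi-homed RRAS host: more than one default route, one subnet that is on-link through several NICs, and a connected VPN client that has no /32 host route on the server (RRAS adds one per connected client). The sample output, addresses, metrics and the client list are constructed for the example, not captured from the poster's server.

```python
"""Audit the IPv4 table from `route print` on a multi-homed RRAS host.

Parses the 'Active Routes' rows and flags: more than one default route,
one subnet on-link through several NICs, and a VPN client with no /32.
"""
import ipaddress
import re

# Constructed sample, not captured from the poster's server: three NICs on one
# /24, two of them carrying a default gateway, and two RAS clients (.65 and
# .67) of which only .65 has the host route RRAS normally installs.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.254.1   192.168.254.5      20
          0.0.0.0          0.0.0.0    192.168.254.1   192.168.254.6      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
    192.168.254.0    255.255.255.0    192.168.254.2   192.168.254.2      20
    192.168.254.0    255.255.255.0    192.168.254.5   192.168.254.5      20
    192.168.254.0    255.255.255.0    192.168.254.6   192.168.254.6      20
   192.168.254.65  255.255.255.255   192.168.254.64  192.168.254.64       1
  255.255.255.255  255.255.255.255    192.168.254.5   192.168.254.5       1
Default Gateway:     192.168.254.1
"""

# Addresses the RAS server handed out (e.g. copied from the RRAS MMC client list).
VPN_CLIENTS = ["192.168.254.65", "192.168.254.67"]

ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return one dict per route row; header, blank and footer lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            "gateway": gateway,
            "iface": iface,
            "metric": int(metric),
        })
    return routes


def audit(routes, vpn_clients):
    """Return (code, detail) findings; an empty list means the table looks sane."""
    findings = []

    defaults = [r for r in routes if r["net"].prefixlen == 0]
    if len(defaults) != 1:
        findings.append(("default-routes", sorted(r["iface"] for r in defaults)))

    # A subnet on-link through several NICs: the stack picks the outbound NIC
    # by metric, not by which NIC a request arrived on.
    ifaces_by_net = {}
    for r in routes:
        if 0 < r["net"].prefixlen < 32 and not r["net"].is_loopback:
            ifaces_by_net.setdefault(r["net"], set()).add(r["iface"])
    for net, ifaces in ifaces_by_net.items():
        if len(ifaces) > 1:
            findings.append(("multi-homed-subnet", (str(net), sorted(ifaces))))

    # RRAS installs a /32 for each connected client; without it, traffic for
    # that client matches the subnet route and leaves a LAN NIC instead.
    host_routes = {str(r["net"].network_address) for r in routes if r["net"].prefixlen == 32}
    for client in vpn_clients:
        if client not in host_routes:
            findings.append(("missing-host-route", client))
    return findings


def audit_sample():
    return audit(parse_route_print(SAMPLE_ROUTE_PRINT), VPN_CLIENTS)


if __name__ == "__main__":
    for code, detail in audit_sample():
        print(f"{code}: {detail}")
```

Run it against real output by pasting the `route print` text into SAMPLE_ROUTE_PRINT and the addresses from the RRAS client list into VPN_CLIENTS; a "missing-host-route" finding for the client you cannot reach is the first thing to chase, since without that /32 the server has no reason to send the packet down the PPP link.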
JamesonJendreasAuthor Commented:
The 3 NICs are completely unnecessary and they were installed before I began working here. One is used w/o a gateway for the VPN (I believe this is necessary). One is also used to host our external FTP site, and the other hosts our internal FTP and Thin Client management. Now they all could be going through the same NIC for sure, but if you've got the three, why not? Anyway, I've attempted to disable one or two of them and we are still in the same boat. I'll have him check his firewall settings, but I'm pretty sure they are fully turned off, as I've remoted in before.

From what I remember, normally when I attempt to ping a VPN computer, it would ping and return the address of the computer, not the server as it is now.
TheCleanerCommented:
All 3 NICs are on the same subnet. If the one for the VPN w/o the gateway was on a separate subnet I could understand the setup.

How is the firewall configured? Sounds like you are using a MIP/VIP or similar to do a 1-to-1 relationship between the external IP and the NIC .2 IP. I believe in ISA it is called publishing, if that is what you are using.

If that's the case, then all you need is a single nic with a single internal IP and regular gateway setup.

JamesonJendreasAuthor Commented:
The NICs CAN'T be the issue, as this is a new problem that came up recently and we've used all three NICs without issue before. Our firewall is set up to "PassThrough to internal server", which is the IP for the NIC w/o a gateway. This has worked in the past.

Yes, all three NICs are on the same subnet (once again, I didn't set this up, and I know this is a no-no, but we didn't have issues before and I do not want to have to re-point my FTP and Thin Client servers). Once again, if I disable any of the NICs we get the same issue.

The VPN NIC probably should be on a separate subnet, and I'm going to look into doing this. If I screw something up on it, it won't be the end of the world because that one is only used for the VPN.
TheCleanerCommented:
In Network Connections, under Advanced > Advanced Settings, is the VPN NIC set at the top of the binding order?

Does this issue happen every now and then?
JamesonJendreasAuthor Commented:
I'm starting to think this is related to his firewall; he very well could have changed the settings, and he is able to ping us and connect to our internal SMTP server when connected (the main reason for the VPN).
ChiefITCommented:
TheCleaner is correct in thinking ISA has a rule to set up for pinging. You might want to check out this article. Also, if you are having problems with DHCP, DNS, or other types of issues, you might want to Google search DHCP rules for ISA and DNS rules for ISA. ISA is a prolific firewall that you have to configure rules for certain functions to work.

Ping Rules for ISA:
http://www.isaserver.org/tutorials/Configuring_ISA_Server_for_Incoming_Ping_Responses__By_Dieter_Rauscher.html
JamesonJendreasAuthor Commented:
But it's an INTERNAL IP, and this is a new issue, and we've been using .2 for longer than I've been here. If he's on my network, it shouldn't matter what ISA says about pinging .2; plus I changed it over to .3 temporarily for testing (I'd have to change a bunch of things to leave it at .3). And what difference would it make? The computer I'm pinging isn't .2, but .64; the VPN NIC's on .2, and even when I try to ping it, it attempts to ping .5 not .2 (which are on the same server). Also I have RAS set up to use .5 as the 'internet' NIC, .2 to be the VPN NIC.

We're using Win 2k3 Standard. I don't believe ISA is even in the non-enterprise editions, or at least not loaded into ours.

My main point is that I A) can ping .2 and B) the user I'm trying to ping is .64 not .2. And I wouldn't want others to be able to ping my server if at all possible. Actually, the person on the VPN can ping me; I can't ping him. I'm going to wait until he is in house and see if it's due to his unit.

By the sound of it the client isn't allowing the ping, not the server.
ChiefITCommented:
I think I got this straight:

So, if you try to ping the server you get .5 instead of .2
This sounds like it could be a persistent route or a problem with NIC .2. Here is an explanation of a persistent route:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=4220

Dual NICs on a switched network can also flood a NIC and cause services on one NIC to shut down. There will be relatively no errors associated with this issue in Event Viewer or DCdiag reports. However, you might see problems with DHCP, DNS, WSUS, or pinging. I like to call it intermittent comms. There is also a service pack on the server that can cause intermittent comms. If you think NIC flooding could be a problem, let me know and I will provide some input on these issues. Like I said, you should see more issues than ping problems.

Is the second NIC, (.5), used for a fault tolerant NIC?
_______________________________________________________________________________

Then, you don't want folks pinging the server.
You can disallow ICMP traffic on your server. ICMP is used for ping requests. The information is on this post:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_22436476.html
________________________________________________________________________________
Then, you want the ability to ping VPN clients.
This should work unless they have ICMP or IPsec, (Like a firewall rule that I just discussed), configured on their computers.

-------------------------------------

Information on ICMP and what it is used for:
http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol
JamesonJendreasAuthor Commented:
Actually what happens is if I ping .62 (or whatever RAS assigns the VPN client), it ends up pinging .5 and gives a TTL error. .5 is one NIC in the VPN server. Could this be an issue with NAT?

As for the multiple NICs on the same subnet, I do agree that this could be the issue, or if it isn't, it is probably part of other issues we have with the unit. I'm working on removing the .2 and having .5 be the VPN and .6 do the rest. We do have other network issues other than pinging problems which very well could be a result of NIC flooding. We do often see issues with resolving DNS names on our two servers intermittently, especially the server that holds our DNS records. That sounds like an issue with multi-NICs.

I'm more and more thinking this is an issue with the user's computer itself.  If he can reach our local network and ping us via both internal ip's and internal DNS names, then I'd conclude the error isn't on the server, although I could be wrong.

The only thing that makes me think otherwise is how pinging routes to .5.
ChiefITCommented:
I have been mostly trying to create a fix to Network Load Balancing on a Switched network. I have seen a lot of errors pertaining to NLB on a switched network. All of these settings apply to your situation. But the correct combination to your application is what you want from me.

Since I have been researching the NLB application and not VPN application with multiple NICs, I think THECLEANER could provide better input on a working combination for you. He/She has more experience with VPNs than I do. I see this is his/her field of expertise.  

Thecleaner suggested, "All 3 nics are on the same subnet.  If the one for the VPN w/o the gateway was on a seperate subnet I could understand the setup." THECLEANER also made the remark "If that's the case, then all you need is a single nic with a single internal IP and regular gateway setup." Now, this is something I didn't know. I didn't know a VPN tunnel and regular networking could work on a single NIC. To resolve a lot of problems with your network, may I suggest you pick THECLEANER's brain. Sounds like there is some good advice there. I was also thinking about suggesting a single NIC application if it is possible.

With that said:

The errors I have seen with NICs pertain to the following settings on switches, servers, and routers. The settings are spanning tree, portfast, multicast/unicast, mode of operation for switches and routers, and a faulty service pack (2003 Server SP1). If not in the correct combination, any of these will cause NIC flooding and intermittent communications with 2003 Server services (like DHCP, DNS, WSUS etc.).
__________________________________________________________________
Putting NLB over a switched network into perspective: (You should really read this article)
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23037760.html

Preventing NIC flooding caused by NLB:
http://technet2.microsoft.com/windowsserver/en/library/bf3a1c95-f960-4ed3-b154-3586631fb0061033.mspx?mfr=true
_________________________________________________________________
A little explanation of spanning tree and portfast.
http://itt.theintegrity.net/pmwiki.php?n=ITT.Spanning-TreeAndPortfast
(NOTE: Portfast is necessary for XP clients. XP clients will time out otherwise.)

An Event error usually associated with a Spanning tree portfast problem:
Event ID 5719, spanning tree portfast:
http://support.microsoft.com/kb/247922
____________________________________________________________________
The differences between Unicast and Multicast modes:
http://support.microsoft.com/kb/291786
(The server requires Multicast mode to work with dual NICS)
______________________________________________________________________
2003 server Service Pack 1 has a discrepancy that can even cause a single NIC to be flooded.
http://support.microsoft.com/default.aspx?scid=kb;en-us;898060

Service pack 1 problem usually has problems with DHCP, (if applicable), and is also sometimes associated with Event 333.
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23008324.html
___________________________________________________________________________

Now, I think THECLEANER and I both agree that multiple NICs on a switched network are the bane of your existence for intermittent communications. I think you should pick THECLEANER's brain on figuring out a good fix for this issue.

On the other NOTE:
I totally agree that you have a problem with the client.

To see where the ping packets stop, try tracert on the client's IP. That should give you a better understanding of where your packets stop. If you reach the client, then the client is refusing ICMP traffic by some sort of IPsec setting at the client's machine. Regardless of tracert, if the client is working through the VPN tunnel and all you have a problem with is pinging the client, then it almost has to be the client's IPsec settings that are preventing you, or the client computer's ICMP service disabled or not installed.

This is not likely the case:
One last thing you might want to check on the client: not long ago, IP version 6 came out. If not on a version 6 router on the remote end, you will not be able to communicate with that client at all. If you do an ipconfig /all, you will see an alphanumeric IP address with a line that says something like Teredo tunnel in the reply.
TheCleanerCommented:
"Now, this is something I didn't know. I didn't know a VPN tunnel and regular networking could work on a single NIC." -ChiefIT

So consider this setup I have at a branch office:

- External Internet IP (from DSL Line) is on External Port on my Juniper SSG20 Firewall/Router (call it ExtPort), let's say 5.5.5.5

- Juniper SSG20 has an internal LAN port with IP 10.10.10.1 (call it IntGatewayIPport)

- That IntGatewayIPport is attached to a LAN switch (layer 2, but could be Layer 3 if you wanted to create a /30 subnet between the LAN switch and the Juniper router I guess but it's a small shop)

- The LAN Switch has the only server at that site on it.  The server has AD/DNS/DHCP/file server duties.  The Server's IP is 10.10.10.5 with a single NIC.

NOW:

1.  Setup RRAS on the server to allow for remote access (either L2TP or PPTP, but for a small office PPTP is easy enough).  Follow MS' guides on this part but it's pretty much a wizard the first time.  Set either static IP's or let it use the local DHCP server.

2.  Now on the Juniper box I create a VIP (virtual IP).  Cisco and others use other terminology I believe.  For ISA I believe it is called "Server Publishing".  Basically you are going to tell the firewall to listen on its ExtPort for traffic destined to it on the PPTP ports (1723 and GRE).  Then in your VIP you tell it to send that traffic down to the server IP 10.10.10.5 using Source-based NAT.

3.  That's really it, then your clients connect their VPN to 5.5.5.5 and they'll be pushed through to the server for authentication and an IP.

So from an IP routing/flow perspective:

1.  Client initiates his VPN client
2.  His IP is 25.25.25.25 connecting to 5.5.5.5 (25.25.25.25 is Source and 5.5.5.5 is Destination)
3.  5.5.5.5 takes the request and NAT's it down to 10.10.10.5 (now the traffic is 5.5.5.5 as Source and 10.10.10.5 as Destination)
4.  10.10.10.5 (the Server) authenticates the user and assigns them 10.10.10.150 as their internal IP for VPN
5.  IP traffic sent back to client from server = 10.10.10.5 as Source and 5.5.5.5 as Destination
6.  Juniper ExtPort 5.5.5.5 takes the traffic and "Un-NAT's" it (for lack of a better term) back to 25.25.25.25

That's a pretty wild explanation I'm sure...it makes more sense when you see it in action and you understand IP routing and NATting and VIPs better.

Hope that helps.
JamesonJendreasAuthor Commented:

Cleaner Wrote:
1.  Setup RRAS on the server to allow for remote access (either L2TP or PPTP, but for a small office PPTP is easy   enough).  Follow MS' guides on this part but it's pretty much a wizard the first time.  Set either static IP's or let it use the local DHCP server.

2.  Now on the Juniper box I create a VIP (virtual IP).  Cisco and others use other terminology I believe.  For ISA I believe it is called "Server Publishing".  Basically you are going to tell the firewall to listen on its ExtPort for traffic destined to it on the PPTP ports (1723 and GRE).  Then in your VIP you tell it to send that traffic down to the server IP 10.10.10.5 using Source-based NAT.

3.  That's really it, then your clients connect their VPN to 5.5.5.5 and they'll be pushed through to the server for authentication and an IP.


Ok I'm going to put this in the perspective of my network to help myself better understand.  What we have:

1. External IP from T1 line 5.5.5.5 on my Instagate Firewall
2. We create a PPTP "passthrough" as the Instagate calls it to IP x.x.x.2, which is the Win 2k3 RAS server
3. RAS Server watches NIC x.x.x.5 for VPN clients.  This NIC does not have a gateway.

So as an IP flow
1.Client Initiates Connection
2. His IP (from his ISP) is 6.6.6.6 connecting to the Instagate 5.5.5.5 (from our ISP)
3. This is then Passed Through the Instagate firewall to x.x.x.2
4. x.x.x.2 sends authentication request to AD/DHCP (x.x.x.10)  Authenticates and assigns the IP x.x.x.62 for VPN
5. IP traffic moves from x.x.x.62 to x.x.x.2 to 5.5.5.5 to destination
6. Instagate sends data back through 6.6.6.6 (didn't know this step)


Much easier to follow when I re-write it.
I actually am under the impression that it is currently set up correctly.  I was able to ping another computer connected to the VPN, but that unit was connecting to the VPN from the local internal LAN, but still through the external IP. (x.x.x.127 connects to 5.5.5.5 gets assigned x.x.x.65). So I'm not sure how accurate that would be. I'm going to have to wait for the unit to be in house and check it out.  I just realized it's a new machine and I haven't attempted to RDP into this exact machine.

Plus we are getting a new firewall next week. I'm also considering putting the extra NIC on our parent company's subnet in Florida (I'm in CA) via our remote office VPN tunnel (never have issues with this one), as we're installing our Exchange server over there.
TheCleanerCommented:
Your setup will work fine, just add the gateway IP back to NIC x.x.x.2 OR put a default route on it through net route command.

I'd be pretty shocked if it didn't clear up after that.
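The symptom in the original question, "Reply from 192.168.254.5: TTL Expired in Transit", is an ICMP Time Exceeded message: the echo request was forwarded around until its TTL ran out, and the RAS host was the node holding it when that happened. A client firewall dropping pings produces "Request timed out", never Time Exceeded, so that reply is a routing symptom regardless of what the laptop does. The following is an added simulation, not code from the thread and not a confirmed diagnosis of the poster's server; it models one hypothetical way such a loop arises when the RAS host lacks a /32 route for a connected client: the packet leaves one LAN NIC, the server's own proxy-ARP for the client (on another NIC of the same host, modelled here as a single node) answers, and the packet comes straight back. Adding the /32 (the route the fix in the comment above, a default route or gateway, lets RRAS install and use) sends it down the PPP link instead. All addresses, tables and the ARP map are assumptions.

```python
"""Why a ping to a VPN client can come back as 'TTL Expired in Transit'
from the RAS server's own LAN address.

Hypothetical model: one /24, a desktop, the RAS host (LAN addresses .2, .5,
.6, ICMP errors stamped with .5) that proxy-ARPs for its connected clients,
and a VPN client assigned .67 over a PPP link.
"""
import ipaddress
from dataclasses import dataclass

NET = ipaddress.ip_network("192.168.254.0/24")
CLIENT_NET = ipaddress.ip_network("192.168.254.67/32")


@dataclass(frozen=True)
class Node:
    name: str
    addrs: frozenset        # addresses the node accepts as its own
    routes: tuple           # (network, via): via is "lan" or "ppp:<node name>"
    icmp_src: str           # source address it stamps on ICMP errors it generates


def lookup(node, dst):
    """Longest-prefix match; None when the table has no route for dst."""
    best = None
    for net, via in node.routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def send_ping(nodes, arp, src, dst_ip, ttl=128):
    """Forward one echo request hop by hop. Returns (result, from_ip, hops)."""
    dst = ipaddress.ip_address(dst_ip)
    node, hops = nodes[src], 0
    while True:
        if str(dst) in node.addrs:
            return ("echo-reply", str(dst), hops)
        if hops > 0:                    # a forwarding node decrements TTL...
            ttl -= 1
            if ttl == 0:                # ...and reports expiry from its own address
                return ("ttl-expired", node.icmp_src, hops)
        match = lookup(node, dst)
        if match is None:
            return ("unreachable", node.icmp_src, hops)
        via = match[1]
        if via.startswith("ppp:"):
            nxt = via[len("ppp:"):]
        else:                           # on-link: whoever answers ARP for dst
            nxt = arp.get(str(dst))
            if nxt is None:
                return ("request-timed-out", None, hops)
        node, hops = nodes[nxt], hops + 1


def build(ras_has_client_route):
    """Constructed topology; the flag toggles the per-client /32 on the RAS host."""
    ras_routes = [(NET, "lan")]
    if ras_has_client_route:
        ras_routes.insert(0, (CLIENT_NET, "ppp:laptop"))
    nodes = {
        "desktop": Node("desktop", frozenset({"192.168.254.50"}),
                        ((NET, "lan"),), "192.168.254.50"),
        "ras": Node("ras", frozenset({"192.168.254.2", "192.168.254.5", "192.168.254.6"}),
                    tuple(ras_routes), "192.168.254.5"),
        "laptop": Node("laptop", frozenset({"192.168.254.67"}),
                       ((NET, "ppp:ras"),), "192.168.254.67"),
    }
    # Who answers ARP on the LAN segment. The RAS host proxy-ARPs for .67, so a
    # LAN packet addressed to .67 always lands on the RAS host first.
    arp = {"192.168.254.50": "desktop", "192.168.254.2": "ras", "192.168.254.5": "ras",
           "192.168.254.6": "ras", "192.168.254.67": "ras"}
    return nodes, arp


def ping_client(ras_has_client_route):
    nodes, arp = build(ras_has_client_route)
    return send_ping(nodes, arp, "desktop", "192.168.254.67")


if __name__ == "__main__":
    print("without /32 on RAS:", ping_client(False))   # ttl-expired from .5
    print("with /32 on RAS:   ", ping_client(True))    # echo-reply from .67
```

The practical check this suggests: while the client is connected, run `route print` on the RAS server and confirm a host route for the client's address exists; if it does not, the reply address in the Time Exceeded message tells you which of the server's NICs is doing the forwarding.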
JamesonJendreasAuthor Commented:
Yeah, I think it's ok now. I'm almost POSITIVE the client side is rejecting the ping request at this time.
JamesonJendreasAuthor Commented:
Thanks a bunch guys, lots of very useful info.