  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 313

Can connect to VPN but then can't ping

Hi chaps,

I've got a problem with an SBS box here. It's been set up for VPN access for a while, but mysteriously seems to have stopped working for VPN clients. I have a feeling this is down to SP2 being installed a month or so ago, but I can't be sure and it's just a guess.

I can connect to the box from my Vista machine, and my machine is assigned an IP address from the DHCP pool on the server as well as a DNS address of the SBS box itself. However the laptop isn't assigned a gateway address. While connected to the VPN I can't do a thing, not even ping the server's internal IP (comes up 'request timed out').

I can't see anywhere in Vista to manually set a gateway address. I also know that other Vista and Mac users are having the same thing happen (connected but not able to do anything).

My home IP (where I'm testing from) is on the range 192.168.200.x and the server is on 192.168.1.x so it's not down to the client and server having the same range.

Anyone know what might be up? Could it be an SP2 issue?

Olly
0
stonneway
Asked:
5 Solutions
 
Michael Worsham, Infrastructure / Solutions Architect, Commented:
After SP2 was installed, was the CEIEW and the RRAS wizards re-run? If not, do so as it helps realign a number of processes with the SBS server -- primarily focusing on DHCP, DNS, WINS, etc.

Did you also install the SBS/Vista Compatibility Update?

Windows Small Business Server 2003: Windows Vista and Outlook 2007 compatibility update
http://support.microsoft.com/?id=926505

0
 
stonneway, Author, Commented:
Yep, CEIEW was run, and I've just done it again now, but still no joy.

As it's also happening on XP and Mac clients I'm not convinced it's down to the Vista update.
0
 
Michael Worsham, Infrastructure / Solutions Architect, Commented:
A few follow-up questions...

1) Did you also re-run the RRAS as well? [The RRAS is what handles the VPN client sessions.]
2) What is handling the DHCP IP addresses -- SBS or a router?
3) Is this SBS server running ISA?
4) Has the SBS server and XP/Vista PCs been patched fully?
5) If you have a router in place, what ports do you have forwarded to the SBS server? Also, is VPN pass-through enabled on the router?

Also -- Cut/Paste an 'ipconfig /all' from both the SBS server and one of the PCs.

0

 
stonneway, Author, Commented:
1) Did you also re-run the RRAS as well? [The RRAS is what handles the VPN client sessions.]
Yes

2) What is handling the DHCP IP addresses -- SBS or a router?
SBS

3) Is this SBS server running ISA?
No - SBS Standard

4) Has the SBS server and XP/Vista PCs been patched fully?
Yes (just done it and tried it now)

5) If you have a router in place, what ports do you have forwarded to the SBS server? Also, is VPN pass-through enabled on the router?
Lots, but the only VPN orientated one is 1701. VPN passthrough is enabled.

Server IP Config
--------------------
Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-14-22-4D-1C-4A
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.121
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.121
   NetBIOS over Tcpip. . . . . . . . : Disabled

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.12
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Laptop
-------------------------
Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Atheros AR5006EXS Wireless Network Adapter
   Physical Address. . . . . . . . . : 00-17-F2-4F-B2-A3
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::31c1:aea1:2cab:cec8%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.200.15(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 04 February 2008 19:03:40
   Lease Expires . . . . . . . . . . : 08 February 2008 19:02:51
   Default Gateway . . . . . . . . . : 192.168.200.1
   DHCP Server . . . . . . . . . . . : 192.168.200.1
   DHCPv6 IAID . . . . . . . . . . . : 151001074
   DNS Servers . . . . . . . . . . . : 192.168.200.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

0
 
Michael Worsham, Infrastructure / Solutions Architect, Commented:
I noticed your PCs are pointing to another box other than the SBS server as the DNS server. This is known to cause problems with the client PCs from time to time.

What is the IP address of 192.168.200.1 pointed to? SBS server looks like 192.168.1.121. Is the 192.168.200.1 a wireless AP with DHCP enabled?

---

Try turning off IPv6 on the Vista PCs (and Mac if it's enabled there as well).

Also on Vista, you might need to turn off the Auto-Tuning feature...

netsh interface tcp set global autotuning=disabled
netsh interface tcp set global chimney=disabled
netsh interface tcp set global rss=disabled

Reference: http://silverstr.ufies.org/blog/archives/001035.html
0
 
stonneway, Author, Commented:
Ahhh yes, that's the IP config of the laptop when NOT on the VPN, so that's the IP of the router here. :)
0
 
stonneway, Author, Commented:
Here's the IP info of the laptop when it's connected:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.77
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : mydomain.local

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::31c1:aea1:2cab:cec8%9
   IPv4 Address. . . . . . . . . . . : 192.168.200.15
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.200.1
0
 
AngelGabriel Commented:
I had a similar problem with attempting to connect Windows boxes to VPNs. There are two things to consider:-

The subnet mask, if you are using private IP addressing scheme similar to what you are using in the office, and two, make sure that the correct DNS server is used to resolve names of servers inside the VPN.

With regards to the subnet mask, this needs to be correct, so that traffic is sent to the correct device. The inability to ping devices by IP address, could be caused by a bad subnet mask, which is causing traffic to the IP address to be sent to the router at home, instead of across the VPN to the router in the office. This will result in request timed out.

With regards to the DNS, I would nearly always suggest to use a device other than Windows Server to manage your VPN connection. Some routers do this, and most Linux-based distros can do this. The reason I suggest this is so that DNS information is correctly sent, and it's easier to maintain security. (Although going to a Linux-based VPN solution is beyond the scope of this answer.) There is a setting on the Windows XP VPN connection dialog to get the correct DNS server, if the information is supplied via the VPN server, but it currently escapes me. I'll try and remember to put it in here.
0
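The routing decision described in the post above (traffic for an office address leaving via the home router instead of the tunnel), modelled as an added example that is not part of the original thread. The addresses are the ones quoted in the thread; the route tables, interface names and metrics are constructed for illustration and are not output from the poster's machine.

```python
import ipaddress

def pick_route(routes, destination):
    """Choose a route by longest-prefix match, lowest metric breaking ties.

    routes: list of (prefix, gateway, interface, metric) tuples.
    """
    dest = ipaddress.ip_address(destination)
    matches = [
        (ipaddress.ip_network(prefix), gw, iface, metric)
        for prefix, gw, iface, metric in routes
        if dest in ipaddress.ip_network(prefix)
    ]
    if not matches:
        return None
    net, gw, iface, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return {"prefix": str(net), "gateway": gw, "interface": iface}

# Constructed tables; metrics are illustrative values, not captured ones.
HOME_ROUTES = [
    ("0.0.0.0/0", "192.168.200.1", "wireless", 25),
    ("192.168.200.0/24", "on-link", "wireless", 281),
]
# VPN connected, but only the client's own /32 host route exists.
VPN_HOST_ROUTE_ONLY = HOME_ROUTES + [
    ("192.168.1.77/32", "on-link", "ppp", 266),
]
# VPN connected with a route for the office subnet on the PPP interface.
VPN_WITH_SUBNET_ROUTE = VPN_HOST_ROUTE_ONLY + [
    ("192.168.1.0/24", "192.168.1.77", "ppp", 11),
]
# VPN connected with a lower-metric default route through the tunnel.
VPN_DEFAULT_GATEWAY = VPN_HOST_ROUTE_ONLY + [
    ("0.0.0.0/0", "on-link", "ppp", 11),
]

def egress_interface(routes, destination="192.168.1.121"):
    """Interface that would carry traffic to the SBS server's LAN address."""
    route = pick_route(routes, destination)
    return route["interface"] if route else None

if __name__ == "__main__":
    for name, table in [("host route only", VPN_HOST_ROUTE_ONLY),
                        ("office subnet route", VPN_WITH_SUBNET_ROUTE),
                        ("remote default gateway", VPN_DEFAULT_GATEWAY)]:
        print(f"{name:24} -> {egress_interface(table)}")
```

The third table corresponds to the Windows VPN connection option "Use default gateway on remote network" (full tunnel); the second is the split-tunnel case. On a real client, compare against `route print` taken while the VPN is connected.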
 
stonneway, Author, Commented:
I agree about not using Windows for VPN and relying on using hardware instead. I've never been a fan of Windows as the VPN box. However, in this instance, there is an ADSL router in the office (note router not modem router) and that in turn goes into another ADSL ethernet modem in the building's reception, so a change of hardware isn't an option.

Olly
0
 
stonneway, Author, Commented:
I also meant to ask, if the subnet of the VPN connection is the issue, is that something that can only be changed by changing the subnet mask for the entire office network (i.e. moving them from 255.255.255.0 to something like 255.255.0.0)?

0
 
Michael Worsham, Infrastructure / Solutions Architect, Commented:
Subnet Mask is primarily used to determine if you are using a Class C or Class B network layout. If it's a subnet issue (as in your case), changing the main Class C will most likely work using an IP range like 192.168.200.x and 192.168.201.x.

As for VPN instances, if you are doing gateway-to-gateway, I usually depend on the hardware VPN endpoints for this as they usually have a number of features server-side VPN endpoints don't have.

Example: Linksys RV082 has so many features I will just be nice and post a link to the site here instead:

I recommend for cost, ease of setup, configuration and reliability the business-class Linksys RV082 units as the hardware VPN endpoint. These units can handle up to 100 VPN tunnels (via free Firmware upgrade) and have special features like DNS pass-through, NetBIOS tunneling, DHCP relay, DDNS auto configuration. These units can also be setup for dual WAN needs, thus able to do load balancing and fail-over support.

The Linksys RV082 also has full IPSec Virtual Private Network (VPN) capability using DES and 3DES encryption algorithms, thus will work with the Juniper NetScreen-5 Series appliances.

I have set these up for all of my clients and I even use it for my personal Microsoft Small Business Server environment at home.

Linksys RV082:
http://www.linksys.com/servlet/Satellite?c=L_Product_C2&childpagename=US%2FLayout&cid=1115416833289&pagename=Linksys%2FCommon%2FVisitorWrapper&lid=3328956202B02

However when it comes to VPN clients connecting to a server environment, I found that the Microsoft VPN client actually works better connecting to the SBS server for setting up any mapped drives, DHCP, AD, NetBIOS needs, etc.
0
