Ping router through MS VPN on demand

Hi. I am having a small issue pinging a router from a remote network. There are two networks (subnets) connected together using MS Site-to-Site VPN (dial on demand). Each site has its own subnet. Here is a description of the environment:

Site 1
Subnet: 172.17.16.x
Line: full T1 with 2 static addresses activated
Main router: (for Canadian VPN)
Second router: (for global VPN)
w2k3 Server:
DHCP: present with range within 172.17.16.x
Gateway for w2k3 server:
static routes: using and using MSVPN interface

Site 2
Subnet: 172.17.18.x
Line: DSL with one fixed IP
Main router: (for Canadian VPN)
w2k3 Server:
DHCP: present with range within 172.17.18.x
Gateway for w2k3 server:
static routes: using MSVPN interface

Both sites can ping each other (including client PCs) except for three devices: and from site 2 and from site 1.

I have experienced this issue before using MS VPN but until now, I didn't need to use these remote routers. I am now trying to reach the router from site 2 in order to connect site 2 to all other global sites from this client.

Any clue or possibility to fix this? A static route?


Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Site 2:
Gateway for w2k3 server:

This is suspect. You should use a local default gateway, 172.17.18.x.
Anyway, I can't see the reason as the information is not detailed enough. You could try to use
   tracert -d -w 50
from Site 2 to see which way the packet goes, whether it's a routing issue.

benjilafouine Author Commented:
Oops! I made a small address mistake. Gateway for site 2 is (and not Cut and paste error...
benjilafouine Author Commented:
Tracert result was a complete "Request timed out".

I have several clients (even my own company) and using MS VPN, I am never capable of pinging remote routers at remote sites. This is probably a route or gateway problem (but I'm not certain).

Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
As I always use NAT on RRAS, I cannot tell whether this is normal behaviour. But I remember the routers are not appearing in traceroute of any client.

Do the RRAS servers build their own network for VPN?
benjilafouine Author Commented:
No, it doesn't. Here's how it works:

Each VPN server gets an address from the facing network. Ex.: Server on Site 1 has IP A virtual VPN dial-in adapter is created with address (assigned from Site A DHCP). A second virtual PPP adapter is created and is assigned address (from Site 2 DHCP).

The same reversed scenario is created in the facing server (site 2 server gets a site 1 address)

Two static routes are created (one per server) to route to the corresponding server.

I have the feeling that this whole process causes the routers to be not visible from the other side, but I do not understand why. A RIP problem maybe?
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Did you try to reach the routers by their virtual addresses yet?

RIP is the wrong path here for sure. It is only responsible for propagating dynamic routes across routing devices.

benjilafouine Author Commented:
What do you mean by virtual address? The routers (physical and distinct routers) have two addresses each: one public address facing the Internet and one private address facing the internal network.
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Sorry, mixed something up. You do not try to reach the RRAS servers themselves, but other routers.

As you use Class B addresses, the routers' netmask could be instead of, so the might blow the answer into to network instead of addressing the W2k3 (& RRAS) servers for routing.

benjilafouine Author Commented:
I don't think that it changes anything? I agree that it could be but I was given this range and mask by my head office. I think that there is subnetting involved.

My own company has two subnets in the 192.168.x.x range with a netmask of and I am observing the exact same behavior with MS VPN. I may have to bring this up with MS directly.

Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
As I told before, I always use NAT with RRAS. I know why ;-)

I can't believe the two problems are the same. Why should you be able to reach any computer on the other site, but not some? The difference must be in the routers' network setup.
benjilafouine Author Commented:
So what should I do? The routers are not different than any PCs in terms of IP address, if we exclude the fact that their gateway is not the same (the gateway is provided by the line provider).

Looks like I will have to verify against Microsoft.
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Can you set static route info on the routers? That would be enough ...
benjilafouine Author Commented:
Yes, I could set up a static route on one router to test. However, one of the routers is managed by a third party (and they are expensive!). What route are you thinking of?
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Site 1: with gateway
Site 2: with gateway
(is there a typo in Site 2 config for W2k3 gateway = Should be
benjilafouine Author Commented:
I will try this outside working hours in case it causes a router reboot.
benjilafouine Author Commented:
Problem solved (sort of). It seems that the problem lies within the VPN link itself: it is unstable. Sometimes it pings, sometimes it doesn't.

MS VPN is far from being as stable as a hardware VPN solution. I am currently using it as a temporary measure.

Thanks all for your help.
benjilafouine Author Commented:
Problem solved completely. VPN was unstable due to WINS service being present on the same server (as per a Microsoft KB).

Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
Please post MS KB link here, and then close the question accepting the link as solution.
benjilafouine Author Commented:
This solved the problem completely:
