kitchj asked:

VPN connects but no communication

I had a single Windows 2000 server for my domain which also hosted a VPN for a few offsite workers. That server crashed and my new server is 2008. I made sure all of my firewall ports were switched to the new IP address, and checked all of the user accounts to make sure the "dial in" permissions transferred over. After setting up RRAS in Windows 2008, I am able to connect to the VPN, but I cannot connect to anything. That includes not being able to even ping the IP address of the server.

Any help is GREATLY appreciated :)

Thank you,
Jared
Amit Bhatnagar

Make sure that the Windows network location is set to Private (not Public) if the server is NOT in a domain. Enable File and Printer Sharing within Windows Firewall.
Is this server single-NIC or multihomed?
Are the clients getting an off-subnet IP or an on-subnet one (same as the internal LAN)?
Can you take a trace on the Windows 2008 server to see whether the packets are reaching it, and if they are, why they are getting lost?
kitchj (ASKER)

Most users are connecting from XP, so they are not selecting Public or Private, but when I connect from Vista, I have been selecting Work.

The server is in a domain and its firewall is disabled.

There is a single NIC.

Server's IP address - 192.168.100.1

Assigned to me via VPN - 192.168.100.100 (this is from a DHCP Relay to the router)

And a tracert to 192.168.100.1 comes back Request timed out
OK, the setup looks pretty straightforward. It should work. Is there any third-party software on the Windows VPN server that could cause this? Are you comfortable taking network traces? If you can take a trace on the VPN server, it will be very helpful, because it will tell us whether the packets are even reaching the server or not.
kitchj (ASKER)

I have not done much tracing, and I do not have any tracing software installed.  What would you suggest?

Just for more info.... the server lies behind a Linksys router.  But as I said, the ports were opened and working on the previous server.

(I increased the points.  I don't have many, but this seems to be a bigger problem than I had anticipated.)
You can use Network Monitor 3.2

http://www.microsoft.com/downloads/details.aspx?familyid=f4db40af-1e08-4a21-a26b-ec2f4dc4190d&displaylang=en

Install the software on the VPN server. Start the trace by clicking the New Capture tab and then the Play button. Once it has started, try to reproduce the issue: connect with the VPN, then try multiple things, like RDP, ping and accessing a share using a \\ path. Once the error has appeared, stop the trace and save it. Compress it using WinZip or similar and attach it here. You might have to rename the file to .doc or .bmp, etc.
kitchj (ASKER)

Here is the .cap file (yes, I had to rename it to .txt).  I tried to ping the ip address and browse to the name.  Both failed.
VPNPingAndBrowseTestsToServer.zip
OK. Now, some of the information that I require:
Which IPs did you try to ping?
Which share did you try to access?
Did you try \\Share access or some other method?

This is required so that I can filter the trace accordingly. Do you remember the IP that was assigned to the client?
kitchj (ASKER)

Which IPs did you try to ping?
   I just tried 192.168.100.1
Which share did you try to access?
   \\main  and  \\192.168.100.1  (same server)
Did you try \\Share access or some other method?
   just trying to pull up the share list on \\main
Do you remember the IP that was assigned to the client?
   I believe it was 192.168.100.114, but I can't swear to it :s
Are you aware that you need to put in two port-forward rules on the Linksys, port 47 and 1723, to your VPN authentication point?
Oh, from a tracing perspective, Wireshark (Ethereal) is very easy to use.
kitchj (ASKER)

markzz - Yes, I am aware.  This was running fine on an old server, and I merely went in and changed the IP address for the forward.  You made me second guess myself though :)  I just went back and double checked, and yes, 1723 and 47 are forwarded to 192.168.100.1
ASKER CERTIFIED SOLUTION
Amit Bhatnagar

This solution is only available to members.
kitchj (ASKER)

Interesting.  That worked.  I added 4 rules - all tcp inbound, all tcp outbound, all udp inbound, all udp outbound - and enabled them for all profiles.  Then I turned on the Domain profile (it looked like the default), and it appears to be working now.

Why would turning off the firewall not actually turn off the firewall?? :s  I originally turned it off due to a problem with Peachtree.  I planned on figuring out the ports and re-enabling it anyway.  I guess I just need to get that worked out.
Great!!

On Windows Server 2008, when you disable the firewall, it enters a block mode. This is another security feature: if a hacker is somehow able to disable the firewall, the system is not exposed; rather, it becomes more secure until an admin fixes the firewall issue. This feature has been taken out of ISA 2004. ISA 2000 was a complete mess because of the lack of this feature. Now, since it is working, you can disable these rules if you want. Make sure File and Print Sharing is enabled, because it also contains ICMP within the rule. Also, create rules for the traffic which you require, like RDP, etc.

Amit Bhatnagar.
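An added example for the server side of what is described above; it is not code from this thread, from the asker or from Microsoft. It is a PowerShell script for Windows Server 2008 that wraps netsh advfirewall (which ships with 2008; the New-NetFirewallRule cmdlets only arrived in 2012). It checks that the firewall service is running rather than stopped, lists the kind of blanket allow-all TCP/UDP inbound rules the asker added so they can be removed, and replaces them with rules scoped to PPTP (TCP 1723 and GRE, IP protocol 47), the built-in File and Printer Sharing group that carries ICMP echo, the RRAS group, and a per-service RDP rule. The rule names and the RDP rule are assumptions chosen for illustration; 192.168.100.1, port 1723 and protocol 47 come from the thread.

```powershell
# Added example (not from the thread): scope the Windows Firewall on a
# Windows Server 2008 RRAS/PPTP host instead of four allow-all TCP/UDP rules.
# Rule names below are assumptions chosen for this example.

function Test-FirewallServiceRunning {
    # Turn the firewall off per profile (netsh advfirewall set ... state off)
    # if you must; never stop or disable the Windows Firewall service (MpsSvc).
    # On Vista/2008 a stopped MpsSvc leaves the host in the blocking state
    # the asker ran into, because RRAS and the filtering engine depend on it.
    $svc = Get-Service -Name MpsSvc -ErrorAction SilentlyContinue
    return ($svc -ne $null -and $svc.Status -eq 'Running')
}

function Get-FirewallProfileState {
    # Parse "netsh advfirewall show allprofiles" into @{Domain='ON'; ...}.
    $state = @{}
    $profile = $null
    foreach ($line in (& netsh advfirewall show allprofiles)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $profile = $matches[1]
        } elseif ($profile -and $line -match '^State\s+(ON|OFF)') {
            $state[$profile] = $matches[1]
        }
    }
    return $state
}

function Find-AllowAllRules {
    # Names of enabled inbound Allow rules for TCP or UDP that match any local
    # port from any remote address: the blanket rules worth deleting.
    $found = @()
    $rule = @{}
    $dump = & netsh advfirewall firewall show rule name=all dir=in
    foreach ($line in ($dump + @(''))) {          # trailing '' flushes the last rule
        if ($line -match '^(\S[^:]*):\s*(.*)$') {
            $rule[$matches[1].Trim()] = $matches[2].Trim()
        } elseif ($line -eq '' -and $rule.Count -gt 0) {
            if ($rule['Enabled'] -eq 'Yes' -and $rule['Action'] -eq 'Allow' -and
                $rule['LocalPort'] -eq 'Any' -and $rule['RemoteIP'] -eq 'Any' -and
                ($rule['Protocol'] -eq 'TCP' -or $rule['Protocol'] -eq 'UDP')) {
                $found += $rule['Rule Name']
            }
            $rule = @{}
        }
    }
    return $found
}

function Set-RrasFirewallRules {
    # Delete the blanket rules, then allow only what PPTP needs.
    foreach ($name in Find-AllowAllRules) {
        & netsh advfirewall firewall delete rule name="$name" dir=in
    }
    # PPTP control channel (TCP 1723) and data channel (GRE, IP protocol 47).
    & netsh advfirewall firewall add rule name="VPN PPTP control (TCP-In)" dir=in action=allow protocol=TCP localport=1723 profile=any
    & netsh advfirewall firewall add rule name="VPN PPTP data (GRE-In)" dir=in action=allow protocol=47 profile=any
    # Built-in groups: File and Printer Sharing carries the ICMP echo rule the
    # thread mentions; the RRAS group exists once the role is installed (netsh
    # just reports no matching rules otherwise).
    & netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
    & netsh advfirewall firewall set rule group="Routing and Remote Access" new enable=Yes
    # A per-service rule instead of allow-all: RDP, domain profile only (assumed).
    & netsh advfirewall firewall add rule name="Remote Desktop (TCP-In)" dir=in action=allow protocol=TCP localport=3389 profile=domain
    # Turn every profile on; a profile left OFF is what the asker started from.
    & netsh advfirewall set allprofiles state on
}

function Test-PptpListener {
    # True when RRAS is listening on TCP 1723, the port the Linksys forwards
    # to 192.168.100.1 in the thread.
    $lines = & netstat -an | Where-Object { $_ -match ':1723\s+\S+\s+LISTENING' }
    return (@($lines).Count -gt 0)
}

# Usage (run in an elevated PowerShell on the VPN server):
#   Test-FirewallServiceRunning   # must be True before touching rules
#   Get-FirewallProfileState      # which profiles are ON/OFF
#   Find-AllowAllRules            # the blanket rules, if any are present
#   Set-RrasFirewallRules         # replace them with scoped rules
#   Test-PptpListener             # confirm RRAS is actually listening on 1723
```

The point of the parsing in Find-AllowAllRules is that "allow all TCP in / all UDP in" rules have no name you can rely on, so the script identifies them by their properties (Enabled, Action Allow, LocalPort Any, RemoteIP Any) rather than by name. Run Test-FirewallServiceRunning first: if MpsSvc is stopped, no rule change will help, which matches the behaviour the thread describes.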
kitchj (ASKER)

Thank you very much for all of your help.  I may not have to work tomorrow now! :D
You're welcome!! :D