kitchj asked on

VPN connects but no communication

I had a single Windows 2000 server for my domain which also hosted a VPN for a few offsite workers. That server crashed and my new server is 2008. I made sure all of my firewall ports were switched to the new IP address, and checked all of the user accounts to make sure the "dial in" permissions transferred over. After setting up the RRAS in Windows 2008, I am able to connect to the VPN, but I can not connect to anything. That includes not being able to even ping the ip address of the server.

Any help is GREATLY appreciated :)

Thank you,
Jared
Windows Server 2008

Last Comment: Amit Bhatnagar, 8/22/2022 - Mon
Amit Bhatnagar

Make sure that the Windows network location is set to Private (not Public) if the Server is NOT in a Domain. Enable File and Printer Sharing within Windows Firewall.
Is this Server single NIC based or multihomed?
Are the clients getting an Off Subnet IP or On Subnet (same as the Internal LAN)?
Can you take a trace on the Windows 2008 Server to see if the packets are reaching it... and if they are, why are they getting lost?
ASKER
kitchj

Most users are connecting from XP, so they are not selecting Public or Private, but when I connect from Vista, I have been selecting Work.

The server is in a domain and its firewall is disabled.

There is a single NIC.

Server's IP address - 192.168.100.1

Assigned to me via VPN - 192.168.100.100 (this is from a DHCP Relay to the router)

And a tracert to 192.168.100.1 comes back Request timed out
Amit Bhatnagar

Ok...the setup looks pretty straightforward. It should work...Is there any third party Software on the Windows VPN Server that could cause this? Are you comfortable taking Network traces? If you can take a trace on the VPN Server, it will be very helpful because it will tell us if the packets are even reaching the Server or not.
ASKER
kitchj

I have not done much tracing, and I do not have any tracing software installed.  What would you suggest?

Just for more info.... the server lies behind a Linksys router.  But as I said, the ports were opened and working on the previous server.

(I increased the points.  I don't have many, but this seems to be a bigger problem than I had anticipated.)
Amit Bhatnagar

You can use Network Monitor 3.2

http://www.microsoft.com/downloads/details.aspx?familyid=f4db40af-1e08-4a21-a26b-ec2f4dc4190d&displaylang=en

Install the Software on the VPN Server. Start the trace by clicking on the New Capture tab and then the Play Button. Once it has started, try and reproduce the issue. Connect with VPN then try multiple things...Like RDP, Ping and accessing a share using a \\. Once the error has appeared, stop the trace. Save it. Compress it using Winzip etc. and attach it here. You might have to rename the file to .doc or .bmp etc.
ASKER
kitchj

Here is the .cap file (yes, I had to rename it to .txt).  I tried to ping the ip address and browse to the name.  Both failed.
VPNPingAndBrowseTestsToServer.zip
Amit Bhatnagar

Ok...Now, some of the information that I require.
What all IPs did you try and Ping?
What share did you try and access?
Did you try \\Share Access or some other method?

This is required so that I can filter the trace accordingly. Do you remember the IP that was assigned to the Client?
ASKER
kitchj

What all IPs did you try and Ping?
   I just tried 192.168.100.1
What share did you try and access?
   \\main  and  \\192.168.100.1  (same server)
Did you try \\Share Access or some other method?
   just trying to pull up the share list on \\main
Do you remember the IP that was assigned to the Client?
   I believe it was 192.168.100.114, but I can't swear to it :s
markzz

Are you aware you need to put in 2 port forward rules on the Linksys, port 47 and 1723, to your VPN authentication point?
markzz

OH, from a tracing perspective, Wireshark (Ethereal) is very easy to use.
ASKER
kitchj

markzz - Yes, I am aware.  This was running fine on an old server, and I merely went in and changed the IP address for the forward.  You made me second guess myself though :)  I just went back and double checked, and yes, 1723 and 47 are forwarded to 192.168.100.1
ASKER CERTIFIED SOLUTION
Amit Bhatnagar

ASKER
kitchj

Interesting.  That worked.  I added 4 rules - all tcp inbound, all tcp outbound, all udp inbound, all udp outbound - and enabled them for all profiles.  Then I turned on the Domain profile (it looked like the default), and it appears to be working now.

Why would turning off the firewall not actually turn off the firewall?? :s  I originally turned it off due to a problem with Peachtree.  I planned on figuring out the ports and re-enabling it anyway.  I guess I just need to get that worked out.
Amit Bhatnagar

Great  !!

On Windows 2008 Server, when you disable the Firewall, it enters a block mode. This is another security feature in which, if a hacker is able to disable the Firewall somehow, the System is not exposed...rather it becomes more secure...till the time some Admin fixes the Firewall issue. This feature has been taken out of ISA2004. ISA2000 was a complete mess because of the lack of this feature. Now, since it is working...You can disable these rules if you want. Make sure File and Print Sharing is enabled...because it also contains ICMP within the rule. Also, create rules for the traffic which you require, like RDP etc.

Amit Bhatnagar.
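The narrow rule set Amit recommends in place of the four allow-all rules, written out as an added example (not from the thread or from either participant). It uses netsh advfirewall, the built-in tool on Server 2008; the names of the four allow-all rules are assumed, since the thread does not give them, and the commands are run from an elevated prompt on the RRAS server.

```powershell
# Added example (not from the thread): swap the four allow-everything rules
# for the targeted rules the thread recommends. Run elevated on the 2008
# RRAS server. The allow-all rule names below are ASSUMED; list the real
# names first and adjust:
netsh advfirewall firewall show rule name=all dir=in | findstr /i "Rule Name"

# 1. Remove the broad allow-all rules (assumed names).
netsh advfirewall firewall delete rule name="All TCP inbound"
netsh advfirewall firewall delete rule name="All TCP outbound"
netsh advfirewall firewall delete rule name="All UDP inbound"
netsh advfirewall firewall delete rule name="All UDP outbound"

# 2. Allow only what the PPTP VPN needs: TCP 1723 for the control channel
#    and IP protocol 47 (GRE) for the tunnelled data. The Linksys forwards
#    both to 192.168.100.1, so the host firewall must accept them as well.
netsh advfirewall firewall add rule name="PPTP VPN control (TCP 1723)" dir=in action=allow protocol=TCP localport=1723
netsh advfirewall firewall add rule name="PPTP VPN data (GRE)" dir=in action=allow protocol=47

# 3. Enable the built-in rule groups instead of hand-written wide rules.
#    File and Printer Sharing includes the ICMPv4 echo rule (so ping works);
#    Remote Desktop covers TCP 3389 for RDP.
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
netsh advfirewall firewall set rule group="Remote Desktop" new enable=Yes

# 4. Keep the firewall on for every profile rather than disabling it; the
#    domain profile is the one applied on a domain-joined server.
netsh advfirewall set allprofiles state on

# 5. Verify the profile state and that the new rules exist.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name="PPTP VPN control (TCP 1723)"
netsh advfirewall firewall show rule name="PPTP VPN data (GRE)"
```

After this, a VPN client should still be able to ping 192.168.100.1 and reach \\main, while anything not covered by these rules stays blocked.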
ASKER
kitchj

Thank you very much for all of your help.  I may not have to work tomorrow now! :D
Amit Bhatnagar

You're welcome !! :D