Solved

Unable to map a drive XP on VPN

Posted on 2009-03-30
Last Modified: 2012-05-06
I run remote backup to an XP machine at home, connected to the office via a Sonicwall hardware VPN.  I just upgraded the home machine, but am unable to map the shared drive on the server in the office, through the VPN.  Here are some details:
1. Home machine IP is 192.168.0.201, part of the office domain.
2. Office SBS2003 server is 172.25.25.100
3. Can ping either direction, both with IP and machine names.  Can also RDP either way.
4. The home machine can map drives that are on the server.
5. The server, or any other machines in office, are unable to map any drives on the home machine.
6.  The home machine sharing is set up as follows:
Share name: Backup-Drive
Allow this number of users: 5
Permissions: administrator and backup operator for domains have full control
Security tab; administrator and backup operator have full control.

7. I noticed on the windows firewall log of the remote machine that UDP from ports 4480, 4481 from the server were being blocked.  So I disabled the windows firewall and these log entries ended.

8.  When trying to map the drive, the error is "network path not found".  The event log on both machines shows nothing.

 At this point, I am not sure what to try next.
0
Question by:sgarson1
35 Comments
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24022813
What client software are you using for the Sonicwall?  Is the dns for the vpn client configured correctly?
0
 

Author Comment

by:sgarson1
ID: 24022839
Using the hardware firewall, not the Global VPN client.  The VPN works fine and the mapping was not a problem until I upgraded from the old Windows 2000 box that was replaced by this one.
0
 
LVL 4

Expert Comment

by:anvanster
ID: 24022902
Check out Sharing permissions on your shared directory. Set it to everyone full permissions. In Sharing tab, not security tab.
0

 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24022907
Hardware VPN? do you mean the Sonicwall SSL NetExtender software or are there two sonicwall devices managing the ? can you give the model of the vpn device?   The dns configuration between the two computers may be different.  Do you still have access to the old 2000 box to check its configuration?
0
 

Author Comment

by:sgarson1
ID: 24022942
No difference, but some additional info.  When I select to browse for folder when mapping, it shows my domain name, but not the machine that I cannot map to.
0
 
LVL 6

Expert Comment

by:vand
ID: 24022978
From the server are you able to browse to \\192.168.0.201\rpc$
0
 
LVL 6

Expert Comment

by:vand
ID: 24022981
Sorry IPC$
0
 
LVL 4

Expert Comment

by:anvanster
ID: 24023021
Do you have "File and printers sharing" enabled in your Network connections --> LAN?
0
 
LVL 6

Expert Comment

by:vand
ID: 24023037
Some other things to look at:

Is "Client for Microsoft Networks" checked on the connection?

Is the Computer Browser service started and set to auto?

Try to force enable NetBios over TCP/IP.

If none of these work run netsh winsock reset from a command prompt.
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24023152
Assuming there is no difference between the 2000 and XP boxes DNS configuration.

  Are pings reliable between the two boxes?  I note you are using IP addresses that says to me that your dns may not be working?   I find the only time I get a "network path was not found" error with net use is because the IP address is unreachable.  That is either routing, client firewall or rules on your vpn device.


Do you get prompted  
0
 

Author Comment

by:sgarson1
ID: 24023419
The only reason I list the IPs is because I know them.  The names resolve through DNS.  I wrote down the network config settings from the old machine before I shut it down.

Pings are reliable at 30ms with no packet loss.
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24023551
try using the fqdn in the statement when you try and map the server
0
 

Author Comment

by:sgarson1
ID: 24023698
do you mean: domain.local\machine-name ?

That gave the same not found result.
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24024697
domain.local\username
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24024719
your ping error says there is something causing a network communication issue as best as I can tell.  Can you review the access rules in your vpn device? Could the old pc have been given a special rule? Maybe you could make sure your new pc is the same IP as your old one.
0
 

Author Comment

by:sgarson1
ID: 24027961
The new PC is the same IP as the old one.  That's what puzzles me.
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24029788
Are you using an antivirus solution on the xp box?
0
 
LVL 4

Expert Comment

by:anvanster
ID: 24030582
Check correct time setting on your PC and Domain controller. Big difference can cause network sharing problems
0
 

Author Comment

by:sgarson1
ID: 24032580
Shut off my anti-virus.  Checked that the time on home and server are the same.

I just ran an ethereal trace from the home machine in the hope that this information might help understand the problem.  The trace is attached as a text file since the site restricts uploads.
BCC-Wiretrace.txt
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24032970
192.168.0.1           192.168.0.201     are these the vpn interface and destination ip? If so it appears that this error is getting generated by the vpn/firewall "Broadcast packet dropped"  I wonder if this is the product.  I would check the VPN device for errors.   There is something different on the firewall from what I can see but it would take me some time to get familiar enough to get deep in the wiretrace.
0
 

Author Comment

by:sgarson1
ID: 24033326
192.168.0.1 is the VPN interface and 192.168.0.201 is the machine in question.

I looked at the firewall logs and nothing is being blocked

212      03/31/2009 15:41:56.400      VPN TCP SYN      172.25.25.110, 3389      192.168.0.201, 2008              
213      03/31/2009 15:44:07.656      VPN TCP SYN      172.25.25.110, 445      192.168.0.201, 2015              
214      03/31/2009 15:45:30.560      VPN TCP SYN      172.25.25.110, 445      192.168.0.201, 2020              
215      03/31/2009 15:49:16.208      VPN TCP SYN      172.25.25.150, 3389      192.168.0.201, 2102              
216      03/31/2009 15:52:05.896      VPN TCP SYN      172.25.25.110, 135      192.168.0.201, 2188              
217      03/31/2009 15:53:09.832      VPN TCP SYN      172.25.25.150, 3389      192.168.0.201, 2260              
218      03/31/2009 15:55:12.384      VPN TCP SYN      172.25.25.110, 135      192.168.0.201, 2264              
219      03/31/2009 16:02:33.224      VPN TCP PSH      172.25.25.150, 3389      192.168.0.201, 2260              
220      03/31/2009 16:07:47.944      VPN TCP SYN      172.25.25.110, 445      192.168.0.201, 2280
0
 

Author Comment

by:sgarson1
ID: 24033468
Just confirmed that I can map from another machine in the 192.168.0.0 subnet.
0
 
LVL 6

Expert Comment

by:vand
ID: 24038705
Some other things to look at:

Is "Client for Microsoft Networks" checked on the connection?

Is the Computer Browser service started and set to auto?

Try to force enable NetBios over TCP/IP.

If none of these work run netsh winsock reset from a command prompt.
0
 
LVL 6

Expert Comment

by:vand
ID: 24038817
Also, verify Anvanster's question:
Do you have "File and printers sharing" enabled in your Network connections --> LAN?

Seeing how the Domain is registering but the PC is not and you are able to map the other direction, it seems to be PC/configuration  based.

0
 

Author Comment

by:sgarson1
ID: 24039296
vand:

Thanks for your suggestions.  File and print sharing is activated and I am able to map to the drive if I am on the same subnet, i.e. on my home network.

Perhaps I should try simply removing TCP/IP from the network settings, rebooting, and then adding it back.
0
 
LVL 4

Expert Comment

by:anvanster
ID: 24039389
Try adding your network server to "hosts" file.
0
 

Author Comment

by:sgarson1
ID: 24041052
I added the network server to the remote hosts file.

In checking the server, the remote machine is registered in the WINS database.  In looking in the active directory, the remote machine is NOT listed in the domain.local under the Computers folder.  But it IS listed under the domain.local\MyBusiness\Computers\SBSComputers.

I would expect that it should be in both places.
0
 

Author Comment

by:sgarson1
ID: 24041184
A new revelation:  from the remote machine, I can browse the HQ network and see all the computers, including the remote machine.

Browsing from the server, I do not see the remote machine on the network.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 24044145
A couple of thoughts:
-Is the Windows or similar firewall enabled on the machine to which you are trying to connect? If so, by default if file and print sharing are enabled, it will create an exception, but only for the local subnet. Any other subnet will be blocked for that service. You need to add the remote subnet for TCP 139 & 445, UDP 137 & 138, or choose, "allow all computers even those on the Internet" under edit scope options of the firewall.
-not being able to browse over a VPN is common. If there is no WINS server at one end, browsing relies on NetBIOS broadcasts. These are not routable, and therefore not forwarded over a VPN.
-though name resolution works, use the IP for mapping as name resolution over a VPN can be inconsistent
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
-how are you mapping the drive? I assume the home computer is not a member of the same domain. If so you need to provide credentials, so I would recommend doing so from a command line:
 net use x: \\192.168.0.201\Backup-Drive  password  /USER:domainORcomputer\username
(USER is not a variable and domainORcomputer is the name of the home computer, assuming not a member of the domain)
0
 

Author Comment

by:sgarson1
ID: 24044336
Rob:  I think you are onto the solution.  I am looking at the windows firewall advanced settings.  How would I add a remote subnet, rather than open those ports to the internet?

I am mapping with the IP: //192.168.0.201/BACKUP-MACHINE  where BACKUP-MACHINE is the share name.  The machine is on the domain and the machine from which we are mapping has credentials on this one.

I'll try this tonight.  I didn't have the problem with the previous Windows2000 machine because it didn't have the windows firewall.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24044413
Where the computer is behind a firewall you are not really opening it to the Internet so there is little risk. You might want to do this even just as a test, or even switch off the firewall for testing. However, if you want to manually add the exceptions you need to do so for each of the 4 ports; TCP 139 & 445, UDP 137 & 138. There is an example for port 3389 on my web site:
http://www.lan-2-wan.com/RD-FW.htm

I assume  //192.168.0.201/BACKUP-MACHINE   is a typo? It should be: \\192.168.0.201\BACKUP-MACHINE  
If the home machine is a member of the domain you shouldn't have a credential problem.

0
 

Author Comment

by:sgarson1
ID: 24044895
When I went to add each port exception, windows said that the port already is an exception.  Is there a way to see how the XP firewall is actually configured?
0
 

Author Comment

by:sgarson1
ID: 24044940
I shut down the firewall service on the XP machine and can now map to the machine.  So you are the man!  For whatever reasons, the exceptions didn't do the trick.

THANK YOU SO MUCH!!!
0
 

Author Closing Comment

by:sgarson1
ID: 31565592
The key solution is that you need to open the firewall ports.  I couldn't manage that, but simply shut off the firewall service.  Mission accomplished.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24045602
Sorry I was off-line for a while. If you want to leave the firewall enabled, you don't add a port exception. As the message stated there is a port exception already, however it is likely defined as for "local subnet only". To change go to control panel | windows firewall | exceptions | highlight "file and print sharing" and click edit | for each port highlight and choose change scope | then enter the changes; either "any computer (including those on the Internet)" or 192.168.0.0/255.255.255.0,172.25.25.0/255.255.255.0 [note no spaces]
0
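
The scope change described in the last comment can also be inspected and applied from a command prompt on the XP machine, which leaves the firewall service running instead of stopping it. This is an added example, not part of the thread: it uses the built-in netsh firewall context with the two subnets quoted above, and assumes XP SP2 or later and an administrator prompt.

```batch
@echo off
rem Added example, not from the thread. Assumes Windows XP SP2 or later
rem and an administrator command prompt on the home machine (192.168.0.201).

rem 1. Inspect the current configuration: operational mode and active
rem    profile, then every service and port exception with its scope.
netsh firewall show state
netsh firewall show service verbose=enable
netsh firewall show portopening verbose=enable

rem 2. Broad variant: "any computer (including those on the Internet)".
rem    Shown for contrast only and left commented out.
rem netsh firewall set service type=fileandprint mode=enable scope=all profile=all

rem 3. Scoped variant: File and Printer Sharing (TCP 139 and 445,
rem    UDP 137 and 138) reachable only from the home and office subnets.
rem    The address list is comma-separated with no spaces.
netsh firewall set service type=fileandprint mode=enable scope=custom addresses=192.168.0.0/255.255.255.0,172.25.25.0/255.255.255.0 profile=all

rem 4. Confirm that the exception now lists the custom scope.
netsh firewall show service verbose=enable
```

profile=all applies the scope to both the Domain and Standard firewall profiles, so the exception behaves the same whichever profile is active over the VPN.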
