Solved

Unable to map a drive XP on VPN

Posted on 2009-03-30
Last Modified: 2012-05-06
I run remote backup to an XP machine at home, connected to the office via a Sonicwall hardware VPN.  I just upgraded the home machine, but am unable to map the shared drive on the server in the office, through the VPN.  Here are some details:
1. Home machine IP is 192.168.0.201, part of the office domain.
2. Office SBS2003 server is 172.25.25.100
3. Can ping either direction, both with IP and machine names.  Can also RDP either way.
4. The home machine can map drives that are on the server.
5. The server, or any other machines in office, are unable to map any drives on the home machine.
6.  The home machine sharing is set up as follows:
Share name: Backup-Drive
Allow this number of users: 5
Permissions: administrator and backup operator for domains have full control
Security tab; administrator and backup operator have full control.

7. I noticed on the windows firewall log of the remote machine that UDP from ports 4480, 4481 from the server were being blocked.  So I disabled the windows firewall and these log entries ended.

8.  When trying to map the drive, the error is "network path not found".  The event log on both machines shows nothing.

At this point, I am not sure what to try next.
0
Comment
Question by:sgarson1
35 Comments
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24022813
What client software are you using for the Sonicwall?  Is the DNS for the VPN client configured correctly?  i
0
 

Author Comment

by:sgarson1
ID: 24022839
Using the hardware firewall, not the Global VPN client.  The VPN works fine and the mapping was not a problem until I upgraded from the old Windows 2000 box that was replaced by this one.
0
 
LVL 4

Expert Comment

by:anvanster
ID: 24022902
Check out Sharing permissions on your shared directory. Set it to everyone full permissions. In Sharing tab, not security tab.
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24022907
Hardware VPN? Do you mean the Sonicwall SSL NetExtender software or are there two Sonicwall devices managing the ? Can you give the model of the VPN device?   The DNS configuration between the two computers may be different.  Do you still have access to the old 2000 box to check its configuration?
0
 

Author Comment

by:sgarson1
ID: 24022942
No difference, but some additional info.  When I select to browse for folder when mapping, it shows my domain name, but not the machine that I cannot map to.
0
 
LVL 6

Expert Comment

by:vand
ID: 24022978
From the server are you able to browse to \\192.168.0.201\rpc$
0
 
LVL 6

Expert Comment

by:vand
ID: 24022981
Sorry IPC$
0
 
LVL 4

Expert Comment

by:anvanster
ID: 24023021
Do you have "File and printers sharing" enabled in your Network connections --> LAN?
0
 
LVL 6

Expert Comment

by:vand
ID: 24023037
Some other things to look at:

Is "Client for Microsoft Networks" checked on the connection?

Is the Computer Browser service started and set to auto?

Try to force enable NetBios over TCP/IP.

If none of these work run netsh winsock reset from a command prompt.
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24023152
Assuming there is no difference between the 2000 and XP boxes DNS configuration.

Are pings reliable between the two boxes?  I note you are using IP addresses; that says to me that your DNS may not be working?   I find the only time I get a "network path was not found" error with net use is because the IP address is unreachable.  That is either routing, client firewall or rules on your VPN device.


Do you get prompted  
0
 

Author Comment

by:sgarson1
ID: 24023419
The only reason I list the IPs is because I know them.  The names resolve through DNS.  I wrote down the network config settings from the old machine before I shut it down.

Pings are reliable at 30ms with no packet loss.
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24023551
Try using the FQDN in the statement when you try and map the server.
0
 

Author Comment

by:sgarson1
ID: 24023698
do you mean: domain.local\machine-name ?

That gave the same not found result.
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24024697
domain.local\username
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24024719
Your ping error says there is something causing a network communication issue, as best as I can tell.  Can you review the access rules in your VPN device? Could the old PC have been given a special rule? Maybe you could make sure your new PC is the same IP as your old one.
0
 

Author Comment

by:sgarson1
ID: 24027961
The new PC is the same IP as the old one.  That's what puzzles me.
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24029788
Are you using an antivirus solution on the xp box?
0
 
LVL 4

Expert Comment

by:anvanster
ID: 24030582
Check correct time setting on your PC and Domain controller. A big difference can cause network sharing problems.
0
 

Author Comment

by:sgarson1
ID: 24032580
Shut off my anti-virus.  Checked that the time on home and server are the same.

I just ran an ethereal trace from the home machine in the hope that this information might help understand the problem.  The trace is attached as a text file since the site restricts uploads.
BCC-Wiretrace.txt
0
 
LVL 3

Expert Comment

by:rbeckerdite
ID: 24032970
192.168.0.1 and 192.168.0.201: are these the VPN interface and destination IP? If so, it appears that this error is getting generated by the VPN/firewall: "Broadcast packet dropped".  I wonder if this is the product.  I would check the VPN device for errors.   There is something different on the firewall from what I can see, but it would take me some time to get familiar enough to get deep in the wiretrace.
0
 

Author Comment

by:sgarson1
ID: 24033326
192.168.0.1 is the VPN interface and 192.168.0.201 is the machine in question.

I looked at the firewall logs and nothing is being blocked.

212      03/31/2009 15:41:56.400      VPN TCP SYN      172.25.25.110, 3389      192.168.0.201, 2008              
213      03/31/2009 15:44:07.656      VPN TCP SYN      172.25.25.110, 445      192.168.0.201, 2015              
214      03/31/2009 15:45:30.560      VPN TCP SYN      172.25.25.110, 445      192.168.0.201, 2020              
215      03/31/2009 15:49:16.208      VPN TCP SYN      172.25.25.150, 3389      192.168.0.201, 2102              
216      03/31/2009 15:52:05.896      VPN TCP SYN      172.25.25.110, 135      192.168.0.201, 2188              
217      03/31/2009 15:53:09.832      VPN TCP SYN      172.25.25.150, 3389      192.168.0.201, 2260              
218      03/31/2009 15:55:12.384      VPN TCP SYN      172.25.25.110, 135      192.168.0.201, 2264              
219      03/31/2009 16:02:33.224      VPN TCP PSH      172.25.25.150, 3389      192.168.0.201, 2260              
220      03/31/2009 16:07:47.944      VPN TCP SYN      172.25.25.110, 445      192.168.0.201, 2280
0
 

Author Comment

by:sgarson1
ID: 24033468
Just confirmed that I can map from another machine in the 192.168.0.0 subnet.
0
 
LVL 6

Expert Comment

by:vand
ID: 24038705
Some other things to look at:

Is "Client for Microsoft Networks" checked on the connection?

Is the Computer Browser service started and set to auto?

Try to force enable NetBios over TCP/IP.

If none of these work run netsh winsock reset from a command prompt.
0
 
LVL 6

Expert Comment

by:vand
ID: 24038817
Also, verify Anvanster's question:
Do you have "File and printers sharing" enabled in your Network connections --> LAN?

Seeing how the Domain is registering but the PC is not and you are able to map the other direction, it seems to be PC/configuration  based.

0
 

Author Comment

by:sgarson1
ID: 24039296
vand:

Thanks for your suggestions.  File and print sharing is activated and I am able to map to the drive if I am on the same subnet, i.e. on my home network.

Perhaps I should try simply removing TCP/IP from the network settings, rebooting, and then adding it back.
0
 
LVL 4

Expert Comment

by:anvanster
ID: 24039389
Try adding your network server to "hosts" file.
0
 

Author Comment

by:sgarson1
ID: 24041052
I added the network server to the remote hosts file.

In checking the server, the remote machine is registered in the WINS database.  In looking in the active directory, the remote machine is NOT listed in the domain.local under the Computers folder.  But it IS listed under the domain.local\MyBusiness\Computers\SBSComputers.

I would expect that it should be in both places.
0
 

Author Comment

by:sgarson1
ID: 24041184
A new revelation:  from the remote machine, I can browse the HQ network and see all the computers, including the remote machine.

Browsing from the server, I do not see the remote machine on the network.
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
ID: 24044145
A couple of thoughts:
-Is the Windows or similar firewall enabled on the machine to which you are trying to connect? If so, by default if file and print sharing are enabled, it will create an exception, but only for the local subnet. Any other subnet will be blocked for that service. You need to add the remote subnet for TCP 139 & 445, UDP 137 & 138, or choose, "allow all computers even those on the Internet" under edit scope options of the firewall.
-not being able to browse over a VPN is common. If there is no WINS server at one end, browsing relies on NetBIOS broadcasts. These are not routable, and therefore not forwarded over a VPN.
-though name resolution works, use the IP for mapping as name resolution over a VPN can be inconsistent
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
-how are you mapping the drive? I assume the home computer is not a member of the same domain. If so you need to provide credentials, so I would recommend doing so from a command line:
 net use x: \\192.168.0.201\Backup-Drive  password  /USER:domainORcomputer\username
(USER is not a variable and domainORcomputer is the name of the home computer, assuming not a member of the domain)
0
 

Author Comment

by:sgarson1
ID: 24044336
Rob:  I think you are onto the solution.  I am looking at the windows firewall advanced settings.  How would I add a remote subnet, rather than open those ports to the internet?

I am mapping with the IP: //192.168.0.201/BACKUP-MACHINE  where BACKUP-MACHINE is the share name.  The machine is on the domain and the machine from which we are mapping has credentials on this one.

I'll try this tonight.  I didn't have the problem with the previous Windows2000 machine because it didn't have the windows firewall.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24044413
Where the computer is behind a firewall you are not really opening it to the Internet so there is little risk. You might want to do this even just as a test, or even switch off the firewall for testing. However, if you want to manually add the exceptions you need to do so for each of the 4 ports; TCP 139 & 445, UDP 137 & 138. There is an example for port 3389 on my web site:
http://www.lan-2-wan.com/RD-FW.htm

I assume  //192.168.0.201/BACKUP-MACHINE   is a typo? It should be: \\192.168.0.201\BACKUP-MACHINE  
If the home machine is a member of the domain you shouldn't have a credential problem.

0
 

Author Comment

by:sgarson1
ID: 24044895
When I went to add each port exception, Windows said that the port already is an exception.  Is there a way to see how the XP firewall is actually configured?
0
 

Author Comment

by:sgarson1
ID: 24044940
I shut down the firewall service on the XP machine and can now map to the machine.  So you are the man!  For whatever reasons, the exceptions didn't do the trick.

THANK YOU SO MUCH!!!
0
 

Author Closing Comment

by:sgarson1
ID: 31565592
The key solution is that you need to open the firewall ports.  I couldn't manage that, but simply shut off the firewall service.  Mission accomplished.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 24045602
Sorry I was off-line for a while. If you want to leave the firewall enabled, you don't add a port exception. As the message stated there is a port exception already, however it is likely defined as for "local subnet only". To change go to control panel | windows firewall | exceptions | highlight "file and print sharing" and click edit | for each port highlight and choose change scope | then enter the changes; either "any computer (including those on the Internet)" or 192.168.0.0/255.255.255.0,172.25.25.0/255.255.255.0 [note no spaces]
0
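
The scope change described in the last comment can also be inspected and applied from a command prompt. The following is an added example, not part of the original thread, using the `netsh firewall` context of Windows XP SP2; the two subnets are the ones given in the thread, and `profile=ALL` is an assumption so the rule applies whichever firewall profile is active.

```bat
@echo off
rem Added example (not from the thread): inspect and rescope the Windows XP SP2
rem firewall exception for File and Printer Sharing, leaving the firewall on.
rem Run from a Command Prompt as a local administrator on the XP machine.

rem 1. Show the active profile and whether the firewall is operational.
netsh firewall show state

rem 2. List the current exceptions (services, programs, ports) per profile.
netsh firewall show config

rem 3. Restrict File and Printer Sharing (TCP 139 and 445, UDP 137 and 138)
rem    to the home subnet and the office subnet, replacing the default
rem    "local subnet only" scope. Addresses are comma-separated, no spaces.
rem    profile=ALL is an assumption: it sets both the domain and standard profiles.
netsh firewall set service type=FILEANDPRINT mode=ENABLE scope=CUSTOM addresses=192.168.0.0/255.255.255.0,172.25.25.0/255.255.255.0 profile=ALL

rem 4. Confirm the service exception after the change.
netsh firewall show service verbose=ENABLE
```

With a custom scope the exception stays limited to the two named subnets, unlike stopping the firewall service or choosing "any computer".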
