Solved

User with VPN Can't UNC to the server but can ping FQDN and IP and can UNC to IP Address

Posted on 2009-05-14
Last Modified: 2012-06-21
A user of ours is using WatchGuard's Mobile User VPN, latest version, on Windows XP SP3 to connect into our network. The network is a class B, the firewall that he connects to being 10.32.1.10 and the SBS 2003 server being 10.32.2.10.

He is on a 192.168.1.0 range class C at home.

The VPN connects successfully to the work network, and his Exchange mailbox with Outlook connects and updates mail. From his PC I can ping the firewall and the server via IP; I can also ping the server by its name "fsl-is01" and fsl-is01.domain.co.uk etc.

The problem is if I try to run a UNC path to the server from his desktop (say to view mapped drives) we get errors.

If I go to Start, Run and type \\fsl-is01 we get the error:

\\fsl-is01

The network Path was not found

If I open an Explorer window and type \\fsl-is01 into the Explorer bar we get the error:

Windows cannot find '\\fsl-is01'. Check the spelling and try again, or try searching for the item by clicking the Start button and then clicking Search.

Up until recently the user was using offline files, which have now been switched off because of the VPN access he should be getting.

I have tried to flush DNS; nslookup finds the server correctly.

For all intents and purposes I can't find anything wrong at all with the connection but it still won't work.

Does anyone have any suggestions?

Thanks
Question by:datafocus
12 Comments
 

Author Comment

by:datafocus
ID: 24384838
Just noticed something while looking into this.
When I tried to copy the login script to his desktop from netlogon, I got the message
"Do you want to move or copy files from this zone?"  yes / no
I've not seen this before.
0
 
LVL 2

Expert Comment

by:HFVgally
ID: 24393485
So your network configuration for the server is:
IP: 10.32.2.10
SM: 255.255.0.0
GW: 10.32.1.10
Is that correct?
Are you really using .co.uk on the server's internal domain name instead of the default .local or other non-TLD like .pvt or such? That can cause a lot of problems for remote connections right there.
Make sure that in the VPN setup on the WatchGuard you specify the internal DNS and WINS server to be assigned to the client as being the IP of your internal server. You may also need to specify the connection-specific DNS suffix. Set the virtual adapter setting to Preferred as well (default is disabled). Also ensure that the subnet mask on the firewall is set correctly. With these settings applied, download a new .wgx file for the user and try to import it into the client (or if you are comfortable with the client software you can just re-create these settings by using the client security profile editor).
The zone issue in IE means that it is not recognizing the server as being part of the intranet or trusted security zones - likely because of using a public TLD for the internal domain. You can manually add the domain *.domain.co.uk into the intranet security zone, close all browser/explorer instances, and reopen to see if that solves that issue.
0
 

Author Comment

by:datafocus
ID: 24393528
Yes, the IP info is correct and yes, they are using fedsig.co.uk.
I should have said that there are perhaps 4 or 5 other users successfully using VPN most days without any issues. I'll check the firewall settings as suggested, but I have a feeling it's a client issue.
 
cheers
0
 
LVL 2

Expert Comment

by:HFVgally
ID: 24393545
Are the other clients on XP SP2? The "move or copy files from this zone" issue shows up after security enhancements added by SP3.
0
 
LVL 2

Expert Comment

by:HFVgally
ID: 24393560
Also, are you using the new 10.1 or 10.2 client on these systems, or the old 7.x client? Is everyone using the same MUVPN client?
0
 

Author Comment

by:datafocus
ID: 24393562
Yes, 90% of them are on SP3 if not all of them. I did try a fix for the move or copy file issue I found online, adding them to the domain, but it didn't seem to stop the message, although I wasn't able to reboot at that time.
0
 

Author Comment

by:datafocus
ID: 24393570
He was using the 10.1 client but I uninstalled that and then installed 10.2 to try to fix the issue, but it was still the same. I would imagine that they are still mostly on 10.1 there.
7.x, how shite was that compared lol
0
 
LVL 2

Expert Comment

by:HFVgally
ID: 24393674
If you confirm firewall settings, and can confirm at least one other system with SP3, 10.1 or 10.2 of MUVPN using either identical settings or a fresh .wgx file for the user's profile works as intended, then I would confirm general TCP/IP settings between them and ensure that any WINS or DNS settings in particular on the problem machine match those of the known working system. Perhaps the working systems are using an LMHOSTS entry?
If there are no differences in the IP configuration, then you might try checking something (this is a longshot, but it's starting to feel like a NetBIOS issue if all the IP and VPN client settings match up):
HKLM/System/CurrentControlSet/Services/NetBT/Parameters/DhcpNodeType
The default should be set to 8. I have seen instances where some networks will set this to 2 (in the case of laptops that go traveling) and it screws up name resolution.
However, I'm more inclined to think there is some jiggery pokery going on with the other clients' configurations to make them prefer to pass traffic across the VPN where they would by default be trying to pass it over the internet to a server.domain.co.uk address. Perhaps their VPN client configuration (or the configuration in the firewall for the user) dictates all traffic to use the tunnel?
0
 

Author Comment

by:datafocus
ID: 24393927
Well, just to add a little more history to the situation:
All the clients were set up with default settings as I set them all up with version 10, so I've not done anything different in any of the configurations, and there is no one else who would have changed the configs. I also set up the Firebox X20e. The only issue is the Firebox is on version 8. We're in the process of renewing the Live Security to get it to version 10 but it takes a few days to get these things through.
Unless a computer crash or other has happened, it's unlikely that any settings will have been changed deliberately.
This user's laptop is brand new so only recently set up, and as I say I have turned off offline files recently, which I thought was causing the issue. I'll run through the suggestions anyway and see what I come up with.
0
 
LVL 2

Accepted Solution

by:
HFVgally earned 500 total points
ID: 24403587
I don't believe that either the current version of the firmware on the firewall or the version of your client is the issue really.
If you are confident that the client and computer configurations are the same (since you did them all), the only other thing I can think of that might be creating the problem is the ISP.
I've seen this kind of issue where the ISP does some kind of DNS redirect feature which tries to give you suggestions for "valid" domain names when you give them an address that does not return a valid DNS response.  Try nslookup fsl-is01 and see what comes back. It should report that it is a non-existent domain. If not, if it appends the connection-specific DNS suffix, and if it replies with IP addresses at all, then the ISP is using DNS redirect services. You can probably contact the ISP to tell them to turn it off.
Is it possible to test this laptop from another remote connection (preferably one that uses a different ISP)?
0
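
The nslookup test from the accepted solution, automated as an added example (not part of the original thread): it asks the client's current resolver for random names that cannot exist and for the server's short name, and reports any answer that falls outside the LAN. The host name, server IP and /16 mask are the ones given in the thread; the two resolver functions and the 203.0.113.7 address are constructed so the logic can be exercised offline.

```python
import ipaddress
import socket
import uuid

def probe_names(suffixes=("com", "co.uk"), count=2):
    """Random labels that cannot be real registrations, a few per suffix."""
    return [f"nx-{uuid.uuid4().hex}.{s}" for s in suffixes for _ in range(count)]

def lookup(resolve, name):
    """Return the answer as a string, or None when resolution fails."""
    try:
        return resolve(name)
    except OSError:  # socket.gaierror / socket.herror: no such host
        return None

def check_dns_redirect(host, expected_ip, lan="10.32.0.0/16",
                       resolve=socket.gethostbyname):
    """Return a list of findings; an empty list means nothing suspicious.

    resolve is any callable name -> IP string. The default uses whatever
    resolver the machine is configured with at the time of the call.
    """
    findings = []
    # 1. Names that cannot exist must fail. Any answer means the resolver
    #    rewrites NXDOMAIN responses (the "DNS redirect" described above).
    rewritten = {lookup(resolve, n) for n in probe_names()} - {None}
    if rewritten:
        findings.append(f"NXDOMAIN rewritten to {sorted(rewritten)}")
    # 2. The internal name must come back with its LAN address.
    got = lookup(resolve, host)
    if got is None:
        findings.append(f"{host} does not resolve")
    elif ipaddress.ip_address(got) not in ipaddress.ip_network(lan):
        findings.append(f"{host} -> {got} (outside {lan}), expected {expected_ip}")
    elif got != expected_ip:
        findings.append(f"{host} -> {got}, expected {expected_ip}")
    return findings

# Constructed resolvers for the demonstration (not captured ISP data).
def redirecting_resolver(name):
    return "203.0.113.7"  # answers every query; documentation address range

def vpn_dns_resolver(name):
    if name in ("fsl-is01", "fsl-is01.domain.co.uk"):
        return "10.32.2.10"
    raise socket.gaierror("no such host")

if __name__ == "__main__":
    print(check_dns_redirect("fsl-is01", "10.32.2.10", resolve=redirecting_resolver))
    print(check_dns_redirect("fsl-is01", "10.32.2.10", resolve=vpn_dns_resolver))
```

Run on the affected laptop with the default `resolve`, once with the VPN up and once without, a non-empty result with the tunnel connected shows that queries are still being answered by the ISP's resolver rather than the internal DNS server.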
 

Author Comment

by:datafocus
ID: 24411710
It might be possible. I will look into that and see what results I get.
Thanks
0
 

Author Closing Comment

by:datafocus
ID: 31581437
ISP
0
