RRAS VPN clients won't register route

Posted on 2009-07-03
Last Modified: 2012-05-07
Hello experts :)

I am trying to configure a Windows 2008 Server with RRAS on ONE SINGLE NIC.

My setup is as follows :
Internal Network :
DMZ Network :
DMZ Gateway :
RRAS Server :

I installed RRAS and enabled IPv4 forwarding with a static address pool of : -

From the network I have access through the firewall to everything on my domain.

Now, I have also configured a static route on IPv4 as follows :
Interface : Local Area Connection
Destination :
Mask :
Gateway :

Now, my VPN clients can successfully connect to the RRAS server and I can connect to any server on the DMZ, but the route to my does not work, so I can't get in touch with any of my domain servers.
My client computer is on / net so this might be a bit confusing.
Client has IP address :

After connecting to VPN I receive from my RRAS server the IP :

An ipconfig shows :
PPP adapter Fleggaard:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . :
   Subnet Mask . . . . . . . . . . . :
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection:

  Connection-specific DNS Suffix  . : home.local
  Link-local IPv6 Address . . . . . : fe80::a877:e4f6:23e7:5873%8
  IPv4 Address. . . . . . . . . . . :
  Subnet Mask . . . . . . . . . . . :
  Default Gateway . . . . . . . . . :

If on the client I manually add the route everything works fine :
route ADD MASK

In the code area is the routing table of my client.

Any idea what I configured wrong or what I forgot to configure?

IPv4 Route Table
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
     10         On-link    266         On-link    266         On-link    266         On-link    306         On-link    306         On-link    306         On-link    286         On-link    266     12         On-link    267     11         On-link    306         On-link    267         On-link    306         On-link    266         On-link    267


Question by:George Sas
LVL 77

Expert Comment

by:Rob Williams
ID: 24777188
>>"If on the client I manually add the route everything works fine :
route ADD MASK"

You need to do this as the local router does not know the route to the remote site.
Four ways around this that should work are:
1) on the VPN client go to
Pre Vista:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | check  "Use default gateway on remote network"
control panel | network & sharing center | connections | manage network connections | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | check  "Use default gateway on remote network"

2) On the router at the client site add your route (route ADD MASK), assuming it supports adding static routes.

3) Though I have never tried it, under the dial-in tab of the user's profile in Active Directory, there is an option to add static routes for dial-in/VPN clients.

4) If the client machine is a member of the domain, it is possible to apply a logon script and have it automatically add the route to the client.
LVL 13

Author Comment

by:George Sas
ID: 24777954
Rob, thank you for the answers but this does not help and let me tell you why.

1. I tried this before I posted the thread. If I use the default gateway on the remote network I will lose the connection to the internet. All the traffic will try to go out through my VPN connection and this is a no go.

2. I can't do this manually for 200 clients :)

3. This will work only for actual dial-in clients. Tested and does not work.

4. Client computers are both domain computers and non-domain computers, and the client will log on to the machine before the VPN is initiated.

What I am trying to achieve is to replace my old Cisco VPN Concentrator which is limited to 50 simultaneous users.(older model)

Thank you for the ideas but I've tried them all :(
LVL 77

Expert Comment

by:Rob Williams
ID: 24778160
Then the simple solution is to change your VPN static address pool in RRAS. There is actually no need to assign an IP outside of the LAN subnet. Use a subset of your LAN subnet for the VPN clients. When doing so also enable LAN routing in RRAS and you will be all set. No need to create routes at the client or within RRAS. See my web site for the configuration steps.
You may also want to address name resolution if having issues. See my blog for that:
LVL 13

Author Comment

by:George Sas
ID: 24778187
The idea of assigning the VPN clients a free class from my private LAN also came to me after 3 days of testing and poking the networking guy to make firewall changes, but I have not tried it yet. (My networking guy is on vacation.)
My physical setup is : LAN > Firewall1 > DMZ > Firewall2
LAN : /
DMZ: /

Right now I am using : > so from 11 up I have them free.... I could assign the VPN Clients the subnet but then I would need to reconfigure Firewall1 .. will check with my networking guy and see how happy he is about it.

What I am thinking is that my actual setup should work, and it does work if I manually add the route to my clients.
What bugs me is why the clients are not registering the manually created route on my RRAS server .. this is kind of a mystery to me.
LVL 77

Expert Comment

by:Rob Williams
ID: 24778307
The reason it doesn't work with the current configuration is the client has only 3 options: send a packet to an IP belonging to their local LAN, send a packet to the VPN subnet, or use their default gateway. Your packets for the subnet are sent to their local default gateway because no route is known, and lost. Absolutely nothing at the server end you can do to fix that. The client needs a route somehow, or you need to change the addressing.
LVL 77

Accepted Solution

Rob Williams earned 500 total points
ID: 24779726
If stuck, I can provide a script that will create the route based on the dynamically assigned VPN adapter's IP. This has to be run on the client PC after they connect. I appreciate distributing this may be a nuisance, but it is an option.
LVL 13

Author Comment

by:George Sas
ID: 24781067
What I don't get is why would Microsoft add the option to add a static route to the IPv4 if it does not work?
That option to add a static route is there for a reason.
Adding a static route to my clients on the Cisco VPN Concentrator works just fine but on MS's RRAS not...
Microsoft works in mysterious ways.

I'll just award you the points because you took the time to discuss this with me and confirmed my fears :)
Still not working but  I will figure a way.

Thx Rob.
LVL 13

Author Closing Comment

by:George Sas
ID: 31599641
Did not make it work but the tech details were accurate and the time spent deserves the points.
LVL 77

Expert Comment

by:Rob Williams
ID: 24781214
The Microsoft VPN is definitely lacking, but comparing it to a Cisco concentrator is not really fair :-) The Cisco is a dedicated appliance designed specifically for that and has far more options. Of course it is priced accordingly as well.

Should it be of any use, I was involved in a discussion before where I proposed a script to add the route automatically. It could be applied to domain clients but non-domain machines would have to click on the batch file to run it:

Thanks GeoSs. Good luck with the project,
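
The client-side workaround discussed in this thread (add the route after the VPN connects, using the dynamically assigned PPP adapter address as the gateway), as an added example that is not Rob Williams's script or part of the original thread. The connection name, destination network and mask are placeholders, and the parsing assumes English `ipconfig` output; "Use default gateway on remote network" stays unchecked, so only the one internal prefix is sent through the tunnel.

```powershell
# Added example. Run from an elevated prompt on the client after the VPN is up.
# All default values below are placeholders, not addresses from the thread.
param(
    [string]$ConnectionName = 'MyVPN',          # hypothetical VPN connection name
    [string]$Destination    = '192.0.2.0',      # placeholder: internal LAN network
    [string]$Mask           = '255.255.255.0'   # placeholder: internal LAN mask
)

# Return the IPv4 address ipconfig reports for "PPP adapter <Name>:",
# or $null when that connection is not currently up.
function Get-PppAddress {
    param([string[]]$IpconfigLines, [string]$Name)

    $inSection = $false
    foreach ($line in $IpconfigLines) {
        # Adapter headers are the non-indented lines: "<type> adapter <name>:"
        if ($line -match '^\S.*? adapter (.+):\s*$') {
            $adapter   = $Matches[1]
            $inSection = $line.StartsWith('PPP adapter ') -and ($adapter -eq $Name)
            continue
        }
        # Inside the matching section, take the first IPv4 address line
        # ("IP Address" on pre-Vista clients, "IPv4 Address" on Vista and later).
        if ($inSection -and
            $line -match 'IP(?:v4)? Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})') {
            return $Matches[1]
        }
    }
    return $null
}

$vpnIp = Get-PppAddress -IpconfigLines (ipconfig) -Name $ConnectionName
if (-not $vpnIp) {
    # Fail closed: never add a route that points at a stale or guessed gateway.
    Write-Error "VPN connection '$ConnectionName' is not up; no route added."
    exit 1
}

# Non-persistent route (no -p), so nothing is left in the persistent route
# store once the tunnel is gone and the route is re-created on each connect.
route add $Destination mask $Mask $vpnIp
```

Because the route is limited to one prefix, traffic to any other internal subnet still leaves through the client's local default gateway, so the destination and mask must match exactly what the Firewall1 rules are meant to expose to VPN clients.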
