Solved

VPN clients getting wrong IPs from DHCP server (ISA 2006)

Posted on 2010-01-06
Last Modified: 2012-08-13
I have an unusual setup that I am trying to get working correctly and have not found anything posted that quite fits my scenario, so here goes.

SETUP:
ISA 2006 server, standard.
Two physical NICs; the one facing "in" is set up to use two VLANs, and those show up fine as network adapters to Windows and ISA also recognizes them fine.  Call them Vlan101 (10.2.1.0/24, my VPN vlan) and Vlan102 (10.2.0.0/24, my general user vlan).  When I tell ISA to provide my VPN clients an IP from a DHCP server, I only have two options for the "Use the following network to obtain DHCP, etc, etc", the logical networks "internal" and "external" that ISA uses.  I have this set to internal.  The "internal" network address range I have spanning the whole 10.0.0.0/8 range.
I also have the DHCP relay agent set up in RRAS.  The interface listed for this relay agent is the virtual adapter associated with VLAN 101, my vpn vlan.  The relay agent is pointing to my DHCP server, which is on a completely different vlan altogether, and I have verified that I have a good route/connectivity to this server from the ISA server.  The DHCP server is set up and servicing multiple vlans successfully.
I also verified that the virtual adapter for vpn101, the vpn vlan, is at the top of the list for "..the order in which they are accessed by network services" under the Adapters and Bindings tab of the Network Connections>Advanced Settings function.

MY ISSUE:
If I have both virtual adapters enabled (10.2.1.x and 10.2.0.x) and a vpn client connects in from outside (that is all I allow), they are getting an IP from vlan102, i.e. 10.2.0.100.  This is not what I want, I want them to get an IP from vlan101, 10.2.1.x.  If I disable the virtual network card associated with vlan102, then restart RRAS, the ISA server then grabs from the correct scope, 10.2.1.x.  If I undo this change, then the ISA server goes back to pulling from the wrong scope again.  I am assuming that the DHCP server is just providing IPs to the ISA server based on the address of the DHCP relay agent.

MY QUESTION:
How the heck do I get ISA/RRAS to use the correct adapter for the DHCP Relay Agent so that the DHCP server is providing the correct IPs???
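The assumption in the question (that the DHCP server hands out addresses based on the relay agent's own address) is how DHCP relaying works: the relay writes the address of the interface it received the request on into the giaddr field, and the server picks the scope whose subnet contains giaddr. The following is an added example, not code from this thread: it builds the fixed header of a relayed DHCPDISCOVER, reads giaddr back out and models that scope selection. The scopes, pool addresses and relay addresses are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

# Constructed scopes modelled on the thread: VPN VLAN (101) and user VLAN (102).
SCOPES = {
    IPv4Network("10.2.1.0/24"): IPv4Address("10.2.1.100"),  # first free pool address
    IPv4Network("10.2.0.0/24"): IPv4Address("10.2.0.100"),
}

ZERO = IPv4Address("0.0.0.0")


def build_discover(giaddr, xid=0x3903F326, mac=b"\x00\x11\x22\x33\x44\x55"):
    """Build the 236-byte fixed BOOTP/DHCP header (RFC 2131) plus magic cookie
    of a DHCPDISCOVER as a relay agent forwards it: hops=1 and giaddr set to the
    relay interface address. Options are omitted; they are not needed here."""
    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=1, xid, secs=0, broadcast flag
    header = struct.pack("!BBBBIHH", 1, 1, 6, 1, xid, 0, 0x8000)
    header += ZERO.packed + ZERO.packed + ZERO.packed       # ciaddr, yiaddr, siaddr
    header += IPv4Address(giaddr).packed                    # giaddr at bytes 24..27
    header += mac.ljust(16, b"\x00") + bytes(64) + bytes(128)  # chaddr, sname, file
    return header + b"\x63\x82\x53\x63"                     # DHCP magic cookie


def parse_giaddr(packet):
    """Extract the relay agent address (giaddr, bytes 24..27) from a DHCP packet."""
    if len(packet) < 240:
        raise ValueError("truncated DHCP packet")
    return IPv4Address(packet[24:28])


def select_scope(giaddr):
    """Model the server-side choice: the scope whose subnet contains giaddr.
    A non-relayed request carries giaddr 0.0.0.0 and would be served from the
    scope of the receiving interface, which this model deliberately leaves out."""
    if giaddr == ZERO:
        return None
    for net in SCOPES:
        if giaddr in net:
            return net
    return None


def offer_for(packet):
    """Return the address the modelled server would offer for this request, as a
    string, or None when no scope matches the relay address."""
    net = select_scope(parse_giaddr(packet))
    return None if net is None else str(SCOPES[net])
```

Relaying through an interface on the 10.2.0.0/24 VLAN yields a 10.2.0.x lease no matter which VLAN the VPN clients are meant for, which is exactly the symptom described.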
Question by: Bill_Huber

7 Comments
Expert Comment by Keith Alabaster (LVL 51), ID: 26191676
The ISA is likely passing across an address from the first DHCP server that responds rather than being selective. Does ISA need to see the DHCP server on the 10.2.0.0 subnet? If not, you have said that ISA is recognising both VLANs (as opposed to the host operating system of the ISA), therefore in the ISA system policy (not the firewall policy) you may be able to block DHCP requests/replies to vlan2.
Author Comment by Bill_Huber (LVL 1), ID: 26191686
Simple diagram showing logical network connectivity (attachment: Drawing1.jpg).
Author Comment by Bill_Huber (LVL 1), ID: 26191716
Keith, I have a static route for the 10.0.0.0/8 network to use the vlan101 gateway, so I would think that it should then be using that interface:
  Network Address          Netmask  Gateway Address  Metric
         10.0.0.0        255.0.0.0         10.2.1.2       1
Author Comment by Bill_Huber (LVL 1), ID: 26191742
There is only one DHCP server at this physical location and it is providing IPs for all VLANs.  It is on a VLAN that is different from both vlan101 and 102.
Author Comment by Bill_Huber (LVL 1), ID: 26191751
I just re-read your post and will look at blocking DHCP to vlan2.
Accepted Solution by Bill_Huber (LVL 1), earned 0 total points, ID: 26191911
The problem seems to be in RRAS: under the server properties, IP tab, "use the following adapter..." keeps getting forcibly changed to the wrong adapter.  I can change the adapter to the vlan101 adapter, save the settings and then it works fine, but as soon as I restart the RRAS service, it is changed automatically back to the vlan102 adapter.  I am going to try the following:
delete the vlan102 adapter, change the RRAS setting mentioned above to the correct adapter, reboot, recreate the vlan102 adapter and then see what happens.
Author Comment by Bill_Huber (LVL 1), ID: 26193206
Well, that did it for us.  For some reason, RRAS was ignoring everything else and insisted on using the wrong NIC to talk to the DHCP server for VPN client IPs.  Removed that NIC, set everything up correctly, rebuilt the NIC, all is working fine now.  Thanks for the help, Keith, but this way seems to be a more "correct" solution.  I think yours would have worked, if it had come to that, but this is working now.