RRAS server cannot access the internet, general failure

I have a Windows 2008 R2 server set up running RRAS as an incoming VPN server for remote clients. Everything works fine from the VPN side; clients can connect and gain access to the network correctly. However, I have an odd issue. If one logs on to the VPN server it can ping the internal network just fine, but it cannot ping out to the internet. I get a "general failure" error.

I would not worry about this too much as the server is functional; however, it is preventing me from being able to do Windows updates on this machine.
mattolan Asked:
 
mattolan Author Commented:
I just stumbled across an article that contained my answer

http://social.technet.microsoft.com/Forums/en/winserverPN/thread/076fa0fe-a320-42ee-a0bc-0f986bb20764

It seems by default that Server 2008 applies a set of inbound and outbound filters on the externally connected network card when you set up RRAS; these filters were preventing any traffic from being allowed through except for VPN connections.
I modified the filters and everything works.
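The behaviour described in the accepted answer, as an added example that is not part of the original thread: a simplified Python model of a stateless, default-drop outbound filter list on the external interface. The VPN-only permit list (PPTP TCP 1723, GRE, L2TP/IPsec UDP 500/1701/4500), the sample packets and the exception rules are assumptions, not a dump of the poster's filters.

```python
# Added example: simplified model of static packet filters on the external
# interface (stateless, default action "drop everything not listed").
from typing import NamedTuple, Optional

SERVER_IP = "69.31.200.205"  # external interface address shown in the thread

class Rule(NamedTuple):
    proto: str                      # "tcp", "udp", "gre" or "icmp"
    src_port: Optional[int] = None  # None matches any port
    dst_port: Optional[int] = None

class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

# Assumed VPN-only outbound permit list: PPTP control, GRE, L2TP/IPsec.
VPN_OUTBOUND = [
    Rule("tcp", src_port=1723), Rule("tcp", dst_port=1723), Rule("gre"),
    Rule("udp", src_port=500), Rule("udp", src_port=1701),
    Rule("udp", src_port=4500),
]

# Hypothetical narrow exceptions for the server's own traffic.
SERVER_EXCEPTIONS = [
    Rule("tcp", dst_port=80), Rule("tcp", dst_port=443), Rule("icmp"),
]

def _port_ok(wanted, actual):
    return wanted is None or wanted == actual

def outbound_allowed(pkt, rules):
    """True if a packet leaving the external interface matches a permit rule."""
    if pkt.src != SERVER_IP:
        return False  # filters are written for the interface's own address
    return any(r.proto == pkt.proto
               and _port_ok(r.src_port, pkt.src_port)
               and _port_ok(r.dst_port, pkt.dst_port) for r in rules)

# Constructed sample traffic (203.0.113.10 is a documentation address).
PING = Packet(SERVER_IP, "74.125.53.105", "icmp")
HTTPS = Packet(SERVER_IP, "74.125.53.105", "tcp", 49200, 443)
PPTP_REPLY = Packet(SERVER_IP, "203.0.113.10", "tcp", 1723, 50111)

if __name__ == "__main__":
    for name, pkt in [("ping", PING), ("https", HTTPS), ("pptp", PPTP_REPLY)]:
        print(name, outbound_allowed(pkt, VPN_OUTBOUND),
              outbound_allowed(pkt, VPN_OUTBOUND + SERVER_EXCEPTIONS))
```

Static filters of this kind are stateless, so reply traffic needs a matching inbound permit as well. Adding narrow exceptions keeps the external interface closed to everything else.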
 
Rob Williams Commented:
Two possible options:
1) You can allow split tunneling, which will allow the client direct Internet access from their computer:  There is a security feature in the VPN client that blocks local connections, including local Internet access, to protect the office/remote network. You can disable this if you wish. To do so on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"
For Vista: control panel | network & sharing center | connections | manage network connections | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | un-check "Use default gateway on remote network"
For Win 7: control panel | network & sharing center | change adapter settings | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | un-check "Use default gateway on remote network"

2) You can enable "LAN and Demand dial routing" in RRAS by right clicking on the server name | choose properties | General Tab. This will allow routing through the VPN server to the Internet. I assume DNS is working properly for the client. If not see item #4 in the following link:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx

mattolan Author Commented:
Sorry, it looks like my question might not be that clear. The clients all work fine. It is the VPN server itself that is having an issue. If I am logged on locally to the VPN server as an administrator (not as a VPN client) I am unable to access the internet; I get a "general failure" error.
 
Rob Williams Commented:
AH, sorry, different issue.

Try opening the DNS management console | right click on the server name and choose properties | under the interfaces tab make sure only the server's LAN IP is checked (both IPv4 & IPv6). i.e. make sure the VPN/PPP adapter's IP is not checked.

Also open the network connections window | on the menu bar choose advanced | advanced settings | adapters and bindings |make sure local area connection is at the top of the list.

mattolan Author Commented:
I'm not sure where you want me to go for the DNS management console?

for the second part the order of the connections are
External Connection (lan)
Internal Connection (lan)
Remote Access Connection

Rob Williams Commented:
Screen shot attached for DNS management console, and in the adapters and bindings use the arrows on the right to move LAN connection to the top. Should be:
Internal Connection (lan)
External Connection (lan)
Remote Access Connection
DNS-Interfaces.jpg

mattolan Author Commented:
Your screen shot appears to be for a Small Business Server. My server is a stand-alone VPN server with DNS services being provided by a separate server, so this would apply in my case

Rob Williams Commented:
It does apply to any Windows server, not just SBS, but if DNS is on a different server than the VPN service, it should not be an issue. It still is critical, but there is no way for the VPN adapter to show up in the DNS management console if it is a different machine.

In re-reading, when you say; "cannot ping out to the internet. I get a "general failure" error.", are you pinging an IP or a FQDN? I have been assuming the latter as this is a common issue. If by IP is not working could you please post the results of route print from the VPN server, while a VPN client is connected.

mattolan Author Commented:
I am attempting to ping www.google.com and 74.125.53.105 (Google's IP); both result in "General Failure" errors

Here is the route print results


===========================================================================
Interface List
 13...00 50 56 ad 00 04 ......vmxnet3 Ethernet Adapter #3
 12...00 50 56 ad 00 12 ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
    69.31.200.200  255.255.255.248         On-link     69.31.200.205    261
    69.31.200.205  255.255.255.255         On-link     69.31.200.205    261
    69.31.200.207  255.255.255.255         On-link     69.31.200.205    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.110.0    255.255.255.0         On-link     192.168.110.3    261
    192.168.110.3  255.255.255.255         On-link     192.168.110.3    261
  192.168.110.255  255.255.255.255         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link     69.31.200.205    261
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.110.3    261
  255.255.255.255  255.255.255.255         On-link     69.31.200.205    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    69.31.200.202  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

mattolan Author Commented:
The 69.31.200.xxx network is the external LAN that has an internet gateway, and the 192.168.110.xx network is the internal LAN with no assigned gateway.

Rob Williams Commented:
It looks like the above was output when there was no VPN client connection. If that is the case is it possible to post the results with a client connected? That would add the VPN/PPP adapter routing to the output. I am assuming this is from the VPN server.
Thanks.

mattolan Author Commented:
This is from the VPN server; here it is again with a client attached



===========================================================================
Interface List
 21...........................RAS (Dial In) Interface
 13...00 50 56 ad 00 04 ......vmxnet3 Ethernet Adapter #3
 12...00 50 56 ad 00 12 ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
    69.31.200.200  255.255.255.248         On-link     69.31.200.205    261
    69.31.200.205  255.255.255.255         On-link     69.31.200.205    261
    69.31.200.207  255.255.255.255         On-link     69.31.200.205    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.110.0    255.255.255.0         On-link     192.168.110.3    261
    192.168.110.3  255.255.255.255         On-link     192.168.110.3    261
   192.168.110.79  255.255.255.255   192.168.110.79   192.168.110.91     31
   192.168.110.91  255.255.255.255         On-link    192.168.110.91    286
  192.168.110.255  255.255.255.255         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link     69.31.200.205    261
        224.0.0.0        240.0.0.0         On-link    192.168.110.91    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.110.3    261
  255.255.255.255  255.255.255.255         On-link     69.31.200.205    261
  255.255.255.255  255.255.255.255         On-link    192.168.110.91    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    69.31.200.202  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

mattolan Author Commented:
Any more thoughts on this?

Rob Williams Commented:
I am very sorry mattolan. I reviewed this as soon as you posted and was then distracted and forgot to come back to it.
The routing all looks fine. I am running out of ideas.
The only other thought I have is to run a  tracert to a remote IP like 4.2.2.2 from the server while a VPN client is connected. It will not complete but it might indicate the router being taken and the number of hops before it fails. Then again it may stop at the server and be no help at all :-)
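The reading that the routing is fine can be checked against the posted table. An added example, not part of the original thread: a longest-prefix-match lookup over a subset of the IPv4 rows from the route print output above (client connected). The function names are illustrative.

```python
# Added example: longest-prefix-match lookup over IPv4 "Active Routes" rows.
import ipaddress

# Rows copied from the route print output posted in the thread.
ROUTES = """\
0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
69.31.200.200  255.255.255.248         On-link     69.31.200.205    261
192.168.110.0    255.255.255.0         On-link     192.168.110.3    261
192.168.110.79  255.255.255.255   192.168.110.79   192.168.110.91     31
"""

def parse_routes(text):
    """Parse 'destination netmask gateway interface metric' rows."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers, separators and blank lines
        dest, mask, gateway, interface, metric = parts
        routes.append({
            "net": ipaddress.ip_network(f"{dest}/{mask}"),
            "gateway": gateway, "interface": interface, "metric": int(metric),
        })
    return routes

def lookup(routes, target):
    """Pick the matching route with the longest prefix, then the lowest metric."""
    addr = ipaddress.ip_address(target)
    hits = [r for r in routes if addr in r["net"]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def gateway_on_link(routes, route):
    """A next hop is usable only if an on-link subnet of the same interface covers it."""
    if route["gateway"] == "On-link":
        return True
    gw = ipaddress.ip_address(route["gateway"])
    return any(r["gateway"] == "On-link" and r["interface"] == route["interface"]
               and gw in r["net"] for r in routes)

if __name__ == "__main__":
    table = parse_routes(ROUTES)
    best = lookup(table, "74.125.53.105")
    print(best["gateway"], best["interface"], gateway_on_link(table, best))
```

A valid default route with an on-link gateway means the packet should leave via the external interface, which points the diagnosis away from routing and toward something dropping traffic on that interface.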
 
mattolan Author Commented:
tracert also just gives me a general failure error,

Thanks for the attempts

Rob Williams Commented:
Sorry I am out of ideas. I will "stay tuned in" though. Perhaps click the "request attention" link and ask the moderators to bring it to the attention of some other 'experts'. Where this has been open for a while it may not get that many views without doing so.
--Rob

Rob Williams Commented:
Thank you very much for reporting your findings mattolan.
I am very interested as to the solution as the issue is somewhat common. However, in the past it always seems to have been related to the issues I pointed out; DNS interfaces and bindings.
Though inbound and outbound filtering can definitely cause this issue, I have not run into "default" filters before. This was not the case with Server 2003, and doesn't appear to be with single NIC configurations with 2008. In addition 2008 tends to rely more on NPS than any RRAS policies.
I am anxious to look into this with a dual NIC configuration.
Again thank you.
--Rob

mattolan Author Commented:
thanks
Question has a verified solution.
