mattolan
RRAS server cannot access the internet, general failure
I have a Windows 2008 R2 server set up running RRAS as an incoming VPN server for remote clients. Everything works fine from the VPN side; clients can connect and gain access to the network correctly. However, I have an odd issue. If one logs on to the VPN server it can ping the internal network just fine, but it cannot ping out to the internet. I get a "general failure" error.
I would not worry about this too much as the server is functional; however, it is preventing me from being able to do Windows updates on this machine.
ASKER
Sorry, it looks like my question might not be that clear. The clients all work fine; it is the VPN server itself that is having an issue. If I am logged on locally to the VPN server as an administrator (not as a VPN client) I am unable to access the internet; I get a "general failure" error.
AH, sorry, different issue.
Try opening the DNS management console | right click on the server name and choose properties | under the interfaces tab make sure only the server's LAN IP is checked (both IPv4 & IPv6). i.e. make sure the VPN/PPP adapter's IP is not checked.
Also open the network connections window | on the menu bar choose advanced | advanced settings | adapters and bindings |make sure local area connection is at the top of the list.
ASKER
I'm not sure where you want me to go for the dns management console?
For the second part, the order of the connections is:
External Connection (lan)
Internal Connection (lan)
Remote Access Connection
Screen shot attached for DNS management console, and in the adapters and bindings use the arrows on the right to move LAN connection to the top. Should be:
Internal Connection (lan)
External Connection (lan)
Remote Access Connection
DNS-Interfaces.jpg
ASKER
Your screen shot appears to be for a small business server. My server is a standalone VPN server with DNS services being provided by a separate server, so this would apply in my case
It does apply to any Windows server, not just SBS, but if DNS is on a different server than the VPN service, it should not be an issue. It still is critical, but there is no way for the VPN adapter to show up in the DNS management console if it is a different machine.
In re-reading, when you say; "cannot ping out to the internet. I get a "general failure" error.", are you pinging an IP or a FQDN? I have been assuming the latter as this is a common issue. If by IP is not working could you please post the results of route print from the VPN server, while a VPN client is connected.
ASKER
I am attempting to ping www.google.com and 74.125.53.105 (Google's IP); both result in "General Failure" errors.
Here is the route print results
===========================================================================
Interface List
 13...00 50 56 ad 00 04 ......vmxnet3 Ethernet Adapter #3
 12...00 50 56 ad 00 12 ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
    69.31.200.200  255.255.255.248          On-link    69.31.200.205    261
    69.31.200.205  255.255.255.255          On-link    69.31.200.205    261
    69.31.200.207  255.255.255.255          On-link    69.31.200.205    261
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
    192.168.110.0    255.255.255.0          On-link    192.168.110.3    261
    192.168.110.3  255.255.255.255          On-link    192.168.110.3    261
  192.168.110.255  255.255.255.255          On-link    192.168.110.3    261
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link    192.168.110.3    261
        224.0.0.0        240.0.0.0          On-link    69.31.200.205    261
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link    192.168.110.3    261
  255.255.255.255  255.255.255.255          On-link    69.31.200.205    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    69.31.200.202  Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
ASKER
The 69.31.200.xxx network is the external LAN that has an internet gateway
and the
192.168.110.xx network is the internal LAN with no assigned gateway
It looks like the above was output when there was no VPN client connection. If that is the case is it possible to post the results with a client connected? That would add the VPN/PPP adapter routing to the output. I am assuming this is from the VPN server.
Thanks.
ASKER
This is from the VPN server; here it is again with a client attached
===========================================================================
Interface List
 21...........................RAS (Dial In) Interface
 13...00 50 56 ad 00 04 ......vmxnet3 Ethernet Adapter #3
 12...00 50 56 ad 00 12 ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
    69.31.200.200  255.255.255.248          On-link    69.31.200.205    261
    69.31.200.205  255.255.255.255          On-link    69.31.200.205    261
    69.31.200.207  255.255.255.255          On-link    69.31.200.205    261
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    306
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    306
    192.168.110.0    255.255.255.0          On-link    192.168.110.3    261
    192.168.110.3  255.255.255.255          On-link    192.168.110.3    261
   192.168.110.79  255.255.255.255   192.168.110.79   192.168.110.91     31
   192.168.110.91  255.255.255.255          On-link   192.168.110.91    286
  192.168.110.255  255.255.255.255          On-link    192.168.110.3    261
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    306
        224.0.0.0        240.0.0.0          On-link    192.168.110.3    261
        224.0.0.0        240.0.0.0          On-link    69.31.200.205    261
        224.0.0.0        240.0.0.0          On-link   192.168.110.91    286
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    306
  255.255.255.255  255.255.255.255          On-link    192.168.110.3    261
  255.255.255.255  255.255.255.255          On-link    69.31.200.205    261
  255.255.255.255  255.255.255.255          On-link   192.168.110.91    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    69.31.200.202  Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
ASKER
Any more thoughts on this?
I am very sorry mattolan. I reviewed this as soon as you posted and was then distracted and forgot to come back to it.
The routing all looks fine. I am running out of ideas.
The only other thought I have is to run a tracert to a remote IP like 4.2.2.2 from the server while a VPN client is connected. It will not complete but it might indicate the router being taken and the number of hops before it fails. Then again it may stop at the server and be no help at all :-)
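A way to cross-check the reading of the posted route table, as an added example that is not part of the original thread: it parses `route print` IPv4 rows and picks the route by longest prefix match with the lowest metric as tie-break. The function names are hypothetical, and the rows are an excerpt of the output posted above with a client connected.

```python
import ipaddress

# Excerpt of the IPv4 "Active Routes" rows posted in this thread (VPN client connected).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
    69.31.200.200  255.255.255.248          On-link    69.31.200.205    261
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    306
    192.168.110.0    255.255.255.0          On-link    192.168.110.3    261
   192.168.110.79  255.255.255.255   192.168.110.79   192.168.110.91     31
   192.168.110.91  255.255.255.255          On-link   192.168.110.91    286
"""

def parse_routes(text):
    """Return route dicts from 'route print' IPv4 rows; skip headers and separators."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # not a destination/netmask/gateway/interface/metric row
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
        except ValueError:
            continue  # malformed address or mask
        routes.append({"net": net, "gateway": gateway, "iface": iface, "metric": int(metric)})
    return routes

def select_route(routes, destination):
    """Longest prefix wins; equal prefixes are decided by the lowest metric."""
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r["net"]]
    return min(candidates, key=lambda r: (-r["net"].prefixlen, r["metric"]), default=None)

def diagnose(routes, destination):
    """Describe how a packet to destination leaves the host, or report a missing route."""
    r = select_route(routes, destination)
    if r is None:
        return f"{destination}: no matching route"
    hop = "directly" if r["gateway"] == "On-link" else f"via {r['gateway']}"
    return f"{destination}: {hop} on {r['iface']} (metric {r['metric']})"

if __name__ == "__main__":
    table = parse_routes(ROUTE_PRINT)
    for dst in ("74.125.53.105", "4.2.2.2", "192.168.110.79", "192.168.110.20"):
        print(diagnose(table, dst))
```

When Internet destinations resolve to the default route on the external interface, as they do for this table, the "General failure" has to come from something other than the route table.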
ASKER
tracert also just gives me a general failure error,
Thanks for the attempts
Sorry, I am out of ideas. I will "stay tuned in" though. Perhaps click the "request attention" link and ask the moderators to bring it to the attention of some other 'experts'. Where this has been open for a while it may not get that many views without doing so.
--Rob
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Thank you very much for reporting your findings mattolan.
I am very interested as to the solution as the issue is somewhat common. However, in the past it always seems to have been related to the issues I pointed out; DNS interfaces and bindings.
Though inbound and outbound filtering can definitely cause this issue, I have not run into "default" filters before. This was not the case with Server 2003, and doesn't appear to be with single NIC configurations with 2008. In addition, 2008 tends to rely more on NPS than any RRAS policies.
I am anxious to look into this with a dual NIC configuration.
Again thank you.
--Rob
ASKER
thanks
1) You can allow split tunneling, which will allow the client direct Internet access from their computer: There is a security feature in the VPN client that blocks local connections, including local Internet access, to protect the office/remote network. You can disable this if you wish. To do so on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check "Use default gateway on remote network"
For Vista: control panel | network & sharing center | connections | manage network connections | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | un-check "Use default gateway on remote network"
For Win 7: control panel | network & sharing center | change adapter settings | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | un-check "Use default gateway on remote network"
2) You can enable "LAN and Demand dial routing" in RRAS by right clicking on the server name | choose properties | General Tab. This will allow routing through the VPN server to the Internet. I assume DNS is working properly for the client. If not see item #4 in the following link:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx