Avatar of mattolan
mattolan
Flag for Canada asked on

RRAS server cannot access the internet, general failure

I have a windows 2008 r2 server set up running RRAS as an incoming VPN server for remote clients. Everything works fine from the VPN side, clients can connect and gain access to the network correctly. However I have an odd issue. If one logs on to the VPN server it can ping the internal network just fine, but it cannot ping out to the internet. I get a "general failure" error.

I would not worry about this to much as the server is functional however it is preventing me from being able to do windows updates on this machine
VPNWindows Server 2008Remote Access

Avatar of undefined
Last Comment
mattolan

8/22/2022 - Mon
Rob Williams

Two possible options:
1) You can allow split tunneling, which will allow the client direct Internet access from their computer:  There is a security feature in the VPN client that blocks local connections, including local Internet access, to protect the office/remote network. You can disable this if you wish. To do so on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"
For Vista: control panel | network & sharing center | connections | manage network connections | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | un-check  "Use default gateway on remote network")
For Win 7: control panel | network & sharing center | change adapter settings | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | un-check  "Use default gateway on remote network")

2) You can enable "LAN and Demand dial routing" in RRAS by right clicking on the server name | choose properties | General Tab. This will allow routing through the VPN server to the Internet. I assume DNS is working properly for the client. If not see item #4 in the following link:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
mattolan

ASKER
Sorry, It looks like my question might not be that clear, The clients all work fine. it is the vpn server itself that is having an issue. If I am logged on locally to the vpn server as an administrator (not as a vpn client) I am unable to access th internet,  I get a "general failure" error.
Rob Williams

AH, sorry, different issue.

Try opening the DNS management console | right click on the server name and choose properties | under the interfaces tab make sure only the server's LAN IP is checked (both IPv4 & IPv6). i.e. make sure the VPN/PPP adapter's IP is not checked.

Also open the network connections window | on the menu bar choose advanced | advanced settings | adapters and bindings |make sure local area connection is at the top of the list.
Your help has saved me hundreds of hours of internet surfing.
fblack61
mattolan

ASKER
I'm not sure where you want me to go for the dns management console?

for the second part the order of the connections are
External Connection (lan)
Internal Connection (lan)
Remote Access Connection
Rob Williams

Screen shot attached for DNS management console, and in the adapters and bindings use the arrows on the right to move LAN connection to the top. Should be:
Internal Connection (lan)
External Connection (lan)
Remote Access Connection
DNS-Interfaces.jpg
mattolan

ASKER
your screen shot appears to be for a small business server. My server is a stand alone vpn server with dns services being provided by a separate server, so  this would apply in my case
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Rob Williams

It does apply to any Windows server, not just SBS, but if DNS is on a different server than the VPN service, it should not be an issue. It still is critical, but there is no way for the VPN adapter to show up in the DNS management console if it is a different machine.

In re-reading, when you say; "cannot ping out to the internet. I get a "general failure" error.", are you pinging an IP or a FQDN? I have been assuming the latter as this is a common issue. If by IP is not working could you please post the results of     route print   from the VPN server, while a VPN client is connected.
mattolan

ASKER
I am attempting to ping www.google.com, and 74.125.53.105 (googles IP) bot result in "General Failure" errors

Here is the route print results


===========================================================================
Interface List
 13...00 50 56 ad 00 04 ......vmxnet3 Ethernet Adapter #3
 12...00 50 56 ad 00 12 ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
    69.31.200.200  255.255.255.248         On-link     69.31.200.205    261
    69.31.200.205  255.255.255.255         On-link     69.31.200.205    261
    69.31.200.207  255.255.255.255         On-link     69.31.200.205    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.110.0    255.255.255.0         On-link     192.168.110.3    261
    192.168.110.3  255.255.255.255         On-link     192.168.110.3    261
  192.168.110.255  255.255.255.255         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link     69.31.200.205    261
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.110.3    261
  255.255.255.255  255.255.255.255         On-link     69.31.200.205    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    69.31.200.202  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
mattolan

ASKER
the 69.31.200.xxx network it the external LAN that has an internet gateway
and the
192.168.110.xx network is the internal LAN with no assigned gateway
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Rob Williams

It looks like the above was output when there was no VPN client connection. If that is the case is it possible to post the results with a client connected? That would add the VPN/PPP adapter routing to the output. I am assuming this is from the VPN server.
Thanks.
mattolan

ASKER
this is from the VPN server, here is it is again with a client attached



===========================================================================
Interface List
 21...........................RAS (Dial In) Interface
 13...00 50 56 ad 00 04 ......vmxnet3 Ethernet Adapter #3
 12...00 50 56 ad 00 12 ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
    69.31.200.200  255.255.255.248         On-link     69.31.200.205    261
    69.31.200.205  255.255.255.255         On-link     69.31.200.205    261
    69.31.200.207  255.255.255.255         On-link     69.31.200.205    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.110.0    255.255.255.0         On-link     192.168.110.3    261
    192.168.110.3  255.255.255.255         On-link     192.168.110.3    261
   192.168.110.79  255.255.255.255   192.168.110.79   192.168.110.91     31
   192.168.110.91  255.255.255.255         On-link    192.168.110.91    286
  192.168.110.255  255.255.255.255         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link     69.31.200.205    261
        224.0.0.0        240.0.0.0         On-link    192.168.110.91    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.110.3    261
  255.255.255.255  255.255.255.255         On-link     69.31.200.205    261
  255.255.255.255  255.255.255.255         On-link    192.168.110.91    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    69.31.200.202  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
mattolan

ASKER
anymore thoughts on this?
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Rob Williams

I am very sorry mattolan. I reviewed this as soon as you posted and was then distracted and forgot to come back to it.
The routing all looks fine. I am running out of ideas.
The only other thought I have is to run a  tracert to a remote IP like 4.2.2.2 from the server while a VPN client is connected. It will not complete but it might indicate the router being taken and the number of hops before it fails. Then again it may stop at the server and be no help at all :-)
mattolan

ASKER
tracert also just gives me a general failure error,

Thanks for the attempts
Rob Williams

Sorry I am out of ideas. I will "stay tunned in" though. Perhaps click the "request attention" link and ask the moderators to bring it to the attention of some other 'experts'. Where this has been open for a while it may not get that many views without doing so.
--Rob
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
ASKER CERTIFIED SOLUTION
mattolan

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
Rob Williams

Thank you very much for reporting your findings mattolan.
I am very interested as to the solution as the issue is somewhat common. However, in the past it always seems to have been related to the issues I pointed out; DNS interfaces and bindings.
Though inbound and outbound filtering can definitely cause this issue, I have not run into "default" filters before. This was not the case with Server 2003, and doesn't appear to be with single NIC configurations with 2008. In addition 2008 tends to rely more on NPS than any RRAS polices.
I am anxious to look into this with a dual NIC configuration.
Again thank you.
--Rob
mattolan

ASKER
thanks