Solved

RRAS server cannot access the internet, general failure

Posted on 2011-03-09
Last Modified: 2012-06-21
I have a Windows 2008 R2 server set up running RRAS as an incoming VPN server for remote clients. Everything works fine from the VPN side; clients can connect and gain access to the network correctly. However, I have an odd issue. If one logs on to the VPN server, it can ping the internal network just fine, but it cannot ping out to the internet. I get a "general failure" error.

I would not worry about this too much as the server is functional; however, it is preventing me from being able to do Windows updates on this machine.
Question by:mattolan

Expert Comment

by:Rob Williams
ID: 35118702
Two possible options:
1) You can allow split tunneling, which will allow the client direct Internet access from their computer. There is a security feature in the VPN client that blocks local connections, including local Internet access, to protect the office/remote network. You can disable this if you wish. To do so on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP - properties | Advanced | General | un-check "Use default gateway on remote network"
For Vista: control panel | network & sharing center | connections | manage network connections | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) - properties | Advanced | IP settings | un-check "Use default gateway on remote network"
For Win 7: control panel | network & sharing center | change adapter settings | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) - properties | Advanced | IP settings | un-check "Use default gateway on remote network"

2) You can enable "LAN and Demand dial routing" in RRAS by right clicking on the server name | choose properties | General Tab. This will allow routing through the VPN server to the Internet. I assume DNS is working properly for the client. If not see item #4 in the following link:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx

Author Comment

by:mattolan
ID: 35128415
Sorry, it looks like my question might not be that clear. The clients all work fine; it is the VPN server itself that is having an issue. If I am logged on locally to the VPN server as an administrator (not as a VPN client) I am unable to access the internet; I get a "general failure" error.

Expert Comment

by:Rob Williams
ID: 35128523
AH, sorry, different issue.

Try opening the DNS management console | right click on the server name and choose properties | under the interfaces tab make sure only the server's LAN IP is checked (both IPv4 & IPv6). i.e. make sure the VPN/PPP adapter's IP is not checked.

Also open the network connections window | on the menu bar choose advanced | advanced settings | adapters and bindings | make sure local area connection is at the top of the list.

Author Comment

by:mattolan
ID: 35129010
I'm not sure where you want me to go for the dns management console?

for the second part the order of the connections are
External Connection (lan)
Internal Connection (lan)
Remote Access Connection

Expert Comment

by:Rob Williams
ID: 35129124
Screen shot attached for DNS management console, and in the adapters and bindings use the arrows on the right to move LAN connection to the top. Should be:
Internal Connection (lan)
External Connection (lan)
Remote Access Connection
DNS-Interfaces.jpg

Author Comment

by:mattolan
ID: 35129166
Your screen shot appears to be for a Small Business Server. My server is a standalone VPN server with DNS services being provided by a separate server, so this would apply in my case.

Expert Comment

by:Rob Williams
ID: 35129246
It does apply to any Windows server, not just SBS, but if DNS is on a different server than the VPN service, it should not be an issue. It still is critical, but there is no way for the VPN adapter to show up in the DNS management console if it is a different machine.

In re-reading, when you say "cannot ping out to the internet. I get a "general failure" error.", are you pinging an IP or an FQDN? I have been assuming the latter as this is a common issue. If by IP it is not working, could you please post the results of route print from the VPN server, while a VPN client is connected.

Author Comment

by:mattolan
ID: 35129314
I am attempting to ping www.google.com and 74.125.53.105 (Google's IP); both result in "General Failure" errors.

Here is the route print results


===========================================================================
Interface List
 13...00 50 56 ad 00 04 ......vmxnet3 Ethernet Adapter #3
 12...00 50 56 ad 00 12 ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
    69.31.200.200  255.255.255.248         On-link     69.31.200.205    261
    69.31.200.205  255.255.255.255         On-link     69.31.200.205    261
    69.31.200.207  255.255.255.255         On-link     69.31.200.205    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.110.0    255.255.255.0         On-link     192.168.110.3    261
    192.168.110.3  255.255.255.255         On-link     192.168.110.3    261
  192.168.110.255  255.255.255.255         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link     69.31.200.205    261
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.110.3    261
  255.255.255.255  255.255.255.255         On-link     69.31.200.205    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    69.31.200.202  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Author Comment

by:mattolan
ID: 35129337
The 69.31.200.xxx network is the external LAN that has an internet gateway, and the 192.168.110.xx network is the internal LAN with no assigned gateway.

Expert Comment

by:Rob Williams
ID: 35129716
It looks like the above was output when there was no VPN client connection. If that is the case is it possible to post the results with a client connected? That would add the VPN/PPP adapter routing to the output. I am assuming this is from the VPN server.
Thanks.

Author Comment

by:mattolan
ID: 35131184
This is from the VPN server; here it is again with a client attached.



===========================================================================
Interface List
 21...........................RAS (Dial In) Interface
 13...00 50 56 ad 00 04 ......vmxnet3 Ethernet Adapter #3
 12...00 50 56 ad 00 12 ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
    69.31.200.200  255.255.255.248         On-link     69.31.200.205    261
    69.31.200.205  255.255.255.255         On-link     69.31.200.205    261
    69.31.200.207  255.255.255.255         On-link     69.31.200.205    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.110.0    255.255.255.0         On-link     192.168.110.3    261
    192.168.110.3  255.255.255.255         On-link     192.168.110.3    261
   192.168.110.79  255.255.255.255   192.168.110.79   192.168.110.91     31
   192.168.110.91  255.255.255.255         On-link    192.168.110.91    286
  192.168.110.255  255.255.255.255         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link     69.31.200.205    261
        224.0.0.0        240.0.0.0         On-link    192.168.110.91    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.110.3    261
  255.255.255.255  255.255.255.255         On-link     69.31.200.205    261
  255.255.255.255  255.255.255.255         On-link    192.168.110.91    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    69.31.200.202  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Author Comment

by:mattolan
ID: 35141657
Any more thoughts on this?

Expert Comment

by:Rob Williams
ID: 35143172
I am very sorry mattolan. I reviewed this as soon as you posted and was then distracted and forgot to come back to it.
The routing all looks fine. I am running out of ideas.
The only other thought I have is to run a  tracert to a remote IP like 4.2.2.2 from the server while a VPN client is connected. It will not complete but it might indicate the router being taken and the number of hops before it fails. Then again it may stop at the server and be no help at all :-)

Author Comment

by:mattolan
ID: 35147660
Tracert also just gives me a general failure error.

Thanks for the attempts

Expert Comment

by:Rob Williams
ID: 35148464
Sorry I am out of ideas. I will "stay tuned in" though. Perhaps click the "request attention" link and ask the moderators to bring it to the attention of some other 'experts'. Where this has been open for a while it may not get that many views without doing so.
--Rob

Accepted Solution

by:mattolan
ID: 35149600
I just stumbled across an article that contained my answer:

http://social.technet.microsoft.com/Forums/en/winserverPN/thread/076fa0fe-a320-42ee-a0bc-0f986bb20764

It seems by default that Server 2008 applies a set of inbound and outbound filters on the externally connected network card when you set up RRAS; these filters were preventing any traffic from being allowed through except for VPN connections.
I modified the filters and everything works
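
The behaviour described in this answer, as an added sketch that is not part of the original thread: a simplified Python model of stateless VPN-only packet filters on the external NIC, showing why ping and HTTPS originated on the server itself fail while VPN traffic passes, and that a narrow exception needs an entry in each direction. The filter entries, the `tcp-established` match and all function names are assumptions of this model; only 69.31.200.205 and 74.125.53.105 come from the thread.

```python
EXT_IP = "69.31.200.205"  # external NIC address from the route print on this page

def rule(proto, sport=None, dport=None):
    return {"proto": proto, "sport": sport, "dport": dport}

def vpn_only(direction):
    """Assumed exceptions: PPTP (TCP 1723, GRE) and L2TP/IPsec (UDP 500/1701/4500)."""
    local, peer = ("dport", "sport") if direction == "in" else ("sport", "dport")
    rules = [rule("gre"), rule("tcp", **{local: 1723}), rule("tcp", **{peer: 1723})]
    return rules + [rule("udp", **{local: p}) for p in (500, 1701, 4500)]

DEFAULT = {"in": vpn_only("in"), "out": vpn_only("out")}

def proto_ok(rule_proto, pkt):
    if rule_proto == "tcp-established":  # matches only TCP segments with ACK set
        return pkt["proto"] == "tcp" and bool(pkt.get("ack"))
    return rule_proto == pkt["proto"]

def evaluate(filters, direction, pkt):
    local = pkt["dst"] if direction == "in" else pkt["src"]
    for r in filters[direction]:
        if (local == EXT_IP and proto_ok(r["proto"], pkt)
                and r["sport"] in (None, pkt.get("sport"))
                and r["dport"] in (None, pkt.get("dport"))):
            return "forward"
    return "drop"  # default action: drop whatever matched no exception

def reply(pkt):
    return {**pkt, "src": pkt["dst"], "dst": pkt["src"],
            "sport": pkt.get("dport"), "dport": pkt.get("sport"), "ack": True}

def round_trip(filters, pkt):
    """Locally originated traffic works only if it may leave and its reply may enter."""
    return (evaluate(filters, "out", pkt) == "forward"
            and evaluate(filters, "in", reply(pkt)) == "forward")

def allow_https_out(filters):
    """Narrow change: outbound TCP 443, inbound only established replies from port 443."""
    return {"out": filters["out"] + [rule("tcp", dport=443)],
            "in": filters["in"] + [rule("tcp-established", sport=443)]}

# Constructed sample packets; 203.0.113.x and 198.51.100.x are documentation addresses.
PING = {"proto": "icmp", "src": EXT_IP, "dst": "74.125.53.105"}
HTTPS = {"proto": "tcp", "src": EXT_IP, "dst": "203.0.113.10", "sport": 49200, "dport": 443}
PPTP_IN = {"proto": "tcp", "src": "198.51.100.7", "dst": EXT_IP, "sport": 50111, "dport": 1723}
SYN_FROM_443 = {"proto": "tcp", "src": "198.51.100.9", "dst": EXT_IP, "sport": 443, "dport": 3389}

if __name__ == "__main__":
    for name, pkt in (("ping", PING), ("https", HTTPS)):
        print(name, round_trip(DEFAULT, pkt), "->", round_trip(allow_https_out(DEFAULT), pkt))
```

In this model the narrow exception restores outbound HTTPS while ping stays blocked and an unsolicited inbound connection from source port 443 is still dropped, so the VPN-only posture of the external interface is kept.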

Expert Comment

by:Rob Williams
ID: 35149826
Thank you very much for reporting your findings mattolan.
I am very interested as to the solution as the issue is somewhat common. However, in the past it always seems to have been related to the issues I pointed out; DNS interfaces and bindings.
Though inbound and outbound filtering can definitely cause this issue, I have not run into "default" filters before. This was not the case with Server 2003, and doesn't appear to be with single NIC configurations with 2008. In addition 2008 tends to rely more on NPS than any RRAS policies.
I am anxious to look into this with a dual NIC configuration.
Again thank you.
--Rob

Author Closing Comment

by:mattolan
ID: 35178785
thanks