Solved

RRAS server cannot access the internet, general failure

Posted on 2011-03-09
18
3,057 Views
Last Modified: 2012-06-21
I have a Windows 2008 R2 server set up running RRAS as an incoming VPN server for remote clients. Everything works fine from the VPN side; clients can connect and gain access to the network correctly. However, I have an odd issue. If one logs on to the VPN server it can ping the internal network just fine, but it cannot ping out to the internet. I get a "general failure" error.

I would not worry about this too much as the server is functional; however, it is preventing me from being able to do Windows updates on this machine.
0
Comment
Question by:mattolan
18 Comments
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Two possible options:
1) You can allow split tunneling, which will allow the client direct Internet access from their computer. There is a security feature in the VPN client that blocks local connections, including local Internet access, to protect the office/remote network. You can disable this if you wish. To do so on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP - properties | Advanced | General | un-check "Use default gateway on remote network"
For Vista: control panel | network & sharing center | connections | manage network connections | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) - properties | Advanced | IP settings | un-check "Use default gateway on remote network"
For Win 7: control panel | network & sharing center | change adapter settings | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) - properties | Advanced | IP settings | un-check "Use default gateway on remote network"

2) You can enable "LAN and Demand dial routing" in RRAS by right clicking on the server name | choose properties | General Tab. This will allow routing through the VPN server to the Internet. I assume DNS is working properly for the client. If not see item #4 in the following link:
http://msmvps.com/blogs/robwill/archive/2008/05/10/vpn-client-name-resolution.aspx
0
 
LVL 2

Author Comment

by:mattolan
Comment Utility
Sorry, it looks like my question might not be that clear. The clients all work fine; it is the VPN server itself that is having an issue. If I am logged on locally to the VPN server as an administrator (not as a VPN client) I am unable to access the internet; I get a "general failure" error.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
AH, sorry, different issue.

Try opening the DNS management console | right click on the server name and choose properties | under the interfaces tab make sure only the server's LAN IP is checked (both IPv4 & IPv6). i.e. make sure the VPN/PPP adapter's IP is not checked.

Also open the network connections window | on the menu bar choose advanced | advanced settings | adapters and bindings | make sure local area connection is at the top of the list.
0
 
LVL 2

Author Comment

by:mattolan
Comment Utility
I'm not sure where you want me to go for the DNS management console?

For the second part, the order of the connections is:
External Connection (lan)
Internal Connection (lan)
Remote Access Connection
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Screen shot attached for DNS management console, and in the adapters and bindings use the arrows on the right to move LAN connection to the top. Should be:
Internal Connection (lan)
External Connection (lan)
Remote Access Connection
DNS-Interfaces.jpg
0
 
LVL 2

Author Comment

by:mattolan
Comment Utility
Your screen shot appears to be for a Small Business Server. My server is a stand-alone VPN server with DNS services being provided by a separate server, so this would apply in my case
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
It does apply to any Windows server, not just SBS, but if DNS is on a different server than the VPN service, it should not be an issue. It still is critical, but there is no way for the VPN adapter to show up in the DNS management console if it is a different machine.

In re-reading, when you say "cannot ping out to the internet. I get a "general failure" error.", are you pinging an IP or a FQDN? I have been assuming the latter as this is a common issue. If pinging by IP is not working, could you please post the results of route print from the VPN server, while a VPN client is connected?
0
 
LVL 2

Author Comment

by:mattolan
Comment Utility
I am attempting to ping www.google.com and 74.125.53.105 (Google's IP); both result in "General Failure" errors.

Here are the route print results:


===========================================================================
Interface List
 13...00 50 56 ad 00 04 ......vmxnet3 Ethernet Adapter #3
 12...00 50 56 ad 00 12 ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
    69.31.200.200  255.255.255.248         On-link     69.31.200.205    261
    69.31.200.205  255.255.255.255         On-link     69.31.200.205    261
    69.31.200.207  255.255.255.255         On-link     69.31.200.205    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.110.0    255.255.255.0         On-link     192.168.110.3    261
    192.168.110.3  255.255.255.255         On-link     192.168.110.3    261
  192.168.110.255  255.255.255.255         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link     69.31.200.205    261
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.110.3    261
  255.255.255.255  255.255.255.255         On-link     69.31.200.205    261
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    69.31.200.202  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
0
 
LVL 2

Author Comment

by:mattolan
Comment Utility
The 69.31.200.xxx network is the external LAN that has an internet gateway,
and the
192.168.110.xx network is the internal LAN with no assigned gateway.
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
It looks like the above was output when there was no VPN client connection. If that is the case is it possible to post the results with a client connected? That would add the VPN/PPP adapter routing to the output. I am assuming this is from the VPN server.
Thanks.
0
 
LVL 2

Author Comment

by:mattolan
Comment Utility
This is from the VPN server; here it is again with a client attached:



===========================================================================
Interface List
 21...........................RAS (Dial In) Interface
 13...00 50 56 ad 00 04 ......vmxnet3 Ethernet Adapter #3
 12...00 50 56 ad 00 12 ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
    69.31.200.200  255.255.255.248         On-link     69.31.200.205    261
    69.31.200.205  255.255.255.255         On-link     69.31.200.205    261
    69.31.200.207  255.255.255.255         On-link     69.31.200.205    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.110.0    255.255.255.0         On-link     192.168.110.3    261
    192.168.110.3  255.255.255.255         On-link     192.168.110.3    261
   192.168.110.79  255.255.255.255   192.168.110.79   192.168.110.91     31
   192.168.110.91  255.255.255.255         On-link    192.168.110.91    286
  192.168.110.255  255.255.255.255         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link     192.168.110.3    261
        224.0.0.0        240.0.0.0         On-link     69.31.200.205    261
        224.0.0.0        240.0.0.0         On-link    192.168.110.91    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link     192.168.110.3    261
  255.255.255.255  255.255.255.255         On-link     69.31.200.205    261
  255.255.255.255  255.255.255.255         On-link    192.168.110.91    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0    69.31.200.202  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
0
 
LVL 2

Author Comment

by:mattolan
Comment Utility
Any more thoughts on this?
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
I am very sorry mattolan. I reviewed this as soon as you posted and was then distracted and forgot to come back to it.
The routing all looks fine. I am running out of ideas.
The only other thought I have is to run a tracert to a remote IP like 4.2.2.2 from the server while a VPN client is connected. It will not complete but it might indicate the route being taken and the number of hops before it fails. Then again it may stop at the server and be no help at all :-)
0
 
LVL 2

Author Comment

by:mattolan
Comment Utility
tracert also just gives me a general failure error.

Thanks for the attempts
0
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Sorry, I am out of ideas. I will "stay tuned in" though. Perhaps click the "request attention" link and ask the moderators to bring it to the attention of some other 'experts'. Where this has been open for a while it may not get that many views without doing so.
--Rob
0
 
LVL 2

Accepted Solution

by:
mattolan earned 0 total points
Comment Utility
I just stumbled across an article that contained my answer:

http://social.technet.microsoft.com/Forums/en/winserverPN/thread/076fa0fe-a320-42ee-a0bc-0f986bb20764

It seems that by default Server 2008 applies a set of inbound and outbound filters on the externally connected network card when you set up RRAS; these filters were preventing any traffic from being allowed through except for VPN connections.
I modified the filters and everything works.
0
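The diagnosis the thread arrives at, as an added example that is not part of the original posts: the posted route table has a valid default route, so a packet from the server itself is routable and the stop must be a packet filter on the external interface. The permit list is an assumption (common PPTP and L2TP/IPsec protocols and ports, since the thread does not list the actual filters), and `diagnose` and the other names are hypothetical helpers.

```python
import ipaddress

# Rows copied from the "Active Routes" table posted in the thread
# (VPN client connected); loopback, multicast and broadcast rows omitted.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    69.31.200.202    69.31.200.205    261
    69.31.200.200  255.255.255.248         On-link     69.31.200.205    261
    192.168.110.0    255.255.255.0         On-link     192.168.110.3    261
   192.168.110.79  255.255.255.255   192.168.110.79   192.168.110.91     31
   192.168.110.91  255.255.255.255         On-link    192.168.110.91    286
"""

# ASSUMPTION (not listed in the thread): a VPN-only permit list for the
# external interface, as (protocol, server-side port); None = no port.
VPN_ONLY_FILTERS = {("tcp", 1723), ("gre", None), ("udp", 500),
                    ("udp", 1701), ("udp", 4500)}
EXTERNAL_IF = "69.31.200.205"  # filtered interface, from the route table


def parse_routes(text):
    """Parse `route print` IPv4 rows into (network, gateway, iface, metric)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header, separator or blank line
        dest, mask, gateway, iface, metric = fields
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"),
                       gateway, iface, int(metric)))
    return routes


def lookup(routes, destination):
    """Longest-prefix match; lower metric breaks ties. None = no route."""
    addr = ipaddress.ip_address(destination)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3])) if hits else None


def diagnose(destination, proto, server_port=None, filters=VPN_ONLY_FILTERS):
    """Say where a packet sent by the server itself would stop.

    filters=None models an interface with no packet filters configured.
    """
    route = lookup(parse_routes(ROUTE_PRINT), destination)
    if route is None:
        return "no route"
    _, gateway, iface, _ = route
    filtered = filters is not None and iface == EXTERNAL_IF
    if filtered and (proto, server_port) not in filters:
        return f"routed via {gateway}, dropped by filter on {iface}"
    return f"routed via {gateway}, sent on {iface}"
```

`diagnose("74.125.53.105", "icmp")` reports a usable route and a drop at the filter, while the same ping to an internal address leaves on 192.168.110.3 untouched, which matches the symptoms described in the question.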
 
LVL 77

Expert Comment

by:Rob Williams
Comment Utility
Thank you very much for reporting your findings mattolan.
I am very interested as to the solution as the issue is somewhat common. However, in the past it always seems to have been related to the issues I pointed out; DNS interfaces and bindings.
Though inbound and outbound filtering can definitely cause this issue, I have not run into "default" filters before. This was not the case with Server 2003, and doesn't appear to be with single NIC configurations with 2008. In addition 2008 tends to rely more on NPS than any RRAS policies.
I am anxious to look into this with a dual NIC configuration.
Again thank you.
--Rob
0
 
LVL 2

Author Closing Comment

by:mattolan
Comment Utility
thanks
0
