• Status: Solved
  • Priority: Medium
  • Security: Public

Cannot access network shares over VPN

VPN is set up in RRAS on our Windows 2003 Small Business Server. I'm using only one network card. Internet access and DHCP are being supplied by a Cisco RV042 router.

A user can easily connect to the server using the built-in Windows VPN client. However, the user is unable to access any network resource not located on the VPN server.

From the command line of a client machine connected thru VPN I am able to correctly resolve namespaces of all network objects. However, using Windows Explorer, I cannot access the content of various shares (I can on the VPN server). Additionally, while I can resolve namespaces, attempts to ping any network object other than the VPN server fail.

The VPN Server is the domain controller, is running DNS, and is running WINS. Accessing network resources fails using either ip address or name.

I'd like some advice on how to allow a user connected thru VPN client to access network shares.
Asked by: manicsquirrel
1 Solution
 
rowcroft Commented:
Did you do the custom configuration when setting up RRAS? That's essential for 1 NIC.
 
manicsquirrel (Author) Commented:
I first ran the SBS Wizard for Remote Access. Then I configured RRAS manually. The result was the same both times. However, I'm not familiar with the custom configuration you are referring to. Can you enlighten me? You may have the answer.
 
rowcroft Commented:
Did you make it a PPTP connection type? If I remember L2TP traffic won't route over NAT connections.
 
Rob Williams Commented:
Any chance the subnet used at the remote site and the SBS site are the same? For example might both be using 192.168.0.x?  They must be different for routing to take place, though it is possible to access the VPN server itself if the "use remote default gateway" is checked, and it is by default.
 
Rob Williams Commented:
To answer in more detail:

There are a couple of possible issues.
When you can ping the VPN server but no other device on the network, most often it is because there is a duplicate subnet used somewhere in the path between client and server. Usually it is the client site and the server site using the same subnet. Packets are routed based on the subnet to which they belong; if remote and local are the same, where is the packet to be delivered? This is why it is never a good idea to use common subnets like 192.168.0.x or 192.168.1.x at the corporate site. You will eventually run into a conflict with a client site such as a hotel that uses a router default.

If you can ping a remote device but not access a service it is usually due to the firewall on the device to which you are trying to connect.  By default when a service is enabled on a PC a firewall exception is usually created which allows access to that service, however often only from the local subnet.  Pings are usually allowed by default from any subnet so it can usually be used for testing.  You may need to add the remote subnet or allow all.  To do so using group policies see Pete Long’s blog:
http://www.petenetlive.com/KB/Article/0000193.htm

Though it is not likely your problem, the SBS should be your DHCP server. The SBS can use RRAS for DHCP but it wants to use the SBS DHCP service for monitoring. In addition, though the RV042 can be properly configured to hand out only the SBS as a DNS server, add the domain suffix to clients, and if Server 2003 or earlier the WINS address, the SBS does it better, dynamically updates, and provides central management. In addition you may find clients do not properly register in DNS using a router for DHCP. I would recommend disabling DHCP on the router and enabling on the server. Again this is not likely directly related to your current problem.
 
manicsquirrel (Author) Commented:
RRAS is using a DHCP Relay Agent. The subnet at the remote site is 10.0.0.0/24
 
Rob Williams Commented:
>>"The subnet at the remote site is 10.0.0.0/24"
I assume the SBS site and VPN client are using something different?

From a client machine could you please post the results of IPconfig /all and route print while connected to the VPN?
 
manicsquirrel (Author) Commented:
Sorry. Yes, the host network is 192.168.1.0/24

From the client:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Carla Lewis>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Etherion-Carla
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : bestdrivers.local

PPP adapter Connect to Small Business Server:

   Connection-specific DNS Suffix  . : bestdrivers.local
   Description . . . . . . . . . . . : Connect to Small Business Server
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.142(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 192.168.1.1
   Primary WINS Server . . . . . . . : 192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
   Physical Address. . . . . . . . . : B8-AC-6F-BE-7A-39
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::557:230d:1c71:9bd2%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.0.0.252(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, August 16, 2012 3:21:46 PM
   Lease Expires . . . . . . . . . . : Friday, August 17, 2012 3:21:46 PM
   Default Gateway . . . . . . . . . : 10.0.0.1
   DHCP Server . . . . . . . . . . . : 10.0.0.1
   DHCPv6 IAID . . . . . . . . . . . : 297315439
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-B9-05-8F-B8-AC-6F-BE-7A-39

   DNS Servers . . . . . . . . . . . : 10.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled


C:\Users\Carla Lewis>route print
===========================================================================
Interface List
 32...........................Connect to Small Business Server
 13...b8 ac 6f be 7a 39 ......Broadcom NetLink (TM) Gigabit Ethernet
 11...00 11 95 4f ce 20 ......Bluetooth Device (Personal Area Network)
 21...08 00 27 00 04 f3 ......VirtualBox Host-Only Ethernet Adapter
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 15...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 18...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
 22...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.252   4235
          0.0.0.0          0.0.0.0         On-link     192.168.1.142     11
         10.0.0.0    255.255.255.0         On-link        10.0.0.252   4491
       10.0.0.252  255.255.255.255         On-link        10.0.0.252   4491
       10.0.0.255  255.255.255.255         On-link        10.0.0.252   4491
     68.143.9.148  255.255.255.255         10.0.0.1       10.0.0.252   4236
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
    192.168.1.142  255.255.255.255         On-link     192.168.1.142    266
     192.168.56.0    255.255.255.0         On-link      192.168.56.1   4501
     192.168.56.1  255.255.255.255         On-link      192.168.56.1   4501
   192.168.56.255  255.255.255.255         On-link      192.168.56.1   4501
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link      192.168.56.1   4502
        224.0.0.0        240.0.0.0         On-link        10.0.0.252   4492
        224.0.0.0        240.0.0.0         On-link     192.168.1.142     11
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link      192.168.56.1   4501
  255.255.255.255  255.255.255.255         On-link        10.0.0.252   4491
  255.255.255.255  255.255.255.255         On-link     192.168.1.142    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 21    276 fe80::/64                On-link
 13    266 fe80::/64                On-link
 13    266 fe80::557:230d:1c71:9bd2/128
                                    On-link
 21    276 fe80::2520:4b93:69d8:31a1/128
                                    On-link
  1    306 ff00::/8                 On-link
 21    276 ff00::/8                 On-link
 13    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

C:\Users\Carla Lewis>
 
Rob Williams Commented:
That all looks fine.
What is the 192.168.56.x network, a second NIC on the local PC? If so, have you tried disabling it just as a test?

Also as a test, though it shouldn't be necessary, try adding a static route for the remote VPN network on the client PC:
route add  192.168.1.0  mask  255.255.255.0  192.168.1.142
To delete:
route delete 192.168.1.0
0
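Added example, not part of the original thread: a Python check of the two things the replies above look for in the posted output, namely which route the client would pick for a host on the server LAN (longest prefix first, then lowest metric) and whether the client and server subnets collide. The route list is a constructed subset of the table posted above; the function names are hypothetical.

```python
import ipaddress

# Constructed subset of the client's IPv4 route table posted above:
# (destination, netmask, gateway, interface, metric)
ROUTES = [
    ("0.0.0.0", "0.0.0.0", "10.0.0.1", "10.0.0.252", 4235),
    ("0.0.0.0", "0.0.0.0", "On-link", "192.168.1.142", 11),
    ("10.0.0.0", "255.255.255.0", "On-link", "10.0.0.252", 4491),
    ("68.143.9.148", "255.255.255.255", "10.0.0.1", "10.0.0.252", 4236),
    ("192.168.1.142", "255.255.255.255", "On-link", "192.168.1.142", 266),
    ("192.168.56.0", "255.255.255.0", "On-link", "192.168.56.1", 4501),
]


def select_route(dest, routes=ROUTES):
    """Return the matching route: longest prefix wins, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    best = None
    for net, mask, gw, iface, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if addr not in network:
            continue
        # Sort key: more specific prefix first, then smaller metric.
        key = (-network.prefixlen, metric)
        if best is None or key < best[0]:
            best = (key, (str(network), gw, iface, metric))
    return best[1] if best else None


def overlapping(client_lan, server_lan):
    """True when the client-side and server-side subnets collide."""
    a = ipaddress.ip_network(client_lan, strict=False)
    b = ipaddress.ip_network(server_lan, strict=False)
    return a.overlaps(b)


if __name__ == "__main__":
    # A host on the server LAN, as used in the tracert suggestion.
    print(select_route("192.168.1.123"))
    # Subnets reported in the thread: client 10.0.0.0/24, host 192.168.1.0/24.
    print(overlapping("10.0.0.0/24", "192.168.1.0/24"))
    # A client site that uses a common router default would collide.
    print(overlapping("192.168.1.50/24", "192.168.1.0/24"))
```

For 192.168.1.123 the selected route is the metric-11 default route on the PPP interface (192.168.1.142), so LAN-bound traffic does enter the tunnel, and 10.0.0.0/24 does not overlap 192.168.1.0/24. The same default route also carries the client's internet traffic through the VPN while it is connected.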
 
manicsquirrel (Author) Commented:
No joy.
 
Rob Williams Commented:
What is the 192.168.56.x network?
 
manicsquirrel (Author) Commented:
It is a virtual adapter for VirtualBox. It is used when I launch a virtual OS.
 
Rob Williams Commented:
Very odd.
With the VPN connected, if you run tracert to a PC on the network which you are unable to access, such as:
tracert  192.168.1.123
What response do you get?  Since it is not working I would expect to see:
 1    22 ms    25 ms    20 ms  192.168.1.100  
 2     *        *        *     Request timed out.
(where 192.168.1.100 is the server's VPN/PPP address)
Assuming you do get that, it will at least confirm the correct gateway is being used.

One other thought....the PPTP VPN service is not enabled on the RV042?  If it is it will likely capture the packets and not forward them to the server.
 
manicsquirrel (Author) Commented:
Sorry, client turned off RRAS themselves just a short time ago. They don't want any further attempts at correcting this issue because it's "slowing down their network". Uggh...

Rob, even though we didn't get this resolved you have been most helpful. Maybe the information will help someone else troubleshoot their VPN connection in the future.
 
manicsquirrel (Author) Commented:
While we didn't find a solution, the steps Rob outlined can be used by someone else in the future to troubleshoot their VPN connection.
 
Rob Williams Commented:
Thanks very much, manicsquirrel.

I am surprised RRAS is slowing the services. Might be that the VPN adapter has been added to the DNS interfaces.

An option would be to use the RV042 VPN features. Its PPTP VPN only supports 5 users but works well. It also offers the QuickVPN client which uses IPSec and allows at least 30 connections. It can be a bit problematic in some situations depending on the client site configuration. Personally I prefer a VPN appliance/router over RRAS as it is more secure and offloads all the VPN encryption/decryption to a dedicated device.

Cheers!
--Rob