RRAS PPTP can't ping server's subnet

Posted on 2013-01-18
Last Modified: 2013-01-18
Hello,

I set up an RRAS server yesterday on Win2k12, and I cannot figure out what's broken.

The network has a NAT/router routing through various subnets and our public IP addresses (I'll pretend it's 1.1.1.1).

We have PPTP and Protocol 47 forwarded to the RRAS server. The RRAS server has the connection policy and "connect to other servers" policies enabled and permitted. I can open a PPTP tunnel to 1.1.1.1 (port-forwarded to 10.11.10.13), but once I am in, I can only ping a selection of hosts OUTSIDE the subnet that the RRAS server is in, with some exceptions.

Reproduction steps:

From my desktop on Windows 7 -> new VPN connection to 64.4.88.242 using PPTP. Login as my_mail@address.com (I'm part of Domain Admins and Domain Users).

I get an address that looks like this:

PPP adapter bombers vpn:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : company vpn
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.11.7.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 10.11.10.10
                                       10.11.10.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Symptoms:

I can ping 10.11.10.1 (The router's LAN IP on 10.11.10.x)
I can RDP to 10.11.10.13 (the RRAS server itself).
I can ping 10.11.6.41 (a printer in 10.11.6.x)
I can http to 10.11.6.41 (the same printer)
I can ping 10.10.10.10 (main switch) -> management zone
I can http to 10.10.10.10
I can ssh to 10.10.10.2 (Router's Management Interface)
I can http to 10.10.10.10
I can ping 10.15.0.20 (phone server)
I can ping google.com


I can use NSLookup against 10.11.10.10 or 10.11.10.11 (2 of our AD Domain Controllers/AD Integrated DNS Servers) to resolve any of the domain computers by FQDN

I can use NSLookup against 10.16.0.10 or 10.16.0.11 (non-domain joined DMZ DNS Caching servers)

I cannot ping 10.16.0.10 or 10.16.0.11 (though this is expected -> router blocks ICMP to DMZ).

I cannot ping 10.11.10.10 (AD/DC) -> that machine has explicit firewall exemptions permitting ICMP.
I cannot RDP to 10.11.10.10 (AD/DC) -> Remote Desktop in is enabled.
I cannot SMB to wbb-file-01.bluebombers.com.
I cannot RDP to wbb-salto-01 (a 2008 R2 installation).
I cannot run LDAP queries against 10.11.10.10 or 10.11.10.11.

The only thing I can attribute this behavior to is RRAS routing. All the behaviors that "work" are destination subnets other than 10.11.10.x.

Anything to 10.11.6.x seems to work;
Anything to 10.10.x.x seems to work;
Anything to 10.15.0.x seems to work;

Anything to 10.11.10.x seems to fail (except 10.11.10.13, which is the RRAS server's local adapter, and 10.11.10.1 -> the router).

Thoughts?



Here's the RRAS server's routes and IP info:

C:\Users\Administrator.OUR_DOMAIN>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : WBB-RRAS-01
   Primary Dns Suffix  . . . . . . . : our_domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : our_domain.com

PPP adapter RAS (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : RAS (Dial In) Interface
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.11.7.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #2
   Physical Address. . . . . . . . . : 00-15-5D-0B-33-18
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::905b:5eb:1f5a:641b%16(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.11.10.13(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.11.10.1
   DHCPv6 IAID . . . . . . . . . . . : 369104221
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-61-19-B8-00-15-5D-0B-34-11

   DNS Servers . . . . . . . . . . . : 10.11.10.10
                                       10.11.10.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\Administrator.OUR_COMPANY>route print
===========================================================================
Interface List
 27...........................RAS (Dial In) Interface
 16...00 15 5d 0b 33 18 ......Microsoft Hyper-V Network Adapter #2
  1...........................Software Loopback Interface 1
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 14...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
 17...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.11.10.1      10.11.10.13    261
        10.11.7.2  255.255.255.255         On-link         10.11.7.2    286
        10.11.7.9  255.255.255.255        10.11.7.9        10.11.7.2     31
       10.11.10.0    255.255.255.0         On-link       10.11.10.13    261
      10.11.10.13  255.255.255.255         On-link       10.11.10.13    261
     10.11.10.255  255.255.255.255         On-link       10.11.10.13    261
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link       10.11.10.13    261
        224.0.0.0        240.0.0.0         On-link         10.11.7.2    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link       10.11.10.13    261
  255.255.255.255  255.255.255.255         On-link         10.11.7.2    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0        10.11.0.1  Default
          0.0.0.0          0.0.0.0       10.11.10.1  Default
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 16    261 fe80::/64                On-link
 16    261 fe80::905b:5eb:1f5a:641b/128
                                    On-link
  1    306 ff00::/8                 On-link
 16    261 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Here is the configuration of my test machine while connected to the VPN:

C:\Users\ckluka>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : ckluka-mini
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

PPP adapter company vpn:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : our_company vpn
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.11.7.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 10.11.10.10
                                       10.11.10.11
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82579V Gigabit Network Connection
   Physical Address. . . . . . . . . : C8-60-00-1E-A8-7B
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::a433:d400:a456:8c70%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Friday, January 18, 2013 10:13:18 AM
   Lease Expires . . . . . . . . . . : Friday, January 18, 2013 11:43:18 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 248012800
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-17-20-E9-F9-C8-60-00-1E-A8-7B

   DNS Servers . . . . . . . . . . . : 64.59.176.13
                                       64.59.177.226
   NetBIOS over Tcpip. . . . . . . . : Enabled

C:\Users\ckluka>route print
===========================================================================
Interface List
 20...........................our_company vpn
 11...c8 60 00 1e a8 7b ......Intel(R) 82579V Gigabit Network Connection
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
 14...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter
 21...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1     192.168.0.10   4235
          0.0.0.0          0.0.0.0         On-link         10.11.7.9     11
        10.11.7.9  255.255.255.255         On-link         10.11.7.9    266
      64.4.88.242  255.255.255.255      192.168.0.1     192.168.0.10   4236
        127.0.0.0        255.0.0.0         On-link         127.0.0.1   4531
        127.0.0.1  255.255.255.255         On-link         127.0.0.1   4531
  127.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
      192.168.0.0    255.255.255.0         On-link      192.168.0.10   4491
     192.168.0.10  255.255.255.255         On-link      192.168.0.10   4491
    192.168.0.255  255.255.255.255         On-link      192.168.0.10   4491
        224.0.0.0        240.0.0.0         On-link         127.0.0.1   4531
        224.0.0.0        240.0.0.0         On-link      192.168.0.10   4492
        224.0.0.0        240.0.0.0         On-link         10.11.7.9     11
  255.255.255.255  255.255.255.255         On-link         127.0.0.1   4531
  255.255.255.255  255.255.255.255         On-link      192.168.0.10   4491
  255.255.255.255  255.255.255.255         On-link         10.11.7.9    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 13     58 ::/0                     On-link
  1    306 ::1/128                  On-link
 13     58 2001::/32                On-link
 13    306 2001:0:9d38:953c:388c:25df:f5f4:f8f6/128
                                    On-link
 11    266 fe80::/64                On-link
 13    306 fe80::/64                On-link
 13    306 fe80::388c:25df:f5f4:f8f6/128
                                    On-link
 11    266 fe80::a433:d400:a456:8c70/128
                                    On-link
  1    306 ff00::/8                 On-link
 13    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Any thoughts as to why I can't access any of the servers in the same subnet as the RRAS server, but I can access pretty much any server in any other subnet?
Question by:ckluka

Author Comment

by:ckluka
ID: 38793870
Upon closer inspection, this seems odd, does it not:

Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0        10.11.0.1  Default
          0.0.0.0          0.0.0.0       10.11.10.1  Default

?

Expert Comment

by:Craig Beck
ID: 38794823
Can you do a traceroute to the address of the test VPN client from one of the servers you can't get to, and post the output?

Author Comment

by:ckluka
ID: 38794852
http://snag.gy/1hL77.jpg

Two things are in this screenshot:

I put wireshark on the RRAS server and on a file server, started listening, ran a ping from my desktop connected to the VPN server (pinging the file server).

You can see the ICMP Echo Requests going from the RRAS server to the file server;

You can see the ICMP Echo Requests arrive at the file server;

You can see the ICMP Replies leave the file server headed towards the RRAS server

The RRAS server never receives the ICMP Replies... ?


Also, I can ping from file server to client, but not the other way around.

Accepted Solution

by:Craig Beck (earned 500 total points)
ID: 38794867
OK, so you've got a bit of a dodgy routing issue going on there.

Just to test, put a static route on the server you just tested from like this...

route add 10.11.7.4 mask 255.255.255.255 10.11.10.13

...and try the connection again from the client.

Author Comment

by:ckluka
ID: 38794871
Works; I can now ping the server from the client;

Any thoughts as to what is going on or, more importantly, how to resolve?

Expert Comment

by:Craig Beck
ID: 38794888
Yep, the servers on the RRAS network aren't using the RRAS server as their default gateway, so when they try to get to the 10.11.7.0 network they go to their default router first.  That then forwards to the RRAS server.

This causes a problem sometimes, and results in one-way comms, as you've seen.

You can either assign IP addresses to VPN clients in the 10.11.10.0 range, or add static routes to the servers to point all comms to the 10.11.7.0 network via the RRAS server directly.

So, if you want to add a static route (like you just did) you should use something like...

route -p add 10.11.7.0 mask 255.255.255.0 10.11.10.13

The -p switch will make the route persistent, so if you reboot the servers they will keep the route.  Also, if you don't want certain servers to be available you can just not put the static route on those servers, and make sure the firewall blocks traffic to the 10.11.7.0 subnet.
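
Added example, written for this page rather than taken from the thread: a longest-prefix-match lookup over route tables in Windows `route print` format, to show in code what Craig describes above. The RRAS server's entries are copied from the question; the file server's table and its address 10.11.10.20 are constructed for the example, and the function names are this example's own. Run it as a script in Windows PowerShell.

```powershell
# Added example (not code from the thread). Parses 'route print' style tables
# and applies the Windows selection rule (longest netmask, then lowest metric)
# to show which next hop a host picks for a VPN client at 10.11.7.9.
# The file server table (10.11.10.20) is constructed; the RRAS table is the
# one posted in the question.

function ConvertTo-IPv4Int([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($b) }
    return [int64][BitConverter]::ToUInt32($b, 0)
}

# Keeps only the five-column 'Active Routes' entries; headers and the
# four-column 'Persistent Routes' lines are ignored.
function ConvertFrom-RoutePrint([string]$Text) {
    $routes = @()
    foreach ($line in ($Text -split "`r?`n")) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 5) { continue }
        if ($f[0] -notmatch '^\d+\.\d+\.\d+\.\d+$' -or $f[1] -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }
        $routes += [pscustomobject]@{
            Network = $f[0]; Netmask = $f[1]; Gateway = $f[2]; Interface = $f[3]; Metric = [int]$f[4]
        }
    }
    return ,$routes
}

# Returns the next hop for $Destination: the gateway of the winning route, or
# the interface address when the route is On-link.
function Get-NextHop([object[]]$Routes, [string]$Destination) {
    $d = ConvertTo-IPv4Int $Destination
    $best = $null; $bestMask = -1
    foreach ($r in $Routes) {
        $net  = ConvertTo-IPv4Int $r.Network
        $mask = ConvertTo-IPv4Int $r.Netmask
        if (($d -band $mask) -ne ($net -band $mask)) { continue }        # not covered
        if ($mask -gt $bestMask -or ($mask -eq $bestMask -and $r.Metric -lt $best.Metric)) {
            $best = $r; $bestMask = $mask
        }
    }
    if ($null -eq $best) { return $null }
    if ($best.Gateway -eq 'On-link') { return $best.Interface }
    return $best.Gateway
}

# Constructed: a file server on the RRAS subnet before any fix. Nothing more
# specific than 0.0.0.0/0 covers 10.11.7.0/24, so replies head for the router.
$fileServerBefore = @'
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.11.10.1      10.11.10.20    261
       10.11.10.0    255.255.255.0         On-link      10.11.10.20    261
      10.11.10.20  255.255.255.255         On-link      10.11.10.20    261
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
'@
# The same table after 'route -p add 10.11.7.0 mask 255.255.255.0 10.11.10.13':
# the /24 beats the /0 default and replies go straight to the RRAS server.
$fileServerAfter = $fileServerBefore + "`n        10.11.7.0    255.255.255.0      10.11.10.13      10.11.10.20     11"

# From the question: the RRAS server's own routes for the client and the LAN.
$rras = @'
          0.0.0.0          0.0.0.0       10.11.10.1      10.11.10.13    261
        10.11.7.2  255.255.255.255         On-link         10.11.7.2    286
        10.11.7.9  255.255.255.255        10.11.7.9        10.11.7.2     31
       10.11.10.0    255.255.255.0         On-link       10.11.10.13    261
'@

"file server -> 10.11.7.9 before the route: " + (Get-NextHop (ConvertFrom-RoutePrint $fileServerBefore) '10.11.7.9')
"file server -> 10.11.7.9 after the route:  " + (Get-NextHop (ConvertFrom-RoutePrint $fileServerAfter)  '10.11.7.9')
"RRAS server -> 10.11.7.9 (client):         " + (Get-NextHop (ConvertFrom-RoutePrint $rras) '10.11.7.9')
"RRAS server -> 10.11.10.10 (DC):           " + (Get-NextHop (ConvertFrom-RoutePrint $rras) '10.11.10.10')
```

The first lookup lands on 10.11.10.1 and the second on 10.11.10.13, which is the whole of the asymmetry: the echo request reaches the file server directly from the RRAS box, but the reply is handed to the router and has to be hairpinned back onto the same subnet. Craig's test with a /32 host route wins the comparison for the same reason a /24 does. The two RRAS lookups show the forward direction was never the problem: 10.11.7.9 is reached through its /32 dial-in host route and 10.11.10.10 is on-link. Pasting a real `route print` into `ConvertFrom-RoutePrint` gives the same answer for any other host you are unsure about.
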

Author Comment

by:ckluka
ID: 38794928
Our router is 4 devices away from our servers (Hyper-V machines running on blades with Flex-Fabric networking back to core switching, back to inter-subnet routers).

I ended up just plugging static routes to 10.11.7.x into the servers and into Group Policy.

Thanks!!
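
Added example, not from the thread: one way to push the route Craig describes through Group Policy is a computer startup script, and the script below is written for that. It adds the persistent route only on hosts that actually sit on the RRAS server's subnet, handles the case the thread ran into where a non-persistent copy of the route already exists from a manual `route add`, and traces the first hop afterwards. Addresses come from the thread; the parameter and function names, the optional probe client and the use of WMI (so it also runs on the 2008 R2 host mentioned) are this example's assumptions. As Craig notes, hosts that do not get the route stay unreachable from VPN clients, so the GPO's scope is effectively your allowlist; link it only to the servers that should answer.

```powershell
# Added example (not the thread's own code). GPO startup script that installs
# a persistent return route to the VPN client subnet via the RRAS server.
# Defaults are the thread's addresses; everything else is an assumption.
param(
    [string]$VpnClientNet  = '10.11.7.0',
    [string]$VpnClientMask = '255.255.255.0',
    [string]$RrasAddr      = '10.11.10.13',
    [string]$ProbeClient   = '10.11.7.9'   # a connected VPN client to trace; '' to skip
)

function ConvertTo-IPv4Int([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($b) }
    return [int64][BitConverter]::ToUInt32($b, 0)
}

# True when some local IPv4 address shares a subnet with the RRAS server.
# Win32_NetworkAdapterConfiguration is used instead of Get-NetIPAddress so the
# script also runs on Windows Server 2008 R2.
function Test-OnRrasSubnet([string]$Rras) {
    $r = ConvertTo-IPv4Int $Rras
    foreach ($nic in (Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE')) {
        if (-not $nic.IPAddress) { continue }
        for ($i = 0; $i -lt $nic.IPAddress.Count; $i++) {
            $addr = $nic.IPAddress[$i]
            if ($addr -notmatch '^\d+\.\d+\.\d+\.\d+$') { continue }      # skip IPv6 entries
            $m = ConvertTo-IPv4Int $nic.IPSubnet[$i]
            if (((ConvertTo-IPv4Int $addr) -band $m) -eq ($r -band $m)) { return $true }
        }
    }
    return $false
}

# 'persistent', 'active' (present but will not survive a reboot) or 'absent'.
function Get-RouteState([string]$Net, [string]$Mask, [string]$Gw) {
    $out = (& route.exe print -4) -join "`n"
    $pattern = '(?m)^\s*{0}\s+{1}\s+{2}\s' -f [regex]::Escape($Net), [regex]::Escape($Mask), [regex]::Escape($Gw)
    $sections = $out -split 'Persistent Routes:'
    if ($sections.Count -gt 1 -and $sections[1] -match $pattern) { return 'persistent' }
    if ($sections[0] -match $pattern) { return 'active' }
    return 'absent'
}

function Install-VpnReturnRoute([string]$Net, [string]$Mask, [string]$Gw) {
    $state = Get-RouteState $Net $Mask $Gw
    if ($state -eq 'persistent') { Write-Output "route $Net/$Mask via $Gw already persistent"; return }
    if ($state -eq 'active') {
        # A leftover non-persistent route makes 'route -p add' fail with
        # 'The object already exists', so drop it and re-add it persistently.
        & route.exe delete $Net mask $Mask $Gw | Out-Null
    }
    & route.exe -p add $Net mask $Mask $Gw | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "route add failed with exit code $LASTEXITCODE" }
    Write-Output "added persistent route $Net/$Mask via $Gw"
}

# After the change the first hop towards a VPN client must be the RRAS server,
# not the default router. Returns $false on a timeout or any other first hop.
function Test-ReturnPath([string]$Client, [string]$Rras) {
    $out  = & tracert.exe -d -h 2 -w 500 $Client
    $line = $out | Where-Object { $_ -match '^\s*1\s' } | Select-Object -First 1
    return [bool]($line -match ('\b' + [regex]::Escape($Rras) + '\s*$'))
}

if (-not (Test-OnRrasSubnet $RrasAddr)) {
    Write-Output "$env:COMPUTERNAME is not on the RRAS server's subnet; nothing to do"
    return
}
Install-VpnReturnRoute $VpnClientNet $VpnClientMask $RrasAddr
if ($ProbeClient) {
    if (Test-ReturnPath $ProbeClient $RrasAddr) { Write-Output "first hop to $ProbeClient is $RrasAddr" }
    else { Write-Warning "first hop to $ProbeClient is not $RrasAddr; check 'route print -4'" }
}
```

Run it once by hand on the test server before linking the GPO, with the probe pointed at a client that is connected at the time; a warning from `Test-ReturnPath` means the route was not picked up (wrong subnet, a competing more specific route, or a typo in the parameters), and the `Get-RouteState` output tells you which of the three states the host was in. Keep the router-side firewall rule Craig mentions in place as well, so a host that is not meant to talk to 10.11.7.0/24 cannot be reached through the router path either.
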