Solved

VPN Connected with SBS 2011 but can't ping or access network resources

Posted on 2013-01-30
19
4,873 Views
Last Modified: 2013-12-02
Hi,

I just installed a new SBS 2011 essentials server and configured routing and remote access. I have opened the appropriate ports on the firewall.  I have done this many times with Server 2003 and 2008 but for some reason with this new server I can connect remotely via VPN but can't ping the server or any network computer or printer.  I can't access any network resource.  If I do an IP config all, I am getting the correct IP, subnet, GW, and DNS.  Also, I can't access any websites from my remote PC once I establish the VPN connection.  Am I missing something?
0
Comment
Question by:TeddyZ83
19 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
Did you enable VPN Access via the SBS console AND enable remote access for the relevant users via the SBS Console too?
0
 

Author Comment

by:TeddyZ83
On SBS 2011, I only see "server manager" and "Dashboard."  I think "Dashboard" replaced the SBS 2008 console.  I would think VPN is activated seeing that I can successfully connect remotely and obtain an IP.  I have granted each user "allow access" to the network for dial in for each AD account.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
This is SBS - you need to use the SBS console to enable VPN and VPN Access.  Manually setting things on SBS can open up a can of worms.

Start> All Programs> Windows SBS Console.

Enable VPN on the Network> Connectivity tab and then on the Users & Groups> Users Tab, select the relevant user you want to allow VPN Access for, double-click on them and on the Remote Access Tab, select User can access Virtual Private Network.
0
 

Author Comment

by:TeddyZ83
Windows SBS Console is not listed.  I don't think it's an option with SBS 2011 Essentials.  I have read that VPN is configured using "Routing and Remote Access."
0
 

Author Comment

by:TeddyZ83
I may have found something... Looking closer at the IPCONFIG /ALL, the subnet seems incorrect.  Will make some changes and update asap.  Thanks.
0
 

Author Comment

by:TeddyZ83
After doing some research, it seems like the subnet may be ok.  The internal IP of the network is 192.168.1.x with subnet 255.255.255.0.  The VPN IP config is getting a 192.168.1.x but the subnet of 255.255.255.255.  According to several forums, this is normal.  I also tried the article below.  I'm lost here, not sure what to look for next.

http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/thread/03383f88-b124-4be8-b310-1d352e644aec/
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 500 total points
SBS 2011 Essentials doesn't have a wizard and it is not as simple as enabling RRAS as it also needs NPS.
Hopefully you only have 1 NIC enabled.  SBS will not support multiple NICs.
To configure the VPN please see my blog:
http://blog.lan-tech.ca/2012/01/28/sbs-2011-essentials-configuring-vpn-access/

SBS 2011 standard and all previous versions had a wizard.
Server 2012 does have a wizard again, but it uses SSTP instead of PPTP
0
 

Author Comment

by:TeddyZ83
I followed your blog step by step, with NPS.  The server only has 1 NIC.  Same issues though.  I connect successfully to the VPN from a remote computer (tried from my office and home) but as soon as I connect, I lose internet connectivity and cannot ping any devices on the VPN LAN.  Once I disconnect from the VPN, my internet is back.  I have been successful many times with the same configuration on previous versions of SBS.

I thought it may be an IP conflict as stated in your blog, my IP scheme was the same as the VPN LAN.  I updated my router at my office and did a flush DNS.  I tried the VPN again and still no luck.  Weird thing is that I'm getting a valid IP, subnet, GW, and DNS from the VPN LAN when I do an ipconfig /all.
0
 
LVL 77

Expert Comment

by:Rob Williams
Maybe I am not following correctly but I get the impression there are two issues:

Cannot connect to other resources on the SBS LAN:
If so this is usually due to one of two issues.  1)  a software firewall (windows or 3rd party) on the device (PC) allows only local subnet/domain access and therefore requires the exception's/firewall's rule scope be edited to allow the remote subnet access.  2) there is a duplicate subnet between client and host.  All subnets must be different in the path between client and host.  If not you can in some circumstances connect to the VPN server, but you will never be able to connect to other devices.

Cannot access local resources while connected to the VPN.
Loss of local LAN access is normal and by default.  VPNs have one major security flaw which is a wide open tunnel allowing ALL traffic, viruses, hackers, etc. between a remote uncontrolled PC/local network, and a remote corporate network.  The VPN in an effort to protect the corporate network blocks access to any local resources, including Internet, so that "Johny in the next room" cannot gain access to the corporate network through your PC.  In order to retain local and VPN access you have to enable split-tunneling.  On a business class VPN such as Cisco, Juniper, Watchguard, etc. you have no control over this; it has to be enabled by the VPN appliance manager, but on a Windows VPN you can do so by unchecking “use remote default gateway”.   This is the correct way to do so, and has been the appropriate way to do so since NT4, but for some reason I have seen it not work on some Win 7 & 8 machines.  I am still trying to find out why.

To ‘uncheck remote default gateway’ on the client/connecting PC, go to:
control panel | network connections | right click on the VPN/Virtual adapter and choose properties | Networking | TCP/IP -properties | Advanced | General | un-check  "Use default gateway on remote network"
For Vista: control panel | network & sharing center | connections | manage network connections | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | un-check  "Use default gateway on remote network")
For Win 7: control panel | network & sharing center | change adapter settings | right click on the VPN/Virtual adapter and choose properties | Networking | Internet Protocol Version 4 (TCP/IP v4) -properties | Advanced | IP settings | un-check  "Use default gateway on remote network")

Next issue; "I updated my router at my office "
Do you mean you changed the LAN subnet?  Not recommended with a DC/DHCP server, etc. but if doing so re-run the SBS network wizards to clean up.
0

Author Comment

by:TeddyZ83
I disabled the firewall both on my PC at my office and also the firewall on the new server at remote VPN location just for testing and still no go.

I have unchecked "remote default gateway" and now I have internet when logged into the VPN (thanks).

What I meant when I said I updated my router was that I'm at my office at a remote location on a small network using a standard Netgear router (not the VPN network).  I changed from 192.168.1.1 to 192.168.0.1 subnet.  It didn't help regardless.  

Anyways, I did an IP config /all while connected to the VPN and pasted below.  Not sure if it helps.

----------------------------------------------------------------

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\pc>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SERVER
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

PPP adapter HSI:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HSI
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.24(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.1.2
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
   Physical Address. . . . . . . . . : 00-19-B9-31-87-40
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::281f:c1e6:2747:698b%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.0.5(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, January 31, 2013 9:39:40 AM
   Lease Expires . . . . . . . . . . : Friday, February 01, 2013 9:39:40 AM
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DHCPv6 IAID . . . . . . . . . . . : 234887609
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-16-73-49-7A-00-19-B9-31-87-40

   DNS Servers . . . . . . . . . . . : 192.168.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{52E66391-FABF-4679-866C-04F7FE1EED13}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:8dc:198c:b8f6:6dc9(Preferred)
   Link-local IPv6 Address . . . . . : fe80::8dc:198c:b8f6:6dc9%11(Preferred)
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{CB1D894D-B0FB-4C9A-9E17-6510D58E0621}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\pc>
0
 
LVL 77

Expert Comment

by:Rob Williams
Can you post IPconfig /all from the server as well, and if possible while a VPN client is connected.
Thanks
0
 

Author Comment

by:TeddyZ83
Yes, but I will have to go there.  It's about 15 min away.  I was logged in through RDP from a logmein PC on their network.  After I disabled the firewall, I re-enabled it but restored the defaults and got kicked off RDP.  Now I can't connect and VPN won't connect.  I'm going there now to physically sit in front of the server and will post the ipconfig /all of the server.  Thanks.
0
 
LVL 77

Expert Comment

by:Rob Williams
OK.  I am headed out for a couple of hours, but I will check back.
0
 

Author Comment

by:TeddyZ83
Here is the ipconfig /all from the server:

----------------------------------------------------------

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\HSIADMIN>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SERVER
   Primary Dns Suffix  . . . . . . . : HSI.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : HSI.local

PPP adapter RAS (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : RAS (Dial In) Interface
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.24(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : D4-AE-52-C4-A3-D4
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.2(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{2D566554-E0F9-40BE-B8BD-E0974CDC0D0B}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 9:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\HSIADMIN>
0
 

Author Comment

by:TeddyZ83
Also, I read this article; http://serverfault.com/questions/209139/sbs-2008-connected-via-vpn-but-cant-access-anything.  It looks like a similar issue that I'm having.
0
 
LVL 77

Expert Comment

by:Rob Williams
Those IP selections should work.  There are a couple of issues though, but they should be unrelated to routing:
1) The SBS should point ONLY to itself for DNS.  Currently it points to 127.0.0.1 and the router.  The first is not wrong, but ideally should be 192.168.1.2, and remove the router.  With the router added local DNS will often fail and slow logons and file access will result
2) I would never use a local subnet of 192.168.0.x, 192.168.1.x, 192.168.2.x, 10.0.0.x, 10.x.x.x.  These are far too common and mobile users will sooner or later run into conflicts with local LANs using defaults in places like hotels and Internet cafes.  In your case anyone visiting a site with a local subnet of 192.168.1.x will fail.
3) Presumably the SBS is the DHCP server? It should be.

The issue in the link you posted is again overlapping subnets.  I pointed out before that each site needs to use a different subnet (not subnet mask).  That is not actually accurate.  They need to use a different network ID so that no IP in the subnet overlaps with an IP.  The network ID is a function of the IP and the subnet mask.  Some examples:
192.168.1.1  /  255.255.255.0   subnet ID =  192.168.1.0  and encompasses  192.168.1.0  to  192.168.1.255
192.168.1.2  /  255.255.255.0   subnet ID =  192.168.1.0  and encompasses  192.168.1.0  to 192.168.1.255
192.168.2.1  /  255.255.255.0   subnet ID =  192.168.2.0  and encompasses  192.168.2.0  to  192.168.2.255
192.168.2.1  /  255.255.0.0   subnet ID =  192.168.0.0  and encompasses  192.168.2.0  to  192.168.255.255

VPN/PPP adapter  (they use a single IP in the local subnet)
192.168.1.24  /  255.255.255.255   subnet ID =  192.168.1.24  and encompasses  192.168.1.24 to 192.168.1.24

In the link you provided:
10.10.0.0  /  255.0.0.0        subnet ID =  10.0.0.0   and encompasses  10.0.0.0  to  10.255.255.255
10.1.1.0  /  255.255.255.0  subnet ID =   10.1.1.0  and encompasses  10.1.1.0  to  10.1.1.255
You can see one subnet is a subset of the other and thus overlap.
Network IDs must be different, and not overlap, for routing to take place between different network segments.

Suggestions:
I assume for testing you are pinging by IP, not FQDN?
Also when you configured the VPN did you enable LAN routing as in the instructions; see image:
http://lantechca.files.wordpress.com/2012/01/image19.png
Try running a tracert to another IP on the SBS network from a remote client such as:
Tracert  192.168.1.101
Maybe we can see where it is failing.
0
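The network-ID arithmetic in the post above, as an added Python example (not code from the thread or from the linked blog): it derives the network ID and address range from an IP and dotted subnet mask, then checks every pair of segments on a client-to-site path for overlap, which is the condition that breaks routing even when the VPN itself connects. The segment names and the sample client LAN 192.168.0.x are taken from the ipconfig output posted earlier; everything else is constructed here.

```python
import ipaddress
from itertools import combinations

def network_of(ip, mask):
    """Network ID + prefix that ip/mask belongs to, e.g. 192.168.1.1/255.255.255.0 -> 192.168.1.0/24.
    strict=False lets a host address (not just the zero address) be passed in."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def describe(ip, mask):
    """(network ID, first address, last address) as strings, like the table in the post."""
    net = network_of(ip, mask)
    return (str(net.network_address), str(net[0]), str(net[-1]))

def overlaps(ip_a, mask_a, ip_b, mask_b):
    """True when any address of one network lies inside the other (subset or superset)."""
    return network_of(ip_a, mask_a).overlaps(network_of(ip_b, mask_b))

def vpn_path_conflicts(segments):
    """segments: list of (name, ip, mask) for every network between client and site.
    Returns the pairs of segment names whose network IDs overlap; an empty list
    means the path is routable as far as addressing is concerned."""
    found = []
    for (n1, ip1, m1), (n2, ip2, m2) in combinations(segments, 2):
        if overlaps(ip1, m1, ip2, m2):
            found.append((n1, n2))
    return found

# Constructed sample path: the client's own LAN (the office Netgear router after it was
# moved to 192.168.0.x), the PPP adapter address the VPN handed out, and the SBS LAN.
SAMPLE_PATH = [
    ("client LAN",   "192.168.0.5",  "255.255.255.0"),
    ("PPP adapter",  "192.168.1.24", "255.255.255.255"),
    ("SBS LAN",      "192.168.1.2",  "255.255.255.0"),
]

# The same path before the office router was renumbered: client LAN also 192.168.1.x.
CONFLICTING_PATH = [
    ("client LAN",   "192.168.1.5",  "255.255.255.0"),
    ("PPP adapter",  "192.168.1.24", "255.255.255.255"),
    ("SBS LAN",      "192.168.1.2",  "255.255.255.0"),
]

if __name__ == "__main__":
    for ip, mask in [("192.168.1.1", "255.255.255.0"), ("192.168.2.1", "255.255.0.0"),
                     ("192.168.1.24", "255.255.255.255")]:
        print(ip, mask, describe(ip, mask))
    print("10.10.0.0/8 vs 10.1.1.0/24 overlap:",
          overlaps("10.10.0.0", "255.0.0.0", "10.1.1.0", "255.255.255.0"))
    print("conflicts (renumbered office):", vpn_path_conflicts(SAMPLE_PATH))
    print("conflicts (original office):  ", vpn_path_conflicts(CONFLICTING_PATH))
```

Note that the PPP adapter's /32 overlaps the SBS LAN by design: it is a single address carved out of that LAN (the static pool from the blog), so only overlaps involving the client's own LAN indicate a real problem.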
 

Author Comment

by:TeddyZ83
Sorry for the delay... I went back and started from scratch again following your blog; http://blog.lan-tech.ca/2012/01/28/sbs-2011-essentials-configuring-vpn-access/, and there was one step I did not do.  "Under the IPv4 tab select Static Address Pool, Add, and then enter a range of IP’s to be assigned to the VPN clients" resolved my problem!  Thank you so much.  Very strange, I have set up VPN in the past without doing this and it had worked before.  Thanks again!
0
 

Author Closing Comment

by:TeddyZ83
Great advice.  Thank you.
0
 
LVL 77

Expert Comment

by:Rob Williams
Thanks TeddyZ83.  There are some minor differences with 2011, and more with 2012.
Glad to hear you were able to resolve.
Cheers!
--Rob
0
