Solved

Cannot ping any device from the DC when a PPTP VPN connection is established.

Posted on 2013-06-30
Last Modified: 2013-12-09
This is interesting... I have a client where they currently cannot ping any device in the network if a VPN connection is established.

This all seemed to occur when I removed SEP from the DC, as Network Threat Protection was preventing remote users from mapping drives to the file server, though overnight when I tried to connect to the file server to move files I noticed the mapped drive I had on the DC to the file server was not available. I tried to ping the file server and the default gateway but no good.

I disconnected my VPN session and I accessed the DC via logmein, ran a continuous ping test to the file server, then reconnected my VPN connection. This is where I noticed the ping test stopped responding. I then disconnected the VPN connection, and the ping tests became successful again.

I only found the below event in the log:
Event ID: 32009

I'm thinking of reinstalling SEP but then I'll just be back to my original problem, though the current situation is not a good one either.

If you require any logs\details attached please advise.

Please help! Thanks!!
Question by:neryre
 
LVL 2

Expert Comment

by:eexchangetech
ID: 39288706
Go to VPN properties (Control Panel > Network Connections) > tab "Networking" > TCP/IP properties > Advanced. Here, uncheck "Use default gateway on remote network".
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39288894
I assume a Windows/RRAS VPN?

Are you trying to ping by FQDN?  If so open the DNS management console and make sure the VPN adapter is not included under interfaces when you choose properties of the DNS server.

If pinging by IP fails, make sure NAT is not enabled in the RRAS console.
0
 
LVL 1

Author Comment

by:neryre
ID: 39289282
Hi exchangeTech - I followed your instructions on my client laptop but same problem occurred.

Hi Robwill - I ping by FQDN for the file server and ping via IP on the default gateway from the domain controller which is a Telstra modem.

I'm not sure what you mean by the "VPN adapter"?

I opened up DNS Manager and went to the "Interfaces" tab "Listen on" value is currently the ip address of the local server (Domain Controller). Does this look fine?
0
 
LVL 2

Expert Comment

by:eexchangetech
ID: 39291675
1. After establishing the VPN connection, open the same properties and verify "Use default gateway on remote network" is still in the UNCHECKED state. If so, proceed with the two points below.

2. Before establishing the VPN, start CMD prompt>>> tracert <any IP on LAN>

3. After establishing the VPN, start CMD prompt>>> tracert <any IP on LAN>

Let me know the output; this way, we'll get to know how the connection is going out from the system.
0
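The before/after comparison suggested above can also be made from the routing table itself. The following is an added example, not part of the original thread: it parses two constructed `route print` excerpts from a hypothetical client laptop and reports which interface each destination leaves by. The home LAN 192.168.1.x, the PPP address 192.168.81.205 and the target addresses are assumptions; only the 192.168.81.x subnet comes from the thread.

```python
import ipaddress
from typing import Dict, List, NamedTuple, Optional, Tuple

class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int

# Constructed `route print` excerpts (hypothetical client, not real captures).
BEFORE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      20
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      20
"""
# Same client after dialing the VPN with "Use default gateway on remote
# network" still checked: a second default route appears with metric 1.
AFTER = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      21
          0.0.0.0          0.0.0.0   192.168.81.205  192.168.81.205       1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      20
"""

def parse_route_print(text: str) -> List[Route]:
    """Keep only lines shaped like: destination netmask gateway interface metric."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue  # header, separator or IPv6 line
        try:
            net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}")
        except ValueError:
            continue
        routes.append(Route(net, parts[2], parts[3], int(parts[4])))
    return routes

def egress(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest prefix wins; ties are broken by the lowest metric."""
    addr = ipaddress.IPv4Address(ip)
    hits = [r for r in routes if addr in r.network]
    return min(hits, key=lambda r: (-r.network.prefixlen, r.metric)) if hits else None

def compare(before: str, after: str, targets: List[str]) -> Dict[str, Tuple]:
    """Map each target IP to (interface before VPN, interface after VPN)."""
    b, a = parse_route_print(before), parse_route_print(after)
    pick = lambda rs, t: getattr(egress(rs, t), "interface", None)
    return {t: (pick(b, t), pick(a, t)) for t in targets}

if __name__ == "__main__":
    for ip, (pre, post) in compare(BEFORE, AFTER, ["192.168.81.10", "192.168.1.20", "203.0.113.5"]).items():
        print(f"{ip}: before={pre} after={post}")
```

An Internet address that moves to the PPP interface after connecting shows the remote default gateway is in effect, which also means all of the client's traffic is being sent through the VPN server.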
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39291804
>>"I opened up DNS Manager and went to the "Interfaces" tab "Listen on" value is currently the ip address of the local server (Domain Controller). Does this look fine? "
Yes, it should show only 1 IPv4 IP and 2 IPv6 IPs, which are all those of the server.  Assuming the server is the VPN server (using RRAS), it will create a virtual adapter named PPP in an ipconfig.  You do not want this IP in the DNS interfaces list.

Can you confirm you are using RRAS and not the router as the VPN server?

I would do all testing by pinging using the IP for now.
0
 
LVL 1

Author Comment

by:neryre
ID: 39292510
Hi RobWill - I can confirm I am using RRAS as the VPN server. The router is just allowing pass-through to the server.
0
 
LVL 1

Author Comment

by:neryre
ID: 39292644
Ok, now this is strange...

I used a different account for the VPN credentials, and while watching the server console via logmein and performing a continuous ping test from the server to the default gateway, the ping results come back fine and don't drop.

Looks like the account I used for VPN previously has some sort of a cause to the issue. Need to know why.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39293161
The account needs to be granted permissions within RRAS, AD user account, and/or NPS (if used).  Might they be denied?  However if so they should not be able to connect.
0
 
LVL 1

Author Comment

by:neryre
ID: 39295167
It's really strange, this morning they have mail routing problems, I see mail pending in the queues, and remote users are having problems with VPN now.

Yet, last night everything looked fine, I tested with 2 remote users and they were able to log in and work. Ping testing from the DC to other devices in the office worked fine.

Question - If I don't have SEP installed, what other process could be using ipnat.sys? I was thinking Windows Firewall was causing this problem but each time I try to enable it, a message pops up saying another program is using ipnat.sys.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39295261
If you try to enable the firewall when RRAS is enabled you will get an ipnat.sys error.  You cannot enable the firewall.

What server version is it?  Might it be SBS 2003?
What subnet does the server site use?  such as 192.168.1.x

With those other problems make sure NAT is not enabled in RRAS.
0
 
LVL 1

Author Comment

by:neryre
ID: 39295589
It's SBS2003, using subnet 192.168.81.x

Just rebooted the server, will check NAT in RRAS when it comes back up.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 39295604
SBS 2003 assumes 1 of two NIC configurations:
1) a single NIC
2) 2 NICs, one connected to LAN, the other connected to WAN, and the server acts as the gateway/firewall for all PCs.
In configuration 2 RRAS is enabled.  As a result when RRAS is enabled it assumes a 2 NIC configuration, the Windows firewall is not necessary, and posts an ipnat.sys error.

The subnet is fine, I had a long shot idea if it was a common subnet like 192.168.1.x or 192.168.0.x
0
 
LVL 1

Author Comment

by:neryre
ID: 39296320
It's only a single NIC config.

I can't see NAT config anywhere in RRAS console, so I'm assuming it's not enabled when it was first setup.
0
 
LVL 1

Accepted Solution

by:
neryre earned 0 total points
ID: 39317415
I reinstalled SEP and modified the firewall setting in Network Threat Protection to allow access from the DC to the secondary server. All is good now, both servers are accessible via VPN.

The mail flow issue and VPN connection issue was due to the router's public IP being blacklisted on CBL, as the public IP is used for VPN pass thru and outbound mail.

Problem now is I can't find the infected machine CBL talks about. I've checked the firewall logs on the router and SEP logs, but none of the IPs CBL mentions is identified. Will open a separate question for this, hopefully someone can help.
0
 
LVL 1

Author Closing Comment

by:neryre
ID: 39329090
Fixed the issue with my own investigation.
0
