Solved

VPN on SBS 2008 not working

Posted on 2014-01-23
Last Modified: 2014-01-29
Hi,

Got a SBS 2008 server. VPN is used pretty well daily. No hardware/software has been added to the network/server and nothing has been configured on the server - I'm the only one with access.

External VPN users can get to the server shares by using \\server.domain.local.
The other day, they could only get access by using the IP address. Figured some sort of DNS issue.

Rebooted server.

After reboot, clients connect to VPN but get no IP (automatic IP address). DHCP is up and running fine and internal clients obtain IP ok.

I had a look at the settings in RRAS MMC and I changed from DHCP to static address pool. This works, however I can still only access server via IP UNC path and not with hostnames.

I cross-checked settings with another client who has SBS 2008 and a working VPN - all settings looked the same.

Any suggestions? Thanks

Server error log
20167
No IP address is available to hand out to the dial-in client.

20253
CoId={AC68E7BA-8718-4EEA-92D9-2C52ACD9116C}: The user domain\user connected to port VPN2-4 has been disconnected because no network protocols were successfully negotiated.
Question by:Talds_Alouds
16 Comments
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39802488
Did you run out of vpn connections it can hand out?
http://technet.microsoft.com/en-us/library/cc733687(v=ws.10).aspx

Olaf
0
 
LVL 22

Expert Comment

by:Olaf De Ceuster
ID: 39802496
SBS is not using your DHCP but is issuing IPs from the RA server. If you open up the properties of the VPN the IP range being used should be listed and can be changed.
Olaf
0
 

Author Comment

by:Talds_Alouds
ID: 39802516
Well, from what I understand, RRAS can use DHCP but only when DHCP is on another server (via the DHCP relay protocol).

However, if I look at the DHCP list, I can see DHCP leases for internal and VPN clients, thus indicating that it comes out of DHCP.

As stated, another client's SBS 2008 uses the DHCP and not static addresses.

Also as stated, it connects with the static pool, but doesn't resolve hostnames.
0
 
LVL 22

Expert Comment

by:David Atkin
ID: 39804216
Any errors in the DHCP logs?

How have you configured the remote clients' DNS?

Add an entry into the client machines' host files with the server's IP address.

Have you tried clearing a couple of the old DHCP leases of the VPN clients to see if they re-obtain them?
0
 

Author Comment

by:Talds_Alouds
ID: 39804612
Ok,

So there are two network adapters in the server. One was disabled and the other is the adapter that is actually used on the server. Because it's an IBM server, it has another USB over Ethernet adapter. I disabled this and it now gets an IP from the DHCP (which I can see in the DHCP leases).

When I run an IPconfig /all on the client, I see the IP address and DNS server...however, the client doesn't receive a default gateway address and I can't ping anything on the server network.
0
 
LVL 22

Accepted Solution

by:
David Atkin earned 500 total points
ID: 39804831
Having two NICs is common.  SBS will only want to use one though.  They aren't designed for dual NICs really.  Trunking two NICs etc can upset them.

Are you running the ipconfig on the remote VPN client?  You wouldn't want the remote client using the office default gateway anyway, it wants to go out of the site's gateway.

Not sure about the USB over Ethernet adaptor :S.

Can you ping IPs? Could you previously?
0
 

Author Comment

by:Talds_Alouds
ID: 39805017
Thanks.

Well last night I was mucking around and was able to ping the server's internal IP via the VPN.

Since then, I don't know what's happened and now I can't ping anything.
IPconfig of the client attached, as well as the server's.

Now, I get an IP, minus the gateway - which seems to be correct. But there's no traffic flowing to the office network.

Tried disabling firewall on server and client - not that.
Any help would be great!

The USB over Ethernet is just an IBM thing and shouldn't be anything to worry about as it's been disabled now anyway - there's only one enabled adapter.
server.txt
client.txt
0
 
LVL 22

Expert Comment

by:David Atkin
ID: 39805804
Thanks for that.

The ipconfig looks ok.  I can see it's getting an address successfully.

Can you confirm - Are you still able to access shares or is this also causing a problem as well?
0

 

Author Comment

by:Talds_Alouds
ID: 39805850
No so get no traffic through at all.
UNC path to IP of server - nothing
Ping server IP - nothing.

Previously I could ping the server's IP and get a response.

It's out of hours now and I can reboot/do whatever with the server so I'm open to more suggestions. Just installing a few updates then going to do a reboot.
0
 
LVL 22

Expert Comment

by:David Atkin
ID: 39805901
Let us know the outcome of the reboot.

Can you do a route print from the client as well?

Any AV on the client that would be preventing traffic to the main site?  BullGuard is bad for this.
0
 

Assisted Solution

by:Talds_Alouds
Talds_Alouds earned 0 total points
ID: 39805934
Ok,
I've fixed it but not entirely sure how.
I ran some Windows updates, rebooted.
Tested - Computers were getting automatic private address
Changed IP allocations from DHCP to static range (I think that's what it was called).
Tested, IP assigned, can ping server, can access shares via hostnames.

I don't trust making changes and only restarting the service. Reboots seemed to be far more effective for me. Either that or there were just coincidences.

I'm not going to touch it again. But a default config for SBS 2008 RRAS is DHCP. Doesn't explain to me either why prior to the reboot, when set to DHCP, it was actually assigning addresses fine.

I'm done.
0
 

Author Comment

by:Talds_Alouds
ID: 39805935
Thanks for everyone's input.
0
 
LVL 22

Expert Comment

by:David Atkin
ID: 39805951
Thanks for letting us know.  You are right about the reboot as it restarts all dependencies etc.
0
 
LVL 11

Expert Comment

by:hecgomrec
ID: 39806630
Sorry I'm kind of late for this comment but hope it helps...

By restarting the server, you restart your main services... DNS, DHCP and RAS connections.

This means you have no issues, but you will have them again soon.

Here are the facts: if you do not assign your RAS a static IP pool that is outside your DHCP scope, you will run out of IPs for your DHCP to hand out, as it will keep them alive for some time to allow them to renew, but when users connect using VPN they will get another.  Using a scope only for the RAS will prevent this, as when the user disconnects the IP is released automatically.

Also, DNS errors could be caused by this as the server will have several names for the same IP.  Remember to keep servers with static IP and leave those IPs out of the DHCP scope.  On the same issue, if the remote user removes or changes the options to use DHCP and DNS in the connection settings, they will not be able to ping anything on the LAN they just connected to.
0
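
One way to check the advice in the comment above before changing the RRAS pool, given as an added example that is not part of the thread: it lists which addresses of a proposed static pool the DHCP server could still lease and any clash with statically addressed servers. The function names and every address range are constructed for illustration, and the slot count assumes RRAS reserves the first pool address for its own internal interface.

```python
from ipaddress import IPv4Address

def ip_range(first, last):
    """Inclusive IPv4 range as a set of integers."""
    lo, hi = int(IPv4Address(first)), int(IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range start {first} is above range end {last}")
    return set(range(lo, hi + 1))

def check_vpn_pool(scope, exclusions, static_hosts, pool, vpn_users):
    """Compare a proposed RRAS static pool with the DHCP scope on the same subnet.

    scope, pool: (first, last) tuples; exclusions: list of (first, last) tuples;
    static_hosts: addresses of statically configured servers.
    Empty conflict lists mean the pool does not collide with anything.
    """
    pool_addrs = ip_range(*pool)
    # Addresses DHCP may actually lease: the scope minus its exclusion ranges.
    leasable = ip_range(*scope)
    for excl in exclusions:
        leasable -= ip_range(*excl)
    statics = {int(IPv4Address(h)) for h in static_hosts}
    # Assumption: RRAS keeps the first pool address for its internal interface,
    # so the pool serves one client fewer than its size.
    client_slots = len(pool_addrs) - 1
    return {
        "dhcp_conflicts": [str(IPv4Address(a)) for a in sorted(pool_addrs & leasable)],
        "static_conflicts": [str(IPv4Address(a)) for a in sorted(pool_addrs & statics)],
        "client_slots": client_slots,
        "enough_slots": client_slots >= vpn_users,
    }

# Constructed sample values, not taken from the thread's attachments.
SCOPE = ("192.168.16.10", "192.168.16.210")
SERVERS = ["192.168.16.2"]

# Pool carved out of the live scope with no exclusion: DHCP can lease the same IPs.
BAD = check_vpn_pool(SCOPE, [], SERVERS, ("192.168.16.200", "192.168.16.215"), 10)
# Pool on the same subnet but above the scope's last address.
GOOD = check_vpn_pool(SCOPE, [], SERVERS, ("192.168.16.221", "192.168.16.240"), 10)
# Pool inside the scope, but fully covered by a DHCP exclusion range.
EXCLUDED = check_vpn_pool(SCOPE, [("192.168.16.190", "192.168.16.210")], SERVERS,
                          ("192.168.16.195", "192.168.16.210"), 10)

if __name__ == "__main__":
    for name, result in (("BAD", BAD), ("GOOD", GOOD), ("EXCLUDED", EXCLUDED)):
        print(name, result)
```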
 

Author Comment

by:Talds_Alouds
ID: 39808025
Thanks Hecgomrec,

Great in depth info! SBS VPN was running fine for years with these guys and they were being allocated out of the main DHCP server's pool. I just enabled VPN on another server via the SBS console and the default options as my last sentence.

I notice in the DHCP leases, that I can see about 5/6 that are allocated under the server's name and they have a yellow phone on it to symbolise that it's for a VPN connection.

There's only around 10 users in total and only about 70 addresses in the lease list companywide and around 200 addresses in the total available pool.

I'm just curious on how that works because it doesn't make sense to me - but I'm sure you're right. Either way, the static pool is working for me now.
0
 

Author Closing Comment

by:Talds_Alouds
ID: 39817266
Partly self solved.
0
