Windows Server 2012 R2 Access Anywhere VPN connects but does not give access to remote resources.

Alan Bateman
I have a server running Windows Server 2012 R2 Essentials and Access Anywhere VPN is set up and WAS working. Now everyone who attempts to access this server remotely using the VPN gets the following symptoms. The VPN connects (apparently) but all access to the Internet goes down at the same time. Disconnecting the VPN restores Internet access. I have tried unchecking the tick box to 'use remote network default gateway'. This restores connectivity locally but I cannot access anything on the remote end of the VPN - the whole point of the VPN! I have other servers set up similarly and they are working fine, but I cannot determine what is causing this VPN connection to fail. I have also tried adding a route to the remote server in my routing table but that also doesn't work. How should I troubleshoot this? I have been looking for differences in RRAS / VPN setup between a server that works and the one that fails but cannot determine anything different. I can access the server via RDC and I can get the Remote Web Access website up using the external address (same as VPN uses). Ports are forwarded the same as on the working system. The VPN uses the same SSL certificate as the default website in IIS. The VPN is SSTP. Some users report it stopping nearly 3 weeks ago (maybe?). Can anyone help?

Commented:
So to test things out, keep the VPN connection split tunneled by unchecking the "use remote network default gateway" like you did.  Next, after you establish a VPN connection, write down your local IP network that you want to access over VPN, and open up a command prompt.  (Let's assume your internal network is 10.0.10.0/24 and your default gateway for that network is 10.0.10.1) Type in the following:

Route add 10.0.10.0 mask 255.255.255.0 10.0.10.1

Now after you add that, see if you can access the internal network over VPN.

If you can, I would suggest using CMAK to create a VPN package.  You can create a .bat file with all the routes you want users to hit and add that in the CMAK package to create those routes after the VPN is established.  When the VPN disconnects, it will remove those routes.

Or, if you want to do it the easy way, create the .bat file and have users run it after they VPN.

http://www.isaserver.org/img/upl/vpnkitbeta2/cmak.htm
Alan Bateman, Director

Author

Commented:
Hi. Thanks. I unchecked 'use remote network default gateway' and I connected the VPN. I then tried - Route add 192.168.6.0 mask 255.255.255.0 192.168.6.2. It took the command but unfortunately made no difference to my situation. The internal IP address of the server is 192.168.6.2. The default gateway is my router on 192.168.6.1. When I connect with the VPN link it issues me with a DHCP address on this network like 192.168.6.13. I can ping that single address only. I still cannot ping 192.168.6.1 or 192.168.6.2 or any other 6.x except 6.13. When I check the 'use remote network default gateway' which is usually checked by default, I lose all Internet connection until I disconnect VPN.

Commented:
So, you get VPN'd in and can only ping yourself and nothing else on the network.

Questions:

1. Is your policy blocking access to anything?
2. Are you using Network Policy Server (NPS) to control who goes where?  Check it to see.
Director
Commented:
OK, sorry about the delay. I have spent a large part of the weekend trying to resolve this problem, which included frequent negotiation with a maintenance electrician who was booked for the weekend and kept wanting to remove my power for an hour at a time!! However, it seems I have finally fixed it. If you navigate to Administrative Tools and select Computer Management, then expand Services and Applications to show Routing and Remote Access, right-click and show Properties. On the General tab, "Enable this computer as a: IPv4 Router" was ticked!! I have no idea why it was ticked or who or what ticked it, but when I unticked it, my VPN connections started working again. If I hadn't had a good similar server running the same configuration elsewhere (for a different customer) to compare things with, I would NEVER have found this. Not entirely satisfactory since I'll never know how it happened. (I am the only admin on this server.) But, at least the customer can access his shared files from remote locations again.
