Windows 2008 SP2 Site to Site VPN traffic problem

  • Windows 2008 SP2 Site to Site VPN traffic problem

    Hello all,

    We have a site to site PPTP VPN with 3 w2003 servers (2 remote branches connected to main office). Everything is working fine and traffic flows (with the proper static routes) from the branches to the main office and back. We replaced the main office access server with a windows 2k8 server and configured RRAS as usual. The "branch servers" connect but traffic flows only one way, that is from the w2k8 server to the remote offices and not back - at least it seems so: main office to branch pings ok but not vice versa. However from the branch office server we can "browse" the main office servers using their IPs. However we cannot connect to the intranet webserver for example.
    Reconnecting the old w2k3 access server of course solves the problem and everything works.
    Additionally, without SP2 installed on the 2k8 server, it would blue screen when enabling or disabling the integrated firewall (!). It seems though that SP2 solved this. We tried also between 2 2k8SP2 servers and another 2k3 server, but exactly the same behaviour occurs. The RRAS reports the VPN connection up as usual (not as a one sided client - server connection but as a proper site to site). We have tried removing the role and re-adding it, we tried even another 2k8 server but nothing changes. As stated above, we just hook up the old 2k3 server and everything is fine (no changes are made on the remote access servers).
    Any pointers on what I should check? This seems very odd to me.

    Thanks in advance.

  • #2
    Re: Windows 2008 SP2 Site to Site VPN traffic problem

    So you are creating the VPNs using RRAS at both ends or RRAS in main office to branch?

    E.g. Main office the client, branch the pptp server? Or the other way around?

    Or are you creating a pptp connection using RRAS on the main server to a pptp server on a router at the branch office?

    I guess some things to try & see if it resolves is:

    1) Try deleting & recreating the connection at the branch office end.
    2) So you disabled the inbuilt W2K8 firewall or made some rules in it?
    3) Does the route table reflect the correct entries?
    4) At the branch office end, if you do a route print, there isn't an old route or a route preventing the packets from taking the correct path? Remove any additional static routes at the branch office side & try again, adding back any necessary ones if it didn't work.
    5) What if you initiate the pptp connection from the branch side?

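    The route-table check in step 4 can be done mechanically. The following is an added example (not code from this thread or from RRAS): it parses a constructed `route print` style IPv4 table, applies the longest-prefix-match / lowest-metric selection Windows uses, and reports whether a given remote host would actually be sent over the expected VPN interface or whether a stale, more specific static route is hijacking it. All addresses are made up for illustration.

```python
import ipaddress

# Constructed sample in the layout of the IPv4 section of Windows `route print`:
# destination, netmask, gateway, interface, metric. Addresses are made up.
# 10.200.0.2 is assumed to be this server's end of the site-to-site tunnel;
# the 10.20.5.0/24 line is a deliberately stale static route that bypasses it.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    203.0.113.1  203.0.113.10     10
      10.10.0.0      255.255.0.0       On-link     10.10.0.5     276
      10.20.0.0      255.255.0.0    10.200.0.1    10.200.0.2     20
      10.20.5.0    255.255.255.0     10.10.0.99     10.10.0.5      1
     10.200.0.2  255.255.255.255       On-link    10.200.0.2     276
"""


def parse_route_print(text):
    """Return a list of (network, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        # Skip the header and anything that is not a five-column route line.
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes


def lookup(routes, ip):
    """Longest-prefix match; ties broken by lowest metric (Windows order)."""
    addr = ipaddress.IPv4Address(ip)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r[0].prefixlen, -r[3]))


def check_path(routes, ip, expected_iface):
    """(ok, route): ok is False when the chosen route leaves via another interface."""
    route = lookup(routes, ip)
    return (route is not None and route[2] == expected_iface), route


if __name__ == "__main__":
    table = parse_route_print(SAMPLE_ROUTE_PRINT)
    for host in ("10.20.8.1", "10.20.5.7"):
        ok, route = check_path(table, host, "10.200.0.2")
        print(host, "OK" if ok else "WRONG PATH", route)
```

Run it against a real `route print` dump from each end of the tunnel; a `WRONG PATH` result on the branch side points at the stale route step 4 asks about.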

    • #3
      Re: Windows 2008 SP2 Site to Site VPN traffic problem


      The connections are site to site, using RRAS at both ends. It is initiated at the branch offices towards the main office. The connections appear "connected" correctly in RRAS (and not connected on one side and WAN miniport on the other as in monodirectional client-VPN). We have already tried all your suggestions unfortunately:
      1) We deleted all connections and recreated them
      2) We disabled the built in W2k8 firewall and we have no specific rules
      3) the route table reflects correctly the "paths"
      4) I double checked old routes and everything is fine. I even deleted the static routes from the RRAS and recreated them and route print reflects this correctly
      5) Connections are initiated from RRAS server on branch side by default

      Additionally, we tried another w2k8 server and the same happened so it's not something on that specific machine. Without modifying any configuration on the branch offices, by reconnecting the old 2k3 server everything works fine so the routing tables on the branch offices are ok.
      Any additional ideas?

      Thanks for any further insight.


      • #4
        Re: Windows 2008 SP2 Site to Site VPN traffic problem

        There is a change in Windows 2008 that causes this issue.

        You will also be unable to ping from one end of the tunnel to the other, but you can ping across the tunnel from a machine not at the end of the tunnel.

        If you packet capture, you will see that the src addr of the ping packet appears to originate from the local endpoint of the tunnel, and the response will be unable to route back.

        The following article suggests one workaround:

        And here is the official MS response.

        None of the workarounds that I have found are very good.

        Last edited by Ann Ominous; 2nd November 2009, 18:55. Reason: updated information from Microsoft