PPTP VPN Problem - No ping to remote access server

  • PPTP VPN Problem - No ping to remote access server

    Hello everybody!

    This is my first message in these forums.

    Last week we made some major changes to our research center's IT infrastructure. More precisely, we bought 2 new servers, including one Dell with W2008 Standard. We configured the VPN (PPTP and L2TP) on the W2008 machine. This machine has the IP: X.X.X.11. OK then. That's a public IP, so, after forwarding the correct ports on the firewall, we can connect to the server and authenticate.

    The problem is that, once connected to the VPN (we have several VLANs, so we need to activate the "send all traffic through the vpn connection" option on the client side), we cannot ping the VPN server itself. I mean, once connected, ping is not working for X.X.X.11, but it works for X.X.X.10, another machine with a public IP on the network. In fact, we can ping everywhere (even through the different VLANs). As we are not able to reach the machine X.X.X.11 (which, btw, is the domain controller for our domain), we cannot access any service on this machine.

    But, we can ping and reach the other interface on this server, created by the remote access service, and with IP X.X.X.180. So, it seems that once connected, we can only access the VPN server's services through the other interface (X.X.X.180) for administering, Active Directory logon (this is not possible now, because it's not attached to an interface), and so on.

    Have any of you had the same situation?

    Any clues would be really appreciated!

    Thank you all!

    Eneko
    Last edited by enekoperez; 10th August 2010, 14:55.

  • #2
    Re: PPTP VPN Problem - No ping to remote access server

    A VPN shouldn't be terminated on a DC; also, a DC with multiple NICs isn't supported.
    Can you post an ipconfig from the VPN server?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: PPTP VPN Problem - No ping to remote access server

      Originally posted by Dumber
      A VPN shouldn't be terminated on a DC; also, a DC with multiple NICs isn't supported.
      Can you post an ipconfig from the VPN server?

      Hi Dumber,

      Thank you for answering back.

      Here goes the ipconfig of the server:

      Ethernet adapter Local Area Connection:

      IPv4 Address: X.X.X.11
      Subnet 255.255.255.0
      Default gateway: X.X.X.1

      PPP adapter RAS (Dial In) Interface:

      IPv4 Address: X.X.X.180
      Subnet Mask: 255.255.255.0
      Default Gateway: (blank...)

      Then, there is other information for the Tunnel adapter, but Media is disconnected.

      Anyway, I didn't have these problems in the past with W2003 SBS and VPN, DC, etc., on the same machine.

      Would the solution be to have a separate VPN machine? I have a spare W2003SBS that I could use to set up the remote access...

      Thank you!

      Eneko



      • #4
        Re: PPTP VPN Problem - No ping to remote access server

        This is expected behaviour in Server 2008, the "host" route to the VPN server is deliberately NOT sent to the clients so you can ping everything at the remote end except the VPN server. Took me an awful lot of time with about 10 Microsoft engineers to find this out, we had major issues getting site-to-site VPNs working.

        Check out this blog for more info.

        This is supposedly a "security feature" added to Server 2008, however I personally think it's a bug as the behaviour is not consistent.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog



        • #5
          Re: PPTP VPN Problem - No ping to remote access server

          Originally posted by cruachan
          This is expected behaviour in Server 2008, the "host" route to the VPN server is deliberately NOT sent to the clients so you can ping everything at the remote end except the VPN server. Took me an awful lot of time with about 10 Microsoft engineers to find this out, we had major issues getting site-to-site VPNs working.

          This is supposedly a "security feature" added to Server 2008, however I personally think it's a bug as the behaviour is not consistent.

          Thank you Cruachan,

          I'll read the post on that blog. Is there a solution for that "security feature"?

          Cheers,

          Eneko



          • #6
            Re: PPTP VPN Problem - No ping to remote access server

            Cruachan,

            If that is true, then it's IMHO a bug. If the rest of the network belongs to the same subnet, then it's kinda weird that you couldn't ping the VPN server itself.
            Do you know how TMG responds to this, since it uses the rras.dll for the VPN connectivity?
            Marcel


            • #7
              Re: PPTP VPN Problem - No ping to remote access server

              Just tested it on our TMG in the office and it does respond to a ping over a VPN without adding static routes or using static address pools.

              I agree that it's a bug and I have voiced this to Microsoft as we had to log a support case to get to the bottom of the problem. It's not a well documented feature and is AFAIK only referenced in that blog post - there is no official KB article or hotfix for the issue.

              The official line I was given is below, pasted from an email from a Microsoft Networking specialist:-

              Why we need to add the static route?

              Answer: This is a design change for Windows Server 2008 and R2. If the route is automatically added, it allows the VPN client to access internal resources, which may not be the intent of the Admin, who may want the clients to only access the RRAS server itself and nothing past that. So the route must be added manually if this is intended. Note this behavior is the same in Windows Server 2008 and R2.

              Now that is complete bollocks, as the behaviour I have seen is exactly the opposite of that: all internal resources are accessible except the RRAS server. That is also what enekoperez is getting.
              Cruachan's Blog



              • #8
                Re: PPTP VPN Problem - No ping to remote access server

                Originally posted by cruachan
                Just tested it on our TMG in the office and it does respond to a ping over a VPN without adding static routes or using static address pools.

                I agree that it's a bug and I have voiced this to Microsoft as we had to log a support case to get to the bottom of the problem. It's not a well documented feature and is AFAIK only referenced in that blog post - there is no official KB article or hotfix for the issue.

                The official line I was given is below, pasted from an email from a Microsoft Networking specialist:-



                Now that is complete bollocks, as the behaviour I have seen is exactly the opposite of that: all internal resources are accessible except the RRAS server. That is also what enekoperez is getting.

                Thank you very much Cruachan. Just one quick question. What is TMG? If that thing solves the problem, maybe I could give it a try...

                Anyway, I'll take a look at the "static routes" solution.

                Eneko

                Ok... I see what TMG is. I suppose I cannot implement that right now. So... maybe the static routes thing can fix this behavior...

                Thank you again!
                Last edited by enekoperez; 11th August 2010, 07:38.



                • #9
                  Re: PPTP VPN Problem - No ping to remote access server

                  TMG is the next version of ISA Server.
                  Marcel


                  • #10
                    Re: PPTP VPN Problem - No ping to remote access server

                    Originally posted by Dumber
                    TMG is the next version of ISA Server.

                    Ok. Thank you Dumber. Yeah, I searched for TMG and I found that it is Threat Management Gateway. We are not going to install such a thing, so maybe the 'static route' solution is the best workaround.

                    Cheers,

                    Eneko
