RRAS/VPN Problem


  • RRAS/VPN Problem

    Hi,

    I'm having problems setting up RRAS on our 2008 DC server. I've got to the point where I can connect to the VPN but access is limited to the RRAS server only. Once connected I cannot ping/RDC to any other machine on the network. The current working configuration is a Draytek 3300 which terminates the VPN and uses RADIUS server authentication. We have found this to be somewhat flaky and users regularly say they can't connect but a few minutes later they can. Some users cannot connect at all so I decided to go back to RRAS which we used to use in the old 2003 server. I followed these instructions last night ***won't allow link - thread 1888 on itechtalk dot com*** which looked promising but on trying to connect the authentication failed and kept asking for my password. I also noticed that when switching on RRAS I was receiving alerts from the firewall saying that the DC/RRAS server IP address had changed. I've searched high and low for a solution on this but nothing seems to work. I'm certain it's either RRAS or NPS that's causing the problem. Can anyone help?

    Thanks

    Mick

  • #2
    Re: RRAS/VPN Problem

    It sounds like you configured the server to be a VPN server only ('Enable security on the selected interface by setting up static filters'). I made the same mistake. Check out this thread and see if it helps:

    http://forums.petri.com/showthread.php?t=55998

    Reply #11
    Last edited by Blood; 16th October 2012, 16:23. Reason: Added relevant info
    A recent poll suggests that 6 out of 7 dwarfs are not happy



    • #3
      Re: RRAS/VPN Problem

      Hi,

      Thanks for the reply, I checked this and all I have enabled is "Enable IP router manager", no inbound/outbound filters are defined.

      Mick



      • #4
        Re: RRAS/VPN Problem

        Where is RRAS getting its IP address from? Our RRAS server (on a domain controller) also hosts DHCP and gets its address from the DHCP server, which gives the interface an additional IP. This results in a multi-homed server which opens up another can of worms.

        Regarding the Draytek, we use one too and I gave up with the VPN application as it rarely worked and when it did the connection/authentication phase took an age, and as you describe was horribly intermittent. I had a Draytek engineer look at it, but because he could connect the single time he looked at it, he said there was nothing wrong (when there was).

        Have you set up the shared secret between your RRAS and the Draytek? Is the port forwarding on the Draytek set up correctly so that remote connection requests are forwarded to the correct server?


        • #5
          Re: RRAS/VPN Problem

          Hi,

          This may be the issue, the server running RRAS is the Domain Controller/DHCP/DNS/NPS server as well. I can't figure out though why the server changes IP address when RRAS is enabled? It has a static IP assigned of xxx.xxx.xxx.44 which changes to an automatic IP in the range xxx.xxx.xxx.50 and above.

          Mick



          • #6
            Re: RRAS/VPN Problem

            The address does not change. It gets an additional address. Look at your DNS server and check through the list of addresses when you sort them by name.

            Also, check out WINS, if you have it installed.

            The problem with this, which affects a lot of people who set up RRAS on a domain controller, is that it results in a multi-homed server.

            Do you use DFS? If so, you may experience problems as we do. There are a couple of things that you can do to mitigate their effects, and I'll post them when I get to work if you do use DFS.


            • #7
              Re: RRAS/VPN Problem

              Check out this blog by Ace Fekay

              http://blogs.dirteam.com/blogs/acefe...-adapters.aspx


              • #8
                Re: RRAS/VPN Problem

                Thanks for the link, after reading I didn't get much further. After checking my TechNet subscription I found out we had 2 MS support calls available so I logged it with them. Got a call from the support team and 4 hours later still no joy. The tech support guy went off to look into further options and while I was waiting for the callback I decided to try forwarding the router to one of our 2003 servers and enabling RRAS on there. Guess what - worked straight away, VPN connected and full network access was available. The tech guy called back and I told him what the situation was. He said there wasn't much difference between RRAS on 2003 and 2008, and he's now asked me to uninstall the RRAS and NPS on the 2008 server and install only the RRAS element back on. I did try RRAS on another 2008 server but got the same "limited access" problem so I'm guessing doing this in the DC will give me the same problem. Surely this can only mean the RRAS on 2008 is a lot tighter on security and that's where the problem lies?



                • #9
                  Re: RRAS/VPN Problem

                  There is one other possibility.

                  What NPS policies have you set up? I have ours configured so that only staff who are members of a group named VPN can connect. 2008 changed the default dial-in properties for AD accounts so that NPS determines who connects.

                  When I get to work I'll upload a pdf that shows how to configure this policy and that the default policies have been disabled.

                  [Edit]
                  I've uploaded this to mediafire as it is too large for the forum. This is how NPS is set up in our environment and shows the custom policy that was created to allow users to login via the VPN/NPS. It is taken from my network documentation doc. I hope it helps.

                  Note this is only meant to be used as a guide and is not meant to be used as 'the correct way' to set up NPS - it deviates from best practices in that no health policies are set up, so anyone using this does so at their own risk.

                  Let me know when you have downloaded it.

                  Thanks.


                  http://www.mediafire.com/view/?8kc9mz4cf8ub7bd
                  Last edited by Blood; 31st October 2012, 09:43.


                  • #10
                    Re: RRAS/VPN Problem

                    Thanks, I've downloaded and will take a look.

                    Mick



                    • #11
                      Re: RRAS/VPN Problem

                      Had another call from Microsoft today and after another couple of hours on the phone he found the problem. Nothing to do with RRAS/NPS, the problem is down to the Citrix Xen tools used by Xen. I uninstalled the tools and reset the adapter settings and VPN now works correctly with full network access.

                      It seems Xen 6 tools cause problems with the network card and RRAS.

                      Thanks for the help.

                      Mick



                      • #12
                        Re: RRAS/VPN Problem

                        Amazing. Still, at least you have solved your issue.