RDP, Windows server 2012 and site-site VPN

    Question

  • Hi,

    I am having a strange issue. For several years we have been using several networks connected through VPN site-to-site tunnels, using Cisco ASA appliances. I am in the central office, we have a Windows 2008R2 server and people can remotely connect into it from the local net, over the site-to-site VPN or over a personal tunnel created with AnyConnect. On one remote site (Taiwan) we have another Windows 2008R2 server, installed long ago, that can be accessed from anywhere. All servers are inside, none in the DMZ. Recently they installed a 2012 server in the Taiwan office. It can be accessed (ping, RD) from the local net or from a tunnel opened with AnyConnect. But I cannot access it over the site-to-site tunnel! Not even ping.

    I have no experience with 2012 servers and ... it is installed with a Chinese interface that I cannot read anyway. I was thinking the Windows firewall was preventing the connection, but the local admin told me he turned it off.

    Any idea where to look? The only difference between accessing the firewall over the site-to-site VPN and locally or over the client-based VPN is the IP address: the server net is 10.30.10.0/24, the client VPN is getting 10.30.254.0/24 and the computers over the site-to-site VPN are using 10.10.0.0/16 addresses.

    Thanks for any advice

    Mugurel

    Tuesday, April 01, 2014 6:57 PM

Answers

  • Thanks a lot for the answers. The only gateways are the Cisco appliances and I don't think the server should be responsible for any routing. Finally my colleague found the issue: a bad mask in the network card settings. Changed it to the right one and all went well. The idea of the bad setting came after I discovered that the tracert was giving me 2 hops to the working server (my gateway and the server) while it was getting plenty of timeouts after my gateway for the bad one. It is interesting that it was working while I was opening a VPN with a client to the other site!

    Mugurel

    Friday, April 04, 2014 6:41 AM
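
A way to check a NIC for the kind of bad mask described in the answer above, as an added example that is not part of the original thread. The subnets are the ones given in the question; the host address, gateway address and the wrong masks are constructed, since the thread does not say what the bad mask was.

```python
import ipaddress

def audit_mask(host_ip, netmask, intended_subnet, gateway, remote_nets):
    """Return findings for one NIC configuration (empty list means consistent)."""
    intended = ipaddress.ip_network(intended_subnet)
    try:
        # The network the host believes is directly attached: it ARPs for
        # these addresses instead of forwarding them to the default gateway.
        onlink = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    except ValueError as exc:
        return [f"invalid mask {netmask}: {exc}"]
    findings = []
    if onlink != intended:
        findings.append(f"mask {netmask} makes {onlink} on-link, expected {intended}")
    if ipaddress.ip_address(gateway) not in onlink:
        findings.append(f"gateway {gateway} is outside {onlink}")
    for name, net in remote_nets.items():
        if ipaddress.ip_network(net).overlaps(onlink):
            findings.append(f"{name} {net} is treated as on-link, "
                            f"replies are ARPed locally, not sent to {gateway}")
    return findings

# Subnets from the question; host, gateway and the wrong masks are constructed.
INTENDED = "10.30.10.0/24"
REMOTE = {"site-to-site": "10.10.0.0/16", "client VPN": "10.30.254.0/24"}
HOST, GATEWAY = "10.30.10.20", "10.30.10.1"

if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0", "255.0.0.0", "255.255.255.252"):
        print(mask)
        for finding in audit_mask(HOST, mask, INTENDED, GATEWAY, REMOTE):
            print("  -", finding)
```

A remote range flagged as on-link can still respond if a device on the segment answers ARP for it, so one remote network failing while another works is consistent with a single wrong mask.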

All replies

  • Hi, ensure that either the default gateway of the new 2012 server is the ASA firewall with the site-site VPN configured on it, or put routes on the 2012 server pointing traffic destined for the 10.10.0.0/16 network to the ASA with the site-site VPN configured on it.

    • Proposed as answer by wilbera Tuesday, April 01, 2014 7:36 PM
    Tuesday, April 01, 2014 7:31 PM
  • Hi,

    Thank you for your posting in Windows Server Forum.

    “Site to site routing works fine if the VPN routers are the default routers for both sites. If your machines are using some other device, such as the D-Link, as their default router (or default gateway, which means the same thing), site to site routing will fail. You will need extra routing to get the traffic to the VPN router. Otherwise the private traffic will try to cross the Internet unencrypted and un-encapsulated. This traffic will be dropped by the Internet router.” (Quoted from this thread).

    In addition, you can check the thread and article below for more information.
    1. Windows Server 2012 Site-to-Site VPN
    2. Multi-tenant Site-to-Site (S2S) VPN Gateway with Windows Server 2012 R2

    Hope it helps!

    Thanks,
    Dharmesh
    Thursday, April 03, 2014 6:14 AM
    Moderator
  • Hi,

    Glad to hear that you got it working.

    Thank you for sharing your experience here. It will be very beneficial for other community members who have similar questions.

    If you need any more solutions in the future, kindly place your post in the Forum.

    Thanks,
    Dharmesh
    Friday, April 04, 2014 5:34 PM
    Moderator