VPN connection kills RRAS

    Question

  • OK, here goes. I have installed EBS and all seems to be working, but the VPN. At this point I can establish a VPN connection, after a few tries, and obtain an IP from the DHCP server. This is where it gets hard: once I establish the connection I lose all Internet connectivity to the Domain, still have Internet from the security server, and no routing on the VPN client. I then need to restart the RRAS on the security server to restore Internet access to the Domain. Config: WGFW>XXX.XXX.2.XX>SECSERVER>XXX.XXX.0.XXX>DOMAIN

    What do you think?

    Wednesday, July 21, 2010 8:18 PM

All replies

  • Can you try a static pool instead of DHCP for VPN clients?

    When you make the VPN connection, can you check what address the proxy server name resolves to for Domain clients?

    If your browser proxy setting uses the Security Server's name, verify what name it resolves to from the proxy clients. Does it resolve to the first IP of the VPN pool?


    Bala Natarajan [MSFT]| Sr. Support Escalation Engineer | CSS Security
    Friday, July 23, 2010 4:58 AM
  • I think you misunderstand. My VPN connection connects, obtains the DHCP address, and all connectivity, including my network domain, will not route. In order for my internal machines to route to the Internet I need to restart RRAS. This does two things: kills the VPN connection and resets to allow Internet traffic to the outside world for my Domain users. So in short, when I establish a VPN connection all routing breaks.

    On the VPN client I have no connectivity either.

    Thanks

    Tom D

    Friday, July 23, 2010 2:37 PM
  • Hi Tom,

    Let's break it down a little bit. If I understand correctly:

    1. You're able to connect VPN from an external client successfully

    2. External client can't access internal resources and has no VPN routes

    3. Internal machines (internal to TMG/EBS) lose connectivity to the Internet at this time

    4. Restarting RRAS restores internet connectivity for internal clients

    Please let me know in case we missed anything.

    Thank You,

    Mohit Kumar [MSFT]| Sr. Support Escalation Engineer| CSS Security

    Tuesday, July 27, 2010 9:37 PM
  • yes, this is exactly the case
    Wednesday, July 28, 2010 2:20 PM
  • Hi Tom,

    Thanks for confirming my understanding of the issue. If internal clients are Web Proxy clients, please turn off “Automatically detect settings” and “Use automatic configuration script” in IE and enable "Use a proxy server for your LAN" to point the internal clients manually or via a GPO to the IP address or the name of the Security Server. In case the internal clients have Firewall Client/Forefront TMG Client installed, please turn off "Enable Web browser automatic configuration" in the Firewall Client configuration on the client machine.

    After the above has been done, connect the VPN client again and check if the internal clients can access internet. Also, test if your VPN client can access internal resources.

    Thank You,

    Mohit Kumar [MSFT]| Sr. Support Escalation Engineer| CSS Security

    Thursday, July 29, 2010 6:31 PM
  • I have no web proxy on the inside, and no firewalls turned on on the test machines. With all this not on, I still kill the internal LAN when connecting from the EBS TMG, and I still am unable to route internal or external when a VPN connection is established.

    Monday, August 02, 2010 12:01 PM
  • If the internal clients are not Web Proxy or Firewall clients, I'm assuming that they're pointing to the Security Server for their default gateway. If that's the case, please do the following:

    1. Ensure that Default Gateway is configured only on the external interface of the Security Server
    2. Connect VPN from the external client
    3. Collect a network capture from an internal client while trying to access internet and check if it gets any response from the Security Server (check for both TCP and HTTP responses)
    4. Check routing table on Security Server at this time and ensure that the default route is listed correctly

    If the above doesn't reveal the root cause of this issue, we may need to get some data (Network Captures, BPA etc).


    Mohit Kumar [MSFT]| Sr. Support Escalation Engineer| CSS Security
    Wednesday, August 04, 2010 10:23 PM
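The two checks the engineers ask for above (Bala's question of whether the Security Server's name resolves into the VPN address pool, and Mohit's steps 1 and 4 on the default gateway and default route) can be run in one pass on the Security Server. The script below is an added example written for this thread; it is not code from the original posts or from Microsoft. The server name defaults to the local machine, and the VPN pool bounds are placeholder assumptions that must be replaced with the real static pool. Run it once before and once while a VPN client is connected and compare the output.

```powershell
# Added example, not from the thread. Run on the Security Server (Windows Server 2008 / EBS)
# while a VPN client is connected, and compare with a run taken before connecting.
# Placeholders: the VPN pool bounds below are assumptions; substitute your own static pool.
param(
    [string]$ServerName   = $env:COMPUTERNAME,
    [string]$VpnPoolStart = "192.168.0.200",   # assumed: first address of the RRAS static pool
    [string]$VpnPoolEnd   = "192.168.0.220"    # assumed: last address of the RRAS static pool
)

# IPv4 dotted quad -> unsigned integer, so pool membership becomes a simple range test.
function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)   # GetAddressBytes() is network order; BitConverter wants host order
    return [BitConverter]::ToUInt32($bytes, 0)
}

# 1. Interfaces that carry a default gateway. Only the external NIC should appear here;
#    a PPP/WAN Miniport entry means the VPN connection has installed a gateway of its own.
Write-Host "== Interfaces with a default gateway =="
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE" |
    Where-Object { $_.DefaultIPGateway } |
    ForEach-Object {
        "{0}`n   IP: {1}`n   GW: {2}" -f $_.Description, ($_.IPAddress -join ", "), ($_.DefaultIPGateway -join ", ")
    }

# 2. Default routes in the IPv4 routing table ('route print -4'). More than one 0.0.0.0/0 entry,
#    or one whose interface is not the external address, is what to look for when internal
#    clients lose Internet access the moment a VPN client connects.
$defaultRoutes = @(route print -4 | ForEach-Object {
    if ($_ -match '^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+(\S+)\s+(\S+)\s+(\d+)\s*$') {
        New-Object PSObject -Property @{
            Gateway   = $matches[1]
            Interface = $matches[2]
            Metric    = [int]$matches[3]
        }
    }
})
Write-Host "== Default routes =="
$defaultRoutes | Format-Table Gateway, Interface, Metric -AutoSize | Out-String | Write-Host
if ($defaultRoutes.Count -ne 1) {
    Write-Warning ("Expected exactly one default route, found {0}." -f $defaultRoutes.Count)
}

# 3. What does the Security Server's own name resolve to? RRAS assigns the first pool address to
#    its own internal PPP interface; if that is the address clients get back for the server's name,
#    anything pointed at the server by name lands on the VPN pool rather than on the internal NIC.
$lo = ConvertTo-UInt32 $VpnPoolStart
$hi = ConvertTo-UInt32 $VpnPoolEnd
Write-Host ("== Addresses for {0} ==" -f $ServerName)
[System.Net.Dns]::GetHostAddresses($ServerName) |
    Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork } |
    ForEach-Object {
        $n = ConvertTo-UInt32 $_.IPAddressToString
        if ($n -ge $lo -and $n -le $hi) {
            Write-Warning ("{0} resolves to {1}, which is inside the VPN pool" -f $ServerName, $_)
        } else {
            Write-Host ("{0} (not in VPN pool)" -f $_)
        }
    }
```

Save it as a .ps1 and run it from an elevated PowerShell prompt on the Security Server, e.g. `.\Check-RrasRouting.ps1 -VpnPoolStart 10.0.0.200 -VpnPoolEnd 10.0.0.220`. Section 1 and 2 answer Mohit's steps 1 and 4; a warning from section 3 is the condition Bala's question is probing for, and it would point at the VPN pool rather than at the routing table as the thing to fix.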
  • Thanks for the update. Let me validate a few settings.

    Security server

    ext xxx.xxx.4.2

    GW xxx.xxx.4.1

    Internal xxx.xxx.0.1

    GW None

    All IPv6 unchecked (another MS tech unchecked these; not sure if this is needed or not)

    XP VPN client set to an external firewall rule that I NAT to xxx.xxx.4.2, VPN type automatic

    Thursday, August 05, 2010 12:39 PM
  • IPv6 needs to remain enabled, even if not used.

    --
    Phillip Windell
    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------

    Monday, August 09, 2010 3:44 PM
  • Hi Tom,

    Thanks for the information. Your configuration looks good from what I see in your response. Were you able to check the routing table and the network captures?


    Mohit Kumar [MSFT]| Sr. Support Escalation Engineer| CSS Security
    Monday, August 09, 2010 7:09 PM
  • I was not able to check things out yet; that is my plan for this week. I assume we will need to gather some data. This has really been a pain since the install of EBS.
    Tuesday, August 10, 2010 11:29 AM
  • Hi Tom,

    Any update on this?


    Mohit Kumar [MSFT]| Sr. Support Escalation Engineer| CSS Security
    Wednesday, August 25, 2010 12:16 AM
  • Mohit,

    Thanks for the follow-up. I am going to run the capture tomorrow morning. I will post my results.

    Thursday, August 26, 2010 12:37 AM
  • OK, here is what I have done

    I connected to the VPN using PPTP from outside our network. Once the connection was made I lost all connection to the WWW from the inside; the Security Server still had WWW access. The systems and routes all look OK from here. I do have a capture before, after and during, of both the inside and the Security Server, including route tables of each.

    I could send these

    Thursday, August 26, 2010 12:01 PM
  • Hi Tom,

    Please zip the captures and the routing table output and send them to me at mohitku@microsoft.com. Please include the relevant IP addresses (Internal machine used for testing, VPN client, Security Server etc) in your email.


    Mohit Kumar [MSFT]| Sr. Support Escalation Engineer| CSS Security
    Tuesday, August 31, 2010 8:35 PM
  • Hi Tom,

    I haven't received the data yet. Any further updates?


    Mohit Kumar [MSFT]| Sr. Support Escalation Engineer| CSS Security
    Tuesday, September 14, 2010 10:04 PM
  • I sent the data in a 10 MB zip format on 8/31. Can your email accept that size?
    Wednesday, September 15, 2010 4:44 PM
  • Per my discussion with Tom, he'll be opening a support case to pursue this further.


    Mohit Kumar [MSFT]| Sr. Support Escalation Engineer| CSS Security
    Friday, October 15, 2010 8:09 PM