SSTP to Windows 2008 unable to ping private network
-
Monday, 27 February 2012 03:10
I have the following setup.
Private Network Configuration:
There is a Linux firewall on the perimeter. Ports 443 and 80 have been opened for SSTP. The network is 10.100.0.0/16. All servers have static IPs in this network range. The gateway on the firewall has the internal IP 10.100.0.1.
Windows Server 2008:
This server is configured as AD, CA and RRAS (no NAT). SSTP is all set up and CLIENT IS ABLE TO CONNECT AND GET IP ADDRESS.
This server has 2 NICs:
NIC1: 10.100.85.15
NIC2: 10.100.85.16 <-- configured to receive SSTP connections; adapter configured with IP and mask only.
RRAS Static Pool: 10.100.77.250 - 254
RRAS Internal IP: 10.100.77.250
No static routes added. Whatever RRAS puts there by default is what there is.
Windows firewall is turned on and pretty much all ports are opened (just so that I can debug the issue)
RRAS inbound and outbound filters are pass through with no restrictions.
Windows 7 Client:
When the client connects it gets an IP from the static pool. Say it gets 10.100.77.251
Issue / Problem:
Once the client connects, the following is working and not working.
Ping Success: VPN client --> Firewall --> RRAS --> Any NIC on the RRAS server (10.100.85.15,10.100.85.16,10.100.77.250)
Ping Success: RRAS Server --> Firewall --> VPN Client
Ping Success: VPN client 1 --> RRAS --> VPN Client 2 and vice versa
Ping Fail: VPN Client --> Firewall --> Any server on private network
Ping Fail: Any server on private network --> Firewall --> VPN Client
Microsoft Network Monitor Trace:
It looks like the ping ICMP Req from client reaches the private server and it responds with ICMP Reply back to 10.100.85.15. But, there is no routing happening inside RRAS.
Frame: Number = 4, Captured Frame Length = 74, MediaType = ETHERNET
- Ethernet: Etype = Internet IP (IPv4),DestinationAddress:[7A-DD-D0-EB-AF-8C],SourceAddress:[00-30-48-71-5D-A2]
+ DestinationAddress: 7ADDD0 EBAF8C [7A-DD-D0-EB-AF-8C]
+ SourceAddress: Supermicro Computer, Inc. 715DA2 [00-30-48-71-5D-A2]
EthernetType: Internet IP (IPv4), 2048(0x800)
+ Ipv4: Src = 10.100.20.10, Dest = 10.100.77.252, Next Protocol = ICMP, Packet ID = 9191, Total IP Length = 60
+ Icmp: Echo Reply Message, From 10.100.20.10 To 10.100.77.252
Client Routing Table When Connected:
==============================
Interface List
13...........................VPN
10...08 00 27 e9 14 91 ......Intel(R) PRO/1000 MT Desktop Adapter
1...........................Software Loopback Interface 1
11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
15...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
==============================================
IPv4 Route Table
===============================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.123.2 192.168.123.15 4235
0.0.0.0 0.0.0.0 On-link 10.100.77.252 11
10.100.77.252 255.255.255.255 On-link 10.100.77.252 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4531
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
192.168.123.0 255.255.255.0 On-link 192.168.123.15 4491
192.168.123.15 255.255.255.255 On-link 192.168.123.15 4491
192.168.123.255 255.255.255.255 On-link 192.168.123.15 4491
216.218.195.214 255.255.255.255 192.168.123.2 192.168.123.15 4236
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4531
224.0.0.0 240.0.0.0 On-link 192.168.123.15 4492
224.0.0.0 240.0.0.0 On-link 10.100.77.252 11
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
255.255.255.255 255.255.255.255 On-link 192.168.123.15 4491
255.255.255.255 255.255.255.255 On-link 10.100.77.252 266
=====================================================
Persistent Routes:
None
IPv6 Route Table
================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
1 306 ff00::/8 On-link
==========================================
Persistent Routes:
None
Server Routing Table When Client Connected:
========================================
Interface List
12 ...7a dd d0 eb af 8c ...... Citrix PV Ethernet Adapter #0
13 ...7e ab 6f 21 e8 30 ...... Citrix PV Ethernet Adapter #1
16 ........................... RAS (Dial In) Interface
1 ........................... Software Loopback Interface 1
14 ...00 00 00 00 00 00 00 e0 isatap.{4705FD1E-0998-43A4-9EBE-46776B90B205}
22 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
15 ...00 00 00 00 00 00 00 e0 isatap.{BCF77165-229C-410C-AE43-D71B6D902F6A}
=======================================================
IPv4 Route Table
==================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.100.0.1 10.100.85.16 110
0.0.0.0 0.0.0.0 10.100.0.1 10.100.85.15 110
10.100.0.0 255.255.0.0 On-link 10.100.85.16 266
10.100.0.0 255.255.0.0 On-link 10.100.85.15 266
10.100.77.250 255.255.255.255 On-link 10.100.77.250 286
10.100.77.252 255.255.255.255 10.100.77.252 10.100.77.250 31
10.100.85.15 255.255.255.255 On-link 10.100.85.15 266
10.100.85.16 255.255.255.255 On-link 10.100.85.16 266
10.100.255.255 255.255.255.255 On-link 10.100.85.16 266
10.100.255.255 255.255.255.255 On-link 10.100.85.15 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.100.85.16 266
224.0.0.0 240.0.0.0 On-link 10.100.85.15 266
224.0.0.0 240.0.0.0 On-link 10.100.77.250 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.100.85.16 266
255.255.255.255 255.255.255.255 On-link 10.100.85.15 266
255.255.255.255 255.255.255.255 On-link 10.100.77.250 286
=================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 10.100.0.1 100
0.0.0.0 0.0.0.0 10.100.0.1 Default
0.0.0.0 0.0.0.0 10.100.0.1 Default
=================================================
IPv6 Route Table
===========================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
12 266 fe80::/64 On-link
12 266 fe80::a8b1:77f:5eb0:d5a8/128 On-link
1 306 ff00::/8 On-link
12 266 ff00::/8 On-link
=============================================
Persistent Routes:
None
Any help in pinging the internal private network is appreciated. Thank you.
- Edited by TishonUs Monday, 27 February 2012 06:02 updating ping success for VPN client 1 --> RRAS --> VPN Client 2
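As an added illustration (my code, not from the question or any reply), a longest-prefix-match lookup over the client's posted route print, showing why 10.100.20.10 leaves through the VPN interface while the VPN default route (metric 11) is present. The route rows are copied from the question; `without_remote_gateway` models what Windows does when "Use default gateway on remote network" is unchecked (the VPN default route is dropped and a class-based route is added instead), and 203.0.113.10 is a documentation address used as a stand-in public destination.

```python
import ipaddress

# Route rows copied from the client "route print" posted in the question
# (connected, with "Use default gateway on remote network" enabled).
CLIENT_ROUTES = """
0.0.0.0 0.0.0.0 192.168.123.2 192.168.123.15 4235
0.0.0.0 0.0.0.0 On-link 10.100.77.252 11
10.100.77.252 255.255.255.255 On-link 10.100.77.252 266
192.168.123.0 255.255.255.0 On-link 192.168.123.15 4491
216.218.195.214 255.255.255.255 192.168.123.2 192.168.123.15 4236
"""

def parse_routes(text):
    """Parse 'Network Destination Netmask Gateway Interface Metric' rows."""
    routes = []
    for line in text.strip().splitlines():
        dest, mask, gateway, iface, metric = line.split()
        routes.append({
            "net": ipaddress.IPv4Network((dest, mask), strict=False),
            "gateway": gateway, "interface": iface, "metric": int(metric),
        })
    return routes

def lookup(routes, dst):
    """Windows selection order: longest prefix first, lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))

def without_remote_gateway(routes, vpn_ip):
    """Model of unchecking "Use default gateway on remote network": Windows drops
    the VPN default route and adds a class-based route for the assigned address
    (10.x.x.x -> 10.0.0.0/8) via the VPN interface instead."""
    first_octet = int(vpn_ip.split(".")[0])
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    kept = [r for r in routes
            if not (r["net"].prefixlen == 0 and r["interface"] == vpn_ip)]
    kept.append({"net": ipaddress.IPv4Network((vpn_ip, prefix), strict=False),
                 "gateway": "On-link", "interface": vpn_ip, "metric": 11})
    return kept

if __name__ == "__main__":
    routes = parse_routes(CLIENT_ROUTES)
    for dst in ("10.100.20.10", "216.218.195.214"):
        r = lookup(routes, dst)
        print(dst, "->", r["interface"], "via", r["gateway"])
```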
All Replies
-
Monday, 27 February 2012 05:41
If you disabled the Windows Firewall on the client, and any antivirus software on the client and the RRAS server, does it ping? The reason I mentioned AV is because many of the new ones offer a "network protection" feature that has been found to hinder normal domain communications, even DC replication.
As far as installing CA and RRAS on a DC, unless it's an SBS server (Small Business Server 2003, 2008 or 2011), it's not recommended. It's actually not recommended on an SBS server, but it can handle it. There are numerous caveats, too much to explain. For a detailed explanation, please read my blog in the following link. CA on a DC is not recommended due to the complexity of recovery, if something were to occur.
Multihomed DCs (with more than one unteamed NIC or multiple IPs) with DNS, RRAS, iSCSI, Clustering interfaces, and/or PPPoE adapters - A multihomed DC is not a recommended configuration, however there are ways to configure such a DC to work properly with lots of mods.
http://msmvps.com/blogs/acefekay/archive/2009/08/17/multihomed-dcs-with-dns-rras-and-or-pppoe-adapters.aspx.
Also, since the two NICs are on the same subnet, that could be a factor, too. That's not really a recommended strategy, besides the multihoming (due to the additional DNS records created that can cause problems with client communications), it may affect what you're seeing. I would suggest to single IP it, disable the other NIC, and port translate SSTP to the one NIC.
Ace
Ace Fekay
MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
-
Monday, 27 February 2012 06:01
Ace, thank you for the reply. In the process I have been told about the multiple NICs on an AD machine. I have noted your point, but also wanted to mention that I have configured the two NICs based on the article here. Prior to a dual NIC configuration, I did try out the single NIC configuration. The problem manifests in exactly the same pattern.
Yes, the client does have Microsoft Security Essentials installed. Firewall on client is disabled.
One other thing to note here is that if I have 2 clients connected via SSTP, then the two clients can ping each other through the RRAS. Also, from RRAS server I am able to ping VPN client directly. I will update the main question with this info.
Tishon Us
-
Monday, 27 February 2012 06:07
That article does not address the records registered by the Netlogon service. When you disable "Register this connection," the Netlogon service ignores it, because it uses its own mechanism to make sure it registers each and every IP in DNS to identify the DC. And the Netlogon service registers this every 60 minutes.
The two main SRV records it's registering that must be stopped are the LdapIpAddress (the one that starts with "same as parent"), and the GcIpAddress (under the GC folder under _msdcs.yourdomain.com).
My blog explains this all, and how to alter the netlogon registry settings to alter its default behavior.
I would also disable MSE to help during diagnostics.
Also, one more suggestion: on the client side, disable the "use remote gateway" setting in the VPN connectoid. See if that helps.
Ace
Ace Fekay
-
Monday, 27 February 2012 13:59
Ace, I tried with MSE disabled but no luck. Please note my earlier reply: "One other thing to note here is that if I have 2 clients connected via SSTP, then the two clients can ping each other through the RRAS. Also, from RRAS server I am able to ping VPN client directly." I still think there is something going on in RRAS. I have already taken care of the SRV as you mentioned.
Tishon Us
-
Monday, 27 February 2012 14:05
Ace, I tried with MSE disabled but no luck. Please note my earlier reply: "One other thing to note here is that if I have 2 clients connected via SSTP, then the two clients can ping each other through the RRAS. Also, from RRAS server I am able to ping VPN client directly." I still think there is something going on in RRAS. I have already taken care of the SRV as you mentioned.
Tishon Us
Hi Tishon Us,
That was why I suggested to disable the client side remote gateway setting. Curious, have you tried that yet?
Ace
Ace Fekay
-
Monday, 27 February 2012 16:00
Ace, if you are referring to the setting on the client for its IPv4 where there is a check box to use the default gateway, then yes, I disabled (unchecked) this option. What this gets going is that I can reach the internet but not the resources in the private network. Sorry, I should have mentioned this in the earlier reply. As you can see, I have tried all permutations of settings, but no result. I am sure there is something minor that I need to adjust, but not sure what that is.
Tishon Us
-
Monday, 27 February 2012 17:24
Then that seems like something is up with routing on the client. The setting is designed so you can still get to company resources, but for internet traffic it will use the client's own gateway. If you're saying you are losing the ability to get to the network, then something is misconfigured. When you uncheck that setting, re-run a route print and compare that to the following in the previous route print you posted:
216.218.195.214 255.255.255.255 192.168.123.2 192.168.123.15 4236
Also, it looks like the client has two IPs, not including the VPN IP?
0.0.0.0 0.0.0.0 192.168.123.2 192.168.123.15 4235
0.0.0.0 0.0.0.0 On-link 10.100.77.252 11
10.100.77.252 255.255.255.255 On-link 10.100.77.252 266 <---- VPN assigned IP
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4531
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
192.168.123.0 255.255.255.0 On-link 192.168.123.15 4491
192.168.123.15 255.255.255.255 On-link 192.168.123.15 4491 <----- What is this IP?
192.168.123.255 255.255.255.255 On-link 192.168.123.15 4491
216.218.195.214 255.255.255.255 192.168.123.2 192.168.123.15 4236 <----- What is this IP?
Ace Fekay
- Edited by Ace Fekay [MCT]MVP Monday, 27 February 2012 17:54
-
Monday, 27 February 2012 19:13
Ace, the client is actually a VirtualBox VM instance. The NATed IP that it gets from VirtualBox is 192.168.123.15. I don't think the client has an IP of 216.218.195.214. This is a public IP that is on a firewall through which SSTP is created. If the following question is whether this VirtualBox instance can make ping requests, then yes it can. I am able to ping msn.com and other public sites.
One question I have is: how can I, on the client or on RRAS, know that a packet destined for a VPN client has been dropped? Is this logged anywhere? I tried the MS Network Monitor to capture packets, but due to SSL nothing much can be seen. As I mentioned in my question, the ICMP reply from the private server reached RRAS on its internal address 10.100.85.15. Now either one of these could have happened: (1) RRAS dropped it or (2) the client got it but something in the client dropped the packet. Any hint on how I can know what could have happened?
Tishon Us
-
Tuesday, 28 February 2012 05:28
That 216 IP is showing up in the client's routing table, therefore it's configured with it, since the way the table reads, to get to 216.218.195.214, use 192.168.123.2's interface to get to its gateway of 192.168.123.15.
Curious, let's check the client's ipconfig /all, NIC properties, etc.
Also, probably the best way to capture packets, is run netmon or Wireshark (free) from the client side.
Are there any RRAS filters set?
As for "Virtual Box," which is a specific vendor brand name virtualization host/service (such as HyperV, VMware, etc.), I am not familiar with how it handles networking configs, and that question would be best suited to ask Virtual Box's vendor support or forums.
Ace
Ace Fekay
-
Tuesday, 06 March 2012 08:08
Ace, my apologies for not responding. Trust me I was having some sleepless nights to figure the problem out. I stumbled upon this thread.
http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/56a26c21-4c3f-4628-95da-931a34013cb0/?prof=required
Strangely, I have the exact same issue. Pings with buffer size -l 1400 work for me, but a regular ping of 32 bytes times out. I do not see a solution posted. Would you know what could be the problem? I think at this point routing can be ruled out, as I am able to ping from client to private network and vice versa. The Windows 2008 RRAS is on a Citrix Xen server and the Xen server tools/drivers for the NICs are loaded. Thanks.
Tishon Us
-
Thursday, 08 March 2012 01:08
Tishon,
This is starting to sound like an MTU thing on the router or VPN connecting your sites/locations. Can you confirm the MTU is set at 1500, and not less, on the router/VPN tunnel connection?
Ace Fekay
-
Thursday, 08 March 2012 06:55
Ace, that is a good point. How do I check the MTU size? Would it be on the driver? Sorry for the ignorance.
Tishon Us
-
Thursday, 08 March 2012 12:04
That would be in your firewall/VPN tunnel configuration, not the client machines. What alerted me to that possibility is your ping test using the fragmentation -f option, where it works at 1400. That's kind of low. MTU 1500 is the default.
MTU Ping Test
http://help.expedient.com/broadband/mtu_ping_test.shtml.
When I see that, it either means it was altered on the client, or in the firewall VPN tunnel. I doubt you altered it in the client. I've seen in the past where some firewall/VPN tunnels drop it to 1492, such as when there is PPPoE involved, or it's just their IOS. I know for a fact it affects LDAP PDU communications, causing replication problems among DCs. I remember that from one customer using a SonicWall a few years back. They updated it, and the new update changed the MTU from the default 1500 to 1492, and we couldn't change it back to 1500; it wouldn't allow us. It caused a heck of a lot of problems. SonicWall told us to roll it back, and when we did, everything started working again.
Ace Fekay
- Edited by Ace Fekay [MCT]MVP Thursday, 08 March 2012 12:05
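The MTU ping test Ace refers to (and the -l 1400 observation earlier in the thread), automated as an added example; this is my code, not from the thread or the linked page. It binary-searches the largest `ping -f -l` payload that passes without fragmentation and converts it to a path MTU (IPv4 header 20 bytes + ICMP header 8 bytes). `simulated_probe` is a constructed stand-in for a link so the search runs offline; `windows_probe` is the real-probe variant and assumes the English Windows ping output strings shown.

```python
import re
import subprocess

IP_ICMP_OVERHEAD = 28   # 20-byte IPv4 header + 8-byte ICMP echo header

# Windows ping output fragments: the error printed when "ping -f -l <size>"
# exceeds the path MTU, and the shape of a normal reply line.
FRAG_NEEDED = "Packet needs to be fragmented but DF set."
REPLY_RE = re.compile(r"^Reply from \S+: bytes=(\d+)")

def probe_succeeded(output):
    """Interpret one ping run: a 'Reply from' line and no DF error means the size fits."""
    if FRAG_NEEDED in output:
        return False
    return any(REPLY_RE.match(line.strip()) for line in output.splitlines())

def find_max_payload(probe, lo=32, hi=1472):
    """Binary search for the largest ICMP payload probe(size) accepts unfragmented.
    1472 is the largest payload that fits a 1500-byte MTU. Returns None if even
    `lo` bytes fail, which points at something other than MTU."""
    if not probe(lo):
        return None
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo

def path_mtu(max_payload):
    """Convert the largest working payload back to the link MTU (1464 -> 1492)."""
    return max_payload + IP_ICMP_OVERHEAD

def windows_probe(host):
    """Real probe (assumption: English Windows ping): 'ping -n 1 -f -l <size> <host>'."""
    def probe(size):
        out = subprocess.run(["ping", "-n", "1", "-f", "-l", str(size), host],
                             capture_output=True, text=True).stdout
        return probe_succeeded(out)
    return probe

def simulated_probe(mtu):
    """Constructed stand-in for a link with the given MTU, producing ping-like output."""
    def probe(size):
        if size + IP_ICMP_OVERHEAD > mtu:
            return probe_succeeded(FRAG_NEEDED)
        return probe_succeeded(f"Reply from 10.100.20.10: bytes={size} time=3ms TTL=127")
    return probe

if __name__ == "__main__":
    largest = find_max_payload(simulated_probe(1492))
    print("largest unfragmented payload:", largest, "-> path MTU", path_mtu(largest))
```

Against a real link, replace `simulated_probe(1492)` with `windows_probe("10.100.20.10")` on the VPN client; a result well below 1472 points at a reduced MTU somewhere on the path.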
-
Thursday, 08 March 2012 23:02
Ace, yesterday I tried all stunts to change the MTU on the client but no luck. As you mentioned, it could be an issue on the server/firewall. I will try that tonight. I am yet to find out how to change the MTU on the Windows 2008 RRAS. Also, should this be changed for the physical NIC adapters or the PPP adapter that is the SSL connection?
Tishon Us
-
Friday, 09 March 2012 00:59
No, no! Let's leave all the Windows machines, clients and servers alone!! Sorry if I wasn't clear about this in my earlier posts. There is no need to alter that setting in Windows.
I meant on the firewall and/or VPN TUNNELS in the firewalls, not Windows!! If you have VLANs, check them, too.
What type of infrastructure firewalls/routers/VPN do you have? Maybe get their tech support engineers involved, too.
Ace Fekay