Server 2012 RRAS VPN remote desktop not working

  • Question

  • I have a server I set up to be a VPN server, but it's also a file share (small budget for a small business).

    The PPTP works fine.  I can connect to the server using VPN.

    I can ping the server, but not RDP to it, or browse files.  All using the IP of the server, not name.

    But if I go on another computer inside the network, I can RDP and browse files.

    The VPN is set up to give 10 addresses in the same subnet as the server I'm trying to access.

    I disabled the antivirus firewall and the Windows firewall.

    Edit - I found in RRAS that under IPV4 there is the "internal" interface with IP 192.168.1.141 and I can actually connect to the server through the VPN using that IP address and not the server's actual IP address assigned to the actual network card.

    So what gives?  Should I not be able to connect to the server's actual IP address of 192.168.1.11?  Not having to use the "internal" IP address that RRAS created?



    • Edited by TwiztedTD Saturday, November 4, 2017 4:41 AM
    Saturday, November 4, 2017 3:51 AM

All replies

  •  Hi,

    >>found in RRAS that under IPV4 there is the "internal" interface with IP 192.168.1.141 and I can actually connect to the server through the vpn using that IP address and not the servers actual IP address assigned to the actual network card.

    I suppose 192.168.1.141 is a virtual interface.

    The GRE encapsulates your LAN traffic and it is that simple. Say your IP is 192.168.0.1 and the remote LAN IP you send data to is 192.168.1.1. When you send data to the remote IP, the tunnel detects this and sends it through the PPTP virtual interface. At this point all packets are now encapsulated in a new IP packet, this time containing the public IP address and port of the remote location, and are sent on their way. Once the remote PPTP endpoint receives it, it strips off the GRE headers and finds the LAN IP headers for 192.168.1.1 and sends them on their way.

    For more information about VPN, please refer to the following article:

    https://technet.microsoft.com/en-us/library/cc958048.aspx

    >>I can ping the server, but not RDP to it

    Any errors or alerts?

    Please try running the telnet command to the file server on port 3389.

    Best Regards,
    Frank


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, November 6, 2017 9:14 AM
  • Hi,
    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Frank


    Wednesday, November 8, 2017 9:31 AM
  • Hi,

    Was your issue resolved? 

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.
    If you resolve it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.
    If not, please reply and tell us the current situation in order to provide further help.

    Best Regards,
    Frank


    Monday, November 13, 2017 10:00 AM
  • The server IP is 192.168.1.11

    I have set the RRAS VPN to give DHCP 192.168.1.141 to 192.168.1.149

    So when I connect to the VPN I get 192.168.1.142 for example.

    The "internal" IP address in RRAS manager gets 192.168.1.141.

    So the server essentially has two IPs, 192.168.1.11 which is the static address set on the network interface.  But then it also gets 192.168.1.141 set as its "internal" interface for RRAS.

    I can RDP to 192.168.1.141 but not 192.168.1.11.

    I am really stumped and need to get this working.

    Tuesday, November 14, 2017 9:33 PM
  • Hi,

    To have a better understanding, could you please provide the following:

    • A screenshot of IPv4\General in RRAS
    • The error message when RDP to 192.168.1.11
    • The result of “ipconfig /all” on the VPN server
    • The result of “route print” on the VPN server

    Besides, can the client access the file shares on other machines in the remote site?

    Based on my personal experience, VPN server and all its shares will take on the first valid address in the IP range in RRAS, which is 192.168.1.141; and you can access the VPN server by IP 192.168.141.

    Best Regards,

    Frank



    Thursday, November 16, 2017 9:28 AM
  • Hi Frank

    You hit the nail on the head.  It does take the first valid address, 192.168.1.140 and I can browse using 192.168.1.140.

    Attached is a screenshot of the IP config.

    We want to be able to browse the file server via 192.168.1.11 not 192.168.1.140 when on VPN.  I must be able to punch a hole somewhere that lets users talk to the server using 192.168.1.11 and not 192.168.1.140.

    Thursday, November 16, 2017 6:05 PM
  • Windows firewall is disabled.

    Is NPS doing something?

    Thursday, November 16, 2017 8:23 PM
  • Hi,

    From the picture, it looks like the VPN server has a single NIC, is that right?

    • If yes, please add another NIC and give it a try.

    When the client is on VPN, what is the error message when RDP to the server by 192.168.1.11?

    What is the error message when accessing file shares by \\192.168.1.11?

    If possible, please provide screenshots of them.

    Besides, please capture the network packets of the following:

    Download the packet capture tool “Network Monitor” in the link below:

    https://www.microsoft.com/en-sg/download/details.aspx?id=4865

    Then, start Network Monitor at the client side and server side

    • Click “New Capture” to create a capture
    • Click “start” to start capturing
    • On the client, ping server by 192.167.1.11; and access file share by \\192.168.1.11.
    • After failure, click “Stop” to stop capturing
    • At last, click “Save as” to save the two .cap files

    Also, please export the configurations of the NPS server.

    Best Regards,

    Frank



    Friday, November 17, 2017 10:11 AM
  • Thank you for the suggestions Frank.  I will do them and update this post over the weekend.
    Friday, November 17, 2017 9:12 PM
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Frank



    Monday, November 20, 2017 8:45 AM
  • Hi Frank,

    The server is sitting behind a Netgear firewall with PPTP allowed through.  I can connect to the PPTP server.  But NOW I cannot even ping 192.168.1.140.  It seems everything is blocked now.

    The Windows firewall is turned off.

    Do I absolutely need a second NIC?

    Here is the link to the CAP file of the network monitor from my PC trying to ping the 192.168.1.11 and 192.168.1.140

    https://drive.google.com/file/d/1m5wI0TtNMONdfEUSHWlmewo_QImA2gqN/view?usp=sharing

    Here is the XML file export of the NPS config.

    https://drive.google.com/file/d/10TTXJa2RO9h4Eqy9aHR3cQmc8qtdkykQ/view?usp=sharing

    Thank you again for your continued help Frank.  I really hope we can sort this out.

    Tuesday, November 21, 2017 2:57 PM
  • Hi,

    For the second NIC, it is not necessary. For example, you could access file shares from 192.168.1.140 previously. However, it is recommended to have two NICs.

    From the network capture, there is no traffic to “192.168.1.11” or “192.168.1.140”.

    Is this .cap file captured on the client PC? It seems that the client PC is not pinging the server on “192.168.1.11” or “192.168.1.140”.

    However, there are ICMPv6 packets sent out without replies. Could you please uncheck IPv6 in TCP/IP settings?


    Currently, ping on 192.168.1.11 and 192.168.1.140 fails. Please run “tracert 192.168.1.11” and “tracert 192.168.1.140” to check if the client PC can find a route to the server.

    If tracert fails, please provide the route table “route print”.

    For NPS configurations, I found that Network Policies are set to deny access.

    Why is it set to deny access? I suppose this should be Grant Access.

    Best Regards,

    Frank



    Thursday, November 23, 2017 2:44 AM
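
The checks requested across this thread (ping, a TCP test to port 3389, file-share reachability, and the route the client picks), gathered into one PowerShell script. This is an added example, not something posted by a participant; it assumes a VPN client running Windows 8.1 or later (for `Test-NetConnection`), and the output file name is hypothetical.

```powershell
# Added example: run on the VPN client while the PPTP connection is up.
# Addresses are the ones quoted in the thread; 3389 = RDP, 445 = SMB file sharing.
$targets = '192.168.1.11', '192.168.1.140', '192.168.1.141'
$ports   = 3389, 445

$results = foreach ($ip in $targets) {
    # Find-NetRoute returns the local source address object and the route object
    # that Windows would select for this destination; keep the route object.
    $found  = @(Find-NetRoute -RemoteIPAddress $ip -ErrorAction SilentlyContinue)
    $route  = $found | Where-Object { $_.NextHop } | Select-Object -First 1
    $pingOk = Test-Connection -ComputerName $ip -Count 2 -Quiet

    foreach ($port in $ports) {
        # TcpTestSucceeded is $true only if the three-way handshake completes.
        $tcp = Test-NetConnection -ComputerName $ip -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target    = $ip
            Port      = $port
            Ping      = $pingOk
            TcpOpen   = $tcp.TcpTestSucceeded
            Interface = $tcp.InterfaceAlias            # adapter the probe left by (may be empty on failure)
            SourceIP  = $tcp.SourceAddress.IPAddress   # client address used (may be empty on failure)
            NextHop   = $route.NextHop                 # 0.0.0.0 means on-link
        }
    }
}

$results | Format-Table -AutoSize
# Hypothetical file name: keep a copy to post alongside "route print" output.
$results | Export-Csv -Path .\vpn-reachability.csv -NoTypeInformation
```

A row whose Interface is not the VPN connection shows that traffic to that address is leaving by another adapter rather than through the tunnel.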