VPN Server Unreachable after VPN Client disconnects

Question
I have a W2K8 domain controller. We are a small office with remote users and I need them to be able to connect to the domain controller. So I have made the domain controller a RRAS server as well. I know this isn't best practice but it is all we have. The box is behind a router and only has a single NIC. I have RRAS using a standard configuration. We are using L2TP connections with PSK. I have a test client machine with a VPN connection configured.
I can connect the client over the VPN to the server no problem; however, as soon as I have the client disconnect, I lose my RDP connection to the server and can no longer ping the server. The only way to get the server back is to reboot. I think this has something to do with GPOs, as I was able to connect and disconnect via VPN fine before promoting the box to a DC. Any help would be appreciated.
Thanks
Thursday, October 21, 2010 5:57 PM
Answers
Hi Jack,
Thanks for your update.
As you can see, setting a dynamic IP address for the Internet interface on a VPN server is not recommended; it would cause some routing issues.
What I suggest is that you might like to consult with your ISP and ask for a static address to support the VPN service.
Configure TCP/IP on the VPN Server
http://technet.microsoft.com/en-us/library/ff687698(WS.10).aspx
Thanks.
Tiger Li
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
- Marked as answer by KretzJakeM Friday, October 29, 2010 5:09 PM
Friday, October 29, 2010 7:55 AM
All replies
Hi,
Did you perform this test in the internal network? I mean, did you establish the VPN via the internal address of the domain controller?
What about other clients? Do they also fail to connect to the DC with the private address?
Can the server connect to other hosts when this issue occurs?
Please check the event log for any VPN-related events, and post the error event ID and the “ipconfig /all” and “route print” results of both sides here for further investigation.
Thanks.
Tiger Li
Friday, October 22, 2010 6:28 AM
Tiger,
The DC is not on the local network. The VPN is set up with a static IP range for clients (192.168.25.1 - 20). When the VPN client connects, the server's Internal interface grabs 192.168.25.1 and the client gets 192.168.25.2. Other clients can also connect. However, as soon as a single client is disconnected, no other clients can VPN into the server. Connected clients seem to remain connected, but I did not investigate that much. It seems like the disconnect is forcing the server NIC to listen on its VPN internal IP (25.1) and not its NIC public IP. Again, the server only has a single NIC and I can't add another one. I don't know if the server can connect to other hosts because as soon as I disconnect the client I lose the server and have to reboot. The event log seems normal.
Hope this helps
Jake
Friday, October 22, 2010 6:14 PM
Hi Jack,
Thanks for the update.
Could you run "route print" and "ipconfig /all" on that server when this issue occurs, and post the results here?
Thanks.
Tiger Li
Monday, October 25, 2010 9:06 AM
Tiger,
Here is the info, sorry for the delay.
The server route print pre vpn connection:
===========================================================================
Interface List
11 ...12 31 39 02 74 47 ...... RedHat PV NIC Driver
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 isatap.compute-1.internal
10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.248.122.1 10.248.123.181 10
10.248.122.0 255.255.254.0 On-link 10.248.123.181 266
10.248.123.181 255.255.255.255 On-link 10.248.123.181 266
10.248.123.255 255.255.255.255 On-link 10.248.123.181 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.248.123.181 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
11 266 fe80::/64 On-link
11 266 fe80::78ab:d857:bac7:9165/128
On-link
1 306 ff00::/8 On-link
11 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
The ipconfig pre vpn connection:
Windows IP Configuration
Host Name . . . . . . . . . . . . : *computerName*
Primary Dns Suffix . . . . . . . : *domainName*.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : compute-1.internal
us-east-1.ec2-utilities.amazonaws.com
*domainName*.com
*domainName*.com
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : compute-1.internal
Description . . . . . . . . . . . : RedHat PV NIC Driver
Physical Address. . . . . . . . . : 12-31-39-02-74-47
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::78ab:d857:bac7:9165%11(Preferred)
IPv4 Address. . . . . . . . . . . : 10.248.123.181(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Lease Obtained. . . . . . . . . . : Thursday, October 21, 2010 6:03:16 PM
Lease Expires . . . . . . . . . . : Tuesday, October 26, 2010 7:04:33 PM
Default Gateway . . . . . . . . . : 10.248.122.1
DHCP Server . . . . . . . . . . . : 169.254.1.0
DNS Servers . . . . . . . . . . . : 172.16.0.23
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : compute-1.internal
Description . . . . . . . . . . . : isatap.compute-1.internal
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
The route print post vpn connection (i.e. with client connected over vpn):
===========================================================================
Interface List
11 ...12 31 39 02 74 47 ...... RedHat PV NIC Driver
13 ........................... RAS (Dial In) Interface
1 ........................... Software Loopback Interface 1
12 ...00 00 00 00 00 00 00 e0 isatap.compute-1.internal
10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
18 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.248.122.1 10.248.123.181 10
10.248.122.0 255.255.254.0 On-link 10.248.123.181 266
10.248.123.181 255.255.255.255 On-link 10.248.123.181 266
10.248.123.255 255.255.255.255 On-link 10.248.123.181 266
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.25.1 255.255.255.255 On-link 192.168.25.1 296
192.168.25.2 255.255.255.255 192.168.25.2 192.168.25.1 41
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.248.123.181 266
224.0.0.0 240.0.0.0 On-link 192.168.25.1 296
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.25.1 296
===========================================================================
Persistent Routes:
None
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 306 ::1/128 On-link
11 266 fe80::/64 On-link
18 306 fe80::5efe:192.168.25.1/128
On-link
11 266 fe80::78ab:d857:bac7:9165/128
On-link
1 306 ff00::/8 On-link
11 266 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
The ipconfig post vpn connection:
Windows IP Configuration
Host Name . . . . . . . . . . . . : *computerName*
Primary Dns Suffix . . . . . . . : *domainName*.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : compute-1.internal
us-east-1.ec2-utilities.amazonaws.com
*domainName*.com
*domainName*.com
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : compute-1.internal
Description . . . . . . . . . . . : RedHat PV NIC Driver
Physical Address. . . . . . . . . : 12-31-39-02-74-47
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::78ab:d857:bac7:9165%11(Preferred)
IPv4 Address. . . . . . . . . . . : 10.248.123.181(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Lease Obtained. . . . . . . . . . : Monday, October 25, 2010 8:27:13 PM
Lease Expires . . . . . . . . . . : Thursday, October 28, 2010 9:27:12 AM
Default Gateway . . . . . . . . . :
DHCP Server . . . . . . . . . . . : 169.254.1.0
DNS Servers . . . . . . . . . . . : 172.16.0.23
NetBIOS over Tcpip. . . . . . . . : Enabled
PPP adapter RAS (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : RAS (Dial In) Interface
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.25.1(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter Local Area Connection* 8:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : compute-1.internal
Description . . . . . . . . . . . : isatap.compute-1.internal
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 9:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 02-00-54-55-4E-01
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 11:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::5efe:192.168.25.1%18(Preferred)
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled
Couple of things:
1) When I run ipconfig /all on the server post vpn connection, it kills my rdp session, just like the vpn client disconnect.
Jake
Wednesday, October 27, 2010 9:02 PM
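Added example, not part of the thread: a small Python helper that parses the IPv4 "Active Routes" rows of two `route print` captures and reports which routes were added or removed and which default gateways remain. The function names are hypothetical, the first two samples are abridged from the output posted above, and `NO_DEFAULT` is a constructed snapshot (the thread contains no capture taken after the server became unreachable).

```python
import re

# One IPv4 row of `route print`: destination, netmask, gateway, interface, metric.
IP = r"\d+(?:\.\d+){3}"
ROW = re.compile(rf"^({IP})\s+({IP})\s+(\S+)\s+({IP})\s+(\d+)$")

def parse_routes(text):
    """Return {(destination, netmask, gateway, interface)} for the Active Routes rows."""
    routes, active = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Active Routes"):
            active = True
        elif line.startswith("Persistent Routes"):
            active = False
        elif active and (m := ROW.match(line)):
            routes.add(m.groups()[:4])  # IPv6 rows never match ROW, so they are skipped
    return routes

def compare(before, after):
    """Diff two snapshots and list the default gateways left in the second one."""
    b, a = parse_routes(before), parse_routes(after)
    gateways = sorted(gw for dst, mask, gw, _ in a if dst == mask == "0.0.0.0")
    return {"added": sorted(a - b), "removed": sorted(b - a), "default_gateways": gateways}

# Rows abridged from the thread's "pre vpn" and "post vpn" route print output.
PRE_VPN = """Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.248.122.1   10.248.123.181     10
     10.248.122.0    255.255.254.0          On-link   10.248.123.181    266
Persistent Routes:
"""
POST_VPN = """Active Routes:
          0.0.0.0          0.0.0.0     10.248.122.1   10.248.123.181     10
     10.248.122.0    255.255.254.0          On-link   10.248.123.181    266
     192.168.25.1  255.255.255.255          On-link     192.168.25.1    296
     192.168.25.2  255.255.255.255     192.168.25.2     192.168.25.1     41
Persistent Routes:
"""
# Constructed snapshot with no 0.0.0.0 route, to show what the check reports.
NO_DEFAULT = """Active Routes:
     10.248.122.0    255.255.254.0          On-link   10.248.123.181    266
Persistent Routes:
"""

if __name__ == "__main__":
    print(compare(PRE_VPN, POST_VPN))
    print(compare(PRE_VPN, NO_DEFAULT))
```

An empty `default_gateways` list means the server can still reach its own subnet but has no route back to remote clients.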
Hi Jack,
Thanks for the update.
Does this server obtain its IP address via a DHCP server?
Please hardcode the network settings (IP address, mask, default gateway, DNS, etc.) for Local Area Connection 2 and make this interface the top of the binding order list.
• Click Start, click Run, type ncpa.cpl, and then click OK.
• You can see the available connections in the LAN and High-Speed Internet section of the Network Connections window.
• Press “Alt” to show the Advanced menu, click Advanced Settings, and then click the Adapters and Bindings tab.
• In the Connections area, select remote access connections. Use the arrow buttons to move Local Area Connection 2 to the top of the binding order list.
After that please test again.
Thanks.
Tiger Li
Thursday, October 28, 2010 8:09 AM
Tiger,
The server is in a hosted environment and I can't set static network settings permanently. I did set the network settings statically temporarily and it worked. I checked the binding order and LAC2 is first. When I reverted back to DHCP the problem occurred again as expected. What should I try next?
Thanks for the help.
Jake
Thursday, October 28, 2010 3:37 PM