VPN Server Unreachable after VPN Client disconnects

  • Question

  • I have a W2K8 domain controller.  We are a small office with remote users and I need them to be able to connect to the domain controller.  So I have made the domain controller a RRAS server as well.  I know this isn't best practice but it is all we have.  The box is behind a router and only has a single NIC.  I have RRAS using a standard configuration.  We are using L2TP connections with PSK.  I have a test client machine with a VPN connection configured.

    I can connect the client over the VPN to the server no problem; however, as soon as I have the client disconnect, I lose my RDP connection to the server and can no longer ping the server.  The only way to get the server back is to reboot.  I think this has something to do with GPOs as I was able to connect and disconnect via VPN fine before promoting the box to a DC.  Any help would be appreciated.

    Thanks

    Thursday, October 21, 2010 5:57 PM

Answers

  • Hi jack,

    Thanks for your update.

    As you can see, setting a dynamic IP address for the internet interface on a VPN server is not recommended; it would cause some routing issues.

    I suggest you consult with your ISP and ask for a static address to support the VPN service.

    Configure TCP/IP on the VPN Server

    http://technet.microsoft.com/en-us/library/ff687698(WS.10).aspx

    Thanks.

    Tiger Li


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by KretzJakeM Friday, October 29, 2010 5:09 PM
    Friday, October 29, 2010 7:55 AM

All replies

  • Hi,

    Did you perform this test on the internal network? I mean, did you establish the VPN via the internal address of the domain controller?

    What about other clients? Do they also fail to connect to the DC with the private address?

    Can the server connect to other hosts when this issue occurs?

    Please check the event log for any VPN-related events, and post the error event ID and the “ipconfig /all” and “route print” results from both sides here for further investigation.

    Thanks.

    Tiger Li


    Friday, October 22, 2010 6:28 AM
  • Tiger,

    The DC is not on the local network.  The VPN is set up with a static IP range for clients (192.168.25.1 - 20).  When the VPN client connects, the server's Internal interface grabs 192.168.25.1 and the client gets 192.168.25.2.  Other clients can also connect.  However, as soon as a single client is disconnected, no other clients can VPN into the server.  Connected clients seem to remain connected, but I did not investigate that much.  It seems like the disconnect is forcing the server NIC to listen on its VPN internal IP (25.1) and not its NIC public IP.  Again, the server only has a single NIC and I can't add another one.  I don't know if the server can connect to other hosts because as soon as I disconnect the client I lose the server and have to reboot.  The event log seems normal.

    Hope this helps


    Jake
    Friday, October 22, 2010 6:14 PM
  • Hi Jack,

    Thanks for update.

    Could you perform "route print" and "ipconfig /all" on that server when this issue occurs, and post the result here?

    Thanks.

    Tiger Li


    Monday, October 25, 2010 9:06 AM
  • Tiger,

    Here is the info, sorry for the delay.

    The server route print pre vpn connection:

    ===========================================================================
    Interface List
     11 ...12 31 39 02 74 47 ...... RedHat PV NIC Driver
      1 ........................... Software Loopback Interface 1
     12 ...00 00 00 00 00 00 00 e0  isatap.compute-1.internal
     10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     10.248.122.1   10.248.123.181     10
         10.248.122.0    255.255.254.0         On-link    10.248.123.181    266
       10.248.123.181  255.255.255.255         On-link    10.248.123.181    266
       10.248.123.255  255.255.255.255         On-link    10.248.123.181    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link    10.248.123.181    266
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    ===========================================================================
    Persistent Routes:
      None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
     11    266 fe80::/64                On-link
     11    266 fe80::78ab:d857:bac7:9165/128
                                        On-link
      1    306 ff00::/8                 On-link
     11    266 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None

    The ipconfig pre vpn connection:


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : *computerName*
       Primary Dns Suffix  . . . . . . . : *domainName*.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : compute-1.internal
                                           us-east-1.ec2-utilities.amazonaws.com
                                           *domainName*.com
                                           *domainName*.com

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . : compute-1.internal
       Description . . . . . . . . . . . : RedHat PV NIC Driver
       Physical Address. . . . . . . . . : 12-31-39-02-74-47
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::78ab:d857:bac7:9165%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.248.123.181(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Lease Obtained. . . . . . . . . . : Thursday, October 21, 2010 6:03:16 PM
       Lease Expires . . . . . . . . . . : Tuesday, October 26, 2010 7:04:33 PM
       Default Gateway . . . . . . . . . : 10.248.122.1
       DHCP Server . . . . . . . . . . . : 169.254.1.0
       DNS Servers . . . . . . . . . . . : 172.16.0.23
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection* 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : compute-1.internal
       Description . . . . . . . . . . . : isatap.compute-1.internal
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    The route print post vpn connection(ie with client connected over vpn):

    ===========================================================================
    Interface List
     11 ...12 31 39 02 74 47 ...... RedHat PV NIC Driver
     13 ........................... RAS (Dial In) Interface
      1 ........................... Software Loopback Interface 1
     12 ...00 00 00 00 00 00 00 e0  isatap.compute-1.internal
     10 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
     18 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter #2
    ===========================================================================

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     10.248.122.1   10.248.123.181     10
         10.248.122.0    255.255.254.0         On-link    10.248.123.181    266
       10.248.123.181  255.255.255.255         On-link    10.248.123.181    266
       10.248.123.255  255.255.255.255         On-link    10.248.123.181    266
            127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
            127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
      127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
         192.168.25.1  255.255.255.255         On-link      192.168.25.1    296
         192.168.25.2  255.255.255.255     192.168.25.2     192.168.25.1     41
            224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
            224.0.0.0        240.0.0.0         On-link    10.248.123.181    266
            224.0.0.0        240.0.0.0         On-link      192.168.25.1    296
      255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
      255.255.255.255  255.255.255.255         On-link      192.168.25.1    296
    ===========================================================================
    Persistent Routes:
      None

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      1    306 ::1/128                  On-link
     11    266 fe80::/64                On-link
     18    306 fe80::5efe:192.168.25.1/128
                                        On-link
     11    266 fe80::78ab:d857:bac7:9165/128
                                        On-link
      1    306 ff00::/8                 On-link
     11    266 ff00::/8                 On-link
    ===========================================================================
    Persistent Routes:
      None

    The ipconfig post vpn connection:


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : *computerName*
       Primary Dns Suffix  . . . . . . . : *domainName*.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : compute-1.internal
                                           us-east-1.ec2-utilities.amazonaws.com
                                           *domainName*.com
                                           *domainName*.com

    Ethernet adapter Local Area Connection 2:

       Connection-specific DNS Suffix  . : compute-1.internal
       Description . . . . . . . . . . . : RedHat PV NIC Driver
       Physical Address. . . . . . . . . : 12-31-39-02-74-47
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::78ab:d857:bac7:9165%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.248.123.181(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Lease Obtained. . . . . . . . . . : Monday, October 25, 2010 8:27:13 PM
       Lease Expires . . . . . . . . . . : Thursday, October 28, 2010 9:27:12 AM
       Default Gateway . . . . . . . . . :
       DHCP Server . . . . . . . . . . . : 169.254.1.0
       DNS Servers . . . . . . . . . . . : 172.16.0.23
       NetBIOS over Tcpip. . . . . . . . : Enabled

    PPP adapter RAS (Dial In) Interface:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : RAS (Dial In) Interface
       Physical Address. . . . . . . . . :
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 192.168.25.1(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.255
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Tunnel adapter Local Area Connection* 8:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : compute-1.internal
       Description . . . . . . . . . . . : isatap.compute-1.internal
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 02-00-54-55-4E-01
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 11:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::5efe:192.168.25.1%18(Preferred)
       Default Gateway . . . . . . . . . :
       NetBIOS over Tcpip. . . . . . . . : Disabled

    Couple of things:

    1) When I run ipconfig /all on the server post vpn connection, it kills my rdp session, just like the vpn client disconnect.

    Jake


    Jake
    Wednesday, October 27, 2010 9:02 PM
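
The before/after comparison requested above can be done mechanically. The following is an added example, not part of the thread or written by either participant: it parses IPv4 rows from `route print` output, diffs two snapshots, and checks that the default route still leaves through the NIC address. `parse_routes`, `compare` and the `NO_DEFAULT` sample are names and data made up for this illustration; the thread never captured the server's table after a disconnect.

```python
import re

# Five whitespace-separated columns; IPv6 and persistent-route rows do not match.
IP = r"(\d+(?:\.\d+){3})"
ROW = re.compile(rf"^\s*{IP}\s+{IP}\s+(\S+)\s+{IP}\s+(\d+)\s*$")

def parse_routes(text):
    """Map (destination, netmask, interface) -> (gateway, metric)."""
    routes = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes[(dest, mask, iface)] = (gw, int(metric))
    return routes

def compare(before, after, nic_ip):
    """Diff two snapshots and check the default route still leaves via nic_ip."""
    b, a = parse_routes(before), parse_routes(after)
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "default_via_nic": ("0.0.0.0", "0.0.0.0", nic_ip) in a,
    }

# Rows copied from the thread's "pre VPN" and "client connected" tables (trimmed).
PRE = """
          0.0.0.0          0.0.0.0     10.248.122.1   10.248.123.181     10
     10.248.122.0    255.255.254.0         On-link    10.248.123.181    266
"""
CONNECTED = PRE + """
     192.168.25.1  255.255.255.255         On-link      192.168.25.1    296
     192.168.25.2  255.255.255.255     192.168.25.2     192.168.25.1     41
"""
# Constructed, NOT from the thread: a table with the default route missing,
# used only to show the check firing.
NO_DEFAULT = """
     10.248.122.0    255.255.254.0         On-link    10.248.123.181    266
     192.168.25.1  255.255.255.255         On-link      192.168.25.1    296
"""

if __name__ == "__main__":
    for name, snap in (("connected", CONNECTED), ("no-default", NO_DEFAULT)):
        print(name, compare(PRE, snap, "10.248.123.181"))
```
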
  • Hi jack,

    Thanks for update.

    Does this server obtain its IP address via a DHCP server?

    Please hardcode the network settings (IP address, mask, default gateway, DNS, etc.) for Local Area Connection 2 and make this interface the top of the binding order list.

    Click Start, click Run, type ncpa.cpl, and then click OK.

    You can see the available connections in the LAN and High-Speed Internet section of the Network Connections window.

    Press “Alt” to show the Advanced menu, click Advanced Settings, and then click the Adapters and Bindings tab.

    In the Connections area, select remote access connections. Use the arrow buttons to move Local Area Connection 2 to the top of the binding order list.

    After that please test again.

    Thanks.

    Tiger Li


    Thursday, October 28, 2010 8:09 AM
  • Tiger,

    The server is in a hosted environment and I can't set static network settings permanently.  I did set the network settings statically temporarily and it worked.  I checked the binding order and LAC2 is first. When I reverted back to DHCP the problem occurred again as expected.  What should I try next?

    Thanks for the help.

    Jake


    Jake
    Thursday, October 28, 2010 3:37 PM