RRAS VPN routing issue

  • Question

  • Hi all,

    Wondering if anyone can assist me with the following issue:

    I have a PPTP VPN on my TMG server. When I connect to the VPN I can access all LAN resources just fine. The problem is I have a VLAN on a switch called "test network" that I cannot always access from the VPN. I say "always" as sometimes I connect and can ping servers that are in that subnet; I'll disconnect the VPN, reconnect, and then I can't ping them.

    The config is as follows:

    LAN: 10.0.0.0/16 (default VLAN on HP switch), gateway 10.0.0.254 (Juniper SRX)

    Test network: 172.16.28.0/24 (test VLAN on same HP switch), gateway 172.16.28.254 (which is on the HP switch, 10.0.0.9)

    My TMG server has a DMZ adapter (external) for published load-balanced web servers, and an internal adapter. The internal adapter has no gateway set; the DMZ (external) adapter has a gateway of 192.168.168.254 (Juniper SRX).

    On the TMG server there is a static route for 172.16.28.0 with a gateway of the HP switch, 10.0.0.9. The 172.16.28.0/24 address range is also in the internal interface on the TMG console.

    I can ping any server on 172.16.28.0 from the TMG server. Sometimes when I connect to the RRAS VPN I can ping the 172 network; as soon as I disconnect and reconnect the VPN I can't get to it again (it does resolve the name), it just times out on ping. I can see within logging that the ping is allowed and has reached the TMG server, yet I get no reply.

    Additional info: the RRAS has a DHCP relay so my VPN clients get the DNS suffix etc. I added a static route in the RRAS console for 172, and the VPN could then reach the 172 network, but when I reconnected, nothing again.

    I do also have a firewall rule that allows all outbound from internal and VPN to internal, VPN, external.

    I know it's not an ideal setup and I am looking to move the test network gateway to the Juniper SRX. I just really wanted to figure out why this isn't working, or more to the point why it sometimes is and sometimes isn't.

    When I do a tracert to a 172 address on the TMG server it goes to the switch 10.0.0.9 and then the server, as expected. When doing the same from a VPN client (when not working) it first goes to the RRAS adapter address and then it times out.

    If anyone could give me any tips that would be great.

    Thanks

    Ross

    Tuesday, February 11, 2014 9:42 PM

Answers

  • Doh! I have resolved it already. The issue was the DHCP relay: addresses were overlapping with others in the LAN, as the VPN client gets a new one each time. I changed the RRAS configuration to a static range that is out of the internal LAN DHCP scope and it worked multiple times in a row.
    • Marked as answer by Ross1986 Tuesday, February 11, 2014 10:28 PM
    Tuesday, February 11, 2014 10:28 PM
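The fix above comes down to one rule: the RRAS static address pool must sit inside the internal LAN subnet (so RRAS can proxy-ARP for the clients) but outside any range the LAN DHCP server also hands out, otherwise a VPN client can be given an address that a LAN host already holds and replies go to the wrong place. The following is an added example, not code from the thread or from Microsoft, that checks a candidate pool against that rule. The LAN DHCP scope boundaries (10.0.10.1 to 10.0.20.254) are constructed for the example; only the 10.0.0.0/16 LAN and 172.16.28.0/24 test network come from the post.

```python
import ipaddress

# Values from the thread: the LAN subnet and the routed test network.
LAN = ipaddress.ip_network("10.0.0.0/16")
TEST_NETWORK = ipaddress.ip_network("172.16.28.0/24")

# Constructed for this example: the range the internal DHCP server leases.
# The real scope boundaries were not given in the thread.
LAN_DHCP_SCOPES = {
    "internal-dhcp": ("10.0.10.1", "10.0.20.254"),
}


def range_to_blocks(start, end):
    """Expand an inclusive start..end address pair into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end)))


def pool_conflicts(pool, scopes):
    """Return (scope_name, pool_block, scope_block) for every overlap between
    the candidate RRAS pool and any DHCP scope; an empty list means no clash."""
    conflicts = []
    for pool_block in range_to_blocks(*pool):
        for name, scope in scopes.items():
            for scope_block in range_to_blocks(*scope):
                if pool_block.overlaps(scope_block):
                    conflicts.append((name, str(pool_block), str(scope_block)))
    return conflicts


def pool_in_lan(pool, lan=LAN):
    """True when every address of the pool lies inside the LAN subnet, which is
    what lets RRAS answer ARP for its clients on the internal adapter."""
    return all(block.subnet_of(lan) for block in range_to_blocks(*pool))


def validate_pool(pool, scopes=LAN_DHCP_SCOPES, lan=LAN, remote=TEST_NETWORK):
    """Summarise whether a static pool is safe to configure in RRAS."""
    conflicts = pool_conflicts(pool, scopes)
    remote_clash = any(b.overlaps(remote) for b in range_to_blocks(*pool))
    return {
        "in_lan": pool_in_lan(pool, lan),
        "dhcp_conflicts": conflicts,
        "overlaps_remote_subnet": remote_clash,
        "safe": pool_in_lan(pool, lan) and not conflicts and not remote_clash,
    }


if __name__ == "__main__":
    # A pool carved out of the DHCP scope (the situation the relay produced)
    # versus one placed in an unused part of the /16.
    for candidate in (("10.0.15.1", "10.0.15.50"), ("10.0.200.1", "10.0.200.50")):
        print(candidate, validate_pool(candidate))
```

Run it with the real scope boundaries taken from the DHCP console; the function reports each overlapping block by name, so a pool that straddles two scopes shows both.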

All replies

  • Hi,

    Thank you for sharing. If you need assistance in future, feel free to contact us.

    Best Regards

    Quan Gu

    Wednesday, February 12, 2014 5:59 AM
    Moderator