RRAS Server Doesn't Get Initial 10 IP Allotment from DHCP Server

  • Question

  • Hi all,

    I installed RRAS on a VM (Hyper-V) server, in a network in which all computers belong to the same Windows Domain. I only installed VPN - not Dialup or Direct Access. Another VM on the same machine, the PDC, is running the DHCP.

    When the RRAS service is started, I see that the DHCP does not allocate the expected 10 addresses. In the Remote Access Management Console, "VPN Addressing" has a red X next to it, and its "operations state" is "DHCP Address Assignment".
    Of course, any client trying to connect fails, and the RRAS server shows in its log that there are no IP addresses available to allocate.

    The details show:

    ERROR: The VPN server cannot obtain IP addresses for VPN clients from the DHCP server
    CAUSES: The VPN server cannot obtain IP addresses for VPN clients from the DHCP server.
    RESOLUTION:
    1. Check network connectivity of the VPN server.
    2. Verify DHCP settings.

    I tried installing RRAS on 2 other VM on the same Hyper-V box, and sometimes they work, and sometimes they don't.

    All hosts can ping each other. If I assign the problematic servers' NICs to get an address from DHCP, they successfully get the address. I assume this proves that there is no problem getting addresses in general.

    I also tried shutting down all servers except the DHCP, and then starting the others - but it still didn't help.

    I would appreciate it if someone could please help me out here.

    TIA,
    mlavie58

    Thursday, December 13, 2018 2:42 PM

All replies

  • Hi,

    Would you please disable VLAN ID first in settings and then check your RRAS server's NICs?

    You can also try to configure a static address pool for the VPN clients.

    Regards,

    Zoe


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.




    Friday, December 14, 2018 7:26 AM
  • Hi Zoe,

    Assigning a static IP Address works, but I assume the fact that DHCP doesn't work means I have some fundamental flaw in my setup.

    I was also wondering if this has anything to do with ipv6.

    Here is the result of ipconfig /all, before the RRAS service is started:

    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : CONTOSO28
       Primary Dns Suffix  . . . . . . . : contoso.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : contoso.com
                                           mynet
    
    Ethernet adapter Ethernet 9:
    
       Connection-specific DNS Suffix  . : mynet
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #11
       Physical Address. . . . . . . . . : 00-15-5D-01-08-11
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : fd92:97c4:4dbd:0:60fa:3cb4:e7c0:df5c(Preferred)
       Link-local IPv6 Address . . . . . : fe80::60fa:3cb4:e7c0:df5c%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.254
       DHCPv6 IAID . . . . . . . . . . . : 419435869
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-9F-35-91-00-15-5D-01-08-11
       DNS Servers . . . . . . . . . . . : 192.168.1.7
                                           192.168.1.9
                                           fd92:97c4:4dbd:0:16ae:dbff:febe:2d30
       NetBIOS over Tcpip. . . . . . . . : Enabled
       Connection-specific DNS Suffix Search List :
                                           mynet

    After starting the RRAS service:

    Windows IP Configuration
    
       Host Name . . . . . . . . . . . . : CONTOSO28
       Primary Dns Suffix  . . . . . . . : contoso.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : Yes
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : contoso.org
                                           mynet
    
    Ethernet adapter Ethernet 9:
    
       Connection-specific DNS Suffix  . : mynet
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter #11
       Physical Address. . . . . . . . . : 00-15-5D-01-08-11
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : fd92:97c4:4dbd:0:60fa:3cb4:e7c0:df5c(Preferred)
       Link-local IPv6 Address . . . . . : fe80::60fa:3cb4:e7c0:df5c%13(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.1.10(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.1.254
       DHCPv6 IAID . . . . . . . . . . . : 419435869
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-9F-35-91-00-15-5D-01-08-11
       DNS Servers . . . . . . . . . . . : 192.168.1.7
                                           192.168.1.9
                                           fd92:97c4:4dbd:0:16ae:dbff:febe:2d30
       NetBIOS over Tcpip. . . . . . . . : Enabled
       Connection-specific DNS Suffix Search List :
                                           mynet

    I should point out that my DHCP server (on DC 192.168.1.9) is only set up for ipv4. Also, I see that the DNS list includes the ipv6 address fd92:97c4:4dbd:0:16ae:dbff:febe:2d30. It is defined in the underlying physical Hyper-V server's "vEthernet (External)" ipv6 definitions. I don't remember ever putting it there.

    TIA for any help,

    mlavie58


    • Edited by mlavie58 Friday, December 14, 2018 9:32 AM
    Friday, December 14, 2018 8:45 AM
  • Hi,

    Thanks for your update.

    Would you please:

    1. Change the virtual switch to make sure that the VPN client can obtain an IP address directly from your DHCP server
    2. Check Event Viewer for details of the error messages on both VPN server and the client

    For your information, you may locate entries on the server side by clicking Custom Views>Server Roles> Remote Access, and on the client side by clicking Windows logs>Application

    Regards,

    Zoe




    Monday, December 17, 2018 8:35 AM
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Zoe



    Wednesday, December 19, 2018 5:27 AM
  • Hi Zoe,

    I have been drowning in work this week. Will try to get back to you soon.

    Regards,

    mslavie

    Wednesday, December 19, 2018 7:12 AM
  • Hi,

    If you have any updates, please feel free to let me know.

    Regards,

    Zoe




    Friday, December 21, 2018 1:41 AM
  • Hi Zoe,

    Thank you for your suggestions.

    I am new to the whole subject of VMs. Could you please explain to me exactly what I should do regarding  "Change the virtual switch to make sure that the VPN client can obtain an IP address directly from your DHCP server"?

    Regards,

    mlavie

    Friday, December 21, 2018 7:57 AM
  • Hi,

    Sorry that I didn't make myself clear. However, based on our recent research, we've ruled out DHCP address allocation.

    Would you please make sure that you have chosen the right adapter to obtain addresses?

    If the issue still persists, please check Event Viewer for details of the error messages.

    Regards,

    Zoe



    Friday, December 21, 2018 9:56 AM
  • Hi Zoe,

    Oddly, in my IPv4 tab, I do not see any option to choose an adapter - the dropdown list is entirely missing.

    Perhaps that is a hint?

    mlavie

    Friday, December 21, 2018 11:20 AM
  • Hi,

    The VPN server should be configured with two network interfaces; one internal and one external.

    Would you please check your network adapters and make sure that they are both enabled?

    Regards,

    Zoe



    Monday, December 24, 2018 2:20 AM
  • Hi Zoe,

    I am going to need some help from you. Basically, I am the CTO / VP R&D of a very small startup and have to handle the IT of our dev environment by myself...

    The entire network is behind a NATing router.
    The host Hyper-V has one physical NIC. It is of course nominally inactive.
    I have 2 vEthernet adapters:

    • "External" - fixed local IP 192.168.1.8 (for our 192.168.1.0/28 LAN)
    • "Internal" - no fixed address assigned, and has an APIPA address of 169.254.50.218 

    The Hyper-V assigns one external adapter to the VPN VM. Thus, when in the VPN VM, only one adapter is defined.

    What exactly do I need to do?

    TIA, and thanks for your patience,
    mlavie


    • Edited by mlavie58 Monday, December 24, 2018 6:41 AM
    Monday, December 24, 2018 6:21 AM
  • Hi,

    The external interface connects to the Internet and the internal interface connects to the intranet. As a result your internal interface should be configured within the same network as the DHCP server.

     

     

    Please refer to the following instruction to configure your vpn server:

    1. Create virtual network (Hyper-V -> Virtual Network Manager -> Type: External Network, Name: LAN -> Connect to the physical adapter connected to the internal LAN

    2. Create virtual network (Hyper-V -> Virtual Network Manager -> Type: External Network, Name: WAN -> Connect to the physical adapter connected to the internet

    3. Create virtual machine (Hyper-V -> New Virtual Machine -> on the step "Configure Networking" Connection: LAN -> complete the wizard with desired configuration

    4. Edit the virtual machine configuration (Hyper-V -> select VPN virtual machine -> Right-click - Settings... -> Add Hardware -> Network Adapter -> Network: WAN. Write down the network connections' MAC addresses.

    5. Start the virtual machine -> Install OS -> Configure IP Addresses and rename the network connections (for better management and config) by noted MAC addresses -> Install Network Access and Protection Role - Select RRAS -> Start RRAS -> Configure -> Custom -> Select VPN Server, eventually NAT => Configure LAN network as a Private Network and WAN as a Public Network

     

    For your reference:

    VPN installation in HyperV

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/f64bae16-2f2c-448a-a879-404ee49c7da9/vpn-installation-in-hyperv?forum=winserverhyperv

    Regards,

    Zoe




    Monday, December 24, 2018 7:27 AM
  • Thanks, Zoe.

    I'm reviewing the instructions now.

    Regards,
    mslavie

    Monday, December 24, 2018 7:32 AM
  • Hi Zoe,

    The instructions you sent (and linked articles) seem to deal with the situation in which the VPN VM is exposed directly to the Internet and therefore must perform NATing. This of course requires 2 adapters - one facing the Internet/WAN and one facing the LAN, with the VPN VM also performing NAT-ing.

    However, my VPN is already behind a NAT-ing modem/router. My modem/router forwards all incoming connections to VPN ports (L2TP and SSTP) to the VPN VM. So all activity - including incoming from the Internet (but already NAT-ed through the modem/router) is on the LAN. In this scenario, I thought I would in theory only need one network adapter. 

    I could define a second adapter for the VPN VM if that would help, although I thought that would be unnecessary. What do you think?

    mlavie



    • Edited by mlavie58 Monday, December 24, 2018 3:28 PM
    Monday, December 24, 2018 8:14 AM
  • Hi,

    I made a diagram of network topology and hope this may help you understand more clearly.

    A VPN server needs two interfaces so the VPN client can connect to another private network.

      

    By your description I suppose you have a network topology like this. If you want the VPN client to communicate with the NATing network you don't need a VPN server because they can already communicate with each other.

      

    Regards,

    Zoe





    Tuesday, December 25, 2018 2:55 AM
  • Hi Zoe,

    Your second diagram is essentially my architecture. I have a diagram, but don't know how to include it in a Forum reply.

    In any case, you are in theory correct - the computer on the WAN could connect to any LAN server if I wanted to allow the traffic through. But I do not want to allow just any traffic through, except through the VPN server, for security reasons. I want to block most ports on the modem/router except UDP ports 500, 1701 and 4500 (L2TP), which should be forwarded to the VPN server. For example, if I want to allow remote users RDP access or SMB browsing (insecure protocols) - I obviously don't want to just open all sorts of ports on my firewall. I want to force the users to connect securely through a VPN.

    Now, if I wanted all communications to go through VPN, I could use the classic architecture that the VPN has one adapter facing the modem/router on the router's LAN (e.g., 192.168.1.0/28), and another facing the internal LAN (e.g., 192.168.2.0/28). However, I do want port 80 and 443 to pass through the modem/router directly to an Exchange server on the LAN.

    Is that clear? Do I still need 2 adapters on the VPN? Since virtual adapters on a VM are free, it wouldn't be a problem to add one. But I both want to understand what is happening, and also use the simplest possible architecture.

    TIA,
    mlavie



    • Edited by mlavie58 Tuesday, December 25, 2018 9:11 AM
    Tuesday, December 25, 2018 9:07 AM
  • UPDATE:

    I gave in and added an additional adapter on the VPN server. Oddly, this only solved the problem if I defined the adapter as getting a dynamic address. It didn't work if I assigned the adapter a fixed address on the LAN.

    I still think a second adapter should have been unnecessary, but I guess if it works - it works.

    Zoe, thank you for your time and help.

    mlavie

    Wednesday, December 26, 2018 6:23 AM
  • Hi,

    I'm glad to hear that your issue is resolved.

    However, we are quite interested in it. Actually we can't reproduce the DHCP issue in our environment, so we wonder if you would help us collect the information below.

    1. What's your VPN Client's IP address now, is it in the internal LAN?
    2. When assigning the fixed IP address, did you also change the adapter in the IPv4 tab, from which the client obtains a DHCP offer?

     

    By the way, we agree that in theory one adapter is enough. We will keep looking into this.

    Regards,

    Zoe



    Wednesday, December 26, 2018 8:39 AM
  • Hi Zoe,

    Here is my setup:

    My modem/router performs firewalling, NAT-ing and forwarding. Its LAN range (and the LAN range of all hosts in the LAN) is 192.168.1.0/28 (the diagram mistakenly shows 192.168.0/28 - sorry).

    My PDC is also the DHCP and DNS server.

    All of the 3 hosts in the diagram are VM guests, hosted by Hyper-V. All hosts are WS2019 with latest updates.

    When the VPN had a single adapter, with a fixed IP address, I had all the problems.

    Adding a second adapter with a fixed IP address didn't work either. I tried manually assigning each of the 2 possible adapters in the ipv4 tab, but it didn't help. Neither did selecting Let RRAS Choose.

    Adding the second adapter only fixed the problem if it was set to dynamic (and not fixed) IP address. 

    The second adapter (once set to dynamic) was given address 192.168.1.30.
    The RRAS internal adapter was assigned 192.168.1.48.
    These are of course valid addresses for my LAN.

    Could I provide any more helpful information?

    Regards,
    mlavie





    • Edited by mlavie58 Wednesday, December 26, 2018 11:52 AM
    Wednesday, December 26, 2018 11:31 AM
  • Hi,

    Many thanks for your information. We'll keep looking into this.

    If we have any updates or any thoughts about this issue, we will keep you posted as soon as possible. Your kind understanding is appreciated. If you have further information during this period, you could post it on the forum, which helps us understand and analyze this issue comprehensively.

    Regards,

    Zoe




    Friday, December 28, 2018 6:44 AM
  • I am following this issue.  There is another thread on this issue which has had nobody from Microsoft chime in.

    https://social.technet.microsoft.com/Forums/exchange/en-US/0270d377-be3a-4b63-82a0-9df076c5e3b3/upgrade-from-2016-to-2019-breaks-dhcp-relay-agent-when-using-rras?forum=ws2019

    Hopefully this issue can be confirmed and a fix be released.

    • Edited by bmasephol Monday, January 7, 2019 9:46 PM Adding Link
    Monday, January 7, 2019 9:44 PM
  • Hi Zoe,

    Do you have any news? This issue has become important again, because I have RRAS running on the same box as Exchange Server.

    Having to define a second NIC as a workaround for this is a problem:

    It turns out that Exchange Server often becomes quite unhappy when there are 2 NICs on the Windows Server. For whatever reason, it messes up the way Exchange Server performs DNS lookups.

    FYI,

    mlavie

    Tuesday, January 8, 2019 7:02 PM
  • Hi,

    We're trying to involve someone familiar with this topic to further look at this issue.  Appreciate your patience.

    Thank you for your understanding and support.

    Regards,

    Zoe



    Wednesday, January 9, 2019 7:25 AM
  • Hi,

     

    Would you mind following the instructions below for troubleshooting? It would be helpful for us to identify the problem if you could upload the screenshot.

     

    1. Please download Microsoft Network Monitor 3.4 From https://www.microsoft.com/en-us/download/details.aspx?id=4865 on the server side
    2. Click New Capture
    3. Click Start and try to connect to the VPN server on the client side
    4. Click Stop when the connection fails
    5. Enter DHCP in the filter and click Apply
    6. Please take a screenshot of the output and provide us with the IP address of your VPN server and PDC

     

    Thanks for your cooperation

     

    Regards,

    Zoe

     



    Wednesday, January 9, 2019 9:48 AM
  • Thanks Zoe.

    I'll try to do this by the end of today, if I can.

    BTW - I have no problem with giving Microsoft employees RDP into my server.

    Lavie

    Wednesday, January 9, 2019 12:50 PM
  • Hi,

    I'm sorry to say that based on the forum policy and for your security, we don't recommend you do that.

    However, you may contact Microsoft Customer Services and Support if you would like a more efficient solution:

    http://support.microsoft.com/contactus/?ln=en-au

    Regards,

    Zoe

     



    Friday, January 11, 2019 3:11 AM
  • Have there been any updates on this from Microsoft's side?  It seems very straightforward to set up and create the issue.
    Friday, February 8, 2019 7:01 PM
  • Any news on this one?  RRAS works fine if I assign a static address pool or add a second network card with dynamic IP, but won't with a static IP and one network card.
    Monday, March 11, 2019 4:57 PM
  • Any news on this one?  RRAS works fine if I assign a static address pool or add a second network card with dynamic IP, but won't with a static IP and one network card.
    the same. Windows server 2019 (1809)
    Thursday, April 11, 2019 2:24 PM
  • I'm having the same issue as originally posted. RRAS not picking up a block of DHCP addresses. This is with Server 2019, 1809. I also have an RRAS on Windows Server 2012 which works perfectly. Both servers are identically configured in RRAS snapin. I'm using a static pool as a work-around, but this looks like a problem on Microsoft's side.
    Thursday, April 18, 2019 12:33 AM
  • The same here, also Windows Server 2019 (1809).
    Friday, May 17, 2019 11:18 AM
  • Hello all. I faced the same problem on a freshly installed, licensed Windows Server 2019 (1809). Moreover, the issue reproduces both on a VMware virtual machine and on a physical server.
    After several days of experiments, I did manage to establish a VPN (PPTP) through DHCP on a system with a single network adapter. The solution is the following: in the adapter's IPv4 network settings, set automatic assignment of IP addresses and DNS (it's okay that the network is not recognized), then set the static addressing back (IP, gateway, mask, DNS), and then restart RRAS. The connection should then be established successfully. But it is not all good news: after the server is restarted, access disappears again. Apparently the problem is that the internal RRAS network adapter cannot give the clients the correct addressing, since it itself receives an APIPA address, 169.254... And reassigning the settings of the system's network adapter somehow temporarily solves this problem. It looks like this really is a bug that they have been fixing for half a year. On 2008/2012 and 2016 servers, VPN through DHCP works without problems. I apologize for my English; I am writing from Russia. I hope I explained it clearly.
    Wednesday, May 29, 2019 1:41 PM
  • We logged a case with Microsoft for it.

    They confirmed it being an issue and are working on a permanent solution, and provided us a workaround for the time being:

    1-Add this registry key:

    reg add "HKLM\SYSTEM\CurrentControlSet\Services\Dhcp" /v RequiredPrivileges /d "SeChangeNotifyPrivilege"\0"SeCreateGlobalPrivilege"\0"SeImpersonatePrivilege"\0 /t REG_MULTI_SZ /f

    2-Restart the DHCP client service:

    $dhcpPID = $( tasklist /svc /fo CSV | findstr Dhcp).split(",")[1].replace('"','')
    stop-process $dhcpPID -force
    Start-Service Dhcp

    3-Restart the Remote Connection Service.

    If you want, you can skip step 2 & 3 and just reboot the RRAS server after step 1.

    Confirmed on 2 servers.


    • Edited by Danny.V Wednesday, June 19, 2019 7:02 AM
    • Proposed as answer by Danny.V Wednesday, June 19, 2019 11:08 AM
    Wednesday, June 19, 2019 7:01 AM
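
The workaround above overwrites the privilege list the DHCP client service runs with, so it is worth recording the existing value and confirming the result. The following PowerShell is an added example, not code from the thread or from Microsoft: it writes the same three privileges as the posted `reg add` command, exports the service key first so the change can be reverted, and reads the value back. The backup path and the function names are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): audit, back up, apply and verify the
# RequiredPrivileges value used by the workaround for the Dhcp client service.

$svcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dhcp'
$valName = 'RequiredPrivileges'
# Privilege list exactly as given in the posted reg add command.
$wanted  = @('SeChangeNotifyPrivilege', 'SeCreateGlobalPrivilege', 'SeImpersonatePrivilege')
# Assumption: backup location chosen for this example; change to suit.
$backup  = Join-Path $env:TEMP ('Dhcp-service-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

function Get-DhcpRequiredPrivileges {
    # Returns the current REG_MULTI_SZ entries, or nothing if the value is absent.
    $item = Get-ItemProperty -Path $svcKey -Name $valName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }
    return @($item.$valName | Where-Object { $_ })
}

function Test-PrivilegesMatch {
    # Order-insensitive comparison of two privilege lists.
    param([string[]]$Current, [string[]]$Expected)
    if ($Current.Count -ne $Expected.Count) { return $false }
    return -not (Compare-Object -ReferenceObject $Expected -DifferenceObject $Current)
}

$current = @(Get-DhcpRequiredPrivileges)
$shown   = if ($current.Count) { $current -join ', ' } else { '<not set>' }
Write-Host "Current ${valName}: $shown"

if (Test-PrivilegesMatch -Current $current -Expected $wanted) {
    Write-Host 'Value already matches the workaround; nothing to change.'
    return
}

# Export the whole service key first; revert later with: reg import <file>
& reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\Dhcp' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'Backup failed; registry not modified.' }
Write-Host "Backup written to $backup"

Set-ItemProperty -Path $svcKey -Name $valName -Type MultiString -Value $wanted

# Read the value back rather than trusting the write.
$after = @(Get-DhcpRequiredPrivileges)
if (-not (Test-PrivilegesMatch -Current $after -Expected $wanted)) {
    throw "Verification failed: value reads back as '$($after -join ', ')'."
}
Write-Host 'Updated. Reboot, or restart the services as in steps 2 and 3 of the post.'

# Show the privileges as the Service Control Manager reports them.
& sc.exe qprivs Dhcp
```

Keep the exported .reg file with the change record for the server, so the original privilege list can be restored once a permanent fix is installed.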
  • This registry key seemed to fix my DHCP issue as well on 2019.

    Thanks for posting.

    Wednesday, November 20, 2019 9:36 PM
  • I had been experiencing this issue as well.  What I ended up doing was removing the default hyper-v nic and adding a legacy nic in the hyper-v settings for the virtual VPN server.  I was able to set it to static and the clients can get DHCP addresses from the DHCP servers through the VPN server now.  I did nothing special on the legacy nic settings inside the VM, all I did was set a static IP on it.

    EDIT: A little time and testing and this solution did not work out well.  I started to have weird issues with the legacy nic where it would just stop working.  I tested with two nic work-around, one set to static and one to DHCP and that works, but in the end I went with the solution above to add the reg entries.



    • Edited by MnM Show Thursday, March 19, 2020 5:07 PM
    Wednesday, March 18, 2020 8:23 PM