RRAS VPN (SSTP) in Azure - cannot ping other VMs in subnet

    Question

  • Hi there,

    I'm trying to set up RRAS on a Windows Server 2012 R2 server in Azure to support inbound VPN connections from internet machines using SSTP.

    I've set up the RRAS service, and am able to successfully VPN into the host from a guest machine, and can establish connectivity to the RRAS server using ICMP etc. However, I cannot connect to any other VMs in the same subnet as the RRAS server... no matter what I do. My connection is just limited to the RRAS machine.

    My environment is as follows:

    RRAS server - single interface.

    • IP address of 10.50.0.12
    • Configured as a VPN service (SSTP with public wildcard certificate)
    • RRAS configured with a static address pool of 172.16.10.10 - 172.16.10.254 

    I have configured a static route on another server in the tenant (10.50.0.11) that points all traffic for the static address pool via the RRAS server (route add 172.16.10.0 mask 255.255.255.0 10.50.0.12 -p).

    I can successfully connect from my client machine, establish a connection and ping the RRAS server on 10.50.0.12.

    However, I cannot ping anything else, including the secondary VM that I put the static route on (10.50.0.11). I've tried disabling the Windows firewall on all machines... no difference.

    Can anyone point me in the right direction as to what might be wrong?

    Regards, James


    James Frost

    Saturday, February 13, 2016 12:29 AM

Answers

  • Hi James Frost,

    >Are two NICs a mandatory requirement to support RRAS VPN connections? 

    No, it's not a mandatory requirement, but we generally do that.

    As for your situation, where the RRAS server can access the private network, we may check whether configuring NAT and setting the NIC as the public interface would work.

    After configuring NAT and setting the NIC on the RRAS server as the public interface, when a packet passes through that interface, the IP address of the host will be replaced by that interface's IP address (10.50.0.12).

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, February 15, 2016 2:41 AM
    Moderator
  • Hi -

    Are two NICs a mandatory requirement to support RRAS VPN connections?

    There are no additional routes required from the RRAS to the other internal machines; they are on the same subnet (10.50.0.x), and the RRAS server can quite happily connect to all other machines on that subnet... it's just the VPN client that's unable to do so, and is restricted to connectivity to the RRAS itself.

    Has anyone else deployed an RRAS SSTP VPN using a single NIC? If it's not supported that's fine, I'm just looking for confirmation - and I wasn't prompted with any errors during the setup of the configuration.

    Regards, James


    James Frost


    You do not need two NICs for that. You only need two NICs to use the routing option, not remote access. The remote access client connects to the internal interface of RRAS, not to a NIC.

    You should be able to connect to any machine on the LAN if the remotes are in the same IP subnet as the LAN machines. The RRAS server does proxy ARP on the LAN for the remotes.

    https://technet.microsoft.com/en-us/library/cc958008.aspx?f=255&MSPPError=-2147217396

    Perhaps it is a name resolution problem. Can you connect by IP address?


    Bill

    Monday, February 29, 2016 9:52 PM

All replies

  • Hi James,

    >RRAS server - single interface.

    According to your description, the client could connect to and ping the RRAS server; however, it couldn't access the internal network.

    In order to access the internal network, we need to ensure that the client can connect to the RRAS server, and that the RRAS server can access the internal network.

    I notice that the RRAS server only has one NIC, so it seems the RRAS server itself couldn't access the internal network. Generally, an RRAS server has two NICs: one for outside clients, and another used to communicate with the internal network. Also, ensure that the route on the RRAS server is correct, so that it can route traffic to the correct host.

    Best Regards,

    Anne



    Saturday, February 13, 2016 3:51 AM
    Moderator
  • Hi -

    Are two NICs a mandatory requirement to support RRAS VPN connections?

    There are no additional routes required from the RRAS to the other internal machines; they are on the same subnet (10.50.0.x), and the RRAS server can quite happily connect to all other machines on that subnet... it's just the VPN client that's unable to do so, and is restricted to connectivity to the RRAS itself.

    Has anyone else deployed an RRAS SSTP VPN using a single NIC? If it's not supported that's fine, I'm just looking for confirmation - and I wasn't prompted with any errors during the setup of the configuration.

    Regards, James


    James Frost


    Saturday, February 13, 2016 8:03 AM
  • Hi James Frost,

    Have you got any progress with your issue?

    Best Regards,

    Anne



    Monday, February 29, 2016 7:36 AM
    Moderator
  • I am having the exact same issue. Did you find a fix?


    Thursday, April 21, 2016 9:30 PM
  • I was having the same issue. For reference, my setup was an Azure VM running Windows Server 2016 Technical Preview 5 running RRAS. It does not have a public IP address; instead, port 443 is forwarded via a Public Load Balancer Inbound NAT rule. The VM has one NIC and is on subnet 10.0.2.0/24.

    Add both the DirectAccess and Routing roles to the VM:

    When configuring the RRAS select:

    Make sure the properties for the RRAS server are setup as:

    And make sure that the RRAS is using a static IP address pool (in my case 192.168.150.1 - 192.168.150.255):

    Then in the RRAS console, expand the IPv4 section, right-click on General and select New Routing Protocol. Select NAT and click OK.

    Then right-click on NAT and select New Interface, select Ethernet and click OK.

    Configure it with these settings:

    This should allow remote clients to VPN into the RRAS server in Azure and then access the internal Azure network (10.0.2.0/24).

    Saturday, August 27, 2016 2:22 AM
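    A scripted equivalent of the single-NIC RRAS + NAT setup described in the reply above, added here as an example and not taken from the thread. The reply's screenshots are not on the page, so the NAT interface settings are assumed to be "public interface connected to the Internet" with NAT enabled (netsh mode=full); the NIC name "Ethernet", the 192.168.150.1-192.168.150.255 pool and the 10.0.2.0/24 subnet are the values the reply gives.

    ```powershell
    # Added example (not code from the thread): single-NIC RRAS VPN server in Azure
    # with NAT on the LAN-facing NIC. Run in an elevated PowerShell session on the
    # RRAS server. Assumed values (from Stebaron's reply; adjust to your environment):
    $Nic       = "Ethernet"          # connection name of the VM's only NIC
    $PoolStart = "192.168.150.1"     # static address pool handed to VPN clients
    $PoolEnd   = "192.168.150.255"
    $LanSubnet = "10.0.2.0/24"       # Azure subnet the other VMs live in

    # 1. Install the DirectAccess/VPN and Routing role services.
    Install-WindowsFeature -Name DirectAccess-VPN, Routing -IncludeManagementTools

    # 2. Configure RRAS as a remote-access VPN server with a static address pool.
    #    The SSTP certificate binding (the public wildcard certificate in the
    #    question) is still done in the RRAS console properties.
    Install-RemoteAccess -VpnType Vpn -IPAddressRange $PoolStart, $PoolEnd

    # 3. Enable the NAT routing protocol and add the single NIC as a full NAT
    #    (public) interface. Client traffic then leaves the server with the NIC's
    #    own 10.0.2.x address, so the other VMs need no route back to the pool.
    netsh routing ip nat install
    netsh routing ip nat add interface $Nic mode=full

    # 4. Verify the server side: VPN service state and the NAT interface.
    Get-RemoteAccess | Select-Object VpnStatus
    netsh routing ip nat show interface

    # 5. Exposure check: SSTP should be the only thing the load balancer forwards,
    #    so confirm what is actually listening on 443 before opening the NAT rule.
    Get-NetTCPConnection -LocalPort 443 -State Listen |
        Select-Object LocalAddress, LocalPort, OwningProcess

    # 6. From a connected VPN client, test reachability by IP (Bill's suggestion
    #    above rules out name resolution), e.g. Test-NetConnection 10.0.2.4 -Port 3389
    Write-Host "NAT configured on $Nic; test a host in $LanSubnet from a VPN client."
    ```

    NAT avoids the return-route problem from the question, where the other VMs had to route 172.16.10.0/24 back through the RRAS host; if you instead keep routed (non-NAT) access, note that Azure also requires IP forwarding to be enabled on the RRAS VM's NIC before the fabric will deliver packets to it that are not addressed to its own IP.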
  • >I was having the same issue. For reference, my setup was an Azure VM running Windows Server 2016 Technical Preview 5 running RRAS. It does not have a public IP address; instead, port 443 is forwarded via a Public Load Balancer Inbound NAT rule. The VM has one NIC and is on subnet 10.0.2.0/24.

    Thank you so much for this! Just what I needed; it immediately fixed my problem with the RRAS VPN server in Azure.

    Wednesday, November 15, 2017 4:40 AM
  • I L Man :). Thank you.
    Thursday, July 12, 2018 4:57 AM