NAP/RRAS routing table irregularities

Question
I have an RRAS implementation comprising 4 servers: a non-domain-joined W2k8r2 box connected to the internet and the LAN acting as the RAS and DHCP server, a W2k8r2 domain controller handling user auth via RADIUS, and a second pair acting as the backup connection point. I've seen the same irregularities on both edge servers and I need some help diagnosing the issue. The RRAS servers are configured with static routes to all of the internal subnets and a default route to the firewall and out to the internet. Occasionally on both edge servers I see a route to a specific host on our network which points back to a client IP. For reference, the external IP is 192.168.12.9, the default router (firewall) is 192.168.12.1, and the internal interface is 172.16.51.90 on a subnet in which the default router is 172.16.51.65 (see persistent routes). When this happens other remote clients are unable to route to the internal IP in question. Here is the routing table in a corrupted state with the problem route displayed (192.168.12.60 is the client IP):
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.12.1    192.168.12.9      11
          0.0.0.0          0.0.0.0    192.168.12.57   192.168.12.55      12
...
    172.16.51.101  255.255.255.255    192.168.12.60   192.168.12.55      12
...
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       172.16.0.0      255.255.0.0     172.16.51.65       3
      192.168.0.0      255.255.0.0     172.16.51.65       3

When this occurs other remotely connected clients are unable to route to the internal host in question, despite the metric on the bad route being lower than that of the persistent routes. So my questions are:
- what might be causing this issue?
- how/why can a connected client modify the route table on the RRAS server?
Thanks,
Rob
Edited by sullivro, Wednesday, August 1, 2012 4:27 PM
Wednesday, August 1, 2012 4:26 PM
Answers
Hi sullivro,
Thanks for posting here.
>172.16.51.101 255.255.255.255 192.168.12.60 192.168.12.55 12
If this RRAS server also provides VPN service then this is expected, because it will add a routing entry for each incoming VPN session, so I suspect the address 172.16.51.101 is the address of one of the remote VPN clients from the internet.
> When this happens other remote clients are unable to route to the internal IP in question.
Yes, this is also expected. If the internal subnets are not subnet 172.16.51.0/24 then we need to adjust the routing entries on the remote VPN client, or force the client to use the PPP interface on RRAS as the default gateway and let the RRAS/VPN server forward the clients' traffic to the internal subnets:
Cannot reach beyond the RRAS server from VPN clients?
http://blogs.technet.com/b/rrasblog/archive/2006/02/09/419100.aspx
Split Tunneling for Concurrent Access to the Internet and an Intranet
http://technet.microsoft.com/en-us/library/bb878117.aspx
Thanks.
Tiger Li
TechNet Community Support
Marked as answer by Tiger Li (Microsoft employee), Wednesday, August 8, 2012 2:24 AM
Monday, August 6, 2012 7:30 AM
All replies
Tiger,
Thanks for the response. 172.16.51.101 is the address of the internal device to which the phantom route is appearing. The client DHCP range is 182.168.12.x and the client IP is 192.168.12.60. 192.168.12.55 is the first address in the range being pulled from the DHCP server to the RRAS (VPN) server.
To clarify, the internal subnets are those listed in the Persistent Routes section - 192.168.x.x and 172.16.x.x, which are pointed to the router on the LAN to which the internal interface is connected - 172.16.51.65.
Thanks,
Rob
Thursday, August 9, 2012 8:27 PM
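As an added example (not code from this thread, from Rob, or from Microsoft), the check below parses a `route print` dump in the format Rob posted and separates the two kinds of /32 entries the thread discusses: the per-session host route RRAS installs for each connected client, which Tiger Li describes, and the entry Rob is actually seeing, a host route for an internal address whose gateway is a VPN client. It also shows why the metric does not help: Windows selects by longest matching prefix first and only uses the metric to break ties between equal prefixes, so a /32 entry wins over the persistent /16 routes whatever its metric. The sample table is constructed from the one in the question; the two /16 rows standing in for the elided "..." rows, their active-table metric of 4, the On-link row for 192.168.12.60, and the client pool range 192.168.12.55 to 192.168.12.254 are assumptions.

```python
"""Classify /32 host routes from a Windows `route print` dump.

Added example for this thread (not the poster's or Microsoft's code).
It separates the per-session host routes RRAS installs for connected
VPN clients (destination is a client address) from host routes whose
destination is an internal host but whose gateway is a VPN client
address, and shows that the latter beats the persistent /16 routes
because prefix length is compared before metric.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample adapted from the question's route table. The two
# 255.255.0.0 rows in Active Routes stand in for the rows the question
# elides with "..." and their metric (4) is an assumption; the On-link
# 192.168.12.60 row is the per-client route RRAS adds for a connected
# client, also an assumption.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.12.1    192.168.12.9     11
          0.0.0.0          0.0.0.0    192.168.12.57   192.168.12.55     12
       172.16.0.0      255.255.0.0     172.16.51.65    172.16.51.90      4
      192.168.0.0      255.255.0.0     172.16.51.65    172.16.51.90      4
    192.168.12.60  255.255.255.255          On-link   192.168.12.55    276
    172.16.51.101  255.255.255.255    192.168.12.60   192.168.12.55     12
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       172.16.0.0      255.255.0.0     172.16.51.65       3
      192.168.0.0      255.255.0.0     172.16.51.65       3
"""

# Assumed VPN client pool: the question says clients get 192.168.12.x
# addresses starting at 192.168.12.55; the upper bound is a guess.
CLIENT_POOL = (ipaddress.IPv4Address("192.168.12.55"),
               ipaddress.IPv4Address("192.168.12.254"))

ACTIVE_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
PERSISTENT_ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    gateway: str        # dotted quad, or "On-link" for directly attached
    interface: str
    metric: int


def _section(text, start, stop=None):
    """Yield the lines after the `start` header and before the `stop` header."""
    active = False
    for line in text.splitlines():
        if line.startswith(start):
            active = True
            continue
        if stop and line.startswith(stop):
            break
        if active:
            yield line


def parse_active_routes(text):
    routes = []
    for line in _section(text, "Active Routes:", "Persistent Routes:"):
        m = ACTIVE_ROW.match(line)
        if not m:
            continue                      # column header, rulers, blanks
        dest, mask, gw, iface, metric = m.groups()
        routes.append(Route(ipaddress.IPv4Network((dest, mask), strict=False),
                            gw, iface, int(metric)))
    return routes


def parse_persistent_routes(text):
    nets = []
    for line in _section(text, "Persistent Routes:"):
        m = PERSISTENT_ROW.match(line)
        if m:
            dest, mask, _gw, _metric = m.groups()
            nets.append(ipaddress.IPv4Network((dest, mask), strict=False))
    return nets


def in_pool(addr):
    return CLIENT_POOL[0] <= ipaddress.IPv4Address(addr) <= CLIENT_POOL[1]


def classify_host_routes(routes, internal_nets):
    """Split the /32 entries into the two kinds this thread is about.

    expected: destination is a VPN client address, i.e. the route RRAS
              installs for each connected session.
    suspect:  destination is an internal host but the gateway is a VPN
              client address, so every other remote client's traffic to
              that host is sent down one client's tunnel, not to the LAN.
    """
    expected, suspect = [], []
    for r in routes:
        if r.destination.prefixlen != 32:
            continue
        host = r.destination.network_address
        if in_pool(host):
            expected.append(r)
        elif (r.gateway != "On-link" and in_pool(r.gateway)
              and any(host in n for n in internal_nets)):
            suspect.append(r)
    return expected, suspect


def lookup(routes, addr):
    """Windows-style selection: longest prefix wins; metric only breaks ties."""
    addr = ipaddress.IPv4Address(addr)
    candidates = [r for r in routes if addr in r.destination]
    return max(candidates, key=lambda r: (r.destination.prefixlen, -r.metric))


if __name__ == "__main__":
    active = parse_active_routes(SAMPLE_ROUTE_PRINT)
    internal = parse_persistent_routes(SAMPLE_ROUTE_PRINT)
    expected, suspect = classify_host_routes(active, internal)
    for r in expected:
        print(f"per-session route: {r.destination} via {r.gateway}")
    for r in suspect:
        best = lookup(active, r.destination.network_address)
        print(f"SUSPECT: {r.destination} via {r.gateway} metric {r.metric} "
              f"shadows the /16 route (selected: {best.destination}, "
              f"metric {best.metric})")
```

Run it against the saved output of `route print -4` from the RRAS box while the problem is present; any entry it reports as SUSPECT is the one to correlate with the connected session that owns the gateway address, since the metric columns will never explain why the /16 route lost.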