NAP/RRAS routing table irregularities

  • Question

  • I have an RRAS implementation comprising 4 servers: a non-domain-joined W2k8r2 box connected to the internet and the LAN acting as the RAS and DHCP server, a W2k8r2 domain controller handling user auth via RADIUS, and a second pair acting as the backup connection point. I've seen the same irregularities on both edge servers and I need some help diagnosing the issue. The RRAS servers are configured with static routes to all of the internal subnets and a default route to the firewall and out to the internet. Occasionally on both edge servers I see a route to a specific host on our network which points back to a client IP. For reference, the external IP is 192.168.12.9, the default router (firewall) is 192.168.12.1 and the internal interface is 172.16.51.90 on a subnet in which the default router is 172.16.51.65 (see persistent routes). When this happens, other remote clients are unable to route to the internal IP in question. Here is the routing table in a corrupted state with the problem route displayed (192.168.12.60 is the client IP):

    IPv4 Route Table
    ===========================================================================
    Active Routes:
    Network Destination        Netmask          Gateway       Interface  Metric
              0.0.0.0          0.0.0.0     192.168.12.1     192.168.12.9     11
              0.0.0.0          0.0.0.0    192.168.12.57    192.168.12.55     12
    ...
        172.16.51.101  255.255.255.255    192.168.12.60    192.168.12.55     12

    ...

    ===========================================================================
    Persistent Routes:
      Network Address          Netmask  Gateway Address  Metric
           172.16.0.0      255.255.0.0     172.16.51.65       3
          192.168.0.0      255.255.0.0     172.16.51.65       3

    When this occurs, other remotely connected clients are unable to route to the internal host in question, despite the metric on the bad route being lower than the persistent routes. So my questions are:

    - what might be causing this issue?

    - how/why can a connected client modify the route table on the RRAS server?

    Thanks,

    Rob


    • Edited by sullivro Wednesday, August 1, 2012 4:27 PM
    Wednesday, August 1, 2012 4:26 PM

Answers

  • Hi sullivro,

    Thanks for posting here.

    >172.16.51.101  255.255.255.255    192.168.12.60    192.168.12.55     12

    If this RRAS server also provides VPN service, then this is expected because it will add a routing entry for the incoming VPN session, so I suspect the address 172.16.51.101 is the address of one of the remote VPN clients from the internet.

    > When this happens other remote clients are unable to route to the internal IP in question.

    Yes, this is also expected. If the internal subnets are not subnet 172.16.51.0/24, then we need to adjust the routing entries on the remote VPN client or force the client to use the PPP interface on RRAS as the default gateway and let the RRAS/VPN server forward the traffic for clients to the internal subnets:

    Cannot reach beyond the RRAS server from VPN clients?

    http://blogs.technet.com/b/rrasblog/archive/2006/02/09/419100.aspx

    Split Tunneling for Concurrent Access to the Internet and an Intranet

    http://technet.microsoft.com/en-us/library/bb878117.aspx

    Thanks.

    Tiger Li

    TechNet Community Support

    Monday, August 6, 2012 7:30 AM
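An added example, not part of the thread: a small Python check that parses the `route print` output quoted above and flags the symptom Rob describes, a /32 route to an internal host whose next hop is an address from the VPN client pool. The sample table is constructed from the values in the question, the client pool 192.168.12.0/24 is an assumption based on the stated client IP range, and the internal subnets are the ones in the Persistent Routes section.

```python
import re
import ipaddress

# Constructed sample: the "route print" output from the question, abbreviated.
# The On-link /32 for 192.168.12.60 is the normal per-client route RRAS installs.
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.12.1     192.168.12.9     11
          0.0.0.0          0.0.0.0    192.168.12.57    192.168.12.55     12
    172.16.51.101  255.255.255.255    192.168.12.60    192.168.12.55     12
    192.168.12.60  255.255.255.255          On-link    192.168.12.55    267
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       172.16.0.0      255.255.0.0     172.16.51.65       3
      192.168.0.0      255.255.0.0     172.16.51.65       3
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+(\S+)\s+{IPV4}\s+(\d+)\s*$")

def parse_active_routes(text):
    """Return (network, gateway, interface, metric) tuples from the Active Routes section only."""
    routes = []
    for line in text.split("Persistent Routes:")[0].splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            routes.append((net, gw, iface, int(metric)))
    return routes

def find_hijacking_host_routes(text, client_pool, internal_subnets):
    """Flag /32 routes to an internal host whose next hop is a VPN client address.

    Longest-prefix match means such a route beats the /16 persistent routes no
    matter what its metric is, so traffic for that host is sent to the client."""
    pool = ipaddress.IPv4Network(client_pool)  # assumed VPN client pool
    internal = [ipaddress.IPv4Network(s) for s in internal_subnets]
    flagged = []
    for net, gw, iface, metric in parse_active_routes(text):
        if net.prefixlen != 32 or gw == "On-link":
            continue  # not a host route, or the client's own directly connected route
        if ipaddress.IPv4Address(gw) in pool and any(net.subnet_of(s) for s in internal):
            flagged.append((str(net.network_address), gw, metric))
    return flagged
```

Run periodically against `route print` on the RRAS server, a non-empty result is the moment to capture which client session installed the route.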

All replies

  • Tiger,

    Thanks for the response. 172.16.51.101 is the address of the internal device to which the phantom route is appearing. The client DHCP range is 182.168.12.x and the client IP is 192.168.12.60. 192.168.12.55 is the first address in the range being pulled from the DHCP server to the RRAS (vpn) server.

    To clarify, the internal subnets are those listed in the Persistent Routes section - 192.168.x.x and 172.16.x.x, which are pointed to the router on the LAN to which the internal interface is connected - 172.16.51.65.

    Thanks,

    Rob

    Thursday, August 9, 2012 8:27 PM