SBS2011 RRAS routing table misconfiguration upon client connection


  • We have a client with an SBS2011 server (recently migrated from SBS2003). Server is hosted in an ESXi environment with a single NIC adapter.

    They have the need for PPTP RRAS users to connect in to conduct various business.

    The RRAS has been set up in the most vanilla configuration (LAN Routing Only for PPTP connections). NPS policy has been configured accordingly also. The strange behavior begins when the VPN client makes the connection to the server. The communication between the VPN client and the server is fine, however every other computer in the business loses connectivity to the server on the local LAN. Disconnecting the VPN client immediately solves the problem for the internal LAN users.

    Inspection of the routing table on the server, both before and after shows a few anomalies which we have another post open (trying to resolve). One being that network metrics are not correct. However it seems that when the client connects, the server somehow fools itself into thinking the client is the server's default route and thus all traffic fails to terminate at the server as expected.

    My assumption would be that it has something to do with the metrics being wrong. The RRAS route that is created is always lower than any metric on any interface. All interfaces are 1Gbit so my assumption would be that interface metrics should be more like 10-50 when set to automatic.

    What I suppose I'm asking is "How is RRAS causing the routing table to change in such a strange way when a client connects?" and is there a way to make it behave the way we have come to expect in any other RRAS scenario.

    Thanks in advance for your help. Very much appreciated.

    Monday, March 05, 2012 2:05 AM


All replies

  • There having been a _very similar_ thread just recently it is _most likely_ that the attempt to manually provide such service, rather than use the SBS 'Allow VPN' wiz, is the reason.

    Have a look at that recent thread.

    • Marked as answer by Jonas Nimmo Tuesday, March 06, 2012 4:02 AM
    Monday, March 05, 2012 2:55 AM
  • That was it (kind of). We ran the SBS Console "fix my network" wizard in the Network Section which I would not normally do in a production environment. It found nothing that I would find as relative to the issue - IPv6 static address assignment, DNS listen only to primary NIC, NPS security policy creation (even though it already existed), cannot access router and smarthost fix. I only applied the fix to the IPv6, DNS and NPS policy. Ran the SBS VPN wizard to turn it off then again to turn it on. That seemed to fix it. Changes which, although shrouded in smoke and mirrors, seemed to have alleviated the underlying problem. It also seemed to fix the metrics on the NICs and thus sorted the routing table issues.
    Tuesday, March 06, 2012 4:02 AM
  • As I explain in the referenced thread, the SBS wizards do a lot of work that is not apparent to most. They have though been specifically designed to obviate the need to manually inspect or set up common functions.

    Get used to using the wizards. Those who don't more commonly break SBS.

    Tuesday, March 06, 2012 6:40 AM
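
One way to make the before/after routing-table inspection from the original question repeatable, as an added example that is not part of the thread: it diffs two saved `route print -4` outputs and flags new default routes and routes whose metric is lower than every earlier one. The function names and both sample snapshots are constructed for illustration.

```powershell
# Added example: parse the five-column "Active Routes" rows of `route print -4`.
function Get-RouteRow {
    param([string[]]$Lines)
    $ip = '\d+(?:\.\d+){3}'
    $pattern = "^\s*($ip)\s+($ip)\s+(\S+)\s+($ip)\s+(\d+)\s*$"
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Destination = $Matches[1]; Netmask = $Matches[2]; Gateway = $Matches[3]
                Interface   = $Matches[4]; Metric  = [int]$Matches[5]
            }
        }
    }
}

# Return routes present only in the second snapshot, flagging new default routes
# and routes whose metric undercuts every route in the first snapshot.
function Compare-RouteSnapshot {
    param([string[]]$Before, [string[]]$After)
    $key = { param($r) '{0}/{1} {2} {3}' -f $r.Destination, $r.Netmask, $r.Gateway, $r.Interface }
    $old = @(Get-RouteRow $Before)
    $oldKeys = @($old | ForEach-Object { & $key $_ })
    $floor = ($old | Measure-Object -Property Metric -Minimum).Minimum
    foreach ($r in @(Get-RouteRow $After)) {
        if ($oldKeys -notcontains (& $key $r)) {
            $isDefault = ($r.Destination -eq '0.0.0.0') -and ($r.Netmask -eq '0.0.0.0')
            $r | Add-Member -MemberType NoteProperty -Name NewDefaultRoute -Value $isDefault
            $r | Add-Member -MemberType NoteProperty -Name BelowPriorMetrics -Value ($r.Metric -lt $floor)
            $r
        }
    }
}

# Constructed sample snapshots (not captured from the server in this thread).
$before = @'
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10    266
      192.168.1.0    255.255.255.0         On-link     192.168.1.10    266
'@ -split "\r?\n"
$after = @'
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.10    266
          0.0.0.0          0.0.0.0         On-link    192.168.1.200     21
      192.168.1.0    255.255.255.0         On-link     192.168.1.10    266
    192.168.1.201  255.255.255.255    192.168.1.201    192.168.1.200     21
'@ -split "\r?\n"

Compare-RouteSnapshot $before $after |
    Format-Table Destination, Netmask, Gateway, Interface, Metric, NewDefaultRoute, BelowPriorMetrics -AutoSize
```

On a live server, replace the two here-strings with `route print -4` output saved to files before and after the VPN client connects, read back with `Get-Content`.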