RRAS (site-to-site VPN with TMG) denying some packets

  • Question

  • Hi,

    We use TMG in both of our sites, with the S2S VPN feature which is actually backed by RRAS. This works OK 99% of the time.

    Every now and again though, specific packets get blocked from a specific client and the only way to fix it so far is to disconnect and reconnect the VPN (either from TMG or directly from RRAS).

    In the specific case today, email connectivity (we only have Exchange in our primary site) is fine, access to corporate intranet (also only in the primary site) is fine too. But access to a SQL database (via local ODBC) fails.

    This has been bugging me for months now and I want it solved! I've even disabled all intrusion features of TMG in case it was that and it still happens.

    Thanks!

    Tuesday, 10 September 2019 15:24

All replies

  • Hi,

    Thanks for your question.

    I'm wondering about the details of this situation: "email connectivity (we only have Exchange in our primary site) is fine, access to corporate intranet (also only in the primary site) is fine too. But access to a SQL database (via local ODBC) fails."

    Do you mean the clients connect their email from the remote site to the Exchange server via VPN, and it works fine? And the clients can access the corporate net of the primary site? But it does not work from the clients of the remote site to the SQL database?

    Do you have a monitoring tool, Network Monitor or Wireshark, to capture the packets for deep troubleshooting?

    We can refer to the following articles, which demonstrate how to capture network traffic:

    https://blogs.msdn.microsoft.com/dswl/2010/01/05/how-to-capture-network-traffic-with-microsoft-network-monitor/

    https://www.howtogeek.com/104278/how-to-use-wireshark-to-capture-filter-and-inspect-packets/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope this helps. If you have any question or concern, please feel free to let me know.

    Best regards,

    Michael 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, 11 September 2019 07:26
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Michael



    Thursday, 12 September 2019 09:46
  • Hi,

    How are things going?

    Please feel free to let me know if you need further assistance.

    Best regards,

    Michael



    Monday, 16 September 2019 08:54
  • Hi Michael,

    Sorry for the delay.

    Basically some applications just stop working over the VPN from specific clients but other applications are fine.

    Our branch office has no local services like email, SQL etc. (only file services are local), so all of that is going over the VPN to the HQ. Then every now and again some packets/protocols from some machines just give up until we disconnect and re-connect the VPN.

    Tuesday, 17 September 2019 16:25
  • Hi,

    Thanks for your reply.

    May I ask if you have tried to consult the vendor for this issue?

    Best regards,

    Michael



    Wednesday, 18 September 2019 08:41
  • Sorry, the vendor of what?

    In this specific case the VPN is provided by Windows RRAS / TMG (Microsoft) and the application is SQL (also Microsoft).

    Wednesday, 18 September 2019 09:08
  • Hello Lanky Doodle,

    Michael's suggestion of creating a trace of some sort when the problem is occurring is the only approach that I think is likely to help. If you want some more advice about how to do this and are prepared to share the trace data then just ask.

    Gary

    Wednesday, 18 September 2019 11:39
  • Thanks Gary. Yeah, I'll need some help with that...

    ...as now I know that it's RRAS and not directly TMG, the Logging option in TMG is helpless here because the traffic is not even hitting it to be logged!

    Thursday, 19 September 2019 10:40
  • Hello Lanky Doodle,

    We might have to go through several iterations of tracing and analysis before we get to the root of the problem.

    This is my initial suggestion: when the problem appears on a client then (on that client) issue the command:

    logman start dandy -ets -p Microsoft-Windows-Ras-NdisWanPacketCapture -nb 128 -o dandy.etl

    This should start capturing the traffic flowing through the VPN tunnel. Try pinging the SQL server or anything else in the other site (to see if it works and to get some known traffic in the trace). Try to reproduce the error again (provoke the ODBC client to try to connect again). Finally, stop the trace with the command:

    logman stop dandy -ets

    The captured data (in dandy.etl) can be viewed in Microsoft Message Analyzer or made available in this forum (via OneDrive, Google Drive, etc.). This trace is unlikely to reveal the cause of the problem, but it should be a reasonable starting point for deciding on the next steps...

    Gary

    Thursday, 19 September 2019 11:51
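
The capture procedure from the reply above, wrapped in one script so it can be started the moment the fault reappears. This is an added example, not part of the original post: the host names, ports and the `Test-TcpPort` helper are assumptions, and only the two `logman` commands come from the thread.

```powershell
# Added example: run elevated on the machine where the logman command from the thread is issued.
# Host names and ports below are placeholders (assumptions), not values from the thread.
param(
    [string]$SqlServer    = 'sql.hq.example',       # hypothetical SQL server in the other site
    [int]   $SqlPort      = 1433,                   # assumed default SQL Server TCP port
    [string]$IntranetHost = 'intranet.hq.example',  # hypothetical host that still works, for comparison
    [int]   $IntranetPort = 80,
    [string]$TraceFile    = 'dandy.etl'
)

function Test-TcpPort {   # hypothetical helper: TCP connect with a timeout
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return 'timeout' }
        $client.EndConnect($async)
        return 'connected'
    } catch {
        return "failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

# Starting an ETW session requires administrator rights.
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { throw 'Run this script elevated.' }

# Start the tunnel capture (command as given in the thread).
logman start dandy -ets -p Microsoft-Windows-Ras-NdisWanPacketCapture -nb 128 -o $TraceFile
if ($LASTEXITCODE -ne 0) { throw "logman start failed with exit code $LASTEXITCODE" }
try {
    foreach ($probe in @(@{H = $SqlServer; P = $SqlPort}, @{H = $IntranetHost; P = $IntranetPort})) {
        $stamp = Get-Date -Format 'o'   # timestamp to correlate each probe with the trace
        $ping  = Test-Connection -ComputerName $probe.H -Count 2 -Quiet
        $tcp   = Test-TcpPort -HostName $probe.H -Port $probe.P
        '{0}  {1}:{2}  ping={3}  tcp={4}' -f $stamp, $probe.H, $probe.P, $ping, $tcp
    }
    Read-Host 'Reproduce the ODBC connection failure now, then press Enter' | Out-Null
} finally {
    logman stop dandy -ets          # always stop the session, even if a probe throws
}
```

The printed timestamps mark where the known-good and failing probes sit in the trace. The trace records the traffic flowing through the tunnel, so review `dandy.etl` before sharing it outside the organisation.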
  • Thanks Gary!

    I've recently had to bounce the VPN so it will probably be a few days now before I'm able to do this.

    Sunday, 22 September 2019 14:42
  • Hi,

    Just want to confirm the current situation. How are things going?

    Please feel free to let me know if you need further assistance.

    Best regards,

    Michael




    Thursday, 26 September 2019 07:24
  • Hi,

    How are things going?

    Please let us know if you need further assistance.

    If you find any reply that helps, could you help mark it as an answer so that other community members can find the helpful reply quickly, please? Your contribution is highly appreciated.

    Thanks for your support and understanding.

    Have a nice day!

    Best regards,

    Michael



    Monday, 7 October 2019 08:09
  • Hi Michael,

    I've not had much luck with this. Sod's law it hasn't happened since I posted.

    I will keep an eye on it and report back when I can.

    Thursday, 17 October 2019 09:14