Server 2016 RRAS in Azure not routing traffic

  • Question

  • I'm trying to set up an SSTP VPN using Windows Server 2016 hosted in Azure.  The problem is that when I connect, I can ping the RRAS server but nothing else.  Thoughts?

    The server has a single NIC getting its IP from Azure DHCP (10.255.0.10).  I installed the Direct Access and VPN (RAS) role and Network Policy Server was already installed.  It's configured with a Custom configuration with just VPN access enabled.  I have a static pool of IPv4 addresses (10.255.0.100-10.255.0.150) because I can't seem to get IPs from Azure DHCP.  I have ports enabled for SSTP Remote access connections (inbound only).  Everything else is set to 0 or 1 ports and disabled.

    The IPv4 General section lists the Loopback interface, Internal (10.255.0.100), and Ethernet 3 (10.255.0.10).  There are no static routes configured.  From the VPN server, I can ping everything on the same network and across the site to site VPN to a different location.

    When I connect, I get 10.255.0.101 and can ping the VPN server at 10.255.0.10 or 10.255.0.100 (so I know it's connected), but no other IP addresses on that network or other networks connected by site to site VPN.

    NPS seems to be set up properly since I can authenticate and connect.

    A very similar setup works fine on-premises using Windows 2012, so I'm at a bit of a loss.  Any help would be appreciated.

    Thank you.


    Alex

    Saturday, 06 July 2019 03:13

Answers

  • I fixed it by adding the interface that accepts the VPN connections (You may call it External, but it's the only interface on the computer) to the NAT setup, and setting it as "Public interface connected to the Internet" and "Enable NAT on this interface".  I've never needed to do that before, especially when the IP addresses are on the same network as the internal interface of the RRAS server.  Maybe this is something to do with using a Static Pool of addresses on the RRAS server?

    I don't see the Public IP of the Azure VM in the routing table, but that seems correct since the server only has a private IP and is behind the Azure NAT.  Also, the issue is that the RRAS server doesn't pass VPN traffic to the Azure internal network unless I enable the NAT settings mentioned above.

    If you know of a way to enable it to pass traffic without using NAT, I'd prefer that since the IP addresses are on the same network as the Azure internal LAN.

    Thanks.


    Alex

    • Marked as answer by Jinseng, Sunday, 14 July 2019 16:32
    Monday, 08 July 2019 02:54
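
The NAT change described in the answer above can also be scripted. This is an added example, not part of the original post; it assumes the RRAS role is already configured and uses the adapter name "Ethernet 3" quoted in the question.

```powershell
# Added example: command-line equivalent of the GUI steps in the answer.
# 'Ethernet 3' is the adapter name from the question; change it for your server.
$ifName = 'Ethernet 3'

# Confirm the adapter exists and show the IPv4 address Azure assigned to it.
Get-NetIPAddress -InterfaceAlias $ifName -AddressFamily IPv4 -ErrorAction Stop |
    Format-Table InterfaceAlias, IPAddress, PrefixLength

# Add the NAT routing protocol to RRAS (reports a message if already present).
netsh routing ip nat install

# Mode "full" corresponds to "Public interface connected to the Internet"
# with "Enable NAT on this interface" ticked in the RRAS console.
netsh routing ip nat add interface $ifName full

# List the NAT interfaces to verify the setting was applied.
netsh routing ip nat show interface
```

With NAT enabled, hosts on the Azure network see VPN client traffic as coming from the RRAS server's own address (10.255.0.10) rather than the pool address, so per-user attribution has to come from the RRAS and NPS logs.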

All replies

  • Hi,

    If you can connect to the VPN but cannot ping the Azure network then make sure that the route to your Azure external IP is set correctly. 

    You can view this by right clicking on static routes under IPv4 in RRAS.  Then select Show IP Route Table. 

    If you do not see your Azure Public IP listed and going to the External network adapter then you need to manually add the route.

    Best regards,
    Travis


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, 08 July 2019 02:18
    Moderator
  • Hi,

    Please run command tracert to check the route.

    In my opinion, the traffic was forwarded to a wrong gateway or dropped.

    Best regards,

    Travis



    Monday, 08 July 2019 08:00
    Moderator
  • Tracert dies at the RRAS server (the first hop).  It doesn't connect to anything after that.  The IP that shows up in tracert is the first IP in the statically assigned pool.  Re-enabling the NAT configuration makes everything work again. It's as though Azure blocks traffic from IPs not assigned to the VM from the Azure DHCP server.

    Alex

    Wednesday, 10 July 2019 02:23
  • Hi,

    Did you check the static routes of IPv4 in RRAS?

    If necessary, you can add a static route for the IP in static pool.

    Best regards,

    Travis



    Wednesday, 10 July 2019 08:14
    Moderator
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Travis



    Friday, 12 July 2019 06:21
    Moderator
  • The routes seem fine. The IPs in the static pool are all in the same range as the IP assigned to the server. Since enabling NAT works, I’m going to stick with that for now. Thanks for the thoughts.

    Alex

    Sunday, 14 July 2019 16:32
  • Hi,

    Thanks for your update.

    If there is no progress, I would suggest you contact Microsoft Support to get an efficient solution.

    Best regards,

    Travis



    Monday, 15 July 2019 09:02
    Moderator