VPN losing name resolution when "use default gateway on remote network" is not checked

  • Question

  • I am trying to connect to a VPN running on Windows Server 2003 from my new Windows 7 install.  I can currently connect to this VPN from my Vista machine.

    On the Windows 7 machine, if I have the "use default gateway on remote network" box checked, I can resolve network names over the VPN just fine.  However I do not want this box to be checked.  On Vista currently (and previously on XP) it works over this VPN to uncheck this box so that all of my traffic is not routed over the VPN.  If I uncheck the box, I cannot ping any machines by name over the VPN, but it does work by IP.  Two machines side by side with quite different results.  I have tried to disable IPv6 on the Windows 7 machine but to no avail.  Can someone help me out here?
    Wednesday, August 19, 2009 11:21 PM

All replies

  •   What name are you using? The full FQDN or just the server name?

       If the FQDN works but server name fails, you need to add the domain name to the DNS suffix list in the client's dialup properties. The client will then add the domain suffix to the server name to form the FQDN.

       If you are running WINS on the LAN, make sure that the client gets the correct WINS address when it connects. You can hard code that into the client's connection properties as well.  
    Thursday, August 20, 2009 2:23 AM
  • Neither the FQDN nor the server name works from the Windows 7 machine.  Pinging the server name works on my Vista machine, but the FQDN cannot be found.  I tried adding the DNS suffix for the domain to the VPN connection DNS properties, but no dice.  This still doesn't explain the difference in behavior between the Windows 7 machine and the Vista machine.  Any ideas?
    Thursday, August 20, 2009 9:30 PM
  • Ok some progress on my end.  I tried disabling Windows Firewall for all connection types and I was able to ping the server by name.  So some combination of having "use default gateway on remote network" unchecked, and Windows Firewall is preventing me from reaching machines over the VPN by their local name.

    I compared the entries in the Windows Firewall exceptions list between my Windows 7 and Vista machines and from what I can tell everything matches up.  I am a member of a domain network at home, and I connect to a different domain at the office.  Again this works just fine in Vista and XP.  Network Discovery and File and Printer Sharing are enabled for Domain networks and Home or work (private) networks.  My home network is detected as a Domain network and the VPN connection is detected as a Private network, so I can't say what is missing.  All I can say right now is that this configuration does work with Windows Firewall disabled for Domain and Private Networks.

    Can any Windows Firewall experts point me to what else needs to be allowed through?
    Thursday, August 20, 2009 9:59 PM
  • Probably you may need to check if the pre-defined Firewall Policy "Core Networking - DNS (UDP-Out)" is enabled.

    Click Start, click Run, type wf.msc, click OK.
    On Windows Firewall with Advanced Security console, click Outbound, find the corresponding firewall rule "Core Networking - DNS (UDP-Out)"
    Make sure it is allowed, and applies to all connections, then check if the Protocols and Ports tab is set to:
     Protocol: UDP
     Local Port: All
     Remote: 53
    Make sure scope is set to any IP address.
    Check Advanced tab, verify if the profile applies to "Domain and Private and Public"

    Friday, August 21, 2009 5:53 AM
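An added example, not code from the thread or from Microsoft, that performs the rule checks in the reply above from PowerShell instead of clicking through wf.msc. It assumes the NetSecurity module (Windows 8 / Server 2012 and later; on the Windows 7 machine in the thread the same data comes from the `netsh` command quoted in the comment) and that the rule still carries its default display name. It also goes one step beyond the reply: because the original poster found the rule already correct yet DNS still failed until the firewall was turned off, the script lists each profile's default outbound action and any enabled outbound Block rule that could cover UDP/53, which is where an "everything matches up" rule set can still block the query.

```powershell
# Added example; not code from the thread. Verifies the built-in outbound DNS
# rule that the reply above walks through by hand, using the NetSecurity
# cmdlets (Windows 8 / Server 2012 and later). On Windows 7 the same data
# comes from:
#   netsh advfirewall firewall show rule name="Core Networking - DNS (UDP-Out)" verbose
# Assumption: the rule still carries its default display name.

$ruleName = 'Core Networking - DNS (UDP-Out)'

$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction Stop
$port = $rule | Get-NetFirewallPortFilter
$addr = $rule | Get-NetFirewallAddressFilter

# Profile is a flags value such as "Any" or "Domain, Private"; every one of the
# three profiles must be present, or the value must be Any.
$profileText = "$($rule.Profile)"
$missing     = @('Domain', 'Private', 'Public' | Where-Object { $profileText -notmatch $_ })
$profileOk   = ($profileText -eq 'Any') -or ($missing.Count -eq 0)

# Each entry is the value the reply says the rule should have.
$checks = [ordered]@{
    'Enabled'                                   = ($rule.Enabled -eq 'True')
    'Action is Allow'                           = ($rule.Action -eq 'Allow')
    'Direction is Outbound'                     = ($rule.Direction -eq 'Outbound')
    'Profile covers Domain, Private and Public' = $profileOk
    'Protocol is UDP'                           = ($port.Protocol -eq 'UDP')
    'Local port is Any'                         = ($port.LocalPort -eq 'Any')
    'Remote port is 53'                         = ($port.RemotePort -eq '53')
    'Remote address (scope) is Any'             = ($addr.RemoteAddress -eq 'Any')
}

$failed = foreach ($c in $checks.GetEnumerator()) {
    $mark = if ($c.Value) { 'OK  ' } else { 'FAIL' }
    Write-Host ("[{0}] {1}" -f $mark, $c.Key)
    if (-not $c.Value) { $c.Key }
}
if ($failed) {
    Write-Warning "Rule '$ruleName' differs from the expected settings: $($failed -join '; ')"
}

# The rule can be correct and DNS still fail: a profile whose default
# outbound action is Block, or an explicit outbound Block rule that matches
# first, overrides the allow. Show both so the reader can rule them out.
Write-Host "`nPer-profile defaults (DefaultOutboundAction = Block needs an allow rule for everything):"
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction |
    Format-Table -AutoSize

Write-Host "Enabled outbound Block rules that could cover UDP/53:"
Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True |
    Where-Object {
        $f = $_ | Get-NetFirewallPortFilter
        ($f.Protocol -in 'UDP', 'Any') -and
        (($f.RemotePort -contains '53') -or ($f.RemotePort -eq 'Any'))
    } |
    Select-Object DisplayName, Profile, Program |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell while the VPN is connected, once with the firewall on and once with it off, and compare: if the rule checks all pass but the profile the VPN lands in (Private, in the thread) has DefaultOutboundAction set to Block or an outbound Block rule listed, that is the difference the original poster was looking for.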
  • Hi Timothy, my settings are just as you described they should be.

    Core Networking - DNS (UDP-Out)
    Protocol: UDP
    Local Port: All
    Remote Port: 53

    Scope: Any

    Applies to: Domain, Private, and Public
    Friday, August 21, 2009 7:30 PM
  • bump!
    Wednesday, August 26, 2009 10:02 PM
  • bump bump!
    Monday, August 31, 2009 10:03 PM
  • bump bump bump!

    This is still a problem for me.  Do I need to file a bug or what?
    Monday, October 19, 2009 11:12 PM
  • +1

    I have a very similar problem.  There is definitely something "different" about the way VPN routing happens under Windows 7.  I've always had "Use Remote Gateway" UNCHECKED, and Windows had no problem routing my VPN traffic accordingly.  Now, in Windows 7, it will only route the traffic through the VPN in an "all or nothing" fashion, meaning I have to use the remote gateway for everything, or I can't get anything through the VPN at all.  This is a problem because I do not want all of my internet traffic flowing through the VPN.  Most of it is NOT meant for the VPN.
    Tuesday, October 27, 2009 5:45 AM
  •   That is how most VPN clients work. Having your machine connect to the Internet directly while the VPN is up is called split tunnelling and is frowned on by the security people as a security risk.

      When you connect by VPN, the standard method is to disable the existing default gateway (by increasing its metric) so that all non-local traffic goes through the tunnel. (The tunnel interface becomes your default gateway).

      I thought that this changed in Vista. How do you modify the "Use remote gateway..." setting in Vista/Win 7?

      If you are interested, there is a KB which explains how it works in W2k/XP: KB254231.

    Tuesday, October 27, 2009 10:54 PM
  • Felonius,

    Have you tried disabling your firewall once connected to the VPN?  In my situation, connecting to the VPN with "Use Remote Gateway" UNCHECKED results in no name resolution.  However, if I turn off Windows Firewall for private (Work) networks, name resolution will begin to work, and I can work with shares even after I turn Windows Firewall back on.  I do have to do this dance every time I connect to the VPN which is less than ideal.
    Tuesday, October 27, 2009 11:53 PM
  • Actually, I solved my problem, though I'm not sure my solution will apply to what you are experiencing.
    Coincidentally, the same day I installed Windows 7, my workplace changed their VPN NAT'ing model.  They introduced a new layer of abstraction so the vIPs in the ISA couldn't talk to each other.  What this did to my connection was that I was not able to route beyond the ISA.  The ISA had, and the corporate network behind it had  I had to install the following route into my Windows routing table:
    route ADD -p -4 MASK IF 28
    (where 28 is the interface ID of my virtual VPN adapter, and is my vIP in the ISA)

    I imagine I would've been plagued by this same issue, even if I were still using XP or Vista.
    Wednesday, October 28, 2009 4:40 AM
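An added example, not code from the thread, that ties together the two routing points made above: the explanation that "use default gateway on remote network" works by making the tunnel the default route, and the fix in the last post of adding a static route through the VPN adapter so that traffic for the far side is tunnelled while everything else stays on the local gateway. With the box unchecked, only destinations that have a route selecting the VPN adapter go into the tunnel, so the DNS servers assigned to that adapter must be reachable through it or names will not resolve, which is exactly the symptom this thread is about. The script finds the VPN adapter, checks where the default route points, checks the route chosen for each of the adapter's DNS servers and for the remote networks, adds the missing routes via the vIP, and finally queries those DNS servers directly. It uses the NetTCPIP and DnsClient cmdlets (Windows 8 / Server 2012 and later; the Windows 7 equivalents are `route print` and the `route ADD ... IF <index>` command from the post above). The connection name "Office VPN", the subnet 10.20.0.0/16 and the host name "fileserver" are assumptions, not values from the thread; change them to match the environment.

```powershell
# Added example; not code from the thread. Checks and repairs the routing a
# split tunnel needs: with "Use default gateway on remote network" unchecked,
# only destinations with a route pointing at the VPN adapter go through the
# tunnel, so the remote DNS servers must be reachable that way or names will
# not resolve. Uses NetTCPIP/DnsClient cmdlets (Windows 8 / Server 2012+);
# on Windows 7 use "route print" and "route ADD -p <net> MASK <mask> <vIP> IF <idx>".
# Assumptions (not from the thread): connection name, office subnet, test host.

[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $VpnName        = 'Office VPN',      # assumed name of the VPN connection
    [string[]] $RemoteNetworks = @('10.20.0.0/16'), # assumed office network(s)
    [string]   $TestHost       = 'fileserver'       # assumed host on the office network
)

$adapter = Get-NetAdapter -Name $VpnName -ErrorAction Stop
$idx     = $adapter.ifIndex
$vip     = (Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4).IPAddress
Write-Host "VPN adapter '$VpnName' is ifIndex $idx with vIP $vip"

# 1. The lowest-metric default route must stay on the physical NIC. If it sits
#    on the tunnel, the checkbox is effectively on and everything is tunnelled.
$default = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
    Sort-Object RouteMetric, InterfaceMetric | Select-Object -First 1
if ($default.ifIndex -eq $idx) {
    Write-Warning 'Default route points at the tunnel: all traffic is being sent through the VPN.'
} else {
    Write-Host "Default route stays on ifIndex $($default.ifIndex) via $($default.NextHop) (split tunnel)"
}

# 2. DNS servers the server side handed to the tunnel adapter, plus the
#    connection-specific suffix that turns "server" into "server.domain".
$dnsServers = (Get-DnsClientServerAddress -InterfaceIndex $idx -AddressFamily IPv4).ServerAddresses
if (-not $dnsServers) { throw "No IPv4 DNS servers on '$VpnName'; the tunnel cannot resolve names." }
$suffix = (Get-DnsClient -InterfaceIndex $idx).ConnectionSpecificSuffix
Write-Host "DNS servers on the tunnel: $($dnsServers -join ', ')  suffix: '$suffix'"

# 3. Every DNS server (host route) and every remote network must select the
#    tunnel. Where it does not, add a route via the vIP: the same fix as the
#    "route ADD" in the post, but non-persistent because a PPP ifIndex changes
#    between connections.
$needed = @($dnsServers | ForEach-Object { "$_/32" }) + $RemoteNetworks
foreach ($prefix in $needed) {
    $target = ($prefix -split '/')[0]
    $chosen = (Find-NetRoute -RemoteIPAddress $target | Select-Object -First 1).InterfaceIndex
    if ($chosen -eq $idx) {
        Write-Host "  $prefix -> tunnel (ifIndex $idx)  OK"
        continue
    }
    Write-Warning "  $prefix would leave via ifIndex $chosen, not the tunnel"
    if ($PSCmdlet.ShouldProcess($prefix, "New-NetRoute via $vip on ifIndex $idx")) {
        New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $idx -NextHop $vip `
                     -PolicyStore ActiveStore | Out-Null
    }
}

# 4. Prove the path by asking each tunnel DNS server directly, bypassing the
#    local resolver cache. A timeout here means the query never made it into
#    the tunnel (routing or firewall); an NXDOMAIN means routing is fine and
#    the name or suffix is the problem.
foreach ($server in $dnsServers) {
    try {
        $answer = Resolve-DnsName -Name $TestHost -Server $server -Type A -DnsOnly -ErrorAction Stop
        Write-Host "  $server answered $TestHost -> $($answer.IPAddress -join ', ')"
    } catch {
        Write-Warning "  $server did not answer for $TestHost : $($_.Exception.Message)"
    }
}
```

Run it elevated after the VPN comes up; `-WhatIf` shows which routes it would add without touching the table. The host routes for the DNS servers are the part that matters for this thread: the remote networks can be reached by IP without them, but without a route to the DNS server the query leaves through the home gateway and is simply lost, which looks identical to "names don't resolve with the box unchecked".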