VPN routing problem


  • Hi All, 

    I'm having an issue where my VPN client can connect and ping the VPN server, but can't access any other items on my client network.  The server is running Windows Server 2003 SP2.

    My internal network is  The VPN server is on the internal network, and on a network shared with the router.

    My client connects and gets the IP from the DHCP server.  It can ping both and  However, it cannot ping the domain controller at

    Strangely enough, the domain controller can ping and its arp table shows the MAC of the VPN server.

    One other strange thing is that the VPN server can't ping

    I've checked and there are no packet filters on any of the VPN server's NICs.

    The routing table on the VPN server shows:

    Destination  Network mask  Gateway  Interface                Metric  Protocol
                                        Local Area Connection 2  1       Network management
                                        Loopback                 1       Local
                                        Loopback                 1       Local
                                        Local Area Connection    10      Local
                                        Loopback                 10      Local
                                        Loopback                 50      Local
                                        Local Area Connection    10      Local
                                        Local Area Connection 2  10      Local
                                        Loopback                 10      Local
                                        Local Area Connection 2  10      Local
                                        Local Area Connection 2  10      Local
                                        Local Area Connection    10      Local
                                        Local Area Connection 2  1       Local
                                        Local Area Connection    1       Local

    Any ideas?
    Monday, November 2, 2009 11:13 PM

All replies

  •   If the server can ping the VPN client, you do not have a network problem.

      Ping is pretty unreliable for this sort of thing, especially with most machines now running personal firewalls. These usually block ICMP echo, which is what ping uses.

      Accessing LAN machines from VPN clients can be tricky because name resolution doesn't work the same way as it does on a LAN. Does the client get the correct DNS address? Does nslookup work for the domain name and/or a server's FQDN?
    Tuesday, November 3, 2009 12:57 AM


  •   Thank you for your post here.


    Agree with Bill Grant that the VPN connection is OK as you can ping both and I believe that Windows Firewall or any other 3rd party firewall blocks the ICMP echo request on and Please check how it works if you manually add a rule to explicitly allow that.



    1. In the Windows Advanced firewall console tree, right-click Inbound Rules, and then click New Rule.

    2. On the Rule Type page, click Custom, and then click Next.

    3. On the Program page, click Next.

    4. On the Protocols and Ports page, for Protocol type, click ICMPv4, and then click Customize.

    5. In the Customize ICMP Settings dialog box, click Specific ICMP types, select Echo Request, and then click OK.

    6. Click Next.

    7. On the Scope page, click Next.

    8. On the Action page, click Next.

    9. On the Profile page, click Next.

    10. On the Name page, for Name, type Inbound ICMPv4 Echo Requests, and then click Finish.


    If you have any questions or concerns, please do not hesitate to let me know.
    Tuesday, November 3, 2009 7:13 AM
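    The same rule from the command line, as an added example that is not part of the thread or of Microsoft's documentation. It assumes an elevated prompt on the LAN host that should answer the pings; the `netsh advfirewall` context exists on Windows Vista / Server 2008 and later, while a Server 2003 host (such as the original poster's VPN server) only has the older `netsh firewall` context shown at the end. The address pool 192.168.50.0/24 is a constructed placeholder for the RRAS client range.

```powershell
# Equivalent of the ten console steps above: allow inbound ICMPv4 Echo Request
# (ICMP type 8, any code) on every profile, no program or port restriction.
netsh advfirewall firewall add rule name="Inbound ICMPv4 Echo Requests" dir=in action=allow protocol=icmpv4:8,any

# Narrower variant the Scope page (step 7) was skipped for: only answer echo
# requests that arrive from the VPN client pool. 192.168.50.0/24 is a
# constructed placeholder; substitute the RRAS pool or the LAN range.
netsh advfirewall firewall add rule name="Inbound ICMPv4 Echo Requests (VPN pool)" dir=in action=allow protocol=icmpv4:8,any remoteip=192.168.50.0/24

# Confirm the rule was created and is enabled before testing with ping again.
netsh advfirewall firewall show rule name="Inbound ICMPv4 Echo Requests"

# Windows 8 / Server 2012 and later can use the NetSecurity cmdlet instead.
New-NetFirewallRule -DisplayName "Inbound ICMPv4 Echo Requests" -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -Action Allow

# Windows Server 2003 / XP SP2 (no Advanced Firewall): enable the ICMP echo
# setting in the legacy firewall context.
netsh firewall set icmpsetting type=8 mode=ENABLE
```

    Prefer the scoped variant where the VPN pool is a separate subnet: it makes the ICMP exception useful for exactly the remote clients being troubleshot without opening echo to every address the host can see.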
  • Hi All,

    Thanks for your replies.

    I already tried turning off the firewall on the client and there's no firewall on the server(s) I'm trying to reach.  I also tried remote desktop from client to domain controller and that doesn't work but remote desktop from client to vpn server works and remote desktop from vpn server to domain controller works.

    The strangest thing is that I can't ping the VPN client from the VPN server, even with firewalls disabled.  It's almost like the route back to the client isn't working, but you can see it above in the routing table.

    Oh, and when I pinged a server from my VPN client, even though I didn't get a response I saw an entry for the vpn client's IP in the ARP table (to the VPN server's MAC).

    Tuesday, November 3, 2009 3:19 PM
  •   Yes, you will see an ARP record for the VPN client linked to the server's MAC address. Because the VPN client machine is in the same IP subnet as the LAN machines (on subnet addressing) no real IP routing takes place. The server does proxy ARP on the LAN for the remote client, then sends the packet across the point to point link to the remote client.

       If you want a routed solution you have to put the remotes in their own IP subnet (using an address pool on the RRAS server) and route through the RRAS server.

    Tuesday, November 3, 2009 11:06 PM
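    The on-subnet versus routed distinction above, worked through as an added example (not code from the thread or from RRAS): given the LAN subnet and the RRAS address pool, the helpers report whether the server will proxy ARP for the clients or whether LAN hosts need a route back to the pool through the RRAS server, and print that route in Windows `route` syntax. All addresses and the function names are constructed for the example.

```powershell
# Added example, not part of the thread. Tells whether an RRAS address pool is
# carved out of the LAN subnet (server proxy-ARPs for the clients, no IP routing)
# or is a separate subnet that LAN hosts must reach via the RRAS server, and
# emits the static route the LAN hosts or their default gateway would need.

function ConvertTo-IPv4UInt32 ([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    [Array]::Reverse($bytes)                                          # BitConverter is little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-IPv4UInt32 ([uint32]$Value) {
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    return (New-Object System.Net.IPAddress -ArgumentList (,$bytes)).ToString()
}

function Get-IPv4Subnet ([string]$Cidr) {
    $ipText, $lenText = $Cidr -split '/'
    $len  = [int]$lenText
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $len))   # top $len bits set
    $net  = [uint32]((ConvertTo-IPv4UInt32 $ipText) -band $mask)
    New-Object PSObject -Property @{
        Network      = $net
        Mask         = $mask
        PrefixLength = $len
        Text         = "$(ConvertFrom-IPv4UInt32 $net)/$len"
    }
}

function Get-VpnPoolMode ([string]$LanCidr, [string]$PoolCidr) {
    $lan  = Get-IPv4Subnet $LanCidr
    $pool = Get-IPv4Subnet $PoolCidr
    $inside = ($pool.PrefixLength -ge $lan.PrefixLength) -and
              ([uint32]($pool.Network -band $lan.Mask) -eq $lan.Network)
    if ($inside) { return 'proxy-arp' }   # clients look like LAN hosts; ARP, no routing
    return 'routed'                       # LAN needs a route to the pool via RRAS
}

function Get-LanReturnRoute ([string]$LanCidr, [string]$PoolCidr, [string]$RrasLanIp) {
    if ((Get-VpnPoolMode $LanCidr $PoolCidr) -eq 'proxy-arp') { return $null }
    $pool = Get-IPv4Subnet $PoolCidr
    # Persistent static route on a LAN host; configuring the same route on the
    # LAN default gateway instead lets every host inherit it.
    return "route -p add $(ConvertFrom-IPv4UInt32 $pool.Network) mask $(ConvertFrom-IPv4UInt32 $pool.Mask) $RrasLanIp"
}

# Constructed placeholders: LAN 192.168.1.0/24, RRAS server LAN address 192.168.1.5
Get-VpnPoolMode '192.168.1.0/24' '192.168.1.200/29'                  # proxy-arp
Get-VpnPoolMode '192.168.1.0/24' '192.168.50.0/24'                   # routed
Get-LanReturnRoute '192.168.1.0/24' '192.168.50.0/24' '192.168.1.5'  # route -p add 192.168.50.0 mask 255.255.255.0 192.168.1.5
```

    In the on-subnet case a missing reply is not a routing gap on the LAN hosts (their ARP entry for the client already points at the RRAS server's MAC, as the original poster observed); in the routed case a LAN host with no matching route sends the reply to its default gateway, which must itself know the pool sits behind the RRAS server.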