Router TO Router VPN and WINS 1

Status
Not open for further replies.

pizzaman2003

Technical User
Jan 7, 2003
24
US
Currently my organization is running SDSL between 3 office locations. We have static ip's assigned to each location on all the client machines and a router to router vpn tying in the 3 locations with a server at one location running Win2000Server.

I configured this server as a WINS server so all the clients at all the locations will be able to browse network neighborhood and see everyone. Technically this is supposed to work but the client machines are not seeing the other remote clients nor the server. The only way I can see a client machine or the WINS server is by doing a search for computer.

I want to be able to see all the client machines from the remote locations as well as the remote server when I click on network neighborhood and I believe I'm missing something in WINS.

One other thing: now that I have the router to router vpn hooked up, when I ping a client machine at one of the remote sites the ping stats are really high vs. if I ping like or something. Is this normal?

Any suggestions would be greatly appreciated.

Thanks,

Pizzaman
 
I am currently doing something very similar to what you are doing. I have a server sitting in one location and then several remote offices connecting back via the Linksys BEFVP41's. I solved my "browsing" problem creating a LMHOSTS file for all of the clients. Once I did this and hard coded my wins server all of my problems disappeared. I am even able to log into the domain remotely. If you need more details on the LMHOSTS file let me know.

Here are some articles on LMHOSTS file creation:


 
Hi VPN,

Thank you for your insight... after yesterday I figured I was going to need to create this LMHOSTS file due to not being able to see these machines and you provided this confirmation.

I printed out the documents you suggested and have read these and also within win2000 server if you do a search for a file called lmhosts you will see a file come up called lmhosts.sam this can be opened with word pad and provides the necessary "sample" instructions for creating the lmhosts file.
Have I ever created this file I can't say I have but will be working on this today.

When you got your router to router VPN up how were your ping states from client to client say from one remote site to the other? Did you experience erratic (high) and (low) pings?

This also I need to fix today because it's difficult to transfer files to your server when you have this high traffic. I hope this is not due to the WINS Server but I will be conducting further investigation with the routers tech support today.

Thanks again...

 
Hey

I am having a similar problem with seeing the remote computers on the network, over VPN. It works sometimes, but other times the computers don't show up in Network Neighborhood.

I've been looking in to the LMHOST issue as a possible remedy to this problem, but I'm just using Win2K pro, not server. Will the LMHOST file still work?

Also, do I need an entry on every computer to point to our "server", or just an entry in the server's LMHOST file, pointing to each of the remote computers? or Both?

Thanks
 
Pizzaman2003 - Yes I do see erratic traffic through the tunnel but you must remember that you are using SDSL. This is basically a huge network that you have no control over. Unlike a dedicated circuit (T1) where you are the only one using it.

Holyfrik - The LMHOSTS file will be on every client that is connecting via VPN. Fortunately you only have to do this once and it is easy to explain to end users if you can not get to them. You do not need the LMHOSTS file on the Server. I am currently using the LMHOSTS file Win98, 2000, XP. In Win98 you place file in the c:\windows directory. For XP and 2000 the file is placed in the c:\winnt\system32\drivers\etc directory. The other thing you "must" do under XP and 2000 is to tell them to look at the LMHOSTS file by going to the WINS configuration page and making sure that Enable LMHOSTS lookup is enabled.

I pulled my hair out getting this to work and really was a lot simpler than I was making it out to be. If you need assistance with the LMHOSTS file let me know.

P.S. I also hardcoded my WINS server.
 
Looking at the lmhosts file there are these # at the left of the sample one I referred to before... do you need that at the beginning of entries I make in the host file?

What I'm doing basically is adding the ip's and names of all the machines looks like this...

# PRE
# 99.999.9.9 HQTest01
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# 99.999.9.9
# #BEGIN_ALTERNATE
# #END_ALTERNATE

These are not real ip's but you get the gist of how I'm making the entries does this look like it will work? Do I need to add the client name for each machine after their respective IP's in order for this to work? or can I just use IP?

The first entry is for the server but it's not a PDC.
Just using it as a file sharing server.

Let me know what you think?

Thanks much,
Pizza
 
Couple of things here . . .

First, you don't have to duplicate the lmhosts file on every machine. Easiest way to get around that is to make the first line of your lmhost on most of the computers look like this:

#INCLUDE \\999.999.9.9\host_share\lmhosts

That will read the contents of the lmhosts file referenced in the path when the local lmhosts is parsed. I use ip instead of computer name. The 'Everyone' group has to have read permissions for the share and the file. It works well in a situation where you have many computers, or if you add/change/delete equipment often, as you only have to change one file. If you decide to do that, post back and I'll give more detail.

Next, in the lmhosts file, a # followed by a space is a comment line, therefore, none of the lines above would ever be read. You need to take the # off of all of your real lines. The other use for the # is to indicate keywords, such as the #INCLUDE noted above. No space between the # and the keyword.

You do have to list the name of each machine as well as the ip. That's the whole point of lmhosts, providing a way to resolve names to ip's. You should also put some space (I like a tab - keeps everything lined up) then #PRE after the host name on each line. That tells the computer to cache that entry when the computer starts. Saves some time when browsing your network. By default, only 100 #PRE entries will be loaded when the computer starts, but that can be changed in the registry if needed.

So your lmhost lines should look something like this:

xxx.xxx.xxx.xxx computer_name #PRE

No leading #, no space in #PRE, and the other lines with keywords should be left out (other than the #INCLUDE, if you elect to use that).

 
Hey mhkwood,

Thanks for the info. My last question is I know where to put the lmhost file now in win2000 and how to edit this.

In order to edit the lmhost file I open it with word pad do I need to add the .sam extension back to the file in order for it to work or can I leave it as a text file? Also, after editing the file you're supposed to reboot your machine is that correct?

Thanks,

Pizzaman
 
I prefer notepad, but wordpad should work -- didn't have wordpad when I grew up.

The lmhosts file should go in the same directory you found lmhosts.sam in. Generally should be '\WINNT\system32\drivers\etc', but it can vary.

The real lmhosts file has no extension. No .sam, .txt or anything else. The .sam is on the sample file to keep it from trying to load.

Yes, reboot after you're done.

Good luck, glad to be of help!
 
Well my final analysis of this lmhosts.sam file I'm trying to work with here is becoming a bit of a pain. Here's what I did thus far.

1. Found the lmhosts.sam file in c:\winnt\system32\drivers\etc directory.

2. I proceeded to then put in the IP in the far left column entered the ip xxx.xxx.xxx HQTEST01 #PRE

3. I then saved this file as just lmhosts to that location as stated above but when I saved this ...windows prompted to save as a text file. So I put quotation marks like the "lmhosts" to avoid saving the file as text and saved to that directory. If I right click and goto properties the file type is called file.? Hmmmm

4. Next I rebooted the machine and went to network neighborhood and I cannot see the server machine.
So at this point I'm puzzled. Do I need this lmhost file on the server also in order to resolve the ip entry I entered in the lmhost file. This is not rocket science but new to me.

What am I missing?

 
Did you remember to enable LMHOSTS lookup? (Control Panel --> Network and Dial Up connections --> Right click on Local Area Connection (not your VPN connection) --> Properties --> Select TCP/IP in the components box --> Click properties --> Advanced --> WINS Tab --> Check the box that says 'Enable LMHOSTS lookup') If you didn't have that checked already, reboot after you get it fixed.

If that was already done, right click on My Network Places and select 'Search for Computer' Type the name of one of your machines in the box and click search. Any results?

Open a command window. Type cd \winnt\system32\drivers\etc and press enter. Type dir and press enter. Should give you a list of files. Do you see 'lmhosts'? If it looks like it is there, type dir lmhosts and press enter. Still see it?

In the command window, type NET VIEW and press enter. Can you see any of your computers there?

Make sure you can still ping the remote network. Could be that you're fishing for the wrong problem (been there). Try to ping using the ip, then the computer name.

In the command window, type nbtstat -c That should print the Netbios Cache table. See any of your computers there? Is there anything there?

Of course you can stop at any point it starts to work or you see the problem, just giving several steps at once to keep from posting 30 messages in this thread. If you don't get results, post back as many of the answers as you can.

Good luck
 
I have enabled lmhosts lookup checked ..I can find the server if I do a search for computers and then map drives to it..

The thing is I was trying to get the server and all the machines to show up in network neighborhood on a client machine.

I have the wins server address entered for wins in tcp/ip... without this I would not see the server machine.

I do see the lmhosts file where it should be in the location c:\winnt\system32\drivers\etc. Couple other things to mention is that this is not a domain environment. Everything is a workgroup for right now.
If that makes a difference with the lmhosts file.

My first entry in the lmhosts is:

xxx.xxx.xxx.xxx server_name #pre

with the real ip and actual server name.

I don't have anything listed after that but was doing this just so I could see the server first in network neighborhood or browsing microsoft network then add the clients to the lmhosts afterwards.
 
When browsing the network, make sure you select 'Entire Network' as opposed to 'Computers Near Me'.

Take the address out for the WINS server. You either need to use a WINS server (which has some problems across subnets), OR lmhosts, not both.

Add at least one more entry to the lmhosts. Some versions of windows have a problem parsing a lmhosts with just one entry, I think it's limited to NT4 SP?, but easier to cover than research.

You say you can see the lmhosts file . . .did you do that through the command window with 'dir lmhosts'? That eliminates some of the stuff windows does with hiding file extensions. What about the other stuff in the command window (nbtstat -c, NET VIEW)? You can eliminate the 'ping' because you can connect to the host otherwise, but those two still have relevance, especially the nbtstat -c. Post back please.
 
Well the Lmhosts file is set up on all of the host computers.

I can type in nbtstat -c and see that the file is working, and can now ping to host names.

Problems:

The VPN is between 2 workgroups in two different cities, the remote workgroup doesn't always show up. I know it is connected, and can ping to the remote computers via IP address, and hostname; Remote workgroup doesn't always show up in network neighborhood.

If I ping the remote computers, and then do the whole "search for computers"......the remote computers eventually show up, but it takes some time.

Can I change something to make this process faster. Example>.....remote computers show up on reboot.

If not, not too crucial it does work, just a little slow. Thanks for all your help.

HOLYFRIK

 
MHKWOOD I'm going to try removing the static setting I entered in for wins and see if that makes a difference today with the lmhosts file.

After I do this I will try the nbtstat -c to see what happens after I make some entries into the lmhosts file.

I'll keep you posted :)

Pizza

 
Well the latest development is I did remove the static IP settings for the WINS Server and just ran off the lmhosts file I was able to see the server still. Then I used the nbtstat -c command and was able to see the server in that listing.

Not sure why the server does not show up in network neighborhood?

My latest development is I'm having shifty bandwidth issues transferring files from a client machine over the vpn to the remote server. Again we are running a router to router vpn what I'm seeing is last night I attempted to send a lot of data like 150mb to the server from the remote.
The time the D/L stated for the D/L(download) to complete was around 2.0hrs...

As the data was transferring I pinged the server a couple of times to see if there was a lot of latency.

What I got back for results were
bytes= 32 time= 994ms ttl=126
bytes= 32 time= 70ms ttl=126
bytes= 32 time= 224ms ttl=126

Also, I did see packet loss at the end of my ping test.
I referenced the problem with my ISP and they said there is something strange about this. One router is trained up at 412k and the other at 384k. Supposedly we can move our bandwidth up in increments of 784k and then 1.5mb.

I attempted to do this between two locations being set at 784k and they said there is a possible problem between the loop and the co and also a possible issue with the DSLAM and they are currently investigating.

My question is have other people that have deployed SDSL over a router to router vpn have you seen any these types of issues? I just hope I can resolve this and not get a lot of grey hairs...Any feedback would be excellent.

Thanx,

Pizza

 
PIZZA,
I have been watching your posts. Are you getting much sleep ;-). I find it interesting that you had results after removing your WINS. I had the exact opposite effect but I did write my LMHOSTS a little differently and I will put mine at the bottom of this reply. One thing that I did remember when I was investigating the LMHOSTS was that the spacing between entries per line was crucial but who knows.
Anyway, with regards to your packet loss issue I have read time and time again that the MTU is typically the culprit. Here is an article for you to look at.
You might want to do some of your own research with regards to the MTU as well.

Here is my LMHOSTS that allows me to see "all" of the computers on the other side of the tunnel including the NT4 Server. I am also able to run a Norton Antivirus Server that will push the latest virus definitions across the tunnel.

172.20.1.8 MPG1 #PRE #DOM:MPG
172.20.1.8 "MPG            \0x1b" #PRE
172.20.1.8 "MPG            \0x1c" #PRE

The first line is pointing to my Domain Controller
The second and third are WINS entries b and c have something to do with the primary and secondary setting.
 
VPNing is correct. The three lines listed should help. Been too long since I did this.

holyfrik -- this should help your problem as well.

Couple of clarifications: The 'MPG1' in the example refers to the netbios name of the server, and the references to 'MPG' would be a domain or workgroup name. You need the entries for each workgroup.

The spacing in the sections with the \ IS critical. There must be exactly 15 characters between the " and the \, padding the extra characters with spaces. If we replace the spaces in the above example with #, it would look like "MPG############\0x1b". Also, make sure you use the correct slash, and the character directly after the slash is the number zero, not the letter O. These entries should come first in your lmhosts.

Now for your bandwidth issues. For what it is worth, the latency problem could be causing your browsing problem as well. Netbios doesn't play well sometimes.

Couple of things to keep in mind with DSL or any other 'high speed' connection. Your ISP (generally) sets two speed caps. One for downstream data (coming to you) and another for upstream data (going away from you). The upstream is generally a fraction of the downstream. This works well for web browsing, as most of the data is downstream. When you start networking, it can cause some problems because if you 'flood' your upstream bandwidth, your downstream will appear to cap at nearly the same time. This is related to how tcp works, and is not a real connection problem. When you download a large amount of data from a host on another DSL connection, you can easily flood its upstream bandwidth and cause some problems.

I haven't been able to determine from your other posts, are you seeing slow pings under normal load, or just when you are transferring large files?

To pin this down a bit better, I would try a different twist on the ping.
Try 'ping -n 30 -l 128 xxx.xxx.xxx.xxx > testfile.txt'
The -n 30 does 30 pings instead of the standard 4, the -l 256 sends a 128 byte ping instead of 32 byte. The > testfile.txt sends the output to a file - you won't see the results on the screen. Use any name you like for testfile.txt, but you will want to do this several times, using a different filename each time, something that will allow you to remember which ping you were doing. You can open the files with notepad, wordpad, etc to view the results.

You will want to run the entire set of pings both under a full load and under normal load. Run it a few times for each situation, changing the -l number to 256, 768, and 1024.

You also need to ping several different places. I would ping at least two hosts on each of your remote networks, and at least one on the local network. Also, ping the address of each of the remote routers -- this should give results for each location bypassing the VPN. Finally ping somewhere else on the internet, yahoo.com is fine. I would also run the tests from one of your other locations, if possible.

As you do the tests, if you see consistent timeouts as you increase the packet size in a particular situation (ie, the 768 packets get through, but the 1024 do not), somewhere along the line the packet size is being limited. Your own MTU values can do this, but there are several places the carrier (your ISP/telco) can change the MTU as well. Often not a lot you can do about it, other than change your MTU accordingly.

You should expect to see slightly higher values pinging through your VPN vs directly to the router, but not significantly higher. If you notice a big difference, something is going wild in one (or more) of your routers.

If you are downloading from one remote, and the results pinging that remote are much higher than when pinging the other remote, that's a good indication that you are flooding your upstream on the remote side. Not a lot you can do about that one, except set up something to throttle back your own bandwidth use or buy more bandwidth. If you get the MTU just right, might help some, but won't solve it completely.

Several other possibilities, but that should give you a start.

One other thing, try a 'tracert xxx.xxx.xxx.xxx > testfile.txt' for each of the situations above. Again, the 'testfile.txt' is any file you choose, and replace the xxx.xxx.xxx.xxx with each of the hosts that you are pinging. This will show you how the traffic is being routed. When you tracert to your remote networks, you should see each of your routers and the remote host with nothing in between. The high values should show up for the remote router. If not, the problem is somewhere on your side. When you tracert to the remote routers, you should see the full path your actual data is taking. If you see consistent high values for one of the hosts along the way, that is where your problem is.

Another of those really long posts, but it is a lot harder to explain what to do than it is to just do it. If you don't understand, post back and we will clarify.
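
The LMHOSTS rules given in this thread (a leading # disables a line, no space inside #PRE, every entry needs a name, exactly 15 characters before the \0x suffix in a quoted name) can be checked mechanically. The following is an added example, not code from any poster: the function name, the 10.0.0.x addresses and the sample file are constructed, and matching keywords case-insensitively is an assumption.

```python
import ipaddress
import re

BLOCK_KEYWORDS = ("#INCLUDE", "#BEGIN_ALTERNATE", "#END_ALTERNATE")
# <ip> <name or "quoted name"> <rest of line>
ENTRY = re.compile(r'^(\S+)(?:\s+("[^"]*"|[^\s#]\S*))?\s*(.*)$')
SPECIAL = re.compile(r'^"([^"\\]*)\\0x[0-9A-Fa-f]{2}"$')
LOOKS_LIKE_IP = re.compile(r"\d+(\.\d+){3}")


def lint_lmhosts(text):
    """Return (line_number, message) for each rule from the thread that is broken."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.upper().startswith(BLOCK_KEYWORDS):
                continue  # keyword line such as #INCLUDE, not a comment
            words = line.lstrip("#").split()
            if words and LOOKS_LIKE_IP.fullmatch(words[0]):
                findings.append((n, "entry is commented out by the leading #"))
            continue
        ip, name, rest = ENTRY.match(line).groups()
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            findings.append((n, f"invalid IP address {ip!r}"))
        if name is None:
            findings.append((n, "no computer name after the IP"))
        else:
            special = SPECIAL.match(name)
            if special and len(special.group(1)) != 15:
                findings.append((n, f"{len(special.group(1))} characters before the "
                                    "backslash, need exactly 15 (pad with spaces)"))
        tokens = rest.split()
        for i, tok in enumerate(tokens):
            if tok.upper() == "#PRE" or tok.upper().startswith("#DOM:"):
                continue
            nxt = tokens[i + 1].upper() if i + 1 < len(tokens) else ""
            if tok == "#" and nxt.startswith(("PRE", "DOM:")):
                findings.append((n, "space after # turns the keyword into a comment"))
            break  # anything else after a # is an ordinary comment
    return findings


# Constructed sample file: lines 1-5 each break one rule, lines 6-8 are valid.
SAMPLE = "\n".join([
    "# 10.0.0.5 HQTEST01",
    "10.0.0.5   HQTEST01   # PRE",
    "10.0.0.999 HQTEST02   #PRE",
    "10.0.0.6",
    r'10.0.0.5   "MPG \0x1b"   #PRE',
    '10.0.0.5   "' + "MPG".ljust(15) + r'\0x1b"   #PRE',
    "10.0.0.5   MPG1   #PRE #DOM:MPG",
    r"#INCLUDE \\10.0.0.5\host_share\lmhosts",
])

if __name__ == "__main__":
    for lineno, message in lint_lmhosts(SAMPLE):
        print(f"line {lineno}: {message}")
```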
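
The ping ladder described above (the same host at several -l sizes, each run redirected to its own file) is easier to compare once the saved outputs are reduced to loss and latency per packet size. This is an added example, not code from any poster: the function names and the embedded ping output are constructed, using the reply format of the Windows ping command and the three times quoted earlier in the thread.

```python
import re
from statistics import mean

# Matches "bytes=128 time=70ms", "time<10ms" and the spaced form quoted in the thread.
REPLY = re.compile(r"bytes=\s*(\d+)\s+time[=<]\s*(\d+)\s*ms", re.I)


def parse_ping(text):
    """Return (list of round-trip times in ms, number of timeouts) for one saved run."""
    times = [int(m.group(2)) for m in REPLY.finditer(text)]
    lost = len(re.findall(r"Request timed out", text, re.I))
    return times, lost


def summarize(runs):
    """runs maps packet size (-l value) to the text of that run's output file."""
    out = {}
    for size in sorted(runs):
        times, lost = parse_ping(runs[size])
        sent = len(times) + lost
        out[size] = {
            "sent": sent,
            "loss_pct": round(100 * lost / sent) if sent else None,
            "min": min(times, default=None),
            "avg": round(mean(times)) if times else None,
            "max": max(times, default=None),
        }
    return out


def size_limit(summary):
    """First size at which every ping is lost although a smaller size got through.

    This is the pattern the post describes as the packet size being limited
    somewhere along the path; returns None if no such step is seen.
    """
    prev_ok = False
    for size, stats in summary.items():
        if stats["loss_pct"] == 100 and prev_ok:
            return size
        prev_ok = stats["loss_pct"] is not None and stats["loss_pct"] < 100
    return None


# Constructed output for three runs against a placeholder host 10.0.0.5.
RUNS = {
    128: ("Reply from 10.0.0.5: bytes=128 time=70ms TTL=126\n"
          "Reply from 10.0.0.5: bytes=128 time=224ms TTL=126\n"
          "Request timed out.\n"
          "Reply from 10.0.0.5: bytes=128 time=994ms TTL=126\n"),
    768: ("Reply from 10.0.0.5: bytes=768 time=90ms TTL=126\n"
          "Reply from 10.0.0.5: bytes=768 time=110ms TTL=126\n"),
    1024: "Request timed out.\n" * 3,
}

if __name__ == "__main__":
    summary = summarize(RUNS)
    for size, stats in summary.items():
        print(size, stats)
    print("all pings lost from size:", size_limit(summary))
```

A wide gap between min and max at a single size, as in the 128-byte run here, indicates load or line trouble rather than a size limit.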
 
Final analysis is we need more bandwidth it looks like trying to send 60 mb over a sdsl connection to a remote server through vpn at bandwidth speeds of 320k on one end and 412k on the other takes about 1hr. and 45 min. plus running client software from mapped drives on the server through this type of setup move at a snail's pace.

We are exploring fiber options now and possibly a T1 solution if anyone has a better idea feel free to post it.

Thanx for all your help mhk. The ping thing is very sporadic basically cause the lines we have are far from the co and it's just a mess with this dsl trying to achieve the bandwidth we need.

Word of advice for anyone working with sdsl and adsl vpns make sure before implementing you can increase your bandwidth. What the ISP's tell you at first and actual results of testing are two different worlds.

You can have a mess on your hands being in a long contract. If you have the option also go with cable service at least you know you can increase bandwidth speed and save yourself hair loss.

Pizzaman
 