Server 2003 VPN clients lock out entire network!

Catrinisin (IS-IT--Management), US, May 9, 2005
Server 2003 Enterprise, 2 NICs. NIC1 is connected directly to the internet via T1 (72.x.x.x); NIC2 is connected to the local LAN (10.x.x.x).

Routing and Remote Access is enabled for NAT, VPN and Basic Firewall.

When VPN clients connect to the server from the internet, all LAN traffic loses connection with the server. Clients on the local LAN cannot ping the server, the server cannot ping clients, etc. This only happens sometimes, as VPN clients will sometimes connect fine and everything is still good. The only way to "release" the network is to manually disconnect the VPN client from within the Routing and Remote Access MMC. (Disconnecting the VPN client from the client side does not help; the connection still shows as connected on the server when this happens.)

Am I missing something obvious? Static routes? I have gone through the wizard using all combinations of settings possible.

Has anyone seen this type of issue?

Thanks
 
Any chance of putting the VPN and LAN on different servers? Sounds like an overload issue.
 
I have thought about this, but not for load. This server is currently not in production and is not overloaded.

I guess I can try putting it on another server and see what happens. Something else I noticed: when I am able to log into the VPN from the internet, it seems that only NetBIOS names are being resolved by the remote network and not DNS names. When I ping or nslookup a fully qualified name on the network, I am returned the external IP of the RAS server.

For example:
ping computername returns 10.x.x.x (this is the correct IP)
ping computername.domain.com returns 72.x.x.x

In the VPN client, I have verified that the "Use default gateway on remote network" option is selected.

This is an issue for me because users cannot configure Outlook to connect to the Exchange server as it only allows the use of the fully qualified name.

 
So, question: is "computername.domain.com" a real domain entry? As in, can you normally ping that without needing a VPN? If so, you may need to do an "ipconfig /flushdns" to remove the old entry to contact the new one.

However, this sounds like a DNS issue.

Computer/Network Technician
CCNA
 
To answer your question, domain.com is a real domain, and computername.domain.com is a computer in the root domain on the local LAN.

Yes, if I ping domain.com without the VPN it does reply with 72.x.x.x, which I would expect.

I know this seems like a DNS issue, but ipconfig /flushdns does not help. It still returns 72.x.x.x.
This is sometimes not an issue. Sometimes the VPN will connect and I can ping computername.domain.com and it will return the correct IP of 10.x.x.x.

I was under the impression that the VPN client would use the DNS server on the remote network, is this not the case?

 
On the VPN connection, do you have any DNS entries? Can you post an ipconfig /all when you are connected via VPN?


Also run a tracert using the hostname and see if the resolution from hostname to the correct IP address takes place.
 
Yes, there are DNS entries on the VPN client.
Here is an ipconfig /all of the VPN connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.10.151
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 10.10.10.151
DNS Servers . . . . . . . . . . . : 10.10.10.1
10.10.10.3
Primary WINS Server . . . . . . . : 10.10.10.3

The local network is 192.168.0.x. As you can see, the above DNS entries are correct.

A tracert does NOT resolve to the correct hostname.
It resolves as if it is querying the 192.168.0.1 DNS server.
I tried setting Remote Connections to the top of the binding order, this did not help.
 
Yes, this is the correct DNS server.

I think this has something to do with the fact that the domain exists both externally as their website, and internally as the internal domain name.

Has anyone setup a VPN in this scenario?
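The check the thread is doing by hand (does the answer for computername.domain.com come from the LAN DNS server or from the public zone?) can be made explicit by asking each server directly instead of going through the OS resolver. The following is an added example, not code from the thread or from Windows; it builds a raw DNS A query with only the Python standard library, parses the A records out of the reply, and classifies each server's answer as internal (RFC 1918) or external. The sample responses, the server address 198.51.100.53 and the addresses 10.10.10.5 and 198.51.100.10 are constructed stand-ins for the thread's 10.x.x.x and 72.x.x.x; the only address taken from the thread is the LAN DNS server 10.10.10.1.

```python
"""Ask individual DNS servers for an A record and compare their views.

Added example for the split-brain DNS situation in the thread: the same name
(computername.domain.com) resolves to 10.x.x.x on the LAN DNS server and to
the public 72.x.x.x everywhere else, so which server the client actually asks
decides what it gets. Standard library only; sample data is constructed.
"""
import ipaddress
import socket
import struct

DNS_PORT = 53
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def encode_name(name):
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(struct.pack("!B", len(lbl)) + lbl for lbl in labels) + b"\x00"


def build_query(name, txn_id=0x1234):
    """Minimal A/IN query: header with RD set, one question, no other sections."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(name, addrs, txn_id=0x1234, ttl=300):
    """Construct a response as a server would send it. Used only to make
    offline sample data here; a real server's reply has the same layout."""
    header = struct.pack("!HHHHHH", txn_id, 0x8180, 1, len(addrs), 0, 0)  # QR|RD|RA
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answers = b""
    for addr in addrs:
        # 0xC00C is a compression pointer back to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(addr)
    return header + question + answers


def _skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_a_records(msg, txn_id=0x1234):
    """Return the IPv4 addresses in the answer section of a DNS response."""
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txn_id:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(msg, offset) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, class IN
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def query(server, name, timeout=2.0):
    """Send the query to one server over UDP and return its A records (network call)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, DNS_PORT))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    return parse_a_records(data)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def classify(addrs):
    """'internal' if every answer is RFC 1918 space, 'external' if none is."""
    if not addrs:
        return "none"
    private = [is_rfc1918(a) for a in addrs]
    if all(private):
        return "internal"
    return "external" if not any(private) else "mixed"


def compare_servers(name, servers, lookup=query):
    """Ask each server for `name`; `lookup` is injectable so this runs offline."""
    report = {}
    for server in servers:
        try:
            addrs = lookup(server, name)
        except (OSError, ValueError) as exc:
            report[server] = ("error", str(exc))
            continue
        report[server] = (classify(addrs), addrs)
    return report


if __name__ == "__main__":
    # Constructed sample: the LAN DNS server from the ipconfig output holds the
    # internal zone; a hypothetical public resolver sees only the website record.
    NAME = "computername.domain.com"
    canned = {
        "10.10.10.1": build_response(NAME, ["10.10.10.5"]),
        "198.51.100.53": build_response(NAME, ["198.51.100.10"]),
    }
    for server, result in compare_servers(
            NAME, list(canned), lookup=lambda s, n: parse_a_records(canned[s])).items():
        print(server, result)
    # Live use from a connected VPN client: compare_servers(NAME, ["10.10.10.1", "8.8.8.8"])
```

Run live from a connected VPN client, a report that shows the LAN server answering "internal" while the default resolver path gives "external" confirms the resolver is choosing the wrong server for the query rather than the LAN zone being wrong; if 10.10.10.1 itself returns the public address, the internal zone is missing the host record.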
 
What are you using as routers, or is everything on the server?
 
There is a separate Win 2003 server running Routing and Remote Access that is acting as the router/firewall. The PPTP port (1723) has been forwarded to the RAS server.

Note: I have also tried using the router server as the RAS server with the same result.
 