SSH Sentinel to BEFVP41--can't map drives

[ranzo]

Can anyone tell me why I wouldn't be able to map a drive using the \\ipaddress\sharename method? I have Sentinel set up and the VPN connection seemingly working. I can ping the server's LAN ip address I'm trying to get to, but I can't map a share.

markku, I'm looking your way; you seem to be an expert on this setup.

???

 

[ChicagoTechNet]

what do you get if using net view \\serverip? if you get error 53, this is connection issue; if it is error 5, this is name resolution issue. For more tips or information, go to

http://www25.brinkster.com/ChicagoTech

Robert Lin, MS-MVP, MCSE & CNE
Windows, Network and How to at

http://www25.brinkster.com/ChicagoTech

 

[markku]

What OS, do you have necessary user/password-rights in your server. Do the workgroups match?

 

[ranzo]

Hi guys, thanks so much for your help so far...

When I type net view \\serverip\share I get error 123.

When I type net view \\serverip I get error 51.

When I type net use \\serverip or \\serverip\share I get error 53.

Client is WinXP Pro, server is WinNT 4 SP6a. Username, password, and workgroup settings are all the same as the NT server. In the office, I get on flawlessly, so this leads me to think the server's set up correctly. On the road, well, you see where I am with that--ping works but nothing else.

???

 

[ChicagoTechNet]

all errors tell me that is connectivty or name resolution issue. quoted from go to

http://www25.brinkster.com/ChicagoTech

Unable to browse through PPTP/VPN connection
Symptoms: 1. If the WINS server is on the same computer as the PPTP/VPN server, and you attempt to connect to a computer using a PPTP/VPN client, you may experience following problem: 1) The NetBIOS name of the computer to which you are attempting to connect is not resolved. 2) You may receive an error message similar to the following error message: "System error 53 has occurred. The network path was not found" when using net view or opening Network Knighthood.
2. If the WINS server is not on the same computer as the PPTP server and you attempt to connect to a computer using a PPTP client, you may be able to connect to computers on your local area network (LAN), but you may be unable to connect to network shares or resources on the PPTP server.
Resolutions: Inability to browse often means the client can't resolve NetBIOS names.
1. If this is a workgroup network, enable NetBIOS over TCP/IP on the server and clients.
2. If this is domain network and the WINS server is on the same computer as the PPTP/VPN server, move the WINS server to a different computer.
3. Add the NetBEUI protocol for your PPTP tunnel instead of, or in addition to, TCP/IP.
4. By default, most routers and firewalls prevent the transmission of NetBIOS names unless you enable UDP ports 137 and 138 and TCP port 139. Try to enable UDP ports 137 and 138 and TCP port 139 across all routers and firewalls between the PPTP/VPN client and PPTP/VPN server.
5. Make sure the client has correct DNS, WINS and Master Browser settings.
6. Make sure the default gateway points to the remote network rather than to the ISP.
7. Some ISP might block ports required for NetBIOS name broadcasts.
8. If WINS address is not distributed upon connection to VPN, LMHOSTS should be configured to enable Domain to be located.
9. If you try these techniques and the client still can't browse, try to use UNC to connect to the remote resources by ip, for example, use the net use h: \\serverip\sharename command.


Robert Lin, MS-MVP, MCSE & CNE
Windows, Network and How to at

http://www25.brinkster.com/ChicagoTech

 

[nuxguru]

If you can ping the server via IP address and not name, then NetBIOS is not resolving name to IP address correctly.

I am not to farmiliar to Sentinel, but if you add a line to c:\winnt\system32\drivers\etc\lmhosts file for your server (you can look at a sample file for referece which is lmohosts.sam already in that directory), it should resolve it.

Once you can resolve the server name, you may map the drive...

 

[ranzo]

Well, for good measure, I added the server to my HOSTS file. Same errors. The name is resolving, cause I can now ping using the server name, but still unable to mount a share.

Forgive me for being presumptuous, but I feel like NETBIOS is not the issue. First of all, from what I've read, SSH Sentinel does not allow for NETBIOS connections. So that is why, as markku suggested, I've been trying to connect directly to TCP/IP address. Shouldn't I be able to connect to \\serverip\share, regardless of NETBIOS name resolution issues?

What am I missing?

 

[ranzo]

BTW, blin2000, this VPN connection is IPSEC, not PPTP, so I'm not sure how much of your post is relevant. Nor does the VPN connection pass through; the router and the VPN server are one in the same. As far as enabling ports 137-139 goes, the only thing I can do is have those ports forwarded to a specific IP address on the LAN; just for good measure I had those ports forwarded to my server's LAN IP address--same exact errors.

???

 

[John Lewis]

Keep in mind that a virtual private network also has a virtual private network adapter associated with it (on both ends).

The fact that you are able to connect at work indicates that the appropriate OS components are configured for the physical device, however it is still possible (and sounds quite likely, imho) that some components are missing from the virtual adapter. A positive ping generally eliminates connection/routing issues. Using the ip to connect removes name resolution from the picture. Firewall issues are still possible, but it doesn't sound like you messed with that on the VPN side, so I would start looking somewhere else first. Oh -- on that note, remove the forwarding of ports 137-139. Someone will figure that out sooner than later and start poking around. Never a good idea to leave those open, and won't help you here anyway.

Check on both sides (I would bet server is the problem) to make sure that File and Printer Sharing and or client for ms windows is installed and enabled on the VPN connection.

 

[ranzo]

Thanks for the suggestion, mhkwood. I did turn off those ports; already noticed some snooping!

I'm confused now, cause I didn't think any virtual adapters were necessary in this case. Why do I need a virtual adapter on the file server, if the VPN server is handled by the router? I assume that any kind of proprietary adapter would be taken care of in the VPN router's firmware, and that the internal network (including the file server I'm trying to get at) wouldn't need such tinkering.

BTW, we have 3 of these BEFVP41's in different offices, and all the interoffice connectivity is fine (without virtual adapters set up on any machines for VPN). Maybe it's different now, since I'm connecting from a laptop client on the road?

The only thing I can think of is that SSH Sentinel (I guess this in itself is a virtual network adaptor, right?) has to be configured for MS File Sharing, but I've no idea how to do that.

arrgghhh.

 

[John Lewis]

Oooooops! Reading too many threads when I should be sleeping. Tend to run together.

You are correct on the server side, the router takes care of that. On the client side . . . I hate Sentinel . . . the Sentinel installation should take care of itself.

Having re-thought this issue, I have a new theory. Let's see just where that ping is going -- you still get a good reply on ping, right? (If not, post the error, not just that it doesn't work.) Try 'tracert xxx.xxx.xxx.xxx' replacing the xxx.xxx.xxx.xxx with the ip of your server. Be patient.

You should see only a couple of your ip addresses (the ones that your router uses for vpn connections and the address of server), not several public ip addresses.

Also, versions of Sentinel prior to 1.3 do not like XP. If I remember right, some will install, but will act stupid.

I will read again and post back if anything else comes to mind.

 

[ranzo]

OK, I'm at work now, will try the tracert thing later, and post back. Can't believe I didn't think of that. But here's an interesting note, as well. When I did a route print last night, the IP address schema of the remote (office, 10.10.10.x) network was not listed. I tried doing route add, and it gave me an error like "couldn't add route b/c the destination is not on the same subnet." Is this relevant? Like I said, I can still ping all computers on that network; I can even use http connections to that network.

I have version 1.3.2 of Sentinel.

About ready to buy a Snapgear router, I've heard good things, plus I can do PPTP directly to it so we won't need to screw with Sentinel. Anybody have experience with that?

 

[ranzo]

tracert 10.10.10.10

Tracing route to Server [10.10.10.10]
over a maximum of 30 hops:

1 354 ms 347 ms 353 ms Server [10.10.10.10]

Trace complete.


I've no idea whether this is normal over a VPN. Out of curiosity, are there any particular services/protocols that need to be on the NT server for this to work? Perhaps I'm missing something that doesn't hinder local connections, but over VPN it does. I keep thinking it's got to be NetBIOS related, but not sure how.

 

[markku]

Hi Ranzo,

Your VPN-tunnel seems to work perfectly. Sentinel will create necessary virtual adapter and routing automatically. Routing is not visible to the user. In NT-server nothing needs to be done, except give users permission to access server locally.

No SW-firewall in NT.

The logs in Linky and NT are clean?

You did follow instructions in SSH site 100%, no tweaking?

Is there any other service in NT which you can test, like ftp, IIS or terminal server.

Seems like user permission problem, check NT-logs.