
VPN is UP but... no DNS, no see hosts on server lan, no PING 2

Status
Not open for further replies.

chaswilcox

Technical User
Feb 10, 2003
14
US
OK- learning is happening in my dull brain, but since I am VPN virginal, I turn to your expertise to help. We have been able to make the VPN connection work, so I can connect, I can access the shares on the server's drives, and my Outlook connects with the Exchange server.
When I try to see the other hosts in the MS domain, I don't even see the domain.
Apparently DNS doesn't resolve either, since I can use http if I use the IP address, but not using the domain name...

The server is a Win2000 server, the client is win2000 too.

network wise it is like this:
client box(192.168.2.x)->(192.168.2.1)befw11s4(dhcp-from)->Roadrunner(cableISP)->inet->serverISP(public IP)->zyxel652(192.168.1.1)->switch->(192.168.101.x=vpn interface, 192.168.1.200 = NIC IP)vpnserver

My thought is that there is something in the win2k server ISA settings, or the lack of a routing entry, that is keeping DNS from happening, but this is purely speculative. I am a routing table newbie.

suggestions?
TIA
chas
 
A correction
Of course it is not that there is no ping, as mhkwood rightly points out, but that it behaves in unexpected ways and I am unable to reach hosts I think I should.
with ping:
using a domain name-
C:\>ping lightlink.com
Unknown host lightlink.com.
using private IP NIC in w2kserver - vpn server -
C:\>ping 192.168.1.200

Pinging 192.168.1.200 with 32 bytes of data:

Reply from 192.168.1.200: bytes=32 time=30ms TTL=128
Reply from 192.168.1.200: bytes=32 time=100ms TTL=128
Reply from 192.168.1.200: bytes=32 time=20ms TTL=128
Reply from 192.168.1.200: bytes=32 time=20ms TTL=128

using ip address of gateway on server lan
C:\>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss)
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

using IP of vpn interface IP addresses assigned in routing & remote access properties box
C:\>ping 192.168.101.1

Pinging 192.168.101.1 with 32 bytes of data:

Reply from 192.168.101.1: bytes=32 time=120ms TTL=128
Reply from 192.168.101.1: bytes=32 time=20ms TTL=128
Reply from 192.168.101.1: bytes=32 time=30ms TTL=128
Reply from 192.168.101.1: bytes=32 time=20ms TTL=128

Ping statistics for 192.168.101.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 20ms, Maximum = 120ms, Average = 47ms

Hope this helps with insight
 
Start with checking your network settings. Bring the VPN up, in a command window on the client type 'ipconfig /all'. The info listed for PPP adapter will be the VPN settings. In particular, is your DNS server configured? Check the properties for the VPN (Networking --> TCP/IP --> Settings.

Being unable to reach hosts on the remote network is a routing issue. To add the route, in a command window type 'ROUTE ADD 192.168.1.0 MASK 255.255.255.0 192.168.101.1' and try the tests again. If it works, tack a ' -P' to the end of the route command and run it again -- makes it persistent. I think I pulled the IPs out of your post correctly; the first should be the network address of your server side LAN and the second should be the VPN IP. 'ROUTE HELP' gives some info about the route command. You may need to add a route on the server side back to the client.

If that doesn't help, try 'tracert xxx.xxx.xxx.xxx' with different IPs on the server network, including the DNS server. Looks like you've read enough to know the drill.

Good luck!



 
OK-
tried a couple of things and have some more info for you:
the vpn client's DNS servers are set for the server's ISP's DNS (168.100.1.9 and .3) in ipconfig /all
I can ping these addresses, but I do not have DNS working. Could this be an ISA firewall issue?

Forgive my routing newbieness-
I do not know what the settings to "add the route on the serverside back to the client" should be; could you supply a bit more guidance here?

Thanks
-C


 
Easy part first. You shouldn't have to add the route on the server side if you're running RIP. If you do need to add the route, click Start --> Programs --> Administrative Tools --> Routing and Remote Access. Double-click IP Routing --> right-click Static Routes --> New Static Route. Destination 192.168.2.0, Mask 255.255.255.0, Gateway would be the client VPN IP.

ISA may give you some problems, but I don't think you're there yet.

Now, I'm still a bit lost. You have stated that DNS doesn't work. Looks like you have all of your DNS settings pointing to public internet DNS servers. Are you able to resolve public names, such as yahoo.com? Try 'nslookup yahoo.com'. Keep in mind that a public DNS server will never resolve your private network. You will need some other method of resolving these names, either a private DNS or WINS server on your network, or a hosts file on the client.
 
I read your suggestion with such hopes, and dagone it, now MS has dashed them again. I added the routes, but had no more positive results.

From the client, online and authenticated, I am able to ping the private IP addresses assigned by the server's DHCP (192.168.1.2-198).
I can ping either of the IPs associated with the server
(192.168.1.200 and 192.168.101.1).
I get the following fails when I try to ping the default gateway or our ISP's nameserver, both of which are reachable from the server itself.

C:\>ping 192.168.1.1
Pinging 192.168.1.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% lo
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms


C:\>ping 168.100.1.9
Pinging 168.100.1.9 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 168.100.1.9:
Packets: Sent = 4, Received = 0, Lost = 4 (100%
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

I do realize that DNS will not function for the private network using the public DNS servers, but apparently my packets are not reaching them in the first place (see ping above, and nslookup results below).

C:\>nslookup yahoo.com
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 24.29.99.28: Timed out
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 24.29.99.82: Timed out
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 24.29.99.81: Timed out
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 168.100.1.3: Timed out
DNS request timed out.
timeout was 2 seconds.
*** Can't find server name for address 168.100.1.9: Timed out
*** Default servers are not available
Server: UnKnown
Address: 24.29.99.28

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

So I am confused. Still, I am thinking that there must be a filtering issue and/or a routing issue. Some info as a shot in the dark: ipconfig results for the PPP adapter on the server side:
PPP adapter RAS Server (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP
Physical Address. . . . . . . . . : 00-53-45-00-0
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.101.1
Subnet Mask . . . . . . . . . . . : 255.255.255.2
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 127.0.0.1

Any ideas as to what to look at next? I am sooooo frustrated!!!!!!!!!
thanks for your help!
-C

 
We have a winner!!!!:) ;) 8)
here are the issues that were stopping us:
1- ISA configuration- packet filters not correct
2- VPN not in same subnet as LAN.
3- Outside firewall- vpn subnet ip addresses not NATed.

1- This is what was keeping us from pinging the gateway (192.168.1.1) successfully. We fixed it by uninstalling ISA (since the server is behind a firewall already, there was little risk); this simplified the problem set.
This allowed us to know that all packets on the VPN interface were available to be routed. We will now reinstall ISA after thinking through all of the protocols and appropriate tests for the protocols that we want to have opened.

2- Contrary to my previous understanding (but based on reading MS documentation), the VPN subnet does not need to be a different subnet from the LAN side of the server. By setting the VPN IP pool to be 192.168.1.203+ and the LAN DHCP pool to 192.168.3-198, both sets are in the same subnet, and so, without additional WINS servers, lmhosts etc., we can see and browse the network just dandy.

3- When I originally configured the DSL firewall/router, I had limited the range of LAN private IP addresses that would be forwarded to the internet to the DHCP pool. This meant that any of the VPN IP pools we tried were not allowed to send packets past the gateway, hence not able to reach public DNS, or browse www. I opened the NAT table up to allow the VPN subnet addresses to pass, and problem solved.

Thanks to mhkwood for his help.
Hope this is informative to others
-C
 
Thanks to chaswilcox, whose suggestions in _this_
thread, specifically advice to try "ipconfig /all",
led me to find my PCMCIA ethernet card "standing in the way" of achieving ping/data throughput through my ssh-sentinel enabled VPN to my befsx-41. :)

(My own thread /w two or three replies can be found via
handle search on vpncnfg)

And kudos to the community here -- it works!

vpncnfg

PS -- this /msg uploaded via vpn :)
 
2- Contrary to my previous understanding (but based on reading MS documentation), the VPN subnet does not need to be a different subnet from the LAN side of the server. By setting the VPN IP pool to be 192.168.1.203+ and the LAN DHCP pool to 192.168.3-198, both sets are in the same subnet, and so, without additional WINS servers, lmhosts etc., we can see and browse the network just dandy.

Be aware that this is what I like to call a feature bug. Technically, even if the addresses appear to be in the same subnet, they are not really, as the VPN IPs have a /32 subnet mask -- they aren't really part of any network, they are 'endpoints'. The behavior you are seeing is nice, but it is not consistent. It seems to vary even between service packs within the same version of Windows. No pattern at all. I usually go with the documented method as a failsafe.

Moral of the story is if you upgrade (or even apply one of those pesky security patches MS is so good about) and things stop working, this is where you look, or at least start.
 
There I go thinkin' I had a clue. Thanks for clarifying- The VPN help files in 2000 server do not make this point clear at all. Can you point me at better docs?

I will reconfigure tomorrow. Will I need to set up the server as a wins server on the VPN "subnet" in order to keep being able to "see" the network/host names?
Thanks
-C
 
I haven't been able to find the docs from Microsoft since they started restructuring the KB. Lot of good stuff seems to be lost in transition.

For what it's worth, the 'proper' behavior is dictated by RFC1812 (175 pages of stimulating reading |-I

WINS server is your best bet for long term consistency.
 
I am throwing myself on your mercy here!!

I need a coherent troubleshooting process here, and I do not know enough about what I am doing to know how to identify the error(s).

I am able to connect and authenticate here; I can map drives on the server. I can NOT ping the server's LAN gateway, or any public IP address. I get:
C:\>ping 192.168.13.1
pinging 192.168.13.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.13.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Oddly, I can ping 192.168.13.2 (which is a wireless AP/switch on the server's LAN) but not any other host on that network except for the server- 192.168.1.200

I have configured things so that my setup is:
CLIENT- LAN 192.168.2.0
Client(W2k) Lan side IP- DHCP assigned 192.168.2.100
through linksys befw11s4 & Cable modem (road runner) through internet to
168.###.###.###
Server side DSL router/firewall zyxel652 (192.168.13.1)
SERVER- LAN 192.168.13.0
Server (w2k small biz server) 192.168.13.200 provides static pool for VPN (192.168.23.203-192.168.23.243) so internal interface of VPN is 192.168.23.203
server also provides DHCP for LAN addresses 192.168.13.3-192.168.13.198
DNS servers for server and DHCP are our ISP's public DNS servers 168.100.1.9 and the local 192.168.13.200

I added the following routes:
>ROUTE ADD 192.168.13.0 MASK 255.255.255.192 192.168.23.203
and
>ROUTE ADD 192.168.23.0 MASK 255.255.255.255 192.168.13.200
(probably these are wrong, as it didn't help)

Lastly, as food for thought, here is the ipconfig /all for the server PPP/VPN:

PPP adapter RAS Server (Dial In) Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.23.203
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 127.0.0.1


and here is the ipconfig /all for the Client :
PPP adapter CS VPN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.23.204
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 192.168.23.204
DNS Servers . . . . . . . . . . . : 168.100.1.9
168.100.1.3


In short, I am just about exactly back where I started. My thoughts are that maybe I need to add a route to my gateway/router/firewall (192.168.13.1), though I don't know what it would be.
And that I do not have the correct routes for the server's static routes I added.

Please help!!
TIA
-C
-
 
Hiya,

had a similar problem. It turned out that the client and the server were both using the same network address, in this case it was 192.168.0.0 on both sides. When the client was looking for the server on its IP address 192.168.0.69 it was looking for it on its local subnet and not going over the VPN connection.

I fixed it by changing the route to force the client to look for that IP address over the internet connection..

"route change 192.168.0.69 mask 255.255.255.255 192.168.0.28 METRIC 1"

This worked allowing me to ping the client from the server and the client could now also ping the server.

Adding the route did not work as the route was already there, so I had to use change.

coco
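An added example, not code from this thread: a small Python model of the Windows route-table lookup behind mhkwood's ROUTE ADD advice, his point that VPN addresses are /32 endpoints, and coco's 'route change'. Longest prefix wins, so a host route toward the tunnel beats the local /24 when both ends use 192.168.0.0; the same lookup shows which server-LAN hosts chaswilcox's ROUTE ADD with MASK 255.255.255.192 covers. The tables are constructed from addresses in the thread; the interface IPs 192.168.0.1 and 192.168.0.5 on coco's side are assumed.

```python
import ipaddress

def add_route(table, net, gateway, metric=1):
    """Mirror Windows 'route add': refuse if that destination/mask is already present."""
    network = ipaddress.ip_network(net, strict=False)
    if any(n == network for n, _, _ in table):
        raise ValueError(f"route to {network} already exists; use change_route")
    table.append((network, gateway, metric))

def change_route(table, net, gateway, metric=1):
    """Mirror 'route change': swap the gateway/metric of an existing entry."""
    network = ipaddress.ip_network(net, strict=False)
    for i, (n, _, _) in enumerate(table):
        if n == network:
            table[i] = (network, gateway, metric)
            return
    raise ValueError(f"no route to {network}; use add_route")

def select_route(table, dest):
    """Longest-prefix match, lowest metric on ties; returns (network, gateway) or None."""
    addr = ipaddress.ip_address(dest)
    hits = [r for r in table if addr in r[0]]
    if not hits:
        return None
    network, gateway, _ = max(hits, key=lambda r: (r[0].prefixlen, -r[2]))
    return str(network), gateway

def coco_client_table():
    """Constructed client table for coco's case: 192.168.0.0/24 in use on both ends."""
    table = []
    add_route(table, "0.0.0.0/0", "192.168.0.1")         # default via the local router (assumed IP)
    add_route(table, "192.168.0.0/24", "192.168.0.5")    # local LAN out the client NIC (assumed IP)
    add_route(table, "192.168.0.28/32", "192.168.0.28")  # /32 endpoint of the PPP adapter
    return table

def chas_client_table():
    """Constructed table for chaswilcox's reconfigured setup with his first ROUTE ADD applied."""
    table = []
    add_route(table, "0.0.0.0/0", "192.168.2.1")
    add_route(table, "192.168.2.0/24", "192.168.2.100")
    add_route(table, "192.168.23.204/32", "192.168.23.204")
    add_route(table, "192.168.13.0/26", "192.168.23.203")  # MASK 255.255.255.192 is a /26
    return table

if __name__ == "__main__":
    t = coco_client_table()
    print("before:", select_route(t, "192.168.0.69"))  # the local /24 wins: traffic stays on the LAN
    add_route(t, "192.168.0.69/32", "192.168.0.28")     # coco's host route toward the tunnel
    print("after: ", select_route(t, "192.168.0.69"))  # the /32 now wins: traffic goes via the VPN
```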
 