[isalist] Re: Strange Issue while using VPN

  • From: "Tom Rogers" <trogers@xxxxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 5 May 2010 09:58:26 -0400

http://www.ISAserver.org
-------------------------------------------------------

On my External NIC on the ISA box, I have my static IP info set and a default 
gateway. But I have nothing in the DNS IP settings. Should I have DNS addrs in 
there? If so, internal or external from ISP? My DNS setup is a reverse lookup 
on ISA.

What I have done to solve the issue is to manually put the private DNS Server 
IP addresses in the Wireless NIC DNS settings, while leaving the client IP to 
DHCP and this fixes the issue. I just don't understand why there is an issue 
because DHCP runs on my ISA server, and I have VPN clients obtain the DHCP info 
from the LAN, and not from a static group set in ISA. And in the DHCP config, I 
have DNS server, WINS server, domain name, etc set under scope options.

I have not tried it with a Win 7 client yet. And as I said, it only happens 
with computers that are members of our domain.

Glad to know I am not alone in experiencing this.

-Tom


> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Steven Comeau
> Sent: Wednesday, May 05, 2010 9:43 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Strange Issue while using VPN
> 
> I was hesitant to bring this up before, but now that you corrected what
> you said about the direct IP ping, maybe this might help.  We used to get
> the issue you describe because we use split brain DNS.  Some of our
> resources resolve to both Public and Private IP addresses, depending upon
> whether the user is in Private or Public space.  When inside (Private
> Address Space), machines can ping our servers (like Exchange) and get the
> internal, private IP address (192.168.X.X).  However, if connected at home
> or to a café, etc., they get the Public IP (at the ISA box).  This is by
> design.  However, when they VPN in, this is where the issue happens, and
> it mostly happens with Windows XP machines (the issue is fixed in Win 7
> from what I can see).  When you VPN in, it would be nice if the WAN/VPN
> adapter's DNS settings would be primary, but that doesn't always happen.
> So, when VPNed in, and say I am at home, and I try to ping our Exchange
> server, the reply resolves to the external IP address of our ISA box -
> this is because the DNS of the home system is primary and is therefore
> getting its resolution from external DNS.  However, if I ping the
> Exchange server's Private space address, it pings back fine.  Again, this
> only happens with XP machines.  With Win 7 boxes, they seem to have solved
> the issue and make the WAN/VPN adapter the primary DNS when VPNed in.  To
> solve the issue on our XP boxes, we run a script that puts the WAN adapter
> at the top of the list so when a user VPNs in, the DNS from the WAN
> adapter, which has our Private address DNS server addresses from DHCP, is
> used to resolve IP addresses - and all is fine.
> 
> You can test this by manually changing the DNS settings of the VPN adapter
> to your internal DNS server(s).
> 
> If this solves your issue, I can pass along the script.
> 
> Steve Comeau
> Associate Director of IT  Rutgers Athletics
> 83 Rockafeller Road
> Piscataway, NJ  08854
> 732-445-7802
> 732-445-4623 (fax)
> www.scarletknights.com
> 
> 
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Tom Rogers
> Sent: Wednesday, May 05, 2010 9:23 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Strange Issue while using VPN
> 
> Ok, did some more testing and here is what I found. Jim you are correct,
> my first statement was wrong "ping 192.168.1.2 should return packets from
> 192.168.1.2 not an IP addr that belongs to TuCows domain"
> 
> When I ping 192.168.1.2 I *DO* get packets returned from 192.168.1.2
> 
> When I ping *ANY* host_name on my internal LAN while VPN'd in, I get
> this...
> FROM HOME NETWORK (VERIZON FiOS)
> 
> PING NT1
> 
> Pinging NT1.COMPANYNAME.NET [64.99.80.30] with 32 bytes of data:
> Reply from 64.99.80.30: bytes=32 time=77ms TTL=117
> Reply from 64.99.80.30: bytes=32 time=75ms TTL=117
> Reply from 64.99.80.30: bytes=32 time=75ms TTL=117
> Reply from 64.99.80.30: bytes=32 time=75ms TTL=117
> 
> Ping statistics for 64.99.80.30:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 75ms, Maximum = 77ms, Average = 75ms
> 
> [Should return packets from 192.168.1.2]
> 
> 
> PING EXCHANGE
> 
> Pinging exchange.COMPANYNAME.NET [64.99.80.30] with 32 bytes of data:
> Reply from 64.99.80.30: bytes=32 time=76ms TTL=117
> Reply from 64.99.80.30: bytes=32 time=76ms TTL=117
> Reply from 64.99.80.30: bytes=32 time=77ms TTL=117
> Reply from 64.99.80.30: bytes=32 time=76ms TTL=117
> 
> Ping statistics for 64.99.80.30:
>     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
> Approximate round trip times in milli-seconds:
>     Minimum = 76ms, Maximum = 77ms, Average = 76ms
> 
> [Should return packets from 192.168.1.5]
> 
> 
> I have captured a ping with Network Monitor 3.3. What should I look for? I
> do not see the 64.99.80.30 IP addr anywhere in the capture. Prolly not
> safe to post the capture on this list, should I email it to you privately
> Jim?
> 
> Again, this only happens on a laptop that is part of my domain. Any
> computer that is not part of my domain does not have this issue.
> 
> I have not tested my laptop in another location yet, only from my home
> FiOS config.
> 
> -Tom Rogers
> 
> 
> 
> 
> 
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Tuesday, May 04, 2010 5:33 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Strange Issue while using VPN
> >
> > If Tom agrees, I plan all manner of testing; all to be done under the
> > watchful eye of Network Monitor.
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Steven Comeau
> > Sent: Tuesday, May 04, 2010 13:32
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Strange Issue while using VPN
> >
> > Have you tried a tracert to the IP address?
> >
> > Steve Comeau
> > Associate Director of IT  Rutgers Athletics
> > 83 Rockafeller Road
> > Piscataway, NJ  08854
> > 732-445-7802
> > 732-445-4623 (fax)
> > www.scarletknights.com
> >
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Jim Harrison
> > Sent: Tuesday, May 04, 2010 3:56 PM
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Strange Issue while using VPN
> >
> > The first statement makes no sense at all..?
> > "ping 192.168.1.2 " should return packets from 192.168.1.2; not " an IP addr
> > that belongs to TuCows domain ".
> >
> > This happens no matter where the VPN client is located?
> > Wanna do some deeper testing offline and report back with our findings?
> >
> >
> > -----Original Message-----
> > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > On Behalf Of Tom Rogers
> > Sent: Tuesday, May 04, 2010 07:58
> > To: isalist@xxxxxxxxxxxxx
> > Subject: [isalist] Re: Strange Issue while using VPN
> >
> > When I do a "ping 192.168.1.2" for my primary DC/DNS server I see returned
> > not 192.168.1.2 but an IP addr that belongs to TuCows domain.
> >
> > When I do a "ping NT1" (server name - which should be 192.168.1.2) for my
> > primary DC/DNS server I see returned not 192.168.1.2 but an IP addr that
> > belongs to TuCows domain.
> >
> > Here is the IPCONFIG/ALL from the affected laptop when connected to VPN...
> >
> > Windows IP Configuration
> >         Host Name . . . . . . . . . . . . : SPWS119
> >         Primary Dns Suffix  . . . . . . . : COMPANYNAME.NET
> >         Node Type . . . . . . . . . . . . : Hybrid
> >         IP Routing Enabled. . . . . . . . : No
> >         WINS Proxy Enabled. . . . . . . . : No
> >         DNS Suffix Search List. . . . . . : COMPANYNAME.NET
> >                                             home
> >
> > Ethernet adapter LAN:
> >         Media State . . . . . . . . . . . : Media disconnected
> >         Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
> >         Physical Address. . . . . . . . . : 00-1D-09-AF-XX-XX
> >
> > Ethernet adapter WLAN:
> >         Connection-specific DNS Suffix  . : home
> >         Description . . . . . . . . . . . : Dell Wireless 1390 WLAN Mini-Card
> >         Physical Address. . . . . . . . . : 00-1B-FC-D1-XX-XX
> >         Dhcp Enabled. . . . . . . . . . . : Yes
> >         Autoconfiguration Enabled . . . . : Yes
> >         IP Address. . . . . . . . . . . . : 192.168.7.102
> >         Subnet Mask . . . . . . . . . . . : 255.255.255.0
> >         Default Gateway . . . . . . . . . : 192.168.7.1
> >         DHCP Server . . . . . . . . . . . : 192.168.7.1
> >         DNS Servers . . . . . . . . . . . : 192.168.7.1
> >                           [Verizon FiOS]---> 68.237.161.12
> >         Lease Obtained. . . . . . . . . . : Tuesday, April 27, 2010 7:40:06 PM
> >         Lease Expires . . . . . . . . . . : Wednesday, April 28, 2010 7:40:06 PM
> >
> > Ethernet adapter VirtualBox Host-Only Network:
> >         Connection-specific DNS Suffix  . :
> >         Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
> >         Physical Address. . . . . . . . . : 08-00-27-00-XX-XX
> >         Dhcp Enabled. . . . . . . . . . . : No
> >         IP Address. . . . . . . . . . . . : 192.168.56.1
> >         Subnet Mask . . . . . . . . . . . : 255.255.255.0
> >         Default Gateway . . . . . . . . . :
> >
> > PPP adapter COMPANYNAME LAN (BROADBAND):
> >         Connection-specific DNS Suffix  . :
> >         Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
> >         Physical Address. . . . . . . . . : 00-53-45-00-00-00
> >         Dhcp Enabled. . . . . . . . . . . : No
> >         IP Address. . . . . . . . . . . . : 192.168.1.42
> >         Subnet Mask . . . . . . . . . . . : 255.255.255.255
> >         Default Gateway . . . . . . . . . : 192.168.1.42
> >         DNS Servers . . . . . . . . . . . : 192.168.1.2
> >                                             192.168.1.7
> >         Primary WINS Server . . . . . . . : 192.168.1.7
> >         Secondary WINS Server . . . . . . : 192.168.1.2
> >
> > Notice DHCP Enabled is NO for the PPP adapter - this is because I manually
> > set the DNS IP addr to my internal LAN DNS Servers.
> >
> > -Tom Rogers
> >
> >
> >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Jim Harrison
> > > Sent: Monday, May 03, 2010 3:36 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Re: Strange Issue while using VPN
> > >
> > > Tom,
> > >
> > > One statement you made is a bit confusing; " ping my server by netbios
> > > name or the correct IP address ".  If you ping by IP address, your host
> > > uses an IP address apparently owned by TuCows?
> > > I don't think you meant to say "by IP address" there...?
> > >
> > > Resolution for unqualified names is wholly dependent on the:
> > > 1. domain suffixes used by the host
> > > 2. name resolution servers available to the host
> > >
> > > By default, a Windows host will use the nearest name services available to
> > > it; as defined by subnet masking.
> > > If those servers are located within the local physical subnet, it won't
> > > use the DNS servers available across the VPN tunnel.
> > >
> > > When you're in this state, the ipconfig/all output from the affected
> > > laptop would be useful.
> > >
> > >
> > > -----Original Message-----
> > > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> > > On Behalf Of Tom Rogers
> > > Sent: Monday, May 03, 2010 12:13 PM
> > > To: isalist@xxxxxxxxxxxxx
> > > Subject: [isalist] Strange Issue while using VPN
> > >
> > > I use a company laptop when on the road to VPN in via ISA 2006. I can make
> > > the VPN connection fine, but when I try to RDP to my servers, I have to
> > > use IP address. I cannot use the NetBIOS names. Now from my home PC, I can
> > > with no problems.
> > >
> > > During testing as to why, when I try to ping my server by netbios name or
> > > the correct IP address, I always get a result of an IP address that
> > > belongs to Tucows.com showing for every single host I try to ping on my
> > > internal network.
> > >
> > > Then I MANUALLY put the internal LAN DNS server IP addresses on the TCP/IP
> > > settings of my Wireless NIC and try it again, and everything is fine!
> > >
> > > When I had the Wireless NIC TCP/IP DNS settings set to DHCP, I get the
> > > problem. The IP Addr for my laptop is set to DHCP on the Wireless NIC and
> > > never needs to change.
> > >
> > > When I do IPCONFIG /ALL while IP and DNS settings on the Wireless NIC are
> > > set to DHCP, it shows my DNS server IPs are correctly set to my internal LAN
> > > DNS Server IPs, and I have a proper internal LAN IP address for my laptop.
> > > But I continually get the error issue unless I manually change my Wireless
> > > NIC DNS IP settings to the internal LAN DNS Server IPs.
> > >
> > > Anyone know why this is happening? It is a consistent behaviour for all
> > > our laptops that are joined to our domain, but not an issue for computers
> > > NOT joined to the domain.
> > >
> > > TIA,
> > >
> > > -Tom Rogers
> > >
> > >
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: //www.freelists.org/archives/isalist/
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server Articles and Tutorials:
> > > http://www.isaserver.org/articles_tutorials/
> > > ISA Server Blogs: http://blogs.isaserver.org/
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > ***  This message contains confidential information and is intended only
> > for the individual named. If you are not the named addressee, you should
> > not disseminate, distribute or copy this e-mail. Please notify the sender
> > immediately by e-mail if you have received this e-mail by mistake and
> > delete this e-mail from your system. E-mail transmission cannot be
> > guaranteed to be secure or error-free as information could be intercepted,
> > corrupted, lost, destroyed, arrive late or incomplete, or contain viruses.
> > The sender therefore does not accept liability for any errors or omissions
> > in the contents of this message, which arise as a result of e-mail
> > transmission. If verification is required please request a hard-copy version.
> > Rutgers University - DIA
> > 83 Rockafeller Road
> > Piscataway, NJ 08854
> > www.scarletknights.com ***
> >
> >
> 
> 
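
Added example (not part of the original thread, and not the script Steve offers to pass along): a small Python audit that resolves the internal host names through whichever DNS view the client is actually using and flags answers that fall outside the private LAN, the symptom shown in the ping output above. The function names are hypothetical, the two resolvers are constructed from the addresses quoted in the thread, and the wildcard interpretation (a public zone answering every label with one address) is an assumption that the canary lookup tests rather than a finding from the thread.

```python
import ipaddress
import socket
import uuid


def system_resolve(fqdn):
    """Resolve with the OS resolver, i.e. whichever DNS server the host prefers."""
    try:
        return socket.gethostbyname(fqdn)
    except OSError:
        return None


def audit_split_dns(hosts, suffix, internal_nets, resolve=system_resolve):
    """Classify each answer as internal, public-wildcard, public or unresolved."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    # A random label cannot exist in the zone, so any answer for it
    # means a wildcard record is responding.
    canary = "canary-%s.%s" % (uuid.uuid4().hex[:12], suffix)
    wildcard_ip = resolve(canary)

    report = {}
    for host in hosts:
        answer = resolve("%s.%s" % (host, suffix))
        if answer is None:
            verdict = "unresolved"
        elif any(ipaddress.ip_address(answer) in n for n in nets):
            verdict = "internal"
        elif answer == wildcard_ip:
            verdict = "public-wildcard"
        else:
            verdict = "public"
        report[host] = (answer, verdict)
    return wildcard_ip, report


# Constructed resolvers modelling the two DNS views described in the thread.
INTERNAL_ZONE = {
    "nt1.companyname.net": "192.168.1.2",
    "exchange.companyname.net": "192.168.1.5",
}


def internal_dns(fqdn):
    """View from the LAN DNS servers handed out over the VPN adapter."""
    return INTERNAL_ZONE.get(fqdn.lower())


def external_dns(fqdn):
    """View from the home ISP resolver (assumed wildcard in the public zone)."""
    return "64.99.80.30" if fqdn.lower().endswith(".companyname.net") else None


if __name__ == "__main__":
    views = (("VPN adapter DNS first", internal_dns),
             ("home adapter DNS first", external_dns))
    for label, resolver in views:
        wildcard, report = audit_split_dns(
            ["NT1", "exchange"], "COMPANYNAME.NET", ["192.168.1.0/24"], resolver)
        print(label, "| wildcard answer:", wildcard)
        for host, (answer, verdict) in report.items():
            print("  %-10s %-15s %s" % (host, answer, verdict))
```

Called without the resolve argument on a connected VPN client, the function uses the operating system resolver, so a "public-wildcard" or "public" verdict means name lookups for internal hosts are leaving the tunnel.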

