RE: VPN Prob

• From: Brian Tirch <btirch@xxxxxxxxxxxx>
• To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
• Date: Wed, 28 Nov 2001 10:27:59 -0500

No I have not tried to do a packet capture, To get around it I set up a
terminal server and through the vpn I can run the terminal session and do
whatever I want graphically, which is nice but still not the answer..... 
We are using a private address range in the internal network and I am having
dhcp pass everything wins dns etc.. I have a relay agent setup and my
clients gets all the correct info if I do an ipconfig I have all the correct
addresses. Just thought it weird that I can only ping vpn server by name?
..... I did find some documentation about the error I was getting I think
was error 67 when I tried to do things by name.

where did you add the route on the vpn server, you went into rras and added
that

Brian Tirch
Entre Information Services


-----Original Message-----
From: Joe Pochedley [mailto:JoePochedley@xxxxxxxxx] 
Sent: Wednesday, November 28, 2001 9:43 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Prob

http://www.ISAserver.org


Brian,

What IP addresses are you handing out to your clients?  I have had, on a few
stubborn boxes, instances where even though I could flawlessly ping by IP
address back and forth, services on the boxes didn't know how to communicate
back to the VPN clients (seen this most often with web servers / services)
though I still can't quite explain why...

Our network is arranged as such...

10.1.xx.xx mask 255.255.0.0 for the main network
VPN clients on 10.1.50.xx mask 255.255.0.0
VPN server 10.1.1.100

Even though the VPN clients are technically on the same network, as I said,
some things just couldn't "find" them sometimes (it was an intermittent
problem and very annoying to try and track especially when I could ping
everywhere by IP address in both directions without error consistantly)...
Adding a route to the 10.1.50.xx "subnet" through the VPN server cleared the
problems right up...  

Don't know if this helps at all, but if you do have everything set up
properly, I'm not quite sure what else to offer...  

Have you tried setting up a packet capture to see if the WINS or DNS server
is getting the name lookup requests from the client (VPN) machines, and if
it's responding?

-----Original Message-----
From: Brian Tirch [mailto:btirch@xxxxxxxxxxxx] 
Sent: Tuesday, November 27, 2001 3:54 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Prob


http://www.ISAserver.org



I have the same issue but I have everything setup the way the link states
below. 
I can vpn in but the only system I can resolve by name is the vpn server and
I can map to the vpn server. I can ping the network by ip but can not map
nor ping by name to the rest of the network.

The network is all on the same segment, I have a dhcp relay agent so my
clients do get the wins and dns addresses......

So what did I do wrong?

-----Original Message-----
From: Joe Pochedley [mailto:JoePochedley@xxxxxxxxx] 
Sent: Tuesday, November 27, 2001 2:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Prob

http://www.ISAserver.org


Why do I feel like I've answered this question a dozen times...  Here some
snippits from previous posts...

--------------------
The important thing to remember though, is that even though the RRAS (VPN)
clients are getting their addresses from "DHCP", they're not getting the
name server information from the actual DHCP server...

Check out:
http://www.isaserver.org/shinder/tutorials/configuring_ISA_for_inbound_VPN.h
tm 
(link may wrap)

---------------------
Basically the above link states that DNS and WINS info is handed to the
RRAS/VPN clients from the RAS server, not from the DHCP server itself.......
Make sure your RRAS server is configured with this information if you want
the remote clients to get it...  Also make sure that your WINS server can
communicate with your VPN clients, otherwise the clients resort to
broadcasts for resolving UNC names which is why it takes so long to get a
response back when pinging by UNC...

Also...
----------------------
Basically since your users aren't authenticating against the domain, only
the RAS/VPN server, that's why they can't access domain resources...
Instruct your users NOT to put their password into the DUN connection box
and just connect...  As long as you have CFMN set to log into the domain,
the user will then be prompted for Username, Password and Domain...

Under Windows 2000/XP Pro this can be avoided by checking the box labeled
'Include Windows Login Domain' under the VPN setup properties, Options
tab...
-----------------------

Hope that helps (again)

JoeP

-----Original Message-----
From: Thomas Persson [mailto:thomas@xxxxxxxxxx] 
Sent: Tuesday, November 27, 2001 11:48 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Prob


http://www.ISAserver.org


Hi

We had a similar problem. VPN Clients (RRAS) dialing in could not browse the
network or connect to shares using UNC. The only way to connect to internal
shares was to Map it (ex. \\Server\Share to G:\).

After a month (or so) while spending time with Microsoft Support they came
up with a solution by installing WINS on one of our DC's, then enabling it
on the DC holding the WINS Service, on the "Master" DC and on the DC holding
the DHCP Service.

After that it works just fine...


======================== 
Med vänlig hälsning / Best Regards 
Thomas Persson 
Datatal AB 
Web: <http://www.datatal.se/> 
Mail: thomas@xxxxxxxxxx 
Tel Direct: +46 (0)498-25 30 11
Tel Support: +46 (0)498-25 30 30
Fax: +46 (0)498-25 30 99



-----Original Message-----
From: Armando Treviño López [mailto:armando.trevino@xxxxxxxxxxx]
Sent: den 27 november 2001 17:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Prob


http://www.ISAserver.org


I've got the same problem when configuring a VPN using RRAS. 
Also It seems that no domain validate the vpn clients or there is a problem
with the communication with WINS or DNS, because when i do a ping to an
internal host by its name it takes to much time to get the reply, but when I
do a ping to the ip address, i get the reply immediately. 

Anyone know the reason for this? or have the same problem?

Thanks.



-----Original Message-----
From: Shamshad Ahmad [mailto:sahmad@xxxxxxxxx]
Sent: Tuesday, November 27, 2001 3:30 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN Prob


http://www.ISAserver.org


yes i can
 
 

-----Original Message----- 
From: Muqeem Syed 
Sent: Tue 11/27/2001 2:36 PM 
To: [ISAserver.org Discussion List] 
Cc: 
Subject: [isalist] RE: VPN Prob



http://www.ISAserver.org


but can you access the other computers by using the unc path name....

-----Original Message-----
From: Shamshad Ahmad [mailto:sahmad@xxxxxxxxx]
Sent: Tuesday, November 27, 2001 11:09 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN Prob


http://www.ISAserver.org


HI all

i m having a slight problem in VPN. I can connect to VPN right. I can browse
intranet and other web sited locally hosted. but i cant browse network thru
my network places. i can see only my computer under my domain name.

shamshad






------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
syed.muqeem@xxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
sahmad@xxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')







------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
armando.trevino@xxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
thomas@xxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')


------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
JoePochedley@xxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
btirch@xxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
JoePochedley@xxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
btirch@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

Other related posts:

• » VPN Prob
• » RE: VPN Prob
• » RE: VPN Prob
• » RE: VPN Prob
• » RE: VPN Prob
• » RE: VPN Prob
• » RE: VPN Prob
• » RE: VPN Prob
• » RE: VPN Prob
• » RE: VPN Prob

1. Home
2. isalist
3. Archive
4. 11-2001

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---