2003 SP1 breaks VPN router on all servers I try

Whenever I install SP1 on any of our VPN servers, it breaks the internal
routing on the server. The VPN interfaces connect just fine, just the
routing breaks. I can ping the VPN adaptor IP address on the remote server,
but if I ping the LAN IP address of that same server no response. If I
remove SP1 it comes to life again. This happened to a couple of our VPN
servers when SP1 first came out. We just banned SP1 from our network. But
recently a new location snuck SP1 on their server, and boom, broken again. I
don't see any patches related to this, but since SP1 is acting like an
on/off light switch for our VPN functionality on any server it touches what
could it be? I can happily continue to ban SP1 from our networks, but sooner
or later I'm going to run up against something that requires SP1 installed.
Would be nice to figure this out... Anyone with ideas?

What's your route table look like before and after the SP? Is SP1 enabling
the firewall after the install?

"Andy L" <(E-Mail Removed)> wrote in message
news:OJcZ$(E-Mail Removed)...
> Whenever I install SP1 on any of our VPN servers, it breaks the internal
> routing on the server. The VPN interfaces connect just fine, just the
> routing breaks. I can ping the VPN adaptor IP address on the remote
server,
> but if I ping the LAN IP address of that same server no response. If I
> remove SP1 it comes to life again. This happened to a couple of our VPN
> servers when SP1 first came out. We just banned SP1 from our network. But
> recently a new location snuck SP1 on their server, and boom, broken again.
I
> don't see any patches related to this, but since SP1 is acting like an
> on/off light switch for our VPN functionality on any server it touches
what
> could it be? I can happily continue to ban SP1 from our networks, but
sooner
> or later I'm going to run up against something that requires SP1
installed.
> Would be nice to figure this out... Anyone with ideas?
>
>

Firewall won't start (another service using ipnat.sys which I assume is
RRAS). But YES?? there is a change in the routing table. When defining the
VPN interface, a static route is added in RRAS admin tool for the class C IP
address space of the remote network (ie 192.168.10.0 mask 255.255.255.0)
using that same VPN interface to the remote network.

Without SP1 the routing table for that address space looks like this:
Dest / Mask / Gateway / Interface
192.168.10.0 255.255.255.0 0.0.0.0 192.168.32.4
192.168.10.0 255.255.255.0 192.168.32.1 192.168.32.4

With SP1 the routing table only has 1 entry:

192.168.10.0 255.255.255.0 192.168.32.1 192.168.32.4

32.1 is the VPN IP of the remote server, 32.4 is the VPN IP of the local
server.






"Neteng" <(E-Mail Removed)> wrote in message
news:%(E-Mail Removed)...
> What's your route table look like before and after the SP? Is SP1 enabling
> the firewall after the install?
>
> "Andy L" <(E-Mail Removed)> wrote in message
> news:OJcZ$(E-Mail Removed)...
>> Whenever I install SP1 on any of our VPN servers, it breaks the internal
>> routing on the server. The VPN interfaces connect just fine, just the
>> routing breaks. I can ping the VPN adaptor IP address on the remote
> server,
>> but if I ping the LAN IP address of that same server no response. If I
>> remove SP1 it comes to life again. This happened to a couple of our VPN
>> servers when SP1 first came out. We just banned SP1 from our network. But
>> recently a new location snuck SP1 on their server, and boom, broken
>> again.
> I
>> don't see any patches related to this, but since SP1 is acting like an
>> on/off light switch for our VPN functionality on any server it touches
> what
>> could it be? I can happily continue to ban SP1 from our networks, but
> sooner
>> or later I'm going to run up against something that requires SP1
> installed.
>> Would be nice to figure this out... Anyone with ideas?
>>
>>
>
>

Well, after spending hours checking, resetting routing tables, VPN settings,
comparing registry entries, taking down, rebuilding RRAS configuration,
network interfaces I give up again. Finally yanked SP1 and poof, everything
works again. Do SP1 CDs create toxic fumes when burned?

"Andy L" <(E-Mail Removed)> wrote in message...
>Well, after spending hours checking, resetting routing tables, VPN
>settings, comparing registry entries, taking down, rebuilding RRAS
> >configuration, network interfaces I give up again. Finally yanked SP1 and
>poof, everything works again. Do SP1 CDs create toxic fumes >when burned?

Check out this article and make sure you read the SP1 release notes. The
first article will direct you to download and install a hotfix which fixes a
problem in tcpip.sys.

Installing security update MS05-019 or Windows Server 2003 Service Pack 1
may cause network connectivity between clients and servers to fail:
http://support.microsoft.com/kb/898060

Microsoft Knowledge Base Article 898060 outlines a very specific and limited
situation where disruptions in network connectivity may be experienced after
the installation of either security update MS05-019 or Microsoft Windows
Server 2003 Service Pack 1 (SP1).

Specifically, the information in this article primarily applies to WAN and
LAN configurations and scenarios where routers and data-link level protocols
that have different Maximum transmission Units (MTUs) are used across the
network. In these situations, any one or more of the following symptoms may
occur:

- Inability to connect to terminal servers or to file share access.
- Failure of domain controller replication across WAN links.
- Microsoft Exchange servers cannot connect to domain controllers.

The Knowledge Base Article mentioned above provides information about a
hotfix which is now available to address these issues.

See also:
Active Directory changes do not replicate in Windows Server 2003:
http://support.microsoft.com/default...b;en-us;830746

--
Todd J Heron, MCSE
Windows Server 2003/2000/NT; CCA
----------------------------------------------------------------------------
This posting is provided "as is" with no warranties and confers no rights

In news:(E-Mail Removed),
Todd J Heron <todd_heron(delete)@hotmail.com> made this post, which I then
commented about below:
> "Andy L" <(E-Mail Removed)> wrote in message...
>> Well, after spending hours checking, resetting routing tables, VPN
>> settings, comparing registry entries, taking down, rebuilding RRAS
>>> configuration, network interfaces I give up again. Finally yanked
>>> SP1 and
>> poof, everything works again. Do SP1 CDs create toxic fumes >when
>> burned?
>
> Check out this article and make sure you read the SP1 release notes.
> The first article will direct you to download and install a hotfix
> which fixes a problem in tcpip.sys.
>
> Installing security update MS05-019 or Windows Server 2003 Service
> Pack 1 may cause network connectivity between clients and servers to
> fail: http://support.microsoft.com/kb/898060
>
> Microsoft Knowledge Base Article 898060 outlines a very specific and
> limited situation where disruptions in network connectivity may be
> experienced after the installation of either security update MS05-019
> or Microsoft Windows Server 2003 Service Pack 1 (SP1).
>
> Specifically, the information in this article primarily applies to
> WAN and LAN configurations and scenarios where routers and data-link
> level protocols that have different Maximum transmission Units (MTUs)
> are used across the network. In these situations, any one or more of
> the following symptoms may occur:
>
> - Inability to connect to terminal servers or to file share access.
> - Failure of domain controller replication across WAN links.
> - Microsoft Exchange servers cannot connect to domain controllers.
>
> The Knowledge Base Article mentioned above provides information about
> a hotfix which is now available to address these issues.
>
> See also:
> Active Directory changes do not replicate in Windows Server 2003:
> http://support.microsoft.com/default...b;en-us;830746

Nice post! That should explain why there are a few postings why SP1 is
breaking certain things with networking services.

Ace

Hello Andy.-

I have been with the same problem, all references point out that when SP1 is
applied and there is no other problems related like RDP connection or domain
replication, this could be resolved with this hot fix.
http://support.microsoft.com/?kbid=897651

However they suggest that if there are not any other problems in your
environment, wait next service pack.

I hope this helps.

"Andy L" wrote:

> Whenever I install SP1 on any of our VPN servers, it breaks the internal
> routing on the server. The VPN interfaces connect just fine, just the
> routing breaks. I can ping the VPN adaptor IP address on the remote server,
> but if I ping the LAN IP address of that same server no response. If I
> remove SP1 it comes to life again. This happened to a couple of our VPN
> servers when SP1 first came out. We just banned SP1 from our network. But
> recently a new location snuck SP1 on their server, and boom, broken again. I
> don't see any patches related to this, but since SP1 is acting like an
> on/off light switch for our VPN functionality on any server it touches what
> could it be? I can happily continue to ban SP1 from our networks, but sooner
> or later I'm going to run up against something that requires SP1 installed.
> Would be nice to figure this out... Anyone with ideas?
>
>
>