can't contact SBS2003 from client on other side of h/w VPN router

 
 
Anthony

 
      09-13-2005, 09:49 AM
Hi Everyone,

I am unable to communicate at all with my new SBS2003 Server from any
clients on the far side of a site-to-site VPN router.

I have 2 servers: SBS2003(SP1) (AD, DHCP, WINS), and Server2003(SP1) as a
Terminal Server. Both servers have 2 NICs each: 192.168.0.x and 192.168.1.x
with 255.255.255.0 subnet masks, with clients on both LANs working OK.

On the 192.168.0.x LAN I have a DSL internet connection with a SonicWALL
firewall/VPNrouter, but no VPN tunnels to anywhere.

On the 192.168.1.x LAN I have an identical setup but with site-to-site VPNs
to 2 other sites: 192.168.3.x & 10.2.1.x

SBS2003 uses the 192.168.0.x def-GW. Server2003 uses the 192.168.1.x def-GW.

Previously with SBS2000, clients on WAN could communicate with SBS2000
without any problem. Now with SBS2003, clients on the WAN subnets
(192.168.3.1 & 10.2.1.x) get no ping response from SBS2003, however they can
ping(etc) the Server2003 Terminal Server. SBS2003 cannot ping the WAN
clients either.

It's as if SBS2003 will not communicate with anything outside its subnet,
whereas Server2003 does, and SBS2000 before my upgrade, did.

Help please!
Anthony.

 
 
 
 
 
Robert L [MS-MVP]

 
      09-13-2005, 02:39 PM
Sounds like a routing issue. Use the tracert command to find out where the traffic goes, or post the routing table here.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Jason Gurtz

 
      09-13-2005, 02:41 PM
On 9/13/2005 05:49, Anthony wrote:
> It's as if SBS2003 will not communicate with anything outside its subnet,
> whereas Server2003 does, and SBS2000 before my upgrade, did.

Assuming there's no software firewall on the server blocking pings, I would
check out the routing tables on both a client and on the server.

Work outwards from the server. Can the HW firewall ping the server?
Yes? Then move to the next router out, and so on. Since it worked before
(and SBS2K3 has the same address?) I would suspect a missing route on the
SBS2K3.

BTW, you might have inconsistent network browsing and domain replication
if you have multiply homed domain controllers. It's not a recommended
configuration at any rate.

~Jason

 
Phillip Windell

 
      09-13-2005, 03:01 PM
"Anthony" <(E-Mail Removed)> wrote in message
news:19D8C93B-ED68-48EC-9AD8-(E-Mail Removed)...
> I have 2 servers: SBS2003(SP1) (AD, DHCP, WINS), and Server2003(SP1) as a
> Terminal Server. Both servers have 2 NICs each: 192.168.0.x and 192.168.1.x
> with 255.255.255.0 subnet masks, with clients on both LANs working OK.
>
> SBS2003 uses the 192.168.0.x def-GW. Server2003 uses the 192.168.1.x def-GW.

Get rid of the two-nic setup. Run one Nic in each server, preferably the
same subnet. Use a LAN Router between the subnets.

The LAN Router sits between 192.168.0.x and 192.168.1.x

The VPN Device acts as the LAN Router between this pair and the WAN Subnets.

The Default Gateway of all machines on the LAN will be the LAN Router,...the
LAN Router has the Static Route that tells it to use the VPN Device as the
"gateway" for the two WAN Subnets. The actual Default Gateway of the LAN
Router itself will be the Internet Device.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------



 
 
Anthony

 
      09-20-2005, 06:48 AM
Hi Robert, thank you for your reply.

The results of "ipconfig /all" & "route print" for both CCAUSVR1 (SBS2003,
which cannot communicate with - or be communicated with - anything outside
its 192.168.0.x/192.168.1.x subnets) and CCAUSVR2 (Server2003 as Application
Terminal Server), which can - as expected - be spoken to & communicate with
hosts outside its 2 192.168 subnets are quoted at the bottom of this msg.

In other words, from my remote site client PCs, I can ping/RDP/etc
Server2003, but not SBS2003. Vice versa, SBS2003 cannot contact them but
Server2003 can. This has stalled my plans to migrate from externally hosted
POP3 to Exchange! :-(

I can ping SBS2003 from the local routers, but not from the remote routers
(ie not once the source IP changes to 10.2.1.x or 192.168.3.x).

The routing table of both look near-identical except for expected
differences (SBS2003 is DNS & WINS, Server2003 points to SBS2003 for DNS &
WINS, etc).

Sincere thanks for any lights you can shed here.
Anthony.

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
CCAUSVR1 (SBS2003):
U:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : ccausvr1
Primary Dns Suffix . . . . . . . : ccau.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ccau.local

Ethernet adapter ADMIN-LAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network
Connection #2
Physical Address. . . . . . . . . : 00-06-5B-8F-8B-AA
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.10
Primary WINS Server . . . . . . . : 192.168.0.10

Ethernet adapter PRODN-LAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 XT Network Connection
Physical Address. . . . . . . . . : 00-06-5B-8F-8B-AB
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.1.10
Primary WINS Server . . . . . . . : 192.168.1.10

U:\>route print

IPv4 Route Table
==============================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 06 5b 8f 8b aa ...... Intel(R) PRO/1000 XT Network Connection #2
0x10004 ...00 06 5b 8f 8b ab ...... Intel(R) PRO/1000 XT Network Connection
==============================================
==============================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.10 192.168.0.10 10
192.168.0.10 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.0.255 255.255.255.255 192.168.0.10 192.168.0.10 10
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 10
192.168.1.10 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.10 192.168.1.10 10
224.0.0.0 240.0.0.0 192.168.0.10 192.168.0.10 10
224.0.0.0 240.0.0.0 192.168.1.10 192.168.1.10 10
255.255.255.255 255.255.255.255 192.168.0.10 192.168.0.10 1
255.255.255.255 255.255.255.255 192.168.1.10 192.168.1.10 1
Default Gateway: 192.168.0.1
=================================================
Persistent Routes:
None

\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

CCAUSVR2 (Server2003 configured as Application Terminal Server):
U:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : ccausvr2
Primary Dns Suffix . . . . . . . : ccau.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ccau.local

Ethernet adapter ADMIN-LAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
Physical Address. . . . . . . . . : 00-0F-1F-65-C6-86
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.0.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.0.10
Primary WINS Server . . . . . . . : 192.168.0.10

Ethernet adapter PRODN-LAN:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet #2
Physical Address. . . . . . . . . : 00-0F-1F-65-C6-88
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.10
Primary WINS Server . . . . . . . : 192.168.1.10

U:\>route print

IPv4 Route Table
=============================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 0f 1f 65 c6 86 ...... Broadcom NetXtreme Gigabit Ethernet
0x10004 ...00 0f 1f 65 c6 88 ...... Broadcom NetXtreme Gigabit Ethernet #2
=============================================
=============================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.11 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.11 192.168.0.11 10
192.168.0.11 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.0.255 255.255.255.255 192.168.0.11 192.168.0.11 10
192.168.1.0 255.255.255.0 192.168.1.11 192.168.1.11 10
192.168.1.11 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.11 192.168.1.11 10
224.0.0.0 240.0.0.0 192.168.0.11 192.168.0.11 10
224.0.0.0 240.0.0.0 192.168.1.11 192.168.1.11 10
255.255.255.255 255.255.255.255 192.168.0.11 192.168.0.11 1
255.255.255.255 255.255.255.255 192.168.1.11 192.168.1.11 1
Default Gateway: 192.168.1.1
=============================================
Persistent Routes:
None
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\ \\\\\\\\\

"Robert L [MS-MVP]" wrote:

> Sounds like a routing issue. Use the tracert command to find out where the traffic goes, or post the routing table here.
>
> Bob Lin, MS-MVP, MCSE & CNE
> Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
> How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com


 
Reply With Quote
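Added example (not part of the original posts): a longest-prefix lookup over the network rows of the two "route print" tables posted above, showing which gateway each server picks for the remote VPN subnets and which static routes would be missing. It assumes 192.168.1.1 is the SonicWALL that holds the site-to-site tunnels, as the description of the 192.168.1.x LAN implies; the function names are hypothetical.

```python
import ipaddress

# Network rows of "Active Routes" from the two route print outputs above
# (host, broadcast and multicast rows left out; they never match a remote subnet).
ROUTES = {
    "CCAUSVR1": """\
0.0.0.0 0.0.0.0 192.168.0.1 192.168.0.10 1
192.168.0.0 255.255.255.0 192.168.0.10 192.168.0.10 10
192.168.1.0 255.255.255.0 192.168.1.10 192.168.1.10 10""",
    "CCAUSVR2": """\
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.11 10
192.168.0.0 255.255.255.0 192.168.0.11 192.168.0.11 10
192.168.1.0 255.255.255.0 192.168.1.11 192.168.1.11 10""",
}
VPN_GATEWAY = "192.168.1.1"  # assumption: the SonicWALL terminating the tunnels
REMOTE_NETS = ["192.168.3.0/24", "10.2.1.0/24"]  # remote sites named in the thread

def parse(table):
    """Parse 'destination netmask gateway interface metric' rows."""
    routes = []
    for line in table.splitlines():
        dest, mask, gateway, iface, metric = line.split()
        net = ipaddress.ip_network(f"{dest}/{mask}")
        routes.append((net, gateway, iface, int(metric)))
    return routes

def next_hop(routes, host):
    """Longest-prefix match; ties go to the lowest metric."""
    addr = ipaddress.ip_address(host)
    hits = [r for r in routes if addr in r[0]]
    if not hits:
        raise LookupError(f"no route to {host}")
    _, gateway, iface, _ = max(hits, key=lambda r: (r[0].prefixlen, -r[3]))
    return gateway, iface

def missing_routes(server):
    """Static routes needed so remote-site traffic leaves via the VPN gateway."""
    routes = parse(ROUTES[server])
    cmds = []
    for cidr in REMOTE_NETS:
        net = ipaddress.ip_network(cidr)
        gateway, _ = next_hop(routes, str(net.network_address + 1))
        if gateway != VPN_GATEWAY:
            cmds.append(f"route -p add {net.network_address} "
                        f"mask {net.netmask} {VPN_GATEWAY}")
    return cmds

if __name__ == "__main__":
    for name in ROUTES:
        print(name, missing_routes(name) or "remote subnets use the VPN gateway")
```

On CCAUSVR1 both remote subnets fall through to the default route via 192.168.0.1, the SonicWALL with no tunnels, while CCAUSVR2 sends the same destinations to 192.168.1.1.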
 
Anthony

 
      09-20-2005, 07:05 AM
Hi Jason,

> On 9/13/2005 05:49, Anthony wrote:
> > It's as if SBS2003 will not communicate with anything outside its subnet,
> > whereas Server2003 does, and SBS2000 before my upgrade, did.
>
> Assuming there's no software firewall on the server blocking pings, I would
> check out the routing tables on both a client and on the server.


No, no software firewalls here.

Please see my reply to Robert L for routing tables of my SBS2003 (broken)
and Server2003 (OK) - unless I'm missing something, nothing untoward. Client
PC routing tables appear OK too.

Also, the user who first detected this problem (because their ability to
transfer files over the VPN broke) says it broke only a week or so before my
original post, NOT after the upgrade (complete installation from scratch) to
SBS2003 which was 2 weeks earlier than that.

I've racked my memory and checked the SBS2003 Event Logs as to anything I
might have done at that time to cause this, but apart from an unexpected
server shutdown due to the UPS dying during a power failure & no UPS software
installed (oops!), and subsequent installation of APC's PowerChute software,
I don't know of anything else that would have changed at that time.

I understand your concern about the multiply-homed servers, however this has
worked fine until the above.

Many thanks for any further suggestions,
Anthony.

> Work outwards from the server. Can the HW firewall ping the server?
> Yes?, then move to the next router out, and so on. Since it worked before
> (and SBS2K3 has the same address?) I would suspect a missing route on the
> SBS2K3.
>
> BTW, you might have inconsistent network browsing and domain replication
> if you have multiply homed domain controllers. It's not a recommended
> configuration at any rate.
>
> ~Jason
>
> --
>

 
 
Anthony

 
      09-20-2005, 07:11 AM
"Phillip Windell" wrote:

> > I have 2 servers: SBS2003(SP1) (AD, DHCP, WINS), and Server2003(SP1) as a
> > Terminal Server. Both servers have 2 NICs each: 192.168.0.x and 192.168.1.x
> > with 255.255.255.0 subnet masks, with clients on both LANs working OK.
> > SBS2003 uses the 192.168.0.x def-GW. Server2003 uses the 192.168.1.x def-GW.
>
> Get rid of the two-nic setup. Run one Nic in each server, preferably the
> same subnet. Use a LAN Router between the subnets.


Hi Phillip,
I understand your concern, however please review my replies to the other 2
respondents that I just posted - I'm not certain the multiply-homed servers
is the issue in this case, as all worked OK until (perhaps) an unexpected
power loss 2 weeks after initial installation of SBS2003, prior to which my
problem did not exist.

Many thanks for any further input you might have here.
Anthony.

 