DHCP and RRAS-dhcp

Hello

I am always getting the same error 20169:

Unable to contact a DHCP server. The Automatic Private IP
Address 169.254.226.187 will be assigned to dial-in
clients. Clients may be unable to access resources on the
network.

I have 2 PPTP ports and 1 PPOE port

DHCP server is configured correctly having 16 free IP's
in it's pool. I selected in RRAS IP-properties adress
assignment done by DHCP, and the correct adapter (static).

I tried to reainstall DHCP/RRAS ... still the same error.

(I am trying to solve this because i have now 2 DHCP's
running on the same IP, that from RRAS and DHCP)
see also:
http://msmvps.com/bradley/archive/2004/04/24/5452.aspx

anyone any suggestions?

If the subnet mask is 255.255.255.240, the DHCP server should only have
fourteen IPs in it's pool and one exclusion for the router IP. That's makes
for 13 IP leases.

Yes, i know, but the subnetmask is simply 255.255.255.0,
but I only use 16 of these addresses on this DHCP.

Greets

>-----Original Message-----
>If the subnet mask is 255.255.255.240, the DHCP server
should only have
>fourteen IPs in it's pool and one exclusion for the
router IP. That's makes
>for 13 IP leases.
>
>
>.
>

RRAS has a DHCP Relay Agent that may have to be activated.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Nick" <(E-Mail Removed)> wrote in message
news:28cd501c464d2$856735e0$(E-Mail Removed)...
> Yes, i know, but the subnetmask is simply 255.255.255.0,
> but I only use 16 of these addresses on this DHCP.
>
> Greets
>
> >-----Original Message-----
> >If the subnet mask is 255.255.255.240, the DHCP server
> should only have
> >fourteen IPs in it's pool and one exclusion for the
> router IP. That's makes
> >for 13 IP leases.
> >
> >
> >.
> >

It's active

And it needs to be configured for:
Listening on the external adapter
Forwarding to the internal DHCP Server

It may be interesting to see a network capture from both the DHCP Server and
the requesting client during a failing transaction. . .

-Chris
--
==============================
Chris Edson
(E-Mail Removed)

This posting is provided "AS IS" with
no warranties, and confers no rights.
===============================


"Nick" <(E-Mail Removed)> wrote in message
news:296f501c46530$82027050$(E-Mail Removed)...
>
> It's active
>
>

I am having the same issue and I have narrowed it down to
what I think is a bug in RRAS on Server 2003.

Here's the setup.

Win2K3 RRAS server in DMZ
Win2K3 A/D DC with DHCP on LAN

RRAS is configured as a DHCP Relay Agent, and the IP
address of the DHCP server is set within The DHCP Relay
Agent's properties. I can ping the DHCP server from the
RRAS server.

When I run Network Monitor on the RRAS server and have it
monitor all traffic between the RRAS server and the DHCP
server, I get no traffice captured (This is during RRAS
service start and while the first VPN client is trying to
connect)

Then, I set Network Monitor to capture all traffic on the
RRAS server and started the RRAS service and then tried
and VPN client connection.

Network Monitor shows the RRAS server broadcasting for a
DHCP server instead of directly talking to the one set in
it's DHCP Relay Agent properties. Since there is a Cisco
PIX between the RRAS server and the DHCP server,
broadcasts are not going to get through.

Looks like a bug to me.

>-----Original Message-----
>And it needs to be configured for:
> Listening on the external adapter
> Forwarding to the internal DHCP Server
>
>It may be interesting to see a network capture from both
the DHCP Server and
>the requesting client during a failing transaction. . .
>
>-Chris
>--
>==============================
>Chris Edson
>(E-Mail Removed)
>
>This posting is provided "AS IS" with
>no warranties, and confers no rights.
>===============================
>
>
>"Nick" <(E-Mail Removed)> wrote in
message
>news:296f501c46530$82027050$(E-Mail Removed)...
>>
>> It's active
>>
>>
>
>
>.
>

That seems a strange way to have it working anyway. If the RRAS server is
in the DMZ, why would you want it allocating IP addresses from the DHCP on
the LAN? If the remote clients get IP addresses from DHCP they will be in
the same subnet as the LAN machines, and so will the RRAS server's internal
interface. But they are isolated from the other machines in that subnet.

How are these remote clients going to communicate with the LAN
machines?

"Marc" <(E-Mail Removed)> wrote in message
news:0d3e01c47b15$641f5080$(E-Mail Removed)...
> I am having the same issue and I have narrowed it down to
> what I think is a bug in RRAS on Server 2003.
>
> Here's the setup.
>
> Win2K3 RRAS server in DMZ
> Win2K3 A/D DC with DHCP on LAN
>
> RRAS is configured as a DHCP Relay Agent, and the IP
> address of the DHCP server is set within The DHCP Relay
> Agent's properties. I can ping the DHCP server from the
> RRAS server.
>
> When I run Network Monitor on the RRAS server and have it
> monitor all traffic between the RRAS server and the DHCP
> server, I get no traffice captured (This is during RRAS
> service start and while the first VPN client is trying to
> connect)
>
> Then, I set Network Monitor to capture all traffic on the
> RRAS server and started the RRAS service and then tried
> and VPN client connection.
>
> Network Monitor shows the RRAS server broadcasting for a
> DHCP server instead of directly talking to the one set in
> it's DHCP Relay Agent properties. Since there is a Cisco
> PIX between the RRAS server and the DHCP server,
> broadcasts are not going to get through.
>
> Looks like a bug to me.
>
> >-----Original Message-----
> >And it needs to be configured for:
> > Listening on the external adapter
> > Forwarding to the internal DHCP Server
> >
> >It may be interesting to see a network capture from both
> the DHCP Server and
> >the requesting client during a failing transaction. . .
> >
> >-Chris
> >--
> >==============================
> >Chris Edson
> >(E-Mail Removed)
> >
> >This posting is provided "AS IS" with
> >no warranties, and confers no rights.
> >===============================
> >
> >
> >"Nick" <(E-Mail Removed)> wrote in
> message
> >news:296f501c46530$82027050$(E-Mail Removed)...
> >>
> >> It's active
> >>
> >>
> >
> >
> >.
> >

It's not that strange. All servers exposed to the Internet
are in the DMZ, no exceptions. The PIX firewall can then
control access to resources on the LAN, and minimize the
risk of an attack. I will not put any Windows server (or
PC for that matter), directly on the Internet; too big of
a security risk. A simple static route takes care of the
routing from the VPN clients to the servers on the LAN.

I have set the RRAS server to issue IP addresses for the
time being, but I would prefer if my assigned DHCP server
could do the job instead of allocating addresses from
multiple points.

One DHCP server can service multiple subnets. It's a
single point of DHCP management, and that's important for
reducing our network maintenance costs as we will be
outsourcing that responsibility.

Now if I could just get my L2TP/IPSec VPN running I'd be
laughing.....
>-----Original Message-----
> That seems a strange way to have it working anyway. If
the RRAS server is
>in the DMZ, why would you want it allocating IP addresses
from the DHCP on
>the LAN? If the remote clients get IP addresses from DHCP
they will be in
>the same subnet as the LAN machines, and so will the RRAS
server's internal
>interface. But they are isolated from the other machines
in that subnet.
>
> How are these remote clients going to communicate
with the LAN
>machines?
>
>"Marc" <(E-Mail Removed)> wrote in message
>news:0d3e01c47b15$641f5080$(E-Mail Removed)...
>> I am having the same issue and I have narrowed it down
to
>> what I think is a bug in RRAS on Server 2003.
>>
>> Here's the setup.
>>
>> Win2K3 RRAS server in DMZ
>> Win2K3 A/D DC with DHCP on LAN
>>
>> RRAS is configured as a DHCP Relay Agent, and the IP
>> address of the DHCP server is set within The DHCP Relay
>> Agent's properties. I can ping the DHCP server from the
>> RRAS server.
>>
>> When I run Network Monitor on the RRAS server and have
it
>> monitor all traffic between the RRAS server and the DHCP
>> server, I get no traffice captured (This is during RRAS
>> service start and while the first VPN client is trying
to
>> connect)
>>
>> Then, I set Network Monitor to capture all traffic on
the
>> RRAS server and started the RRAS service and then tried
>> and VPN client connection.
>>
>> Network Monitor shows the RRAS server broadcasting for a
>> DHCP server instead of directly talking to the one set
in
>> it's DHCP Relay Agent properties. Since there is a Cisco
>> PIX between the RRAS server and the DHCP server,
>> broadcasts are not going to get through.
>>
>> Looks like a bug to me.
>>
>> >-----Original Message-----
>> >And it needs to be configured for:
>> > Listening on the external adapter
>> > Forwarding to the internal DHCP Server
>> >
>> >It may be interesting to see a network capture from
both
>> the DHCP Server and
>> >the requesting client during a failing transaction. . .
>> >
>> >-Chris
>> >--
>> >==============================
>> >Chris Edson
>> >(E-Mail Removed)
>> >
>> >This posting is provided "AS IS" with
>> >no warranties, and confers no rights.
>> >===============================
>> >
>> >
>> >"Nick" <(E-Mail Removed)> wrote in
>> message
>> >news:296f501c46530$82027050$(E-Mail Removed)...
>> >>
>> >> It's active
>> >>
>> >>
>> >
>> >
>> >.
>> >
>
>
>.
>

"Marc" <(E-Mail Removed)> wrote in message
news:166001c47bc1$ffb89d10$(E-Mail Removed)...
> One DHCP server can service multiple subnets. It's a
> single point of DHCP management, and that's important for
> reducing our network maintenance costs as we will be
> outsourcing that responsibility.

But the Firewall is not a router and you will not be able to forward DHCP
"queries" across it like you would a router. You should not create an
environemnt where DHCP is used in anyway on the DMZ. Everything on a DMZ
should be statically assigned.

If you use RRAS for VPN, then that machine must be duel-homed and site
"side-by-side" with the Inner Firewall while the Outer Firewall is rigged to
forward VPN "callers" to the RRAS Nic exposed to the DMZ. You might be able
to perform this twice at both Firewalls and avoid the duel-home RRAS box but
doing that twice might be problematic. The RRAS box handles DHCP with the
"callers" by using the DHCP Agent built into RRAS.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com