RAS Routing not working...need advice

I have setup a lab for my upcoming 70-291 test using VMWARE ESX server.

192.168.1.200 192.168.1.201
DET-RAS-01 <----> LON-RAS-01
10.1.1.1/24 10.1.2.1/24
^ ^
| |
DET-DC-01 LON-DC-01
10.1.1.100/24 10.1.2.100/24

Hopefully from my basic ASCII diagram you can see that each RAS server has
two interfaces - an Internet one on the 192.168.1.x range, and a local
interface on the 10.1.x.x range. I have setup demand-dial router connections
on each RAS Server configured to connect to the other server. The RRAS Admin
tool indicates the DD connections are connected and operational, and I can
ping each interface on both RAS servers from any RAS server. So, I know
traffic is passing over the PPTP tunnel. What I can't do is have DET-DC-01
ping LON-DC-01. The routers are not passing local traffic to the remote
subnet.

BTW: DET is DETROIT, and LON is LONDON

I have checked the following:
-----------------------------------------------------------
* No IP Filters are blocking the traffic.
-----------------------------------------------------------
* Static routes are configured on each RAS server for the remote subnet and
use the Demand-Dial interface as the gateway. I have verified this with route
print commands.
-----------------------------------------------------------
* I have changed the demand dial interfaces to persistent connections.
-----------------------------------------------------------
* I have performed an ipconfig on both RAS servers and IP routing is
enabled. All interfaces show up with the proper IP and subnet mask.
-----------------------------------------------------------
* I have a DHCP server on the DETROIT RAS router and a RAS static pool of
addresses on the LONDON RAS server.
-----------------------------------------------------------
* There are no errors in the event log on either server.
-----------------------------------------------------------
* All servers in the LON subnet are statically configured to use the
DET-DC_01 as their DNS and WINS server. No LON servers are members of the
domain yet. I was waiting until I get the routing working before I join them.
-----------------------------------------------------------
* I have checked the PPTP ports on the RAS servers to ensure they are
configured for inbound and outbound connections.
-----------------------------------------------------------
* I have read many RRAS docs on technet and to my best recollection - I'm
configured correctly - yet the traffic doesn't pass.
-----------------------------------------------------------
* I executed a "Tracert -d 10.1.2.100" from DET-DC-01 and the first hope was
10.1.1.1 (DET-RAS-01), and after that it failed to respond. I got the same
results when I tried to tracert from LON-DC-01 to 10.1.1.100).
-----------------------------------------------------------
* I've been stuck on this for a few days. I'm pulling my hair out and now
I'm beginning to realize why I've never seen anyone use a Windows 2003 server
for a router. LOL

Any advice would be helpful.

--
Good Sites to know:
http://www.sysinternals.com
http://www.eventid.net
http://www.microsoft.com/technet
http://www.isaserver.org
http://www.nu2.nu/pebuilder

The most common cause of this is that the routes are not binding to the
connection. Because there can be multiple VPN connections to a RRAS router,
your calling router must specify which demand-dial connection on the
answering router you want to use. You do that by using the dd interface name
as the username on the calling router.

The static route on the answering router will only become active if the
connection is made to the dd interface. When this happens, the dd interface
will show as connected in the RRAS console and the static route will be
added to the routing table.

If the calling router does not use the name of a valid dd interface, it
connects as a simple "dialup" (or client-server) style VPN client. In that
case, only a host route is set up for the caller, and site-to-site routing
fails.

If the connection is bound to the dd interfaces, site to site routing
does work, because each router has a subnet route for the "other" site
through the VPN tunnel. The only reason for it to fail is if the VPN router
is not the default gateway for the LAN. In that case you need extra routing
to get the private traffic to the VPN router from the gateway router.

"Brandon Baker, MCSE" <(E-Mail Removed)> wrote in message
newsB4119FB-CBF8-465E-8A5A-(E-Mail Removed)...
>I have setup a lab for my upcoming 70-291 test using VMWARE ESX server.
>
> 192.168.1.200 192.168.1.201
> DET-RAS-01 <----> LON-RAS-01
> 10.1.1.1/24 10.1.2.1/24
> ^ ^
> | |
> DET-DC-01 LON-DC-01
> 10.1.1.100/24 10.1.2.100/24
>
> Hopefully from my basic ASCII diagram you can see that each RAS server has
> two interfaces - an Internet one on the 192.168.1.x range, and a local
> interface on the 10.1.x.x range. I have setup demand-dial router
> connections
> on each RAS Server configured to connect to the other server. The RRAS
> Admin
> tool indicates the DD connections are connected and operational, and I can
> ping each interface on both RAS servers from any RAS server. So, I know
> traffic is passing over the PPTP tunnel. What I can't do is have DET-DC-01
> ping LON-DC-01. The routers are not passing local traffic to the remote
> subnet.
>
> BTW: DET is DETROIT, and LON is LONDON
>
> I have checked the following:
> -----------------------------------------------------------
> * No IP Filters are blocking the traffic.
> -----------------------------------------------------------
> * Static routes are configured on each RAS server for the remote subnet
> and
> use the Demand-Dial interface as the gateway. I have verified this with
> route
> print commands.
> -----------------------------------------------------------
> * I have changed the demand dial interfaces to persistent connections.
> -----------------------------------------------------------
> * I have performed an ipconfig on both RAS servers and IP routing is
> enabled. All interfaces show up with the proper IP and subnet mask.
> -----------------------------------------------------------
> * I have a DHCP server on the DETROIT RAS router and a RAS static pool of
> addresses on the LONDON RAS server.
> -----------------------------------------------------------
> * There are no errors in the event log on either server.
> -----------------------------------------------------------
> * All servers in the LON subnet are statically configured to use the
> DET-DC_01 as their DNS and WINS server. No LON servers are members of the
> domain yet. I was waiting until I get the routing working before I join
> them.
> -----------------------------------------------------------
> * I have checked the PPTP ports on the RAS servers to ensure they are
> configured for inbound and outbound connections.
> -----------------------------------------------------------
> * I have read many RRAS docs on technet and to my best recollection - I'm
> configured correctly - yet the traffic doesn't pass.
> -----------------------------------------------------------
> * I executed a "Tracert -d 10.1.2.100" from DET-DC-01 and the first hope
> was
> 10.1.1.1 (DET-RAS-01), and after that it failed to respond. I got the same
> results when I tried to tracert from LON-DC-01 to 10.1.1.100).
> -----------------------------------------------------------
> * I've been stuck on this for a few days. I'm pulling my hair out and now
> I'm beginning to realize why I've never seen anyone use a Windows 2003
> server
> for a router. LOL
>
> Any advice would be helpful.
>
> --
> Good Sites to know:
> http://www.sysinternals.com
> http://www.eventid.net
> http://www.microsoft.com/technet
> http://www.isaserver.org
> http://www.nu2.nu/pebuilder
>

I feel mildly embarrassed after going back through and finding out what the
problem was....

I forgot to enable the RAS Policy allowing comms to other RRAS servers.

Thanks for helping - if I can just pass this 70-291 - the rest is cake. RAS
has always been my weak spot, since we never use it.

We either have Juniper or Cisco solutions in place for VPN needs.

THANKS!
--
Good Sites to know:
http://www.sysinternals.com
http://www.eventid.net
http://www.microsoft.com/technet
http://www.isaserver.org
http://www.nu2.nu/pebuilder



"Bill Grant" wrote:

> The most common cause of this is that the routes are not binding to the
> connection. Because there can be multiple VPN connections to a RRAS router,
> your calling router must specify which demand-dial connection on the
> answering router you want to use. You do that by using the dd interface name
> as the username on the calling router.
>
> The static route on the answering router will only become active if the
> connection is made to the dd interface. When this happens, the dd interface
> will show as connected in the RRAS console and the static route will be
> added to the routing table.
>
> If the calling router does not use the name of a valid dd interface, it
> connects as a simple "dialup" (or client-server) style VPN client. In that
> case, only a host route is set up for the caller, and site-to-site routing
> fails.
>
> If the connection is bound to the dd interfaces, site to site routing
> does work, because each router has a subnet route for the "other" site
> through the VPN tunnel. The only reason for it to fail is if the VPN router
> is not the default gateway for the LAN. In that case you need extra routing
> to get the private traffic to the VPN router from the gateway router.
>
> "Brandon Baker, MCSE" <(E-Mail Removed)> wrote in message
> newsB4119FB-CBF8-465E-8A5A-(E-Mail Removed)...
> >I have setup a lab for my upcoming 70-291 test using VMWARE ESX server.
> >
> > 192.168.1.200 192.168.1.201
> > DET-RAS-01 <----> LON-RAS-01
> > 10.1.1.1/24 10.1.2.1/24
> > ^ ^
> > | |
> > DET-DC-01 LON-DC-01
> > 10.1.1.100/24 10.1.2.100/24
> >
> > Hopefully from my basic ASCII diagram you can see that each RAS server has
> > two interfaces - an Internet one on the 192.168.1.x range, and a local
> > interface on the 10.1.x.x range. I have setup demand-dial router
> > connections
> > on each RAS Server configured to connect to the other server. The RRAS
> > Admin
> > tool indicates the DD connections are connected and operational, and I can
> > ping each interface on both RAS servers from any RAS server. So, I know
> > traffic is passing over the PPTP tunnel. What I can't do is have DET-DC-01
> > ping LON-DC-01. The routers are not passing local traffic to the remote
> > subnet.
> >
> > BTW: DET is DETROIT, and LON is LONDON
> >
> > I have checked the following:
> > -----------------------------------------------------------
> > * No IP Filters are blocking the traffic.
> > -----------------------------------------------------------
> > * Static routes are configured on each RAS server for the remote subnet
> > and
> > use the Demand-Dial interface as the gateway. I have verified this with
> > route
> > print commands.
> > -----------------------------------------------------------
> > * I have changed the demand dial interfaces to persistent connections.
> > -----------------------------------------------------------
> > * I have performed an ipconfig on both RAS servers and IP routing is
> > enabled. All interfaces show up with the proper IP and subnet mask.
> > -----------------------------------------------------------
> > * I have a DHCP server on the DETROIT RAS router and a RAS static pool of
> > addresses on the LONDON RAS server.
> > -----------------------------------------------------------
> > * There are no errors in the event log on either server.
> > -----------------------------------------------------------
> > * All servers in the LON subnet are statically configured to use the
> > DET-DC_01 as their DNS and WINS server. No LON servers are members of the
> > domain yet. I was waiting until I get the routing working before I join
> > them.
> > -----------------------------------------------------------
> > * I have checked the PPTP ports on the RAS servers to ensure they are
> > configured for inbound and outbound connections.
> > -----------------------------------------------------------
> > * I have read many RRAS docs on technet and to my best recollection - I'm
> > configured correctly - yet the traffic doesn't pass.
> > -----------------------------------------------------------
> > * I executed a "Tracert -d 10.1.2.100" from DET-DC-01 and the first hope
> > was
> > 10.1.1.1 (DET-RAS-01), and after that it failed to respond. I got the same
> > results when I tried to tracert from LON-DC-01 to 10.1.1.100).
> > -----------------------------------------------------------
> > * I've been stuck on this for a few days. I'm pulling my hair out and now
> > I'm beginning to realize why I've never seen anyone use a Windows 2003
> > server
> > for a router. LOL
> >
> > Any advice would be helpful.
> >
> > --
> > Good Sites to know:
> > http://www.sysinternals.com
> > http://www.eventid.net
> > http://www.microsoft.com/technet
> > http://www.isaserver.org
> > http://www.nu2.nu/pebuilder
> >
>
>
>

Glad to hear you got it sorted out. Best of luck with the exam!

"Brandon Baker, MCSE" <(E-Mail Removed)> wrote in message
news:99921612-0035-497C-8CC3-(E-Mail Removed)...
>I feel mildly embarrassed after going back through and finding out what the
> problem was....
>
> I forgot to enable the RAS Policy allowing comms to other RRAS servers.
>
> Thanks for helping - if I can just pass this 70-291 - the rest is cake.
> RAS
> has always been my weak spot, since we never use it.
>
> We either have Juniper or Cisco solutions in place for VPN needs.
>
> THANKS!
> --
> Good Sites to know:
> http://www.sysinternals.com
> http://www.eventid.net
> http://www.microsoft.com/technet
> http://www.isaserver.org
> http://www.nu2.nu/pebuilder
>
>
>
> "Bill Grant" wrote:
>
>> The most common cause of this is that the routes are not binding to
>> the
>> connection. Because there can be multiple VPN connections to a RRAS
>> router,
>> your calling router must specify which demand-dial connection on the
>> answering router you want to use. You do that by using the dd interface
>> name
>> as the username on the calling router.
>>
>> The static route on the answering router will only become active if
>> the
>> connection is made to the dd interface. When this happens, the dd
>> interface
>> will show as connected in the RRAS console and the static route will be
>> added to the routing table.
>>
>> If the calling router does not use the name of a valid dd interface,
>> it
>> connects as a simple "dialup" (or client-server) style VPN client. In
>> that
>> case, only a host route is set up for the caller, and site-to-site
>> routing
>> fails.
>>
>> If the connection is bound to the dd interfaces, site to site routing
>> does work, because each router has a subnet route for the "other" site
>> through the VPN tunnel. The only reason for it to fail is if the VPN
>> router
>> is not the default gateway for the LAN. In that case you need extra
>> routing
>> to get the private traffic to the VPN router from the gateway router.
>>
>> "Brandon Baker, MCSE" <(E-Mail Removed)> wrote in message
>> newsB4119FB-CBF8-465E-8A5A-(E-Mail Removed)...
>> >I have setup a lab for my upcoming 70-291 test using VMWARE ESX server.
>> >
>> > 192.168.1.200 192.168.1.201
>> > DET-RAS-01 <----> LON-RAS-01
>> > 10.1.1.1/24 10.1.2.1/24
>> > ^ ^
>> > | |
>> > DET-DC-01 LON-DC-01
>> > 10.1.1.100/24 10.1.2.100/24
>> >
>> > Hopefully from my basic ASCII diagram you can see that each RAS server
>> > has
>> > two interfaces - an Internet one on the 192.168.1.x range, and a local
>> > interface on the 10.1.x.x range. I have setup demand-dial router
>> > connections
>> > on each RAS Server configured to connect to the other server. The RRAS
>> > Admin
>> > tool indicates the DD connections are connected and operational, and I
>> > can
>> > ping each interface on both RAS servers from any RAS server. So, I know
>> > traffic is passing over the PPTP tunnel. What I can't do is have
>> > DET-DC-01
>> > ping LON-DC-01. The routers are not passing local traffic to the remote
>> > subnet.
>> >
>> > BTW: DET is DETROIT, and LON is LONDON
>> >
>> > I have checked the following:
>> > -----------------------------------------------------------
>> > * No IP Filters are blocking the traffic.
>> > -----------------------------------------------------------
>> > * Static routes are configured on each RAS server for the remote subnet
>> > and
>> > use the Demand-Dial interface as the gateway. I have verified this with
>> > route
>> > print commands.
>> > -----------------------------------------------------------
>> > * I have changed the demand dial interfaces to persistent connections.
>> > -----------------------------------------------------------
>> > * I have performed an ipconfig on both RAS servers and IP routing is
>> > enabled. All interfaces show up with the proper IP and subnet mask.
>> > -----------------------------------------------------------
>> > * I have a DHCP server on the DETROIT RAS router and a RAS static pool
>> > of
>> > addresses on the LONDON RAS server.
>> > -----------------------------------------------------------
>> > * There are no errors in the event log on either server.
>> > -----------------------------------------------------------
>> > * All servers in the LON subnet are statically configured to use the
>> > DET-DC_01 as their DNS and WINS server. No LON servers are members of
>> > the
>> > domain yet. I was waiting until I get the routing working before I join
>> > them.
>> > -----------------------------------------------------------
>> > * I have checked the PPTP ports on the RAS servers to ensure they are
>> > configured for inbound and outbound connections.
>> > -----------------------------------------------------------
>> > * I have read many RRAS docs on technet and to my best recollection -
>> > I'm
>> > configured correctly - yet the traffic doesn't pass.
>> > -----------------------------------------------------------
>> > * I executed a "Tracert -d 10.1.2.100" from DET-DC-01 and the first
>> > hope
>> > was
>> > 10.1.1.1 (DET-RAS-01), and after that it failed to respond. I got the
>> > same
>> > results when I tried to tracert from LON-DC-01 to 10.1.1.100).
>> > -----------------------------------------------------------
>> > * I've been stuck on this for a few days. I'm pulling my hair out and
>> > now
>> > I'm beginning to realize why I've never seen anyone use a Windows 2003
>> > server
>> > for a router. LOL
>> >
>> > Any advice would be helpful.
>> >
>> > --
>> > Good Sites to know:
>> > http://www.sysinternals.com
>> > http://www.eventid.net
>> > http://www.microsoft.com/technet
>> > http://www.isaserver.org
>> > http://www.nu2.nu/pebuilder
>> >
>>
>>
>>