RRAS, 1 active PPTP connection, no one else can connect

 
 
Jonathan Schwartz

 
      08-08-2007, 09:24 PM
Satellite office comprised of one Server W2K3 std SP2 DC/DNS/DHCP/File
server and one Server W2k3 std SP2 VPN(RRAS)/Backup server. The DC runs
Active directory and is a child domain to parent at Corp. domain. Both
servers have iSCSI interfaces connected to NAS boxes.

There are five "clients" running XP Pro SP2 and Vista that connect to
the domain.

The issue is, a user or users will go home and connect (PPTP) to the
domain through the RRAS server with no issue. However, if one of those
users leaves the connection up (but unused) for multiple hours, no one
else will be able to reconnect. The policy is such that there is NO time
restriction on time of or length of login. Users must be granted
specific access through their profile.

There appear to be NO relevant errors in the event log. Logging IS
active on the RRAS server, but the output written to the log does not
appear to have any useful information. Some hints for resolution would
be greatly appreciated.

Thanks

-Jonathan
 
 
 
 
 
Bill Grant

 
      08-08-2007, 11:27 PM
That is odd. Does the RRAS server connect directly to the Internet or is
it behind another firewall/router? Some SOHO DSL "routers" will limit you to
one PPTP connection.

"Jonathan Schwartz" <(E-Mail Removed)> wrote in message
news:eban-(E-Mail Removed)...
> Satellite office comprised of one Server W2K3 std SP2 DC/DNS/DHCP/File
> server and one Server W2k3 std SP2 VPN(RRAS)/Backup server. The DC runs
> Active directory and is a child domain to parent at Corp. domain. Both
> servers have iSCSI interfaces connected to NAS boxes.
>
> There are five "clients" running XP Pro SP2 and Vista that connect to
> the domain.
>
> The issue is, a user or users will go home and connect (PPTP) to the
> domain through the RRAS server with no issue. However, if one of those
> users leaves the connection up (but unused) for multiple hours, no one
> else will be able to reconnect. The policy is such that there is NO time
> restriction on time of or length of login. Users must be granted
> specific access through their profile.
>
> There appear to be NO relevant errors in the event log. Logging IS
> active on the RRAS server, but the output written to the log does not
> appear to have any useful information. Some hints for resolution would
> be greatly appreciated.
>
> Thanks
>
> -Jonathan



 
 
Jonathan Schwartz

 
      08-09-2007, 12:22 AM
The topology is: Netopia router to PIX 515 firewall configured with a
DMZ to which one of the RRAS server NICs is attached. Also, there is a
NIC attached to the local LAN switch and NIC direct attached to a NAS
box.

At various times as many as 10 VPN/PPTP users have been connected so
there is no issue with number of connections. It's only when all, but
one of the users, disconnect while a single user stays connected for
hours. During this time "something" happens and no one else is able to
reconnect.

Now, this all may be a red herring as there may be something going on
that just happens to manifest itself in relation to the situation
mentioned above. Possibilities are a DNS issue, an Active Directory issue.
Maybe a DHCP issue... I don't. The interesting thing is that when this
happens the connection just times out... without an error message. I'll
try it tonight and see if I can capture some more info.

Lastly, is there a way to parse and/or look at the RRAS logs and get
some meaningful data from them?

-Jonathan

In article <(E-Mail Removed)>,
"Bill Grant" <not.available@online> wrote:

> That is odd. Does the RRAS server connect directly to the Internet or is
> it behind another firewall/router? Some SOHO DSL "routers" will limit you to
> one PPTP connection.
>
> "Jonathan Schwartz" <(E-Mail Removed)> wrote in message
> news:eban-(E-Mail Removed)...
> > Satellite office comprised of one Server W2K3 std SP2 DC/DNS/DHCP/File
> > server and one Server W2k3 std SP2 VPN(RRAS)/Backup server. The DC runs
> > Active directory and is a child domain to parent at Corp. domain. Both
> > servers have iSCSI interfaces connected to NAS boxes.
> >
> > There are five "clients" running XP Pro SP2 and Vista that connect to
> > the domain.
> >
> > The issue is, a user or users will go home and connect (PPTP) to the
> > domain through the RRAS server with no issue. However, if one of those
> > users leaves the connection up (but unused) for multiple hours, no one
> > else will be able to reconnect. The policy is such that there is NO time
> > restriction on time of or length of login. Users must be granted
> > specific access through their profile.
> >
> > There appear to be NO relevant errors in the event log. Logging IS
> > active on the RRAS server, but the output written to the log does not
> > appear to have any useful information. Some hints for resolution would
> > be greatly appreciated.
> >
> > Thanks
> >
> > -Jonathan

 
 
Phillip Windell

 
      08-09-2007, 01:42 AM
"Jonathan Schwartz" <(E-Mail Removed)> wrote in message
news:eban-(E-Mail Removed)...
> The topology is: Netopia router to PIX 515 firewall configured with a
> DMZ to which one of the RRAS server NICs is attached. Also, there is a
> NIC attached to the local LAN switch and NIC direct attached to a NAS
> box.


So there are two firewalls there. The Netopia is a NAT device,...making it
technically a "firewall",...they are not "routers",..calling them routers
was a bad marketing decision by the SOHO marketing departments of the world.
You should get rid of it,..leave the "modem" if this is a CableTV or DSL
connection and plug the PIX directly into the modem the way the Netopia was.

By simplifying the topology and getting rid of needless devices, will make
troubleshooting easier.

Why is the RRAS box on the Tri-homed DMZ? When the Users connect to it they
become part of the DMZ segment,...wouldn't you want them to become part of
the LAN instead?

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


 
 
Jonathan Schwartz

 
      08-09-2007, 04:33 PM
I have confirmed with the T1 vendor that the Netopia is not doing NAT or
SPI. The Netopia is not acting as a firewall, it is an interface for the
T1. It IS the "modem".

Regarding the Tri-homed DMZ... when users connect from the outside they do
become part of the local lan. The NAS box is for backup-to-disk only and
is on a private subnet not accessible by users. Only the backup app has
access to the NAS.

All this being said, is there a tool(s) that I can use that will gather
some meaningful information about what's going on with the RRAS service,
networking, and user authentication?

As of right now I have to restart the RRAS service every day now to keep
it active.


In article <#(E-Mail Removed)>,
"Phillip Windell" <(E-Mail Removed)> wrote:

> "Jonathan Schwartz" <(E-Mail Removed)> wrote in message
> news:eban-(E-Mail Removed)...
> > The topology is: Netopia router to PIX 515 firewall configured with a
> > DMZ to which one of the RRAS server NICs is attached. Also, there is a
> > NIC attached to the local LAN switch and NIC direct attached to a NAS
> > box.

>
> So there are two firewalls there. The Netopia is a NAT device,...making it
> technically a "firewall",...they are not "routers",..calling them routers
> was a bad marketing decision by the SOHO marketing departments of the world.
> You should get rid of it,..leave the "modem" if this is a CableTV or DSL
> connection and plug the PIX directly into the modem the way the Netopia was.
>
> By simplifying the topology and getting rid of needless devices, will make
> troubleshooting easier.
>
> Why is the RRAS box on the Tri-homed DMZ? When the Users connect to it they
> become part of the DMZ segment,...wouldn't you want them to become part of
> the LAN instead?

 