RRAS Dual NIC Bug/Feature?

Here is our setup:

W2K3 RRAS server with VPN. Three NICS, one private and two public.
One of the two public is on a cable modem (DEFAULT GATEWAY) with
dynamic IP (DHCP), the other is a backup T1 line with static IP.

We used to use W2K with ISA server. For VPN users to connect to the
static IP address, we used to have to add a route to the client's IP
address. To connect to the dynamic IP address we just inform them when
that address changed.

Now with W2K3 the weirdest thing happens. With no routes set up, all
users can try to connect to the static side, but they actually end up
connecting to the dynamic side. Does anybody know why W2K3 does this?
Don't get me wrong, it is a great feature if that is what is intended.
Management of the connections drops to zero now. Everybody just tries
to connect to the static side.

Thanks,
Doug

Double check your setup against this:

Microsoft Windows Server 2003 Remote Access/VPN Server Role
http://www.microsoft.com/technet/pro...r/default.mspx

Ignore that fact that you have three Nics. Choose the one external Nic you
plan to use and configure it RRAS if that Nic and the Internal Nic are the
only ones it has.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Doug Crabtree" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Here is our setup:
>
> W2K3 RRAS server with VPN. Three NICS, one private and two public.
> One of the two public is on a cable modem (DEFAULT GATEWAY) with
> dynamic IP (DHCP), the other is a backup T1 line with static IP.
>
> We used to use W2K with ISA server. For VPN users to connect to the
> static IP address, we used to have to add a route to the client's IP
> address. To connect to the dynamic IP address we just inform them when
> that address changed.
>
> Now with W2K3 the weirdest thing happens. With no routes set up, all
> users can try to connect to the static side, but they actually end up
> connecting to the dynamic side. Does anybody know why W2K3 does this?
> Don't get me wrong, it is a great feature if that is what is intended.
> Management of the connections drops to zero now. Everybody just tries
> to connect to the static side.
>
> Thanks,
> Doug
>

We are connecting fine. No problems whatsoever. I was just wondering about
the ability for the VPN to go from the static to the dynamic automatically.

Doug Crabtree

"Phillip Windell" <@.> wrote in message
news:%(E-Mail Removed)...
> Double check your setup against this:
>
> Microsoft Windows Server 2003 Remote Access/VPN Server Role
> http://www.microsoft.com/technet/pro...r/default.mspx
>
> Ignore that fact that you have three Nics. Choose the one external Nic you
> plan to use and configure it RRAS if that Nic and the Internal Nic are the
> only ones it has.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com

"Doug Crabtree" <(E-Mail Removed)> wrote in message
news:BIGdnW0mq6y--jnfRVn-(E-Mail Removed)...
> We are connecting fine. No problems whatsoever. I was just wondering
about
> the ability for the VPN to go from the static to the dynamic
automatically.

I don't know what you mean by that.

RRAS either supplys DHCP to the RRAS Clients or it doesn't (VPN or not). If
the client has static addresses configured into thier "dial-up" settings,
then they will use them instead of DHCP. DHCP is never "pushed",...DHCP is
alwayd "requested" by the Client that needs the address,..if they don't need
an address they don't "ask" for one.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

No, that is not what I meant. Sorry.

I am not asking from the client side, I am asking from the server side.

1) The user has in his/her VPN settings to connect to ip xxx.xxx.xxx.xxx
(this static side of the server not defined with a default gateway)
2) The user authenticates and establishes the connection.
3) I go into RRAS and check out the IP routing table (or route print).
That connection is shown to have a route out via the dynamic IP
yyy.yyy.yyy.yyy (defined with a default gateway) on the server.

My question was, why is W2K3 establishing the VPN connection on the NIC
(yyy.yyy.yyy.yyy) that was not originally tried by the client
(xxx.xxx.xxx.xxx)?

Thanks,
Doug

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> "Doug Crabtree" <(E-Mail Removed)> wrote in message
> news:BIGdnW0mq6y--jnfRVn-(E-Mail Removed)...
>> We are connecting fine. No problems whatsoever. I was just wondering
> about
>> the ability for the VPN to go from the static to the dynamic
> automatically.
>
> I don't know what you mean by that.
>
> RRAS either supplys DHCP to the RRAS Clients or it doesn't (VPN or not).
> If
> the client has static addresses configured into thier "dial-up" settings,
> then they will use them instead of DHCP. DHCP is never "pushed",...DHCP
> is
> alwayd "requested" by the Client that needs the address,..if they don't
> need
> an address they don't "ask" for one.
>
> --
>
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>

"Doug Crabtree" <(E-Mail Removed)> wrote in message
news:eZ6dnbkHwuZb8DnfRVn-(E-Mail Removed)...
> No, that is not what I meant. Sorry.
>
> I am not asking from the client side, I am asking from the server side.
>
> 1) The user has in his/her VPN settings to connect to ip xxx.xxx.xxx.xxx
> (this static side of the server not defined with a default gateway)
> 2) The user authenticates and establishes the connection.
> 3) I go into RRAS and check out the IP routing table (or route print).
> That connection is shown to have a route out via the dynamic IP
> yyy.yyy.yyy.yyy (defined with a default gateway) on the server.
>
> My question was, why is W2K3 establishing the VPN connection on the NIC
> (yyy.yyy.yyy.yyy) that was not originally tried by the client
> (xxx.xxx.xxx.xxx)?

I'm not sure of all the gory details, but you can really have only one
"true" external Nic and it will be the one with the Default Gateway. Any
outbound traffic will alway use that Nic unless the destination is a
specific "known" route that is already established to be associated with one
of the other Nics. Since the "caller" is not part of a pre-established
route which would be associated with a different Nic,..they become
associated with the Nic that is tied to their "unknown" route which is the
one with the Default Gateway. This would be the case whether you were using
VPN or not.

As an experiment,..if the "caller" comes from only a certain number of
addresses that are part of a single subnet (their ISP's subnet) then create
a Static Route on the Server that tells it to use the xxx.xxx.xxx.xxx Nic to
get to that subnet destination. Now it should show the Nic you were
expecting instead of the one with the Default Gateway because now the
xxx.xxx.xxx.xxx Nic is associated with that particular destination subnet.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com

"Phillip Windell" <@.> wrote in message
news:%(E-Mail Removed)...
> As an experiment,..if the "caller" comes from only a certain number of
> addresses that are part of a single subnet (their ISP's subnet) then
> create
> a Static Route on the Server that tells it to use the xxx.xxx.xxx.xxx Nic
> to
> get to that subnet destination. Now it should show the Nic you were
> expecting instead of the one with the Default Gateway because now the
> xxx.xxx.xxx.xxx Nic is associated with that particular destination subnet.

This is how we did it on Windows 2000. When the user would try to connect
to the static side witout the route, the connection failed. Now the server
just routes to the dynamic side with the gateway. I was just wondering if
this was a bug or a feature of 2003. I hope it is a feature because it is
easer to tell everybody to hit the static so we don't have to worry about
the dynamic anymore, the server handles it.

Thanks,
Doug

"Doug Crabtree" <(E-Mail Removed)> wrote in message
news:y7-dnboyN9UHCTnfRVn-(E-Mail Removed)...
> This is how we did it on Windows 2000. When the user would try to connect
> to the static side witout the route, the connection failed. Now the
server
> just routes to the dynamic side with the gateway. I was just wondering if
> this was a bug or a feature of 2003. I hope it is a feature because it is
> easer to tell everybody to hit the static so we don't have to worry about
> the dynamic anymore, the server handles it.

I don't really know about that. I wasn't aware that 2000 didn't work the
same way.

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com