VPN Site-to-Site problem with RRAS on Win2k3svr

 
 
Daniel

 
      12-01-2006, 04:08 AM
Hello,

We have the following scenario: a stand-alone Win2k3svr with Exchange 2003
is located at a server center in the internet (IS); another win2k3svr is
located in our office (OS). The OS establishes the site-to-site VPN
connection with the IS so the clients in the office can access their
mailboxes. Both servers run an ISA2000 for security reasons.

Since there is no record in the event log, I can only describe the symptoms of
the problem:

For a long time it just worked fine. For a couple of days now the clients
have been unable to access their mailboxes or any other resources (e.g. SMB)
on the IS. Routing protocols look as they always do and are correct on both
sites. No errors occur in the event log, the connection establishes just fine
as usual. So as I said, the clients in the office cannot access the resources,
but from the OS I can access everything on the IS (I always try to access the
c$-share by using the server's IP, not FQDN, as a test). On the other side,
the IS cannot access anything on the office network, neither the OS itself nor
anything behind that router.

Another symptom is: If I establish a VPN-connection directly from a client
to the IS then everything works fine – so I first assumed that there must be
a problem with the routing table, but see for yourself:

Office server:
OS-IP (internal): 192.168.10.1
OS-RRAS-IP: 192.168.10.50
OS-IP on IS vpn: 192.168.20.51

Routing table on the OS:

Netzwerkziel     Netzwerkmaske    Gateway          Schnittstelle    Metrik
0.0.0.0          0.0.0.0          59.6.176.254     59.6.176.127     20
59.6.176.0       255.255.255.0    59.6.176.127     59.6.176.127     20
59.6.176.127     255.255.255.255  127.0.0.1        127.0.0.1        20
59.255.255.255   255.255.255.255  59.6.176.127     59.6.176.127     20
127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1        1
192.168.10.0     255.255.255.0    192.168.10.1     192.168.10.1     20
192.168.10.1     255.255.255.255  127.0.0.1        127.0.0.1        20
192.168.10.50    255.255.255.255  127.0.0.1        127.0.0.1        50
192.168.10.53    255.255.255.255  192.168.20.51    192.168.20.51    1
192.168.10.255   255.255.255.255  192.168.10.1     192.168.10.1     20
192.168.20.0     255.255.255.0    0.0.0.0          192.168.20.51    1
192.168.20.0     255.255.255.0    192.168.10.53    192.168.20.51    1
192.168.20.51    255.255.255.255  127.0.0.1        127.0.0.1        50
192.168.20.255   255.255.255.255  192.168.20.51    192.168.20.51    50
211.234.119.35   255.255.255.255  59.6.176.254     59.6.176.127     20
224.0.0.0        240.0.0.0        59.6.176.127     59.6.176.127     20
224.0.0.0        240.0.0.0        192.168.10.1     192.168.10.1     20
224.0.0.0        240.0.0.0        192.168.20.51    192.168.20.51    50
255.255.255.255  255.255.255.255  59.6.176.127     59.6.176.127     1
255.255.255.255  255.255.255.255  192.168.10.1     192.168.10.1     1
255.255.255.255  255.255.255.255  192.168.20.51    192.168.20.51    1
Standardgateway: 59.6.176.254

Internet server:
IS-IP (internal): 192.168.20.1
IS-RRAS-IP: 192.168.20.50
IS-IP on OS vpn: 192.168.10.53

Network Destination  Netmask          Gateway          Interface        Metric
0.0.0.0              0.0.0.0          211.234.119.33   211.234.119.35   10
59.6.176.127         255.255.255.255  211.234.119.33   211.234.119.35   10
127.0.0.0            255.0.0.0        127.0.0.1        127.0.0.1        1
192.168.10.0         255.255.255.0    192.168.20.51    192.168.10.53    1
192.168.10.53        255.255.255.255  127.0.0.1        127.0.0.1        50
192.168.10.255       255.255.255.255  192.168.10.53    192.168.10.53    50
192.168.20.0         255.255.255.0    192.168.20.1     192.168.20.1     10
192.168.20.1         255.255.255.255  127.0.0.1        127.0.0.1        10
192.168.20.50        255.255.255.255  127.0.0.1        127.0.0.1        50
192.168.20.51        255.255.255.255  192.168.10.53    192.168.10.53    1
192.168.20.255       255.255.255.255  192.168.20.1     192.168.20.1     10
211.234.119.32       255.255.255.240  211.234.119.35   211.234.119.35   10
211.234.119.35       255.255.255.255  127.0.0.1        127.0.0.1        10
211.234.119.255      255.255.255.255  211.234.119.35   211.234.119.35   10
224.0.0.0            240.0.0.0        192.168.10.53    192.168.10.53    50
224.0.0.0            240.0.0.0        192.168.20.1     192.168.20.1     10
224.0.0.0            240.0.0.0        211.234.119.35   211.234.119.35   10
255.255.255.255      255.255.255.255  192.168.10.53    192.168.10.53    1
255.255.255.255      255.255.255.255  192.168.20.1     192.168.20.1     1
255.255.255.255      255.255.255.255  211.234.119.35   211.234.119.35   1


I have been using RRAS for many years and have experienced various problems,
which at least gave me some records in the event log. Since I don't get
any error messages, I am really clueless about how to solve this problem.

Any clue?

Best regards,
Daniel.



Bill Grant

 
      12-02-2006, 12:29 AM
There is an odd entry in the routing table for machine OS, but I am not
sure how it got there.

This entry is correct.

192.168.20.0 255.255.255.0 192.168.10.53 192.168.20.51 1

It is the route to send traffic for the "other" site through the VPN
tunnel. The entry above it

192.168.20.0 255.255.255.0 0.0.0.0 192.168.20.51 1

should not be there. I suspect that this entry is fouling up your site
routing.

You will note in the routing table for machine IS, the corresponding
correct route

192.168.10.0 255.255.255.0 192.168.20.51 192.168.10.53 1

is there, but not the incorrect one with 0.0.0.0 as the gateway address.



 
Reply With Quote
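The comparison made by eye in the reply above can be automated. The following is an added example, not part of either post: it parses `route print` rows and reports any prefix that has several routes on the same interface and metric but different gateways. The sample rows are a subset copied from the two tables in the thread; the function names are this example's own.

```python
import ipaddress
from collections import defaultdict

# Subset of the rows posted in the thread (OS table keeps its German header).
OS_TABLE = """\
Netzwerkziel Netzwerkmaske Gateway Schnittstelle Metrik
0.0.0.0 0.0.0.0 59.6.176.254 59.6.176.127 20
192.168.10.0 255.255.255.0 192.168.10.1 192.168.10.1 20
192.168.20.0 255.255.255.0 0.0.0.0 192.168.20.51 1
192.168.20.0 255.255.255.0 192.168.10.53 192.168.20.51 1
224.0.0.0 240.0.0.0 59.6.176.127 59.6.176.127 20
224.0.0.0 240.0.0.0 192.168.10.1 192.168.10.1 20
"""
IS_TABLE = """\
0.0.0.0 0.0.0.0 211.234.119.33 211.234.119.35 10
192.168.10.0 255.255.255.0 192.168.20.51 192.168.10.53 1
192.168.20.0 255.255.255.0 192.168.20.1 192.168.20.1 10
"""

def parse_routes(text):
    """Yield (network, gateway, interface, metric) for each 'route print' row."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}")
            gw = ipaddress.ip_address(cols[2])
            iface = ipaddress.ip_address(cols[3])
            metric = int(cols[4])
        except ValueError:
            continue  # header row (any locale) or malformed line
        yield net, gw, iface, metric

def ambiguous_routes(text):
    """Map each prefix to its gateways when one interface and metric carry more
    than one gateway for it. The key includes the interface, so the normal
    per-interface multicast and broadcast rows are not reported."""
    groups = defaultdict(set)
    for net, gw, iface, metric in parse_routes(text):
        groups[(net, iface, metric)].add(gw)
    return {str(net): [str(g) for g in sorted(gws)]
            for (net, iface, metric), gws in groups.items() if len(gws) > 1}

if __name__ == "__main__":
    for name, table in (("OS", OS_TABLE), ("IS", IS_TABLE)):
        print(name, ambiguous_routes(table) or "no ambiguous prefixes")
```

Run against the OS rows it reports 192.168.20.0/24 with gateways 0.0.0.0 and 192.168.10.53, the pair singled out in the reply; the IS rows produce no finding.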