DHCP and RRAS-dhcp

Discussion in 'Windows Networking' started by Nick, Jul 8, 2004.

  1. Nick

    Nick Guest

    Hello

    I am always getting the same error 20169:

    Unable to contact a DHCP server. The Automatic Private IP
    Address 169.254.226.187 will be assigned to dial-in
    clients. Clients may be unable to access resources on the
    network.

    I have 2 PPTP ports and 1 PPOE port

    DHCP server is configured correctly having 16 free IP's
    in it's pool. I selected in RRAS IP-properties adress
    assignment done by DHCP, and the correct adapter (static).

    I tried to reainstall DHCP/RRAS ... still the same error.

    (I am trying to solve this because i have now 2 DHCP's
    running on the same IP, that from RRAS and DHCP)
    see also:
    http://msmvps.com/bradley/archive/2004/04/24/5452.aspx

    anyone any suggestions?
     
    Nick, Jul 8, 2004
    #1
    1. Advertisements

  2. Nick

    Dodo Guest

    If the subnet mask is 255.255.255.240, the DHCP server should only have
    fourteen IPs in it's pool and one exclusion for the router IP. That's makes
    for 13 IP leases.
     
    Dodo, Jul 8, 2004
    #2
    1. Advertisements

  3. Nick

    Nick Guest

    Yes, i know, but the subnetmask is simply 255.255.255.0,
    but I only use 16 of these addresses on this DHCP.

    Greets
     
    Nick, Jul 8, 2004
    #3
  4. RRAS has a DHCP Relay Agent that may have to be activated.
     
    Phillip Windell, Jul 8, 2004
    #4
  5. Nick

    Nick Guest

    It's active
     
    Nick, Jul 8, 2004
    #5
  6. And it needs to be configured for:
    Listening on the external adapter
    Forwarding to the internal DHCP Server

    It may be interesting to see a network capture from both the DHCP Server and
    the requesting client during a failing transaction. . .

    -Chris
    --
    ==============================
    Chris Edson


    This posting is provided "AS IS" with
    no warranties, and confers no rights.
    ===============================
     
    Chris Edson [MSFT], Jul 12, 2004
    #6
  7. Nick

    Marc Guest

    I am having the same issue and I have narrowed it down to
    what I think is a bug in RRAS on Server 2003.

    Here's the setup.

    Win2K3 RRAS server in DMZ
    Win2K3 A/D DC with DHCP on LAN

    RRAS is configured as a DHCP Relay Agent, and the IP
    address of the DHCP server is set within The DHCP Relay
    Agent's properties. I can ping the DHCP server from the
    RRAS server.

    When I run Network Monitor on the RRAS server and have it
    monitor all traffic between the RRAS server and the DHCP
    server, I get no traffice captured (This is during RRAS
    service start and while the first VPN client is trying to
    connect)

    Then, I set Network Monitor to capture all traffic on the
    RRAS server and started the RRAS service and then tried
    and VPN client connection.

    Network Monitor shows the RRAS server broadcasting for a
    DHCP server instead of directly talking to the one set in
    it's DHCP Relay Agent properties. Since there is a Cisco
    PIX between the RRAS server and the DHCP server,
    broadcasts are not going to get through.

    Looks like a bug to me.
     
    Marc, Aug 5, 2004
    #7
  8. Nick

    Bill Grant Guest

    That seems a strange way to have it working anyway. If the RRAS server is
    in the DMZ, why would you want it allocating IP addresses from the DHCP on
    the LAN? If the remote clients get IP addresses from DHCP they will be in
    the same subnet as the LAN machines, and so will the RRAS server's internal
    interface. But they are isolated from the other machines in that subnet.

    How are these remote clients going to communicate with the LAN
    machines?
     
    Bill Grant, Aug 6, 2004
    #8
  9. Nick

    Marc Guest

    It's not that strange. All servers exposed to the Internet
    are in the DMZ, no exceptions. The PIX firewall can then
    control access to resources on the LAN, and minimize the
    risk of an attack. I will not put any Windows server (or
    PC for that matter), directly on the Internet; too big of
    a security risk. A simple static route takes care of the
    routing from the VPN clients to the servers on the LAN.

    I have set the RRAS server to issue IP addresses for the
    time being, but I would prefer if my assigned DHCP server
    could do the job instead of allocating addresses from
    multiple points.

    One DHCP server can service multiple subnets. It's a
    single point of DHCP management, and that's important for
    reducing our network maintenance costs as we will be
    outsourcing that responsibility.

    Now if I could just get my L2TP/IPSec VPN running I'd be
    laughing.....
     
    Marc, Aug 6, 2004
    #9
  10. But the Firewall is not a router and you will not be able to forward DHCP
    "queries" across it like you would a router. You should not create an
    environemnt where DHCP is used in anyway on the DMZ. Everything on a DMZ
    should be statically assigned.

    If you use RRAS for VPN, then that machine must be duel-homed and site
    "side-by-side" with the Inner Firewall while the Outer Firewall is rigged to
    forward VPN "callers" to the RRAS Nic exposed to the DMZ. You might be able
    to perform this twice at both Firewalls and avoid the duel-home RRAS box but
    doing that twice might be problematic. The RRAS box handles DHCP with the
    "callers" by using the DHCP Agent built into RRAS.
     
    Phillip Windell, Aug 6, 2004
    #10
  11. Nick

    Marc Guest

    The RRAS box is a dual homed machine conencted to
    different ports on the Cisco PIX. Nothing in the DMZ is
    using DHCP except the VPN clients.

    My point is that RRAS is apparently a DHCP Relay and one
    of the settings is the IP address of the DHCP server, so I
    would therefore assume that if a VPN client requests a
    DHCP assigned address, the DHCP Relay in RRAS would
    forward the request to the DHCP server IP address that is
    set within it's properties. It is not, as a packet capture
    shows the DHCP Relay Agent is broadcasting for a DHCP
    server instead of contacting the DHCP server directly via
    it's IP address.

    If this isn't the way it works, why bother setting an IP
    address for the DHCP server in RRAS?

    I have manually set up an address range in RRAS for VPN
    clients and it works fine.

    Thanks everyone for your responses....

    Marc
     
    Marc, Aug 13, 2004
    #11
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.