Windows Server 2019 with RAS-VPN (PPTP/L2tp) blocks some IP addresses

Hello,

I have a server with Windows Server 2019 and the Remote Access role with the features 'DirectAccess and VPN' and 'Routing'. The server has two NICs, one connected to the internal network and the other one, via a router, to the WAN. The VPN uses the protocols PPTP and L2TP and it is possible to connect to the VPN over the internet.

For some users it is not possible to make a connection with the VPN, and after a lot of testing it seems that the server doesn't respond to certain IP addresses, for all protocols: PPTP, ICMP etc. The server has a firewall and Symantec Endpoint Protection, but neither has a rule to block some IP addresses. In the log of the firewall I can see the incoming connection, for example a request for an ICMP ping, but no response; the same for PPTP, etc.

As far as I can see and know, there are no limitations for connections based on IP and I don't know what to check next. Are there other places in Windows Server 2019 where IPs can be blocked?

Because we lost a server, the Remote Access role is installed on a server that also acts as a backup domain controller.

Thank you in advance for your time.


Hello MCopious,

One bit of information that you could easily provide and that would help to characterize the problem is whether there is any pattern in the working and non-working IP addresses.

If, for example, addresses X.Y.Z.23 and X.Y.Z.25 work and X.Y.Z.24 and X.Y.Z.26 don't work then there is unlikely to be any configured "blocking" that could explain the behaviour.

However, if X.Y.1.23 and X.Y.1.25 work and X.Y.2.24 and X.Y.2.26 don't work then there is a slim chance that something is either blocking (or not routing) the traffic.

Gary




Hi,
 
Just want to confirm the current situation.
 
Please feel free to let us know if you need further assistance.
 
Best Regards,
Sunny

DSPatrick answered

Remote Access role is installed on a server that also acts as a back-up domain controller

Multi-homing / installing the RRAS role on a domain controller will always cause no end of grief for Active Directory domain DNS. I'd remove the second NIC and move the RRAS role to its own dedicated instance of Windows.

--please don't forget to Accept as answer if the reply is helpful--

SunnyQi-MSFT answered

Hi,

Thanks for posting in Q&A platform.

I would like to confirm with you: is there any error message when the VPN client cannot connect to the VPN server?

Based on your description, my understanding is that your VPN client cannot ping the VPN server successfully, so it cannot obtain an available internal IP address from the VPN server. Please correct me if my understanding is wrong.

If the VPN client cannot ping the VPN server successfully, I would suggest enabling the File and Printer Sharing (Echo Request - ICMPv4-In) rules in both the Inbound and Outbound rules of Windows Firewall.



If the issue still exists, since there are Windows Firewall and Symantec in your environment, for testing I would suggest temporarily disabling Symantec to see if the VPN client can connect to the VPN server. If not, please temporarily disable both Windows Firewall and Symantec for testing.


Best Regards,
Sunny


MCopious-9819 answered

I wanted to answer sooner, but I've been busy with the troubleshooting of the VPN. Thank you for your suggestions.

There is a generic error when a client cannot connect, errors like 'the connection was interrupted' or 'check your network settings'. I've tried turning off the firewall and Symantec, but this didn't solve the problem.

I've examined the IPs and can't find a pattern.

The firewall allows the ICMPv4 echo request; it's just certain IPs that can't ping. This doesn't mean that they can't connect, but IPs that can't connect can't ping the server. Today I had a strange result when pinging the server: for the address we use 'exchange.domain.nl', which points to 'office.domain.nl', but the ping command displayed this as 'OFfiCe.domain.nl'; from the IPs that work it is 'office.domain.nl' without the capitals. Maybe it's nothing, but it seems strange.

Today I installed a new server with the DC role and just the RAS role. During the day I could connect from various sources: a hotspot via mobile and via a mobile data stick that gets a new IP every time it's used, so that looks hopeful, but I'm still a little cautious. Tonight they are going to test the VPN.

I will keep you informed, but I'm still open to ideas and suggestions!

DSPatrick answered

I installed a new server with the DC role and just the RAS role

The multi-homing will continue to cause some unexpected results.


--please don't forget to Accept as answer if the reply is helpful--







MCopious-9819 commented

Sorry, that's a typo, I mean without the DC role, just the RAS role.

DSPatrick answered

Has the domain controller been cleaned up? Also check that domain health is 100%.


--please don't forget to Accept as answer if the reply is helpful--


MCopious-9819 answered

The VPN has been running for a couple of days, and the first day everything seemed fine, but the problems have started again.

I've checked the log files of the firewall, and the people that can't connect have their IPs blocked by the domain part of the firewall. They make a connection with the second NIC, connected to the internet. The clients that can connect don't appear, or appear just once, in the log of the domain firewall and are handled by the private part of the firewall.

The PC has two NICs, both with a static address: NIC 1 has an internal network address and NIC 2 an external internet IP address. The domain part of the firewall is set for NIC 1 only (this was for NIC 1 and 2), but still it blocks external IP addresses.

Most of the time I can connect to the VPN; the times that I can't connect, my IP is blocked by the domain firewall, but most of the time my IP isn't blocked. Other users can connect sometimes but are most of the time blocked by the domain part of the firewall. But I don't know what makes this difference, or what settings are needed for the external IP to be ignored by the domain part of the firewall and just be handled by the public part.
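A PowerShell check for the two things this thread converges on: which network category (Domain/Private/Public) each NIC has actually been assigned, and which source addresses the domain-profile firewall log is dropping on the PPTP/L2TP/ICMP traffic the VPN needs. This is an added example, not code from the thread; it assumes each profile logs to its own file (set with Set-NetFirewallProfile -LogFileName), the standard pfirewall.log field order, and that GRE appears under protocol number 47 (an assumption); the sample log lines are constructed.

```powershell
# Added diagnostic, not from the thread. Assumes per-profile firewall log files and the
# standard W3C pfirewall.log field order:
#   date time action protocol src-ip dst-ip src-port dst-port size ... path
$VpnPorts = @{ 'TCP/1723' = 'PPTP control'; 'UDP/500' = 'IKE'; 'UDP/4500' = 'IPsec NAT-T'; 'UDP/1701' = 'L2TP' }

function Get-VpnDropSummary {
    param([string[]]$LogLines, [string]$Profile = 'unknown')
    $LogLines |
        Where-Object { $_ -notmatch '^#' -and $_ -match '\sDROP\s' } |
        ForEach-Object {
            $f = $_ -split '\s+'
            # f[3]=protocol f[4]=src-ip f[7]=dst-port f[-1]=path (RECEIVE = inbound)
            $key = "$($f[3])/$($f[7])"
            $svc = if ($VpnPorts.ContainsKey($key)) { $VpnPorts[$key] }
                   elseif ($f[3] -eq 'ICMP') { 'ICMP echo' }
                   elseif ($f[3] -eq '47')   { 'GRE (PPTP data)' }   # assumption: GRE logged as protocol 47
                   else { $null }
            if ($svc -and $f[-1] -eq 'RECEIVE') {
                [pscustomobject]@{ Profile = $Profile; SourceIP = $f[4]; Service = $svc }
            }
        } |
        Group-Object Profile, SourceIP, Service |
        Select-Object @{n='Profile';e={$_.Group[0].Profile}},
                      @{n='SourceIP';e={$_.Group[0].SourceIP}},
                      @{n='Service';e={$_.Group[0].Service}}, Count |
        Sort-Object Count -Descending
}

# 1. Which NIC sits in which profile? An internet-facing NIC reported as
#    DomainAuthenticated means domain-profile rules are being applied to WAN traffic.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory, IPv4Connectivity | Format-Table

# 2. Constructed sample lines standing in for a domain-profile log (203.0.113.0/24 is
#    documentation space). Expect two entries for .25 (PPTP control, ICMP) and one for .40.
$sample = @(
  '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
  '2021-03-15 20:01:03 DROP TCP 203.0.113.25 198.51.100.10 51234 1723 52 S 1 0 8192 - - - RECEIVE',
  '2021-03-15 20:01:04 DROP ICMP 203.0.113.25 198.51.100.10 - - 60 - - - - 8 0 - RECEIVE',
  '2021-03-15 20:01:09 DROP UDP 203.0.113.40 198.51.100.10 500 500 0 - - - - - - - RECEIVE',
  '2021-03-15 20:01:10 ALLOW TCP 203.0.113.41 198.51.100.10 50000 1723 0 - 0 0 0 - - - RECEIVE'
)
Get-VpnDropSummary -LogLines $sample -Profile 'Domain' | Format-Table

# 3. The same summary over the live log of each profile, so drops can be attributed to
#    the Domain, Private or Public rule set rather than to "the firewall" as a whole.
Get-NetFirewallProfile | ForEach-Object {
    $path = [Environment]::ExpandEnvironmentVariables($_.LogFileName)
    if (Test-Path $path) { Get-VpnDropSummary (Get-Content $path) $_.Name }
} | Format-Table
```

Run it in an elevated prompt on the RRAS host; if step 1 shows the WAN NIC as DomainAuthenticated, that explains why the domain profile is judging external addresses.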
