2003 SP1 RRAS problem

Guest

Since I upgraded my 2003 RRAS servers to SP1 ICMP is blocked through the
client tunnels. It works to and from a remote client and the RRAS server but
not to and from a remote client and end nodes on the company network. Anyone
seen this?
 
Robert L [MS-MVP]

Give us more details about "It works to and from a remote client and the RRAS server but
not to and from a remote client and end nodes on the company network".

For more and other information, go to http://howtonetworking.com.

Don't send e-mail or reply to me except you need consulting services. Posting on MS newsgroup will benefit all readers and you may get more help.

Bob Lin, MS-MVP, MCSE & CNE
How to Setup Windows, Network, Remote Access on http://www.HowToNetworking.com
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
This posting is provided "AS IS" with no warranties.

 
Guest

Sorry Jeff, I do not have the answer for you, however maybe this will help as
you have exactly the problem as me with SP1. I posted this issue back on
April 11th in ‘Windows Server Networking’ as ‘RRAS/VPN Win 2003 SP1’. As you
can see I got lots of responses from people with the same problem! But no
answers…

In the following set-up, both RRAS SP1 servers can ping ALL computers (local
and remote clients and the remote RRAS SP1 server). However, local clients
can only ping all local computers.

Client1 XP Pro
LAN IP Address 192.168.1.50/24 (fixed)
Static route 192.168.2.0 mask 255.255.255.0 192.168.1.1
|
LAN1
|
RRAS1 Win2k3SP1
Internet IP Address aaa.bbb.ccc.ddd (fixed)
LAN IP Address 192.168.1.1/24 (fixed)
Static route to remote LAN set in RRAS
Address pool for remotes 192.168.1.201 to 250 set in RRAS
|
|
Internet
|
|
RRAS2 Win2k3SP1
Internet IP Address eee.fff.ggg.hhh (fixed)
LAN IP Address 192.168.2.1/24 (fixed)
Static route to remote LAN set in RRAS
Address pool for remotes 192.168.2.201 to 250 set in RRAS
|
LAN2
|
Client2 XP Pro
LAN IP Address 192.168.2.50/24 (fixed)
Static route 192.168.1.0 mask 255.255.255.0 192.168.2.1


Note: The situation is just the same if you replace the LANs (and the
‘Internet’) with simple crossover cables (as a test set-up). This removes
any routers, switches and hubs, so it proves it’s not the MTU issue
(KB898060), nor is it the IPNAT.SYS problem (KB897651). Microsoft emailed me the
updated ipnat.sys but it made no difference.

I have discovered (with Network Monitor) that the packets travel as follows:

From Client - OK
In to the local RRAS server LAN NIC - OK
Out of the local RRAS server Internet NIC (in tunnel) - OK
In to the remote RRAS server Internet NIC (in tunnel) - OK
Then nothing on the remote RRAS server LAN NIC !!!
Same in both directions

These are clean installations of Win2k3 SP1 with RRAS, no firewalls at all,
no virus checkers, nothing to get in the way.

Take off SP1 and it’s fine!

Please keep me (all of us) informed, when you have time. Regards shudson
 
Guest

Hi Robert, it is pretty simple... after installing 2003 SP1, RRAS stopped
passing ICMP through client VPN tunnels. A remote VPN client can ping the
inside NIC of the RRAS server, but if the same remote client attempts to ping
a node on the local network across the RRAS server, ICMP is not passed. This
also fails if the inside machine attempts to ping the VPN client. If SP1 is
removed, it works...
 
Guest

Thanks for the reply, it is good to know that I am not the only one with this
problem.
 
Guest

This solved my problem, hope it helps others…

The ‘Demand Dial’ interfaces on my RRAS servers were slightly
misconfigured (the user name in the login credentials did not match the
remote RRAS Demand Dial interface name). This causes RRAS to think the
incoming connection is a Remote Access Client, not a Demand Dial ‘Router’
Connection.

In pre-SP1 Win2k3 this did not seem to matter, in that Remote Access
Connections behaved the same way as Demand Dial connections.

Post-SP1 Win2k3 RRAS does not give Remote Access Connections the same
routing functionality as Demand Dial connections.

Once I got my RRAS Demand Dial interface names and login credentials
correct (so that incoming connections were seen as Demand Dial ‘Router’
connections and not Remote Access Connections), everything worked fine again
(as per pre-SP1).

This is another case where SP1 shows up a misconfigured pre-SP1 installation.

Regards
shudson
 
Bill Grant

Thanks for the update. I am amazed that it ever worked!

If the username doesn't match the demand-dial interface name, the
routing usually fails immediately. Because the demand-dial interface isn't
bound to the connection, the static routes are not activated and site to
site routing fails.
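
The name-matching rule described in the two posts above, as an added example that is not part of the original thread. It is a simplified model, not RRAS code: the interface names `ToSite1`/`ToSite2`, the user `vpnuser`, and the case-insensitive comparison are assumptions; the subnets come from the topology posted earlier.

```python
from ipaddress import ip_address, ip_network

def bound_interface(router, caller_username):
    """Demand-dial interface an incoming call binds to, or None when the
    caller is treated as an ordinary remote access client."""
    for name in router["dd_interfaces"]:
        # Assumption: names are compared case-insensitively.
        if name.lower() == caller_username.lower():
            return name
    return None

def can_route(router, caller_username, dest_ip):
    """True if a static route covering dest_ip is activated by this call."""
    bound = bound_interface(router, caller_username)
    if bound is None:
        return False  # no interface bound, so its static routes stay inactive
    return any(r["interface"] == bound
               and ip_address(dest_ip) in ip_network(r["prefix"])
               for r in router["static_routes"])

def audit(calling, answering):
    """List dial-out credentials on `calling` that `answering` cannot match."""
    findings = []
    for ifname, user in calling["dial_out_user"].items():
        if bound_interface(answering, user) is None:
            findings.append(f"{calling['name']}/{ifname}: user '{user}' matches "
                            f"no demand-dial interface on {answering['name']}")
    return findings

# Constructed sample data; interface and user names are hypothetical.
RRAS2 = {"name": "RRAS2", "dd_interfaces": ["ToSite1"],
         "static_routes": [{"prefix": "192.168.1.0/24", "interface": "ToSite1"}],
         "dial_out_user": {"ToSite1": "ToSite2"}}
RRAS1_BAD = {"name": "RRAS1", "dd_interfaces": ["ToSite2"],
             "static_routes": [{"prefix": "192.168.2.0/24", "interface": "ToSite2"}],
             "dial_out_user": {"ToSite2": "vpnuser"}}   # name mismatch
RRAS1_FIXED = dict(RRAS1_BAD, dial_out_user={"ToSite2": "ToSite1"})

if __name__ == "__main__":
    for rras1 in (RRAS1_BAD, RRAS1_FIXED):
        user = rras1["dial_out_user"]["ToSite2"]
        print(user, audit(rras1, RRAS2), can_route(RRAS2, user, "192.168.1.50"))
```
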
 
Guest

Hello,

I was just running through the posts here and saw this one that tweaked my
interest.

I just had an all-out war with SP1 and my DC; it got to the point where I
called Microsoft and opened a case number with them. After an unsuccessful
repair with the team, I received a call today from a Server team manager and
told them they have a REAL problem with SP1. They have realized that SP1 is
causing some real issues and I advised them if they wanted to see some real
problems in the real world just browse the newsgroups.

My experience was:
1. Lost two hard drives (that were not bad). I replaced them, so it was not the
HDs
(Waste of money and time)
2. Unable to administer FPSE and 1030 and 1058 event is the Application of
event viewer.
3. Loss of DNS after 2 days and restarting the server would hang for a good
7-10 minutes (no joke)

OK, I removed it and all was well; however, there was some residual SP1 in
there causing some things to still happen.
I had to reformat this server. After about 12 hours of needless work I would
have to say until they fix the fix keep this OUT of your machines!!

I am back to normal and hopefully will be able to get something accomplished.
Just a poke in the dark
Joe
 
