Lose local network file access when connecting to VPN of a client

Guest

Hi,

I am running Windows Vista and am in IT Support.

When connected via a LAN cable I have access to Exchange, network drives etc
and all works peachy. As soon as I connect to a client VPN I lose access to
all my network drives via mapped drives and UNC paths. Funnily my access to
the Exchange server is still perfect.

When I disconnect from the VPN to the client network I gain access to the
network drives again.

I ran an "nslookup" while disconnected from the VPN and only connected to
LAN via network cable and I connect to my company DNS server. Once I connect
to the VPN of the client and run "nslookup" again I connect to the DNS server
of the client. (I can confirm all this as I installed the system at the
client I am connected to via VPN)

So basically it seems that for some reason Vista has some sort of priority
setup to use the default gateway or something of the VPN connection which
takes precedence over my local LAN connection and uses all DNS, WINS etc
settings of the VPN and then I lose access to my data drives as it is on a
DFS share.

The above mentioned problem is also experienced by other people in my team
that run Vista on their laptops, XP is fine of course.

Concerning my VPN connection, I ensure that the "Domain" option tick box is
not selected in my VPN connection to the client and only use a username and
password to connect.
 
Robert L [MVP - Networking]

Try to disable the Use default gateway on remote network. Please post back with the result. The details can be found here:

routing issues on vpn
To fix this issue, disable the "Use default gateway" on the Office A VPN server. ... 2) Make sure you don't uncheck Use the remote default gateway on VPN ...
http://www.chicagotech.net/routingissuesonvpn.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Guest

Robert,

Sorry, forgot to mention that it is actually disabled.

On the VPN connection the "default gateway" option in advanced properties of
TCP/IP is NOT enabled.

On XP it works but not Vista.

Thanks Robert
 
Robert L [MVP - Networking]

Posting the routing table of Vista VPN client here may help.

 
Guest

H:\>route print
---------------------------------------------------------------------------
Route Print below is when computer is NOT connected to the VPN but only to
the local LAN.

Begin (NOT connected to any VPN's, only to local LAN)

===========================================================================
Interface List
13 ...00 02 c7 e5 e5 c8 ...... Bluetooth Personal Area Network
9 ...00 13 02 2c a4 2c ...... Intel(R) PRO/Wireless 3945ABG Network
Connection
8 ...00 13 a9 2a ad 3a ...... Marvell Yukon 88E8036 PCI-E Fast Ethernet
Controller
1 ........................... Software Loopback Interface 1
12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
16 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
14 ...00 00 00 00 00 00 00 e0 isatap.connect.co.uk
15 ...00 00 00 00 00 00 00 e0 isatap.{3A79E4C6-8324-49D9-BD43-FC519C5770D8}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.16.32.1 10.16.33.61 20
10.16.32.0 255.255.252.0 On-link 10.16.33.61 276
10.16.33.61 255.255.255.255 On-link 10.16.33.61 276
10.16.35.255 255.255.255.255 On-link 10.16.33.61 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.16.33.61 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.16.33.61 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 18 ::/0 On-link
1 306 ::1/128 On-link
12 18 2001::/32 On-link
12 266 2001:0:4136:e38e:1cf6:c8e3:3c1f:323d/128
On-link
8 276 fe80::/64 On-link
12 266 fe80::/64 On-link
14 281 fe80::5efe:10.16.33.61/128
On-link
12 266 fe80::1cf6:c8e3:3c1f:323d/128
On-link
8 276 fe80::c4ba:cfc4:6404:b6d6/128
On-link
1 306 ff00::/8 On-link
12 266 ff00::/8 On-link
8 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

END (NOT connected to any VPN's, only to the local LAN)

---------------------------------------------------------------------------
Below is route print of the computer when it has made a VPN connection to
a client. When this VPN is active I have no access to local network drives
of DFS and nslookup automatically goes to the client DNS server over the VPN
instead of using the local.

BEGIN (VPN Connected)

===========================================================================
Interface List
23 ........................... CDC Group
13 ...00 02 c7 e5 e5 c8 ...... Bluetooth Personal Area Network
9 ...00 13 02 2c a4 2c ...... Intel(R) PRO/Wireless 3945ABG Network
Connection
8 ...00 13 a9 2a ad 3a ...... Marvell Yukon 88E8036 PCI-E Fast Ethernet
Controller
1 ........................... Software Loopback Interface 1
12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
16 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
24 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
14 ...00 00 00 00 00 00 00 e0 isatap.connect.co.uk
15 ...00 00 00 00 00 00 00 e0 isatap.{3A79E4C6-8324-49D9-BD43-FC519C5770D8}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.16.32.1 10.16.33.61 20
10.16.32.0 255.255.252.0 On-link 10.16.33.61 276
10.16.33.61 255.255.255.255 On-link 10.16.33.61 276
10.16.35.255 255.255.255.255 On-link 10.16.33.61 276
87.86.8.202 255.255.255.255 10.16.32.1 10.16.33.61 21
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 192.168.0.200 192.168.0.202 21
192.168.0.202 255.255.255.255 On-link 192.168.0.202 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.16.33.61 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.16.33.61 276
255.255.255.255 255.255.255.255 On-link 192.168.0.202 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 18 ::/0 On-link
1 306 ::1/128 On-link
12 18 2001::/32 On-link
12 266 2001:0:4136:e38e:1cf6:c8e3:3c1f:323d/128
On-link
8 276 fe80::/64 On-link
12 266 fe80::/64 On-link
14 281 fe80::5efe:10.16.33.61/128
On-link
24 281 fe80::5efe:192.168.0.202/128
On-link
12 266 fe80::1cf6:c8e3:3c1f:323d/128
On-link
8 276 fe80::c4ba:cfc4:6404:b6d6/128
On-link
1 306 ff00::/8 On-link
12 266 ff00::/8 On-link
8 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

END (VPN Connected)
 
Robert L [MVP - Networking]

Assuming 10.16.32.0 is LAN and 192.168.0.0 is remote network, the routing table looks OK. You may want to use the tracert command to find out where the traffic goes.

 
Guest

ok, as you confirmed routing is fine and I agree.

Looking at it a bit more I have some more detail to pass on.

1. Tracert results for trying to ping remote server on client lan

C:\>tracert apollo.cdcgroup.com

Tracing route to apollo.contoso.com [192.168.0.10]
over a maximum of 30 hops:

1 * * * Request timed out.
2 9 ms 8 ms 9 ms apollo.contoso.com [192.168.0.10]

this should be irrelevant as I can access all of these fine anyway

2. Ping to both IP addresses of servers on local lan (10.16) and client lan
(192.168) using IP address
3. ping to both IP addresses of server on local lan (10.16) and client lan
(192.168) using FQDN works fine
4. Like mentioned before Exchange works fine as it points directly to the
Exchange server and I can ping servers fine on my LAN so that is fine
5. Our main data share is on DFS, thus our drives are mapped using
"\\mycompany.co.uk\dfs\(sharename)", when trying to browse to UNC
"\\mycompany.couk" while not connected to the VPN it works fine and I can see
the DFS share. When I am connected to the VPN I can see the DFS share but
when trying to open it I get the following error
"\\mycompany.co.uk\dfs is not accessible, you might not have permission to
use this network resource. Contact administrator blah blah. The username
could not be found"

I really think the problem is to do with DNS, I assume DFS is heavily
reliant on DNS and also when I am connected to a VPN of (192.168) and run
"nslookup" I authenticate on the DNS of the DC of my client on (192.168) and
not my own DNS on (10.16). If nslookup goes to the DNS server on the domain
that the VPN connects to it must screw up my laptop connections etc. As soon
as the VPN is dropped all my shares come alive.

Thanks again for your help. I hope my descriptions are detailed enough
 
Robert L [MVP - Networking]

To confirm if it is the DNS settings, can you do net view \\ipaddress\dfs? Also it is better to set up WINS in VPN connection. This link may help,

Name resolution on VPN
Name resolution is big issue in VPN access. If your VPN server doesn't setup correctly or the VPN client can't receive the VPN DNS and WINS settings, ...
http://www.chicagotech.net/nameresolutionpnvpn.htm


 
Guest

VPN Connection

DNS settings - VPN connection has the main DC DNS details manually put in.
Also it has the DNS suffix of remote domain entered with the option "register
this connections addresses in DNS" ticked

WINS - VPN connection has the Main DC WINS details manually put in as well,
MAIN DC is DNS and WINS server on remote network. "Enable NetBIOS over
TCP/IP" is also ticked

---------------------------------------------------------
Net View when NOT connected to the VPN

I run the command "net view \\mycompany.co.uk\dfs" but on both occasions I
get "Error 5 occurred, Access is Denied". On my company network I have normal
user privileges and only admin rights over my own laptop. I tried with the
"net view \\10.16.x.x\dfs" with the same result.

Net View when CONNECTED to the VPN

These results are exactly the same for both ways
---------------------------------------------------------------------
BEGIN

Net View command "net view \\mycompany.co.uk" with VPN NOT connected

C:\Windows\system32>net view \\mycompany.co.uk
Shared resources at \\mycompany.co.uk

Share name Type Used as Comment

-----------------------------------------------
dfs Disk [Offline Share]
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
The command completed successfully.

END
----------
BEGIN

"net view \\10.16.x.x" with VPN NOT connected

C:\Windows\system32>net view \\10.16.x.x
Shared resources at \\10.16.x.x

Share name Type Used as Comment

---------------------------------------------------------------------
CertEnroll Disk Certificate Services share
dfs Disk
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
VPHOME Disk Symantec AntiVirus
VPLOGON Disk Symantec AntiVirus
The command completed successfully.

END
----------------------------------------------------------------------------------

---------------------------------------------------------------------
BEGIN

Net View command "net view \\mycompany.co.uk" with VPN connected to remote
client

C:\Windows\system32>net view \\mycompany.co.uk
Shared resources at \\mycompany.co.uk


Share name Type Used as Comment
--------------------------------------------------
dfs Disk [Offline Share]
The command completed successfully.

END
-------------------------------------------
BEGIN

"net view \\10.16.x.x" with VPN connected to remote client

C:\Windows\system32>net view \\10.16.x.x
System error 5 has occurred.

Access is denied.

END
----------------------------------------------------

I tried to browse to DFS using \\10.16.x.x (IP address of DC on my local
network) once connected to client VPN. Once connected to remote client VPN
it seems also the default credentials used are the ones used on the VPN
connection, ie the "helpdesk" account, thus when trying to authenticate to
the DC windows uses the "helpdesk" credentials instead of my own domain
login account for mycompany, my username is andre.kritzinger.

I then manually enter my login credentials when prompted that the "Helpdesk"
account does not have access to our local network. This allows me to
browse the standard system shared folders on a DC, ie, netlogon, sysvol etc.
There is also a "DFS" share but when trying to open that I still get the same
error - "\\10.16.x.x\dfs is not accessible. You might not have permission to
use this network resource. Contact your admin blah blah. The specified
account does not exist"

Is there any way to give the Local credentials for mycompany domain and user
account higher rights so the VPN connections credentials do not take
precedence?

Thanks yet again

 
Guest

Problem is due to the VPN tunnel setting the logon credentials, so when
connecting to a client it uses the VPN details for everything including what
is on your local domain, hence the authentication issues. Run the below
command to delete the credentials.

Run "cmdkey /delete /ras" after setting up the VPN Tunnel

This will need to be done after every VPN tunnel has been created
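
The fix above as a repeatable step, as an added example that is not part of the original thread: a batch file that dials the VPN, removes the session credential with the command quoted above, and checks that the DFS path opens while the tunnel is up. The phonebook entry name "Client VPN" is an assumption; the "helpdesk" account and the DFS path are the ones mentioned in the thread.

```batch
@echo off
setlocal
rem Added example, not from the thread.
rem VPN_ENTRY is an assumed phonebook entry name; VPN_USER and DFS_ROOT are the
rem account and path mentioned in the thread.
set "VPN_ENTRY=Client VPN"
set "VPN_USER=helpdesk"
set "DFS_ROOT=\\mycompany.co.uk\dfs"

rem Dial the VPN. "*" makes rasdial prompt for the password, so it is not
rem stored in this file.
rasdial "%VPN_ENTRY%" %VPN_USER% *
if errorlevel 1 goto dial_failed

rem Remove the credential registered for the RAS session, so that the VPN
rem account is no longer offered to servers on the local domain.
cmdkey /delete /ras

rem List what is still stored, so the result can be checked by eye.
cmdkey /list

rem Confirm the DFS root opens with the VPN still connected.
dir "%DFS_ROOT%" >nul 2>&1
if errorlevel 1 goto dfs_failed

echo VPN connected, RAS credential removed, %DFS_ROOT% is reachable.
exit /b 0

:dial_failed
echo rasdial could not connect "%VPN_ENTRY%".
exit /b 1

:dfs_failed
echo %DFS_ROOT% is still not accessible. Check existing sessions with: net use
exit /b 2
```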

aekritzinger said:
VPN Connection

DNS settings - Vpn connection has the main DC DNS details manually put in.
Also it has the DNS suffix of remote domain entered with he option "register
this connections addresses in DNS" ticked

WINS - VPN connection has the Main DC WINS details manually put in as well,
MAIN DC is DNS and WINS server on remote network. "Enable NetBIOS over
TCP/IP" is also ticked

---------------------------------------------------------
Net View when NOT connected to the VPN

I run the command "net view \\mycompany.co.uk\dfs" but on both occasions I
get "Error 5 occured, Access is Denied". On my company network I have normal
user priveliges and only admin rights over my own laptop. I tried with the
"net view \\10.16.x.x\dfs" with the same result.

Net View when CONNECTED to the VPN

These results are exactly the same for both ways
---------------------------------------------------------------------
BEGIN

Net View command "net view \\mycompany.co.uk" with VPN NOT connected

C:\Windows\system32>net view \\mycompany.co.uk
Shared resources at \\mycompany.co.uk

Share name Type Used as Comment

-----------------------------------------------
dfs Disk [Offline Share]
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
The command completed successfully.

END
----------
BEGIN

"net view \\10.16.x.x" with VPN NOT connected

C:\Windows\system32>net view \\10.16.x.x
Shared resources at \\10.16.x.x

Share name Type Used as Comment

---------------------------------------------------------------------
CertEnroll Disk Certificate Services share
dfs Disk
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share
VPHOME Disk Symantec AntiVirus
VPLOGON Disk Symantec AntiVirus
The command completed successfully.

END
----------------------------------------------------------------------------------

---------------------------------------------------------------------
BEGIN

Net View command "net view \\mycompany.co.uk" with VPN connected to remote
client

C:\Windows\system32>net view \\mycompany.co.uk
Shared resources at \\mycompany.co.uk


Share name Type Used as Comment
--------------------------------------------------
dfs Disk [Offline Share]
The command completed successfully.

END
-------------------------------------------
BEGIN

"net view \\10.16.x.x" with VPN connected to remote client

C:\Windows\system32>net view \\10.16.x.x
System error 5 has occurred.

Access is denied.

END
----------------------------------------------------

I tried to browse to DFS using \\10.16.x.x (IP address of DC on my local
network) once connected to client VPN. Once connected to remote client VPN
it seems also the default credentials used are the ones used on the VPN
connection, ie the "helpdesk" account, thus when trying to authenticate to
the DC windows uses the "helpdesk" credentials instead of my own domain
login account for mycompany, my username is andre.kritzinger.

I then manually enter my login credentials when prompted that the "Helpdesk"
account does not have access to our local network. This allows me to
browse the standard system shared folders on a DC, ie, netlogon, sysvol etc.
There is also a "DFS" share but when trying to open that I still get the same
error - "\\10.16.x.x\dfs is not accessible. You might not have permission to
use this network resource. Contact your admin blah blah. The specified
account does not exist"

Is there any way to give the Local credentials for mycompany domain and user
account higher rights so the VPN connections credentials do not take
precedence?

Thanks yet again

Robert L said:
To confirm if it is the DNS settings, can you do net view \\ipaddress\dfs? Also it is better to setup WINS in VPN connection. This link may help,

Name resolution on VPN: Name resolution is big issue in VPN access. If your VPN server doesn't setup correctly or the VPN client can't receive the VPN DNS and WINS settings, ...
http://www.chicagotech.net/nameresolutionpnvpn.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
ok, as you confirmed routing is fine and I agree.

looking at it a bit more I have some more detail to pass on.

1. Tracert results for trying to ping remote server on client lan

C:\>tracert apollo.cdcgroup.com

Tracing route to apollo.contoso.com [192.168.0.10]
over a maximum of 30 hops:

1 * * * Request timed out.
2 9 ms 8 ms 9 ms apollo.contoso.com [192.168.0.10]

this should be irrelevant as I can access all of these fine anyway

2. Ping to both IP addresses of servers on local lan (10.16) and client lan
(192.168) using IP address
3. ping to both IP addresses of server on local lan (10.16) and client lan
(192.168) using FQDN works fine
4. Like mentioned before Exchange works fine as it points directly to the
Exchange server and I can ping servers fine on my LAN so that is fine
5. Our main data share is on DFS, thus our drives are mapped using
"\\mycompany.co.uk\dfs\(sharename)", when trying to browse to UNC
"\\mycompany.co.uk" while not connected to the VPN it works fine and I can see
the DFS share. When I am connected to the VPN I can see the DFS share but
when trying to open it I get the following error
"\\mycompany.co.uk\dfs is not accessible, you might not have permission to
use this network resource. Contact administrator blah blah. The username
could not be found"

I really think the problem is to do with DNS, I assume DFS is heavily
reliant on DNS and also when I am connected to a VPN of (192.168) and run
"nslookup" I authenticate on the DNS of the DC of my client on (192.168) and
not my own DNS on (10.16). If nslookup goes to the DNS server on the domain
that the VPN connects to it must screw up my laptop connections etc. As soon
as the VPN is dropped all my shares come alive.

Thanks again for your help. I hope my descriptions are detailed enough



Robert L said:
Assuming 10.16.32.0 is LAN and 192.168.0.0 is remote network, the routing table looks OK. You may want to use tracert command to find out where the traffic goes.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
H:\>route print
---------------------------------------------------------------------------
Route Print below is when computer is NOT connected to the VPN but only to
the local LAN.

Begin (NOT connected to any VPN's, only to local LAN)

===========================================================================
Interface List
13 ...00 02 c7 e5 e5 c8 ...... Bluetooth Personal Area Network
9 ...00 13 02 2c a4 2c ...... Intel(R) PRO/Wireless 3945ABG Network
Connection
8 ...00 13 a9 2a ad 3a ...... Marvell Yukon 88E8036 PCI-E Fast Ethernet
Controller
1 ........................... Software Loopback Interface 1
12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
16 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
14 ...00 00 00 00 00 00 00 e0 isatap.connect.co.uk
15 ...00 00 00 00 00 00 00 e0 isatap.{3A79E4C6-8324-49D9-BD43-FC519C5770D8}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.16.32.1 10.16.33.61 20
10.16.32.0 255.255.252.0 On-link 10.16.33.61 276
10.16.33.61 255.255.255.255 On-link 10.16.33.61 276
10.16.35.255 255.255.255.255 On-link 10.16.33.61 276
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.16.33.61 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.16.33.61 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 18 ::/0 On-link
1 306 ::1/128 On-link
12 18 2001::/32 On-link
12 266 2001:0:4136:e38e:1cf6:c8e3:3c1f:323d/128
On-link
8 276 fe80::/64 On-link
12 266 fe80::/64 On-link
14 281 fe80::5efe:10.16.33.61/128
On-link
12 266 fe80::1cf6:c8e3:3c1f:323d/128
On-link
8 276 fe80::c4ba:cfc4:6404:b6d6/128
On-link
1 306 ff00::/8 On-link
12 266 ff00::/8 On-link
8 276 ff00::/8 On-link
===========================================================================
Persistent Routes:
None

END (NOT connected to any VPN's, only to the local LAN)

---------------------------------------------------------------------------
Below is route print of the computer when it has made a VPN connection to
a client. When this VPN is active I have no access to local network drives
of DFS and nslookup automatically goes to the client DNS server over the VPN
instead of using the local.

BEGIN (VPN Connected)

===========================================================================
Interface List
23 ........................... CDC Group
13 ...00 02 c7 e5 e5 c8 ...... Bluetooth Personal Area Network
9 ...00 13 02 2c a4 2c ...... Intel(R) PRO/Wireless 3945ABG Network
Connection
8 ...00 13 a9 2a ad 3a ...... Marvell Yukon 88E8036 PCI-E Fast Ethernet
Controller
1 ........................... Software Loopback Interface 1
12 ...02 00 54 55 4e 01 ...... Teredo Tunneling Pseudo-Interface
16 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
24 ...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
14 ...00 00 00 00 00 00 00 e0 isatap.connect.co.uk
15 ...00 00 00 00 00 00 00 e0 isatap.{3A79E4C6-8324-49D9-BD43-FC519C5770D8}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.16.32.1 10.16.33.61 20
10.16.32.0 255.255.252.0 On-link 10.16.33.61 276
10.16.33.61 255.255.255.255 On-link 10.16.33.61 276
10.16.35.255 255.255.255.255 On-link 10.16.33.61 276
87.86.8.202 255.255.255.255 10.16.32.1 10.16.33.61 21
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.0.0 255.255.255.0 192.168.0.200 192.168.0.202 21
192.168.0.202 255.255.255.255 On-link 192.168.0.202 276
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 10.16.33.61 276
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 10.16.33.61 276
255.255.255.255 255.255.255.255 On-link 192.168.0.202 276
===========================================================================
Persistent Routes:
None

IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
12 18 ::/0 On-link
1 306 ::1/128 On-link
12 18 2001::/32 On-link
12 266 2001:0:4136:e38e:1cf6:c8e3:3c1f:323d/128
On-link
8 276 fe80::/64 On-link
12 266 fe80::/64 On-link
14 281 fe80::5efe:10.16.33.61/128
On-link
24 281 fe80::5efe:192.168.0.202/128
On-link
12 266 fe80::1cf6:c8e3:3c1f:323d/128
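
The reading of the VPN-connected route print quoted above ("the routing table looks OK"), checked mechanically. This is an added example, not part of any post in the thread: it applies longest-prefix matching with metric tie-breaking to the IPv4 rows from the page. `LAN_DC` is a constructed stand-in address, since the thread masks the domain controller as 10.16.x.x, and the function names are this example's own.

```python
import ipaddress

# IPv4 rows copied from the "VPN Connected" route print in the thread
# (loopback, multicast and broadcast rows left out for brevity).
VPN_CONNECTED = """\
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.16.32.1 10.16.33.61 20
10.16.32.0 255.255.252.0 On-link 10.16.33.61 276
10.16.33.61 255.255.255.255 On-link 10.16.33.61 276
10.16.35.255 255.255.255.255 On-link 10.16.33.61 276
87.86.8.202 255.255.255.255 10.16.32.1 10.16.33.61 21
192.168.0.0 255.255.255.0 192.168.0.200 192.168.0.202 21
192.168.0.202 255.255.255.255 On-link 192.168.0.202 276
"""
LAN_IF, VPN_IF = "10.16.33.61", "192.168.0.202"
LAN_DC = "10.16.32.10"  # constructed stand-in; the thread masks the DC as 10.16.x.x

def parse_routes(text):
    """Turn 'route print' IPv4 rows into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # header, separator or wrapped line
        dest, mask, gateway, iface, metric = parts
        try:
            routes.append((ipaddress.ip_network(f"{dest}/{mask}"),
                           gateway, iface, int(metric)))
        except ValueError:
            continue  # not a route row
    return routes

def egress_interface(routes, target):
    """Longest prefix wins; the lower metric breaks ties."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))[2]

def default_route_interface(routes):
    """Interface carrying 0.0.0.0/0, i.e. where 'use default gateway' points."""
    defaults = [r for r in routes if r[0].prefixlen == 0]
    return min(defaults, key=lambda r: r[3])[2] if defaults else None

if __name__ == "__main__":
    routes = parse_routes(VPN_CONNECTED)
    for host in (LAN_DC, "192.168.0.10", "87.86.8.202"):
        print(f"{host:>14} leaves via {egress_interface(routes, host)}")
    print("default route via", default_route_interface(routes))
```

Traffic to the LAN subnet and the default route both stay on the LAN interface while only 192.168.0.0/24 uses the tunnel, so packets still reach the local DC and the access-denied errors have to come from a layer above routing.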
 
