VPN and "No logon servers available" error


Bill Cullen

I'm testing a new VPN with the MS L2TP client (and the NAT-T update)
connecting to a Cisco PIX. I can connect successfully and I can ping
internal hosts (servers and domain controllers) using hostnames (using
both hostname and fully qualified DNS name). I'm logged on to the PC
(Windows 2000 Professional with SP4 and a member of the domain) using
cached credentials. When I try to connect to a share I get the errors:

System error 1311 has occurred.

There are currently no logon servers available to service the logon
request.

I ran a packet sniffer on the PC and another on the other side of the
firewall. It seems that the PC is trying to do a DNS query on the
domain _ldap._tcp.dc_msdcs.ourdomain.internal. via the internet
connection (the computer is on an ADSL connection). The DNS query on
the file server (server.ourdomain.internal) however goes via the VPN
connection. The connection has the "use default gateway on remote
network" option ticked.

If I log on to the PC using a local account I can connect successfully
(I'm guessing because in that case the PC doesn't have to contact a
domain controller, only the server).

The server and domain controller are on the same subnet. The PC has a
(PIX provided) IP address from a different subnet.

When I tested the same infrastructure using PPTP I didn't have this
problem. However, we won't be using PPTP for security reasons (we are
using a third party Radius server and, if we use PPTP the traffic
won't be encrypted).

Can anyone suggest a solution (it seems like it might be a bit of a
bug in the Windows implementation of L2TP).

Thanks,

Bill
 

Ace Fekay [MVP]

Bill Cullen said:
I'm testing a new VPN with the MS L2TP client (and the NAT-T update)
connecting to a Cisco PIX. I can connect successfully and I can ping
internal hosts (servers and domain controllers) using hostnames (using
both hostname and fully qualified DNS name). I'm logged on to the PC
(Windows 2000 Professional with SP4 and a member of the domain) using
cached credentials. When I try to connect to a share I get the errors:

System error 1311 has occurred.

There are currently no logon servers available to service the logon
request.

I ran a packet sniffer on the PC and another on the other side of the
firewall. It seems that the PC is trying to do a DNS query on the
domain _ldap._tcp.dc_msdcs.ourdomain.internal. via the internet
connection (the computer is on an ADSL connection). The DNS query on
the file server (server.ourdomain.internal) however goes via the VPN
connection. The connection has the "use default gateway on remote
network" option ticked.

If I log on to the PC using a local account I can connect successfully
(I'm guessing because in that case the PC doesn't have to contact a
domain controller, only the server).

The server and domain controller are on the same subnet. The PC has a
(PIX provided) IP address from a different subnet.

When I tested the same infrastructure using PPTP I didn't have this
problem. However, we won't be using PPTP for security reasons (we are
using a third party Radius server and, if we use PPTP the traffic
won't be encrypted).

Can anyone suggest a solution (it seems like it might be a bit of a
bug in the Windows implementation of L2TP).

Thanks,

Bill

I've seen this error when it comes to AD, since it needs DNS to "find" and
resolve domain resources. You can set these into a hosts file to overcome
this issue, unless you can force the client to use the VPN's DNS address in
its IP properties, which is essential for AD.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 

Bill Cullen

Ace Fekay [MVP] said the following on 9/08/2004 10:44 AM:
I've seen this error when it comes to AD, since it needs DNS to "find" and
resolve domain resources. You can set these into a hosts file to overcome
this issue, unless you can force the client to use the VPN's DNS address in
its IP properties, which is essential for AD.

The pix (the vpn server) is supplying the ip address of the DNS
servers. I have also tried specifying the address of the DNS servers
manually. I have removed the address of the internet DNS server from
the network card's config but that didn't make any difference either.

I've done some more testing. If I put an entry for the domain in an
lmhosts file I can do a net use. If I specify a WINS server I can do
a net use. However, neither option is open to me as lmhosts files
are too difficult to maintain and management have said that the WINS
server is going.

I can do:
net use * \\server\share /user:domain\username *
which works.

I also did a packet sniff on the internal side of the vpn server. I
can see the DNS query go to the DNS server and the correct reply
come back - including the request for the AD servers. I also see
some sort of LDAP request go to the DC, I don't see a reply come
from the DC.

I can run nslookup, set type=srv, and do a lookup on
_kerberos._tcp.dc._msdcs.ourdomain.com. and get back the correct
response. So I now believe that DNS is working, although I can't
understand why a net use works when I'm not using DNS for name
resolution.

Some one pointed me at the following:
<http://www.chicagotech.net/systemer...ervers available to service the logon request>
System error 1311 - There are currently no logon servers
available to service the logon request

Symptoms: The primary purpose of logging on with cached credentials
is to enable you to access the local workstation. However, if you
have logged on by cached credentials, you may be unable to access
network resources because you have not been authenticated. For
example 1) after you log on to a w2k/xp laptop by using cached
credentials, you may be unable to access the network resources. This
issue is commonly experienced by laptop users whose computer resides
in a Windows Server domain and who log on to the computer by using
cached credentials prior to being able to establish a remote access
connection. 2) You log on to a w2k/xp laptop with a domain logon
option in a workgroup network. After you establish the connection
and you try to map the network drives, the operation may be
unsuccessful, and you may receive the following error message:
"System Error: (1311) There are currently no logon servers available
to service the logon request."
Resolutions: To authenticate the cached credentials, 1) if it is
w2k/xp, use net command, for example, net use \\servername\sharename
/user:username. 2) if xp, open Windows Explorer>Tools>Map Network
Drive. Click Connect using a different user name, enter the username
and password.

End quote.

This is what's happening. However, there must be more to it as, if I
go and plug the laptop into the internal network after logging on, I
can immediately connect.

I have also tried the "Log on using dial-up connection" option on
the Windows 2000 login screen. Doesn't make any difference.
 

Bill Cullen

The problem has been solved. It turned out to be an issue with an
intervening firewall blocking the LDAP reply from the DC.
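The two findings above (the SRV lookup for `_ldap._tcp.dc._msdcs.<domain>` succeeding, while the LDAP reply from the DC never came back through the firewall) can be checked from a client in one pass. The following script is an added example, not code from the thread or from Microsoft: it sends the same SRV query a Windows client sends when locating a domain controller, parses the answer with the standard library only, and then attempts a TCP handshake to port 389 on each returned DC. A DC that appears in DNS but times out on 389 is exactly the "query goes out, no LDAP reply" symptom described in the thread. The domain name, DC hostnames and the hand-built response packet are constructed sample values.

```python
"""DC-locator diagnostic: resolve the _ldap._tcp.dc._msdcs SRV record a Windows
client asks for, then confirm each returned DC answers on TCP 389 (LDAP).
Added example; stdlib only, no dnspython required."""
import random
import socket
import struct

SRV_TYPE = 33          # DNS QTYPE for SRV records
CLASS_IN = 1

# Constructed sample values (not from any real network).
SAMPLE_DOMAIN = "ourdomain.internal"
SAMPLE_QNAME = f"_ldap._tcp.dc._msdcs.{SAMPLE_DOMAIN}"


def _encode_name(name: str) -> bytes:
    """Wire-encode a DNS name as length-prefixed labels plus a root byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_srv_query(name: str, txid: int) -> bytes:
    """Build a recursion-desired DNS query packet for an SRV record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", SRV_TYPE, CLASS_IN)


def _read_name(pkt: bytes, off: int):
    """Decode a possibly-compressed DNS name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(pkt[off:off + ln].decode())
        off += ln


def parse_srv_response(pkt: bytes, txid: int):
    """Return [(priority, weight, port, target)] from the answer section,
    sorted so the lowest priority (preferred DC) comes first."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError(f"DNS RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                              # skip question section
        _, off = _read_name(pkt, off)
        off += 4
    results = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == SRV_TYPE:
            prio, weight, port = struct.unpack("!HHH", pkt[off:off + 6])
            target, _ = _read_name(pkt, off + 6)
            results.append((prio, weight, port, target))
        off += rdlen
    return sorted(results)


def constructed_srv_response(txid: int) -> bytes:
    """Hand-built answer packet standing in for a real DNS server's reply
    (constructed sample: two DCs, both on port 389, dc1 preferred)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0)
    question = _encode_name(SAMPLE_QNAME) + struct.pack("!HH", SRV_TYPE, CLASS_IN)
    answers = b""
    for prio, weight, port, host in ((0, 100, 389, "dc1"), (10, 100, 389, "dc2")):
        rdata = struct.pack("!HHH", prio, weight, port) + _encode_name(f"{host}.{SAMPLE_DOMAIN}")
        # 0xC00C = pointer back to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", SRV_TYPE, CLASS_IN, 600, len(rdata)) + rdata
    return header + question + answers


def query_srv(name: str, dns_server: str, timeout: float = 3.0):
    """Send the SRV query over UDP to dns_server and parse the reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srv_query(name, txid), (dns_server, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data, txid)


def ldap_reachable(host: str, port: int = 389, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to the DC's LDAP port completes; a firewall
    dropping the reply (as in the thread) shows up here as a timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_domain(domain: str, dns_server: str):
    """SRV lookup, then an LDAP port test per DC, in priority order."""
    name = f"_ldap._tcp.dc._msdcs.{domain}"
    return [(t, p, ldap_reachable(t, p)) for _, _, p, t in query_srv(name, dns_server)]


if __name__ == "__main__":
    import sys
    for target, port, ok in check_domain(sys.argv[1], sys.argv[2]):
        print(f"{target}:{port} " + ("LDAP reachable" if ok else "NO LDAP reply (check firewall path)"))
```

Run it as `python dclocator.py ourdomain.internal <dns-server-ip>` over the VPN; a DC listed by DNS but reported unreachable on 389 points at a filtering device between the client and the DC rather than at DNS, which is the distinction Bill eventually drew.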
 

Ace Fekay [MVP]

Bill Cullen said:
The problem has been solved. It turned out to be an issue with an
intervening firewall blocking the LDAP reply from the DC.

I was going to address that. The LDAP query not coming back was what
triggered my thought.

As for the net use, if it's in cache, and that's what happens when you try to
resolve a single name and WINS is configured. If it finds it in cache,
LMHOSTS or WINS first (Hybrid Mode).

Glad you got it fixed!

Ace
 

r_balest

Bill said:
The problem has been solved. It turned out to be an issue with an
intervening firewall blocking the LDAP reply from the DC.

Hi there, I'm a newbie here but I'm having trouble just like yours. Can
you tell me where to turn this off? And if this isn't the problem, then
what's the problem? I keep getting this error message... thanks in
advance
 
