VPN and XP SP2 woes

Sue Morton

(I searched this ng but did not find any information to help me. If I
missed a relevant post in this ng or another, please direct me there, thank
you.)


I installed SP2 a week ago from stand-alone offline install file (270meg).
XP Professional SP1 base systems (two of them). No problems installing SP2,
installation was smooth and normal.

All has been working fine with both machines and I am quite happy with the
enhancements to applications such as IE and Outlook Express.

Today I needed to access my employer's private network via VPN connection.
This was previously working fine under SP1. Under SP2, VPN appears to
connect normally and successfully, I do not see anything unusual there, no
error messages, send and receive bytes are about right for initial logon. I
am assigned an IP on my employer's network, a network admin there can see
the IP as having been assigned to my machine.

But my machine cannot access any resources on the remote network, and does
not respond to any pings, etc. When I attempt to do a tracert or ping to
one of the resources on the remote network, the host name cannot be
resolved. If I try with IP address instead of host name, all attempts time
out with no success. The VPN icon in systray never 'lights up' again, and
the byte count (sending and receiving) never increases after the initial
logon.

I re-verified XP firewall is still turned off in network properties. Opening
Network Connections folder does not show 'firewalled' next to any
connections (LAN, VPN are the only two).

I do not see that anything has changed on my VPN settings. I tried this
with both machines and the results were identical.

In desperation I uninstalled SP2 from one of the machines. VPN is working
fine again on that machine.

Any ideas? TIA for any help.

Thanks,
 
Greg Lirette [MSFT]

Sue,

Is your VPN connection using only Microsoft software or is it third party?

Thanks,
Greg Lirette


This posting is provided "AS IS" with no warranties, and confers no rights.
 
Sue Morton

Thanks for reply, Greg. Stock MS VPN, and is almost entirely default values
on all the property sheets. Employer's network is NT.

If you need to know config I can provide that (except for private info).

Thanks in advance for any help. I am baffled.
--
Sue Morton

Greg Lirette said:
Sue,

Is your VPN connection using only Microsoft software or is it third party?

Thanks,
Greg Lirette


This posting is provided "AS IS" with no warranties, and confers no rights.
 
Greg Lirette [MSFT]

I was just asking to see if you may be impacted by the localhost issue.
That should not as far as I am aware impact you if you are not using a third
party VPN. It wouldn't hurt to test the fix just to be sure. You may want
to check with your IT people to see if they can reproduce what you are
seeing.

--
This posting is provided "AS IS" with no warranties, and confers no rights.


Sue Morton said:
Thanks for reply, Greg. Stock MS VPN, and is almost entirely default values
on all the property sheets. Employer's network is NT.

If you need to know config I can provide that (except for private info).

Thanks in advance for any help. I am baffled.
 
Sue Morton

We are not on XP at my employer, everything is still Win2k there.

It is my personal machines at home that are XP.

There has to be something simple to this problem, I just don't know what it
could be... still looking and searching kb, technet, google, whatever.

Any further help or anything I could check on would be great. I have one
machine still on SP2 and one rolled back, with identical VPN connections on
them. I am all set to do some comparisons, if I just knew what I was
comparing.
 
Greg Lirette [MSFT]

I think I recall seeing a post that was related to this in one of the other
newsgroups.

This may not be related at all but did you try to disable the firewall?


This posting is provided "AS IS" with no warranties, and confers no rights.
 
Greg Lirette [MSFT]

Can you test this registry change?

HKLM\CCS\services\IPSec\AssumeUDPEncapsulationContextOnSendRule DWORD to 2
 
Sue Morton

Hi Greg,

As per my original post, XP firewall is turned off globally. No connections
are firewalled.

I did find the problem, and it was simple just as I thought it probably
would be. :)

Per the SOP from my employer, to set up VPN connections into their network,
the advanced TCP/IP settings box 'use default gateway on remote network' is
to be UNchecked.

Now under XP SP2, checking this box has corrected the problem. VPN now sees
all my ping, tracert, etc. requests for my employer's network and appears to
be working fine.

Not sure why the instructions are to UNcheck this box when setting up VPN.
The UNchecked box does work just fine under Win2k and XP SP1. Something
broken has now been fixed?

Since I solved the problem, I did not try your registry key below. (I think
you meant HKLM\*system*\CCS... ). Should anyone else try it.

This was a stupid problem to be sure, but I would like to see this tested
and put in the kb and/or technet where a search can find it.

Thanks again for working with me on this.
 
Greg Lirette [MSFT]

Thanks Sue!

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Sue Morton

Well I spoke a little too soon.

There is still a BIG problem.

With that 'use default gateway on remote computer' box checked in VPN, ALL
traffic (IE, OE, etc.) tries to go over VPN now. This doesn't work as my
employer has these connections blocked. My employer confirmed this was the
reason the box is to be UNchecked as per our SOP for setting up VPN
connections. With the box UNchecked, the PC will use the internet
connection for IE and OE.

In OE I tried changing the account connection tab from 'use any available
connection' to 'LAN' in order to force the OE connections over my internet
connection and not the VPN one. This did not work, the request still does
not go over my internet connection.

I'll have to roll back SP2 until this is corrected.
 
Jonathan Duke

I have noticed the same problem since I applied SP2. I
completely disabled the firewall to make sure that wasn't
a problem, and the VPN would stop sending traffic after
10-15 seconds. Once I checked that box, all of my VPN
traffic worked, but then I was unable to access email,
web, etc. just as Sue experienced.

A coworker of mine also had the same issue, and I also
had the issue on my home computer, so it's obviously
something that changed in SP2 since all 3 of our
computers had just been upgraded to the new service pack.

The strange thing was that the VPN connection would work
long enough to access resources on the network. For
example, I could bring up a remote desktop connection for
long enough to log in and bring up the desktop of our
database server, but then it would hang. The connection
was not disconnected; it just stopped sending packets.

I later tried running "ipconfig /all" repeatedly from the
command prompt upon connecting to the VPN. After being
connected for about 10 seconds, I noticed that the
address of the gateway and the DNS servers would change.
Any ideas on this? I'm not at work now but I could get
more info Monday if it would help. It seems like one of
them (maybe the gateway) would go blank, and I remember
seeing duplicate entries in the DNS server list.

I'm surprised more people haven't reported this. This is
the first thread I've found with this same problem. I
would imagine there are a lot of people out there using
the default MS VPN adapter with Windows XP. But I
installed the pack just as Sue did with the 270 MB
download a couple of weeks ago, so maybe a lot of people
haven't gotten it through Windows Update yet.
 
Jonathan Duke

I added registry change Greg mentioned in an earlier
message, but I noticed that the change was for an IPSec
connection, and it didn't fix the problem. However, my
VPN connection is a PPTP connection, not L2TP/IPSec.
Which type of VPN connection do you have, Sue? I'm
wondering if this problem is specific to just the PPTP
connection type in SP2.

Greg, are there any other registry hacks I could try?

I'm not going to roll back the service pack installation
because I'd rather have all of the new features than just
remove this problem. I guess I'll just have to do
without my email while I'm on the VPN until this is
fixed, but I hope it will be soon.
 
Sue Morton

Hello Jonathan,

We are not on IPSec yet either, so you could very well be right, the
problem may be specific to PPTP connections.

I'm on VPN far too many hours a day to do without my private email. :) So
I really need it fixed.

Thanks for adding your information to this thread.

I wonder if there is a way to get this information in front of Microsoft,
besides burning one of our two no-charge support calls that comes with XP?
 
Dave Wisel

Sue Morton said:
Thank you, Jonathan, for posting this, I really appreciate knowing you've
seen the same problem. I too saw what looked like a good connection for
the first 10 seconds or so, then nada after that unless I route all traffic
over the VPN connection. This just flat doesn't work for me since my
employer has a lot of services blocked (SMTP is example) and with good
reason.

I was hoping I wasn't alone with just a couple of weird machines, and you've
confirmed that. But I'm also sorry that I'm not alone, that means there is
indeed something amiss here and not just some rare oddity with my
installations.

I have a feeling 80% (90%?) of XP users don't VPN, which is why we're not
seeing more posts on this.

Thanks again. I hope we have a solution soon.

I believe this was Microsoft's solution to a huge security hole in
Windows XP and VPN. If you are able to access the Internet while
PPTP'd into your corporate network, if your machine is unpatched you
are technically bypassing the corporate Firewall and allowing Internet
traffic in to the corporate network. My understanding is that many
companies (including Microsoft) were bitten by this hole during the
SQL Slammer outbreak.

Of course, there is a way to get around it, just like pretty much
anything but you do need some information about your corporate
network, including the class C Subnet that you are using! It's still
a somewhat manual process but I am working on a way to automate it.
Modify your PPTP connection properties so that "Use default gateway on
remote network" is UNchecked. VPN to the corporate network, then run
ipconfig and note the IP address assigned by your PPTP server.
This will be your gateway address for adding a new route. At a
command prompt type the following command (substituting your corporate
network information. The example assumes you are using the 10.10.10.0
network).


route add 10.10.10.0 mask 255.255.255.0 10.10.10.50

Again, in this example the company uses the 10.10.10.0 network and the
IP Address assigned to the client by the RAS server is 10.10.10.50.

I hope this helps those of you that are having the problem.

Thanks.

Dave Wisel
Systems Manager
RDA Corporation
 
Jonathan Duke

Thanks Dave. That did partially fix the problem for me.
I wish it were easier to automate, but I can live with
that solution until it's fixed. FYI, here's what's
happening with mine.

Before the 10-15 seconds have passed, this line is in the
routing table:
10.0.0.0, 255.0.0.0, 10.10.41.137, 10.10.41.137, 1
and everything works fine.

However, after that time has passed, that line disappears
and is replaced by this line:
10.10.41.0, 255.255.255.0, 10.10.41.137, 10.10.41.137, 1
and then nothing works.

So the problem for me was that all of their servers
(including DNS) behind their VPN were on the 10.10.40.x
subnet instead of 10.10.41.x where my IP was, so once
that entry changed I was unable to access anything. Any
idea what would cause that to change after 15 seconds of
being connected?

I have also sent an email to MS support about this.
 
Dave Wisel

Jonathan Duke said:
Thanks Dave. That did partially fix the problem for me.
I wish it were easier to automate, but I can live with
that solution until it's fixed. FYI, here's what's
happening with mine.

Before the 10-15 seconds have passed, this line is in the
routing table:
10.0.0.0, 255.0.0.0, 10.10.41.137, 10.10.41.137, 1
and everything works fine.

However, after that time has passed, that line disappears
and is replaced by this line:
10.10.41.0, 255.255.255.0, 10.10.41.137, 10.10.41.137, 1
and then nothing works.

So the problem for me was that all of their servers
(including DNS) behind their VPN were on the 10.10.40.x
subnet instead of 10.10.41.x where my IP was, so once
that entry changed I was unable to access anything. Any
idea what would cause that to change after 15 seconds of
being connected?

I have also sent an email to MS support about this.


Problem solved! (At least on our network). The main requirements are
that you are assigning addresses to your VPN clients via DHCP and that
the DHCP server is running Windows 2003. You will probably need a
separate scope for your VPN clients too. If you set the following
option for LAN clients, it could wreak havoc on your internal network.

In 2003 DHCP there is standard DHCP option called "Classless Static
Routes". The code for the option is 249. The option allows you to
set static routes and push them to the RAS clients. To use Jonathan
as an example you should setup a static route for 10.0.0.0 with a
netmask of 255.0.0.0. The gateway address should be set to the
default gateway for the subnet of the RAS servers internal subnet. In
your case it's probably 10.10.41.1. This will push the correct route
to the client and allow the VPN connection to behave as expected. For
a MUCH better explanation of how to set this up and the security
ramifications of doing it, please see this article:

http://www.microsoft.com/technet/community/columns/cableguy/cg1003.mspx

I hope this helps everyone.

Regards,

Dave Wisel
Systems Manager
RDA Corporation
 
Sue Morton

Hello Dave,

Thank you very much for this information. I had been 'googling' on the net,
looking for ways around this, and had found the 'route add' info. I was
about to try it when you came along. Your instruction works perfectly for
me.

Now if you come up with a way to automate this... seems like a windows
script should do the trick. I shall have to examine that. Feel free to
beat me to it. :)

Thank you again for your help.
 
Sue Morton

Dang I spoke too soon. Nothing is going over my VPN connection.

I guess I don't have the route added in correctly?
 
Sue Morton

Dave,

(Sorry, you can tell I'm not knowledgeable about this aspect of the system.)

I think I have it working now. Here's what I did:

I connected VPN, default gateway box Checked, and got a route print.

Disconnected, and connected VPN, default gateway box UNchecked. Got a route
print.

Besides the default gateway, and the IP assigned by my employer, the only
difference in the two route prints was this line:

Net Dest Mask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.1.29.182 10.1.29.182 1

I did a 'route add' as follows:

route add 0.0.0.0 mask 0.0.0.0 10.1.29.182

And this did the trick. I now seem to be able to connect to my employer's
shared resources AND send my personal email and internet over my direct
connection.

Thanks again Dave.
 
Sue Morton

Nope, not quite there yet... dang!!!!

The route print still looks the same, and my VPN IP hasn't changed. But now
everything is going over my employer's connection again.

Do I need to fool with the metrics, to get things routing over the right
gateways?

Arrrg.

P.S. Below example indicates I added the 'before' IP, not the 'after' IP, I
did use the correct ('after') IP. I wasn't very clear.
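Dave's manual `route add`, the route-table change Jonathan observed after 10-15 seconds, and Sue's question about metrics all come down to the same two rules Windows applies when picking a route: the longest matching prefix wins, and among equal-length prefixes the lowest metric wins. The model below is an added example for this thread, not code from any of the posters or from Microsoft. It replays Jonathan's two table states with his 10.10.41.137 VPN address, then the "default gateway on remote network" case and Dave's route-add fix, and reports where a corporate DNS server and a public host would be sent. The home-LAN addresses (192.168.1.x), the 10.10.40.5 server and the 203.0.113.10 public host are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    """One line of a Windows 'route print' table, same column order."""
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def route(dest, mask, gateway, interface, metric=1):
    """Build a Route from the dotted-quad form used by 'route add DEST mask MASK GW'."""
    return Route(ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, interface, metric)


def next_hop(table, dst):
    """Longest-prefix match, then lowest metric; returns the interface address used.

    Two routes of equal prefix length (two 0.0.0.0/0 defaults, say) are decided on
    metric alone, which is why a VPN default route with metric 1 captures all
    traffic even though the LAN default route is still present.
    """
    ip = ipaddress.IPv4Address(dst)
    matches = [r for r in table if ip in r.network]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r.network.prefixlen, -r.metric))
    return best.interface


# Constructed home-LAN addresses; 10.10.41.137 is the VPN address Jonathan posted.
LAN_IF = "192.168.1.10"
LAN_GW = "192.168.1.1"
VPN_IF = "10.10.41.137"

LAN_ONLY = [
    route("0.0.0.0", "0.0.0.0", LAN_GW, LAN_IF, 20),
    route("192.168.1.0", "255.255.255.0", LAN_IF, LAN_IF, 20),
]
# First ~10 s after connecting: the 10/8 route Jonathan saw.
VPN_FIRST = LAN_ONLY + [route("10.0.0.0", "255.0.0.0", VPN_IF, VPN_IF, 1)]
# After it is replaced by a /24 covering only the client's own subnet.
VPN_LATER = LAN_ONLY + [route("10.10.41.0", "255.255.255.0", VPN_IF, VPN_IF, 1)]
# 'Use default gateway on remote network' checked: a second default, metric 1.
VPN_DEFAULT_GW = VPN_LATER + [route("0.0.0.0", "0.0.0.0", VPN_IF, VPN_IF, 1)]
# Dave's workaround: add the corporate subnet by hand with the VPN address as gateway.
VPN_ROUTE_ADD = VPN_LATER + [route("10.10.40.0", "255.255.255.0", VPN_IF, VPN_IF, 1)]

CORP_DNS = "10.10.40.5"         # constructed server on the 10.10.40.x subnet
INTERNET_HOST = "203.0.113.10"  # constructed public host (documentation range)


def where_does_it_go(table):
    """Map each probe host to 'vpn', 'lan' or 'unreachable' under the given table."""
    label = {VPN_IF: "vpn", LAN_IF: "lan", None: "unreachable"}
    return {host: label[next_hop(table, host)] for host in (CORP_DNS, INTERNET_HOST)}


if __name__ == "__main__":
    for name, table in [("first 10 s", VPN_FIRST), ("after route change", VPN_LATER),
                        ("default gw via VPN", VPN_DEFAULT_GW), ("route add fix", VPN_ROUTE_ADD)]:
        print(f"{name:20} {where_does_it_go(table)}")
```

The "after route change" state is the one that looks connected but does nothing: the 10.10.40.x servers no longer match any VPN route, so they fall through to the LAN default route, where an ISP gateway simply drops private addresses. Sue's 0.0.0.0 route add recreates the "default gw via VPN" row, which is why her personal mail went back over the employer's connection; metrics only matter between routes of the same prefix length, so the durable fix is a more specific corporate route, whether added by hand or pushed by DHCP.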
 
