W2003 SP1 RRAS: wrong routing table entry after client VPN connection

Franz Schenk

Have a strange problem with a Windows 2003 SP1 RAS Server, configured as a
VPN Server accepting only inbound VPN IPSec connections. The RAS server is
configured as a router (LAN routing only) and a remote access server. VPN
client IP address assignment is over the internal DHCP server in the LAN and
is working fine. The DHCP Relay agent is installed and configured.

The interface connected to the internet is protected by the Windows
firewall, and all internet access (except IPsec) is disabled by the Windows
firewall. So we created some static routes so that VPN clients can access
intranet resources.

The problem is that sometimes when VPN clients successfully connect to the VPN
server, these static routes are getting wrong entries! After disconnecting,
the routing table is ok again.

Example:
Static entry 172.0.0.0 255.0.0.0 172.29.16.1 172.29.16.6 1
172.0.0.0 is the intranet, 172.29.16.1 is the LAN internal internet gateway,
172.29.16.6 is the IP address of the LAN interface of the VPN RRAS Server.
With this entry, everything works fine.

When a VPN client connects, "route print" shows the following entry (among
others):
172.0.0.0 255.0.0.0 172.29.16.52 172.29.16.58 1
Both addresses 172.29.16.52 and 172.29.26.58 are IP addresses of the DHCP
scope, assigned to the VPN server.

Does anybody have an idea what's going on here? Thank you all in advance for
any help!
Franz
 
Robert L [MS-MVP]

The reason is that the VPN server is a Virtual Multihomed Server that can modify the routing table. You have many options, for example use a static address pool or disable NetBIOS over VPN as the link below suggests.

Name resolution on VPN: The reason is that the VPN server is a Virtual Multihomed Server. The resolution is to disable NetBIOS Over TCP/IP on all interfaces including RRAS interfaces ...
www.chicagotech.net/nameresolutionpnvpn.htm


Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
Franz Schenk

Thank you for your feedback and the interesting link. But we still have the same problem.

We had already disabled NetBIOS over IP on the interface connected to the Internet (for security reasons). Also verified the WINS database, there were no entries of this interface. But the interface was indeed registered in DNS. Deleted this record and added the Registry keys described in the KB article to prevent DNS registration of the VPN interface.

Have then exactly followed the instruction of KB 292822, because the server is DC, DNS, WINS and also Global Catalog Server. Rebooted the server, but still have the same problem.

Also tried to use DHCP option 249 (classless static route), no help.

We don't have any problems with name resolution, the problem is a layer deeper in the IP routing table on the VPN server that gets changed. What is the reason that a RRAS Server changes its routing table entry from 172.0.0.0 255.0.0.0 172.29.16.1 172.29.16.6 to 172.0.0.0 255.0.0.0 172.29.16.52 172.29.16.58 when a client connects, and changes it back to the original value when the client disconnects?!


Thank you all in advance for any thoughts/help
Franz
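An added check, not posted by anyone in this thread, that parses the IPv4 table of `route print` and flags any static route whose gateway or interface no longer match the values the administrator configured. The two sample tables are constructed from the addresses given in the thread, not captured from the server:

```python
import re

# Constructed sample of "route print" output while no VPN client is connected.
ROUTE_PRINT_BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.29.16.1     172.29.16.6      20
        172.0.0.0        255.0.0.0      172.29.16.1     172.29.16.6       1
      172.29.16.0    255.255.255.0      172.29.16.6     172.29.16.6      20
Default Gateway:       172.29.16.1
"""

# Constructed sample after a client connects: the 172.0.0.0/8 entry has been
# rewritten to point at DHCP-scope addresses, as described in the thread.
ROUTE_PRINT_AFTER = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      172.29.16.1     172.29.16.6      20
        172.0.0.0        255.0.0.0     172.29.16.52    172.29.16.58       1
      172.29.16.0    255.255.255.0      172.29.16.6     172.29.16.6      20
     172.29.16.58  255.255.255.255        127.0.0.1       127.0.0.1      50
Default Gateway:       172.29.16.1
"""

# One route line: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

# The static routes the administrator expects: (destination, netmask) -> (gateway, interface).
EXPECTED_STATIC = {("172.0.0.0", "255.0.0.0"): ("172.29.16.1", "172.29.16.6")}


def parse_routes(text):
    """Return {(destination, netmask): (gateway, interface, metric)} for every route line."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes[(dest, mask)] = (gw, iface, int(metric))
    return routes


def check_static_routes(text, expected=EXPECTED_STATIC):
    """Return [(route, expected_gw_if, actual_gw_if_or_None)] for missing or rewritten routes."""
    routes = parse_routes(text)
    problems = []
    for key, want in expected.items():
        have = routes.get(key)
        actual = None if have is None else (have[0], have[1])
        if actual != want:
            problems.append((key, want, actual))
    return problems
```

Running `check_static_routes` on a fresh `route print` capture each time a client connects gives a concrete record of which entry was rewritten and to what.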
 
Robert L [MS-MVP]

I think this is the problem.

172.0.0.0 255.0.0.0 172.29.16.1 172.29.16.6 to 172.0.0.0 255.0.0.0 172.29.16.52 172.29.16.58

Posting the routing table back may help.

Bob Lin, MS-MVP, MCSE & CNE
Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net
How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
 
