Discussion:
Server 2008 RAS Only allowing clients to see local subnet
Richard
2008-11-26 17:37:01 UTC
Help!! Apologies if this is a bit wordy, new here!

Problem / Challenge!!

Clients connecting to a 2008 RAS server are only able to connect to
resources on the same subnet as the RAS server. Other resources, including
the internet, are unavailable. As a side issue, the VPN clients can only
connect when both network cards in the server have their gateway addresses
set to the pass through router - almost as if the VPN traffic is coming in on
NIC 1 then going back to the client via NIC 2. I suspect this is a config
issue in RAS, but rather stuck at the moment.

OK, here is the scenario.

Subnet at main site is 10.10.1.x
Subnet at second site is 10.10.32.x

Two routers,

Router A has an internal address of 10.10.1.15 and handles all our site to
site links - i.e. it terminates the VPNs including the one from 10.10.32.x

Router B has an internal address of 10.10.1.13 and is there to forward
inbound VPNs from mobile workers to our RAS server. It has the appropriate
ports open and forwarded to NIC B on the server below.

RAS server, clean build of Server 2008 Std, 2x NICs, RAS role installed.
Member server of our domain.
NIC A is set as follows: IP 10.10.1.39, subnet 255.255.0.0, gateway
10.10.1.12
NIC B: IP 10.10.1.41, 255.255.255.0, 10.10.1.12

Issue:-

Clients can connect to the RAS server, receive a valid IP for the main site
and access resources at this site, however if they try to access a resource
at 10.10.32.x then they cannot. I'm pretty sure this is because the first
NIC's gateway is pointing at 10.10.1.13 instead of 10.10.1.15.

I have added static routes to RAS but the problem persists. If I add a
static route to the server itself, it can see 10.10.32.x but the clients
still cannot.

This is our second RAS server; the previous Server 2003 based machine worked
with no problems until its HDD failed. The router settings have not been
changed since then - the new server has the same IP setting as the previous
one.
However, in the old server the gateway address on NIC A was set to
10.10.1.15. If I set NIC A in the new server with the "correct" gateway
address of 10.10.1.15, clients can no longer VPN in - they get no errors other
than "cannot connect".

However with NIC A set to a gateway of 10.10.1.15, the RAS server is able to
ping all our other subnets.

All other machines, at any site/subnet, are able to communicate with each
other without issues.

I have tried adding another NIC to the RAS box, but with this enabled, with
10.10.1.15 as its gateway, stops the VPN clients from being able to connect.
Kurt
2008-11-30 00:24:01 UTC
Multiple default gateways cause many issues. Instead of assigning a
different default gateway on each server NIC, use a static route. Only
the NIC that connects to the gateway of last resort - usually the
Internet - should have a default gateway. You can add the route at the
command line with:

route add 10.10.32.0 mask 255.255.255.0 10.10.1.15

If that doesn't work, you may need to add the same route on the VPN
clients (they should be able to find the router since it is on the same
subnet as the VPN server).

Kurt
Kurt
2008-11-30 00:35:40 UTC
And an addendum. A better way yet would be to add the static route on
the default gateway router. That should solve all of your issues
assuming your remote clients are configured to "use default gateway on
remote network" (which is the default).

Kurt
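
Added example, not part of any post in this thread: a small model of route selection (longest matching prefix first, lowest metric as tie-break) using the addresses from the question, showing the duplicate default gateways Kurt's replies warn about and what his suggested static route changes for 10.10.32.x traffic. The metrics, the interface chosen for the static route and the target host 10.10.32.5 are assumptions made for illustration; note that NIC A's 255.255.0.0 mask makes the server treat 10.10.32.x as on-link until the more specific /24 route is present.

```python
import ipaddress

# Constructed route table modelled on the addresses in the thread (not real
# `route print` output); the metrics are assumed values.
# Each entry: (destination network, next hop or "on-link", interface, metric)
BASE_ROUTES = [
    ("0.0.0.0/0",    "10.10.1.12", "NIC A", 10),
    ("0.0.0.0/0",    "10.10.1.12", "NIC B", 10),
    ("10.10.0.0/16", "on-link",    "NIC A", 10),  # NIC A mask 255.255.0.0
    ("10.10.1.0/24", "on-link",    "NIC B", 10),  # NIC B mask 255.255.255.0
]

# The route from the reply: route add 10.10.32.0 mask 255.255.255.0 10.10.1.15
# (interface and metric are assumptions for this model).
STATIC_ROUTE = ("10.10.32.0/24", "10.10.1.15", "NIC A", 1)


def default_gateways(routes):
    """Return the (gateway, interface) pairs that carry a default route."""
    return [(gw, nic) for dest, gw, nic, _ in routes if dest == "0.0.0.0/0"]


def next_hop(routes, address):
    """Select a route: longest matching prefix wins, then the lowest metric."""
    ip = ipaddress.ip_address(address)
    matches = [
        (ipaddress.ip_network(dest), gw, nic, metric)
        for dest, gw, nic, metric in routes
        if ip in ipaddress.ip_network(dest)
    ]
    if not matches:
        return None
    net, gw, nic, _ = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return str(net), gw, nic


if __name__ == "__main__":
    target = "10.10.32.5"  # constructed host at the second site
    gateways = default_gateways(BASE_ROUTES)
    if len(gateways) > 1:
        print("more than one default gateway configured:", gateways)
    print("before static route:", next_hop(BASE_ROUTES, target))
    print("after static route: ", next_hop(BASE_ROUTES + [STATIC_ROUTE], target))
```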