Cannot connect to Remote Desktop from a remote client using VPN (but VPN tunnel is okay)

Discussion in 'Windows Small Business Server' started by Alan, Mar 28, 2006.

  1. Alan

    Alan Guest

    Hi All,

    I am having trouble with a specific remote user not being able to
    establish an RDP connection through a VPN.

    Our remote users connect to our server using the VPN, and then run a
    Remote Desktop session (or TS session as appropriate) and this works
    fine. However, I have one user who has just gone on maternity leave
    who needs to be able to do this, and we are having problems.

    The VPN connection works fine, and I can see her client connected via
    VPN in the ISA Server Management console (Monitoring tab). However,
    when she tries to initiate the RDP connection it fails every time.

    She is running WinXP SP2 (Home edition), and we are running SBS 2003
    Premium / ISA Server 2004. I have other people also connecting using
    the same setup and it is all fine for them. Could it be something
    about her broadband router? If the VPN (tunnel?) is established,
    shouldn't everything else work fine automatically through that tunnel?

    I have pasted the output from her PC from an "ipconfig /all" command
    below (bottom).

    Thanks for any ideas you may have!

    Alan.
    --

    The views expressed are my own, and not those of my employer or anyone
    else associated with me.

    My current valid email address is:



    This is valid as is. It is not munged, or altered at all.

    It will be valid for AT LEAST one month from the date of this post.

    If you are trying to contact me after that time,
    it MAY still be valid, but may also have been
    deactivated due to spam. If so, and you want
    to contact me by email, try searching for a
    more recent post by me to find my current
    email address.

    The following is a (probably!) totally unique
    and meaningless string of characters that you
    can use to find posts by me in a search engine:

    ewygchvboocno43vb674b6nq46tvb




    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+



    Windows IP Configuration

    Host Name . . . . . . . . . . . . : FamilyPC
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
    Physical Address. . . . . . . . . : [Mac Address Removed for Posting to Usenet]
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 10.1.1.3
    Subnet Mask . . . . . . . . . . . : 255.0.0.0
    Default Gateway . . . . . . . . . : 10.1.1.1
    DHCP Server . . . . . . . . . . . : 10.1.1.1
    DNS Servers . . . . . . . . . . . : [DNS IP Removed for Posting to Usenet]
    Lease Obtained. . . . . . . . . . : Tuesday, 28 March 2006 9:46:27 a.m.
    Lease Expires . . . . . . . . . . : Tuesday, 28 March 2006 9:51:27 a.m.


    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     
    Alan, Mar 28, 2006
    #1

  2. Joe

    Joe Guest

    Your ipconfig shows 'DNS removed'. Which means you're not using the
    SBS for DNS. Which means all kinds of things won't work. Set the VPN
    connection to get its DNS from the server, rather than a manual
    setting. This will override while the link is up, but allow the
    computer's NIC DNS settings to work otherwise.

    The remote end router should not need configuration for a VPN to be
    initiated through it, and even a domestic one really ought to be capable
    of handling the GRE protocol.
     
    Joe, Mar 28, 2006
    #2

  3. Alan

    Alan Guest

    Hi Robert,

    I checked and the VPN connection is made (according to both the client
    and the ISA Server 2004), but she cannot ping the Terminal Server
    (either as 10.0.0.5 or as FandPServer).

    Is there another direction of inquiry I can make?

    Thanks,

    Alan.

     
    Alan, Mar 29, 2006
    #3
  4. Leonid S. Knyshov

    Alan,

    Is the user's local network by chance also numbered starting with 10? If so,
    the VPN connection never gets used because it has a very broad netmask of
    255.0.0.0 that tells the local machine to not route the traffic over VPN
    because that traffic is local as far as this netmask is telling it. The 255
    portion of the netmask tells the TCP stack that 10.0.0.0/8 is the network
    address and 1.1.1 is actually the host address. Yes, host addresses can be
    over 8 bits long that you are used to in the 192.168.x.0/24 networks.

    In other words...

    10.1.1.1 is my local gateway
    10.1.1.3 is my local IP
    24.x.x.x is my VPN server

    So far, the 10.1.1.3 client sees the VPN server on the separate network, so
    it connects to it and authenticates to it.

    Here is what happens next!

    10.0.0.5/8 is what you think an entirely different network (after all
    10.0.0.0/24 is different from 10.0.1.0/24, right?) - while in fact it is on
    the same network because 10 is the network number, not 10.0.1 or 10.0.2. You
    have a host address of 1.1.3 trying to contact host at 0.0.5 on the same
    network, which means that the traffic never has to go through VPN. This
    would be like 192.168.1.3/24 trying to reach 192.168.1.5/24 - you would not
    expect that to go over a VPN, right?

    By the way, that 255.0.0.0 netmask means that 2^24-1 hosts can be on that
    network, which equals 16,777,215 machines that don't have to talk to each
    other over a VPN. That -1 is due to a broadcast address. Those who argued
    that the number should be -2 don't know about the "ip subnet-zero" Cisco
    command that has been on by defaults since the IOS12 release train.

    The entire base of Comcast cable subscribers who have IP addresses that
    begin with 24 are on the same 24/8 network because there are fewer
    than 16.8 million of us. My current Comcast netmask is 255.255.248.0 which
    means that my network address is 21 bits long and that there are 2046 (2^11)
    IP addresses (based on an 11-bit host address) on my local network. A 24 bit
    network address would indicate that only 8 bits are available for a host
    address (the total IPV4 address is 32 bits), which makes a maximum of 256
    hosts on my local network.

    So when I ping 10.0.0.5/8 from 10.1.1.3/8 instead of rerouting that traffic
    as foreign over VPN, my system thinks it's local so it looks for the machine
    on my local home network instead.

    THE FIX

    Your solution, should you want to stay with the 10/8 network range is to
    apply a netmask of 255.255.255.0 or stricter such as 255.255.255.240 for
    example (don't try this as it's quite restrictive).

    BETTER SOLUTION

    Get back to the 192.168.x.0/24 network range. You will need to run the
    Change IP wizard on SBS and then the CEICW wizard to reconfigure your DHCP
    scope. I number my clients' networks by the 3rd octet in sequential order
    starting at 17. This is so I can login to multiple networks through VPNs.
    When you want to maintain VPNs to multiple clients at the same time, this
    gets to be really handy.

    Why can't you people keep things simple with 192.168.x.0/24 segmented
    networks that automatically assign correct 24-bit IP netmasks...?

    IMPORTANT NOTE

    Never ever make your office network 192.168.0.0/24 or 192.168.1.0/24 as
    those are default ranges for home networks and will bring you a lot of pain
    as users attempt to connect through VPN, establish a link successfully, and
    then can't do anything as the connection is considered local by the local
    network adapter due to its broad 255-host 255.255.255.0 netmask.

    Why do I keep adding numbers of /24 or /8 or /16 after every IP address?
    It's not to confuse it, but it's because if I use different net masks, the
    results are different. 10.0.0.5/24 is on a different network than
    10.1.1.3/24. In this case a /16 would also put them on different networks.
    However, 10.0.0.5/8 is on the same network as 10.1.1.3/8.

    Hmm second post with the same problem that I am answering tonight... I
    remember that subnets never clicked for me until I started experimenting
    with odd numbers of bits. The computers don't see IP addresses as 4 octets.
    They see them as a long 32-bit number and then derive which portion is the
    network and which is the host address.

    Moral of the story?

    Stay away from the 10/8 network IP range unless you know what those cryptic
    255 numbers in the subnet mask mean!!! :)

    EXTRA READING ;-)
    http://jodies.de/ipcalc?host=24.6.105.120&mask1=&mask2=255.255.248.0

    Comcast example

    http://jodies.de/ipcalc?host=10.1.1.3&mask1=8&mask2=
    http://jodies.de/ipcalc?host=10.0.0.5&mask1=8&mask2=

    What you have right now

    http://jodies.de/ipcalc?host=10.1.1.3&mask1=24&mask2=
    http://jodies.de/ipcalc?host=10.0.0.5&mask1=24&mask2=

    What could be different.

    Now go and apply the fix.
     
    Leonid S. Knyshov, Mar 30, 2006
    #4
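The route decision Leonid describes above (and the /16 or /24 alternatives Alan asks about later in the thread) can be checked mechanically. The following is an added example, not code from the thread or from any of its posters: it models the client's IP forwarding decision (longest matching prefix wins, then lowest metric) against a constructed route table that approximates a Windows XP client with a PPTP VPN up and "Use default gateway on remote network" enabled. The VPN server address 24.0.0.1, the route metrics, and the shape of the table are assumptions; the home router 10.1.1.1 and the client address 10.1.1.3 come from the ipconfig output in the first post.

```python
"""Added example: why 10.1.1.3/255.0.0.0 never sends 10.0.0.5 into the VPN.

Models the IP route lookup a client performs (longest prefix, then lowest
metric) against a constructed table approximating a Windows XP client
with a PPTP tunnel up. Assumptions: VPN server 24.0.0.1, metrics 20 (LAN)
and 1 (PPP), and a full-tunnel default route added by the VPN.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    via: str      # adapter / next hop the packet leaves on
    metric: int


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Select the route for dst: longest matching prefix, ties broken by lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def client_routes(local_ip: str, local_mask: str,
                  vpn_server: str = "24.0.0.1") -> List[Route]:
    """Constructed route table for the remote client (assumed layout, see docstring).

    The on-link route is derived from the adapter's IP and subnet mask; the
    mask is the knob the thread argues about. ipaddress accepts dotted masks.
    """
    lan = ipaddress.IPv4Interface(f"{local_ip}/{local_mask}").network
    return [
        # default route via the home router, from the ipconfig output
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "LAN via 10.1.1.1", 20),
        # everything the adapter believes is on its own segment (IP + mask)
        Route(lan, "LAN on-link", 20),
        # host route that keeps the tunnel endpoint itself on the LAN (assumed)
        Route(ipaddress.IPv4Network(f"{vpn_server}/32"), "LAN via 10.1.1.1", 20),
        # default route the VPN adds when "use default gateway on remote network" is on
        Route(ipaddress.IPv4Network("0.0.0.0/0"), "VPN (PPP)", 1),
    ]


def goes_over_vpn(local_ip: str, local_mask: str, dst: str) -> bool:
    """True if traffic to dst would leave through the tunnel instead of the home LAN."""
    route = lookup(client_routes(local_ip, local_mask), dst)
    return route is not None and route.via == "VPN (PPP)"


def explain(local_ip: str, local_mask: str, dst: str) -> str:
    """One-line summary of which route wins, for eyeballing the table below."""
    route = lookup(client_routes(local_ip, local_mask), dst)
    return f"{local_ip}/{local_mask} -> {dst}: {route.prefix} via {route.via}"


if __name__ == "__main__":
    # The thread's case, then the two narrower masks discussed as fixes.
    for mask in ("255.0.0.0", "255.255.0.0", "255.255.255.0"):
        print(explain("10.1.1.3", mask, "10.0.0.5"))
    # The tunnel endpoint must keep leaving via the LAN whatever the mask.
    print(explain("10.1.1.3", "255.255.255.0", "24.0.0.1"))
```

With the /8 mask the on-link route 10.0.0.0/8 has a longer prefix than either default route, so it wins and the RDP packets are ARPed for on the home LAN; with /16 or /24 the office address falls through to the default routes, where the PPP route's lower metric wins. On the real client, `route print` shows the actual table; the 10.0.0.0/8 entry on the LAN interface is the one swallowing the traffic.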
  5. Alan

    Alan Guest


    WOW!!!

    I have just read your post three times and I am truly impressed.

    I will give it a go, and post back with a success (or otherwise)
    report.

    Thanks,

    Alan.



     
    Alan, Mar 30, 2006
    #5
  6. Alan

    Alan Guest

    Hi Leonid,

    You were bang on - the issue is that the client has an IP address
    locally of 10.1.1.3 and a subnet mask of 255.0.0.0.

    Therefore, when the VPN connection is made, and it goes looking for
    10.0.0.5 it is looking on its local area network, rather than using
    the VPN connection.

    My next question is therefore, how do I change the subnet mask on that
    client to, say, 255.255.0.0 (or 255.255.255.0)?


    As a note, I need to keep our business LANs as they are since I have
    two isolated LANs (totally isolated subnets) behind a single router
    that routes traffic according to the subnet (LAN1 is a 10.0.0.0/24
    network and LAN2 is a 192.168.0.0/16 network).

    Thanks again!

    Alan.
     
    Alan, Apr 6, 2006
    #6