Lan to Lan - SBS 2003 / Draytek 2800

Discussion in 'Windows Small Business Server' started by NetworkFusion, May 11, 2008.

  1. Hi, I am experiencing trouble with my VPNs I have recently set up and was
    wondering if someone has any experience and could point me in the right
    direction.

    Setup:

    PPTP connection between the router and SBS 2003 Premium (with ISA 2004)
    Code:

    Site         Site A            Site B            Site C
    Site Type    Main              Branch A          Branch B
    Device       SBS 2003 Prem     Vigor 2800        Vigor 2800
    Lan Address  192.168.16.2      10.43.1.1         192.168.1.1
    Subnet Mask  255.255.255.0     255.255.255.0     255.255.255.0
    Public IP    sbs.******.co.uk  ey.******.co.uk   cr.******.co.uk


    I basically followed the Draytek guide for making this work (although it was
    outdated and didn’t include ISA). I created a user, set up the RRAS network
    connection, and fiddled with settings in ISA. If you need more info on this I
    can provide it.

    At the moment both of these sites are connecting, but I am experiencing
    strange behaviour and was wondering if I have setup the connections
    correctly.

    Problems:

    Branch A: sometimes a connection will be added to the “Remote Access
    Clients” instead of “Network Interfaces”. When the branch router instigates
    the connection, the users of the VPN are not able to get internal websites,
    but they can still reach external websites and internal network locations.
    Also I get regular errors in the event log stating: “Event ID: 14147. ISA
    Server detected routes through the network adapter Network Connection that do
    not correlate with the network to which this network adapter belongs. When
    networks are configured correctly, the IP address ranges included in each
    array-level network must include all IP addresses that are routable through
    its network adapters according to their routing tables. Otherwise valid
    packets may be dropped as spoofed. The following ranges are included in the
    network's IP address ranges but are not routable through any of the network's
    adapters: 10.255.255.255-10.255.255.255;. Note that this event may be
    generated once after you add a route, create a remote site network, or
    configure Network Load Balancing and may be safely ignored if it does not
    re-occur.”
    Branch B: reports regular errors in the event log stating: “Event ID: 20050.
    The user Domain\CrVPN connected to port VPN5-6 has been disconnected because
    no network protocols were successfully negotiated.”

    I have also posted this on the draytek UK forum:
    http://www.forum.draytek.co.uk/viewtopic.php?t=11113 however you need to
    register to view the posts.

    Thanks,

    Robin
     
    NetworkFusion, May 11, 2008
    #1

  2. Hello Robin,

    Thank you for your post.
    My name is Gary Wang, and it is my pleasure to work with you on this issue!
    Please allow me to confirm that my understandings are correct. As I
    understand it, the issue is:

    You have set up a site-to-site PPTP VPN to connect 3 sites using ISA 2004 on
    SBS 2003 Premium. However, the VPN does not work normally. In Branch A, the
    VPN user is added to "Remote Access Clients" instead of "Network Interfaces",
    they are not able to get internal websites, and Event ID 14147 appears on SBS.
    In Branch B, there are lots of event 20050 reported.

    If I have misunderstood your concerns please feel free to let me know.

    At the beginning, we need to set the customer expectation: this is a hardware
    router related issue. We can only provide help with the VPN settings on SBS.
    For the router-side configuration, the customer needs to contact the vendor
    for help.

    Then, please ask the customer to use these documents to verify the steps for
    establishing the site-to-site VPN:

    Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and
    Third-Party Gateways
    http://www.microsoft.com/technet/isa/2004/plan/sitetositeipsec.mspx

    Site-to-Site VPN in ISA Server 2004
    http://www.microsoft.com/technet/isa/2004/plan/sitetositevpn.mspx

    Suggestion 1:
    ==============

    The event 14147 can happen if the internal Network Card of the ISA server
    is configured with a default gateway. The first step to resolve this issue
    is to remove the default gateway from the internal interface of the ISA
    server. A default gateway should only exist on the external interface of
    the ISA server.

    This problem can also be a result of routing and firewall policy rule
    configuration. If the routing table on the ISA Server computer is different
    from the ISA Server configuration you may experience problems with
    connecting to resources through ISA. If there are multiple subnets that are
    part of the internal network then the addresses for all subnets need to be
    included in the internal network element. You should not create a separate
    network object for subnets not in the same range as the subnet used by the
    ISA server. Many times customers will create additional network objects and
    attempt to establish a route or NAT network rule to allow traffic between
    the range used by the new network rule and the internal network.

    To resolve this problem, you should verify that the route table contains a
    persistent route to the segment not in the same range as the subnet used by
    the ISA server with the address of the router used to connect to that
    segment. Once this is added you should be able to create the internal
    network object addresses by adding the network adapter instead of by
    manually typing the IP address range that you want to add. To do this,
    follow these steps:

    1. Start the ISA Server Management program. To do this, click "Start",
    point to "All Programs", point to "Microsoft ISA Server", and then click
    "ISA Server Management".

    2. Expand "<name of your ISA Server computer>", and then click "Firewall
    Policy".

    3. In the right pane, click the "Toolbox" tab, and then click "Network
    Objects".

    4. Expand "Networks", and then click the network object that you want to
    modify. For example, click "Internal".

    5. Click "Edit", and then click the "Addresses" tab.

    6. Under "Address ranges", click the address range that you experience this
    issue with, and then click "Remove". For example, click the "192.168.16.1
    to 192.168.16.255" address range.

    7. Click "Add Adapter", click to select the check box of the network
    adapter that you want to add to this particular network, and then click
    "OK".

    If the IP address ranges that you expect do not appear in the "Address
    ranges" list after you add the network adapter, you must verify the ISA
    Server computer's routing table.

    More information about this issue is available in KB884496 :

    Client computers cannot access external resources, and event ID 14147
    appears in the Application log in ISA Server 2006 or in ISA Server 2004
    http://support.microsoft.com/?id=884496


    Troubleshooting Network Configuration in ISA Server 2004
    http://www.microsoft.com/technet/isa/2004/plan/ts_networks.mspx


    Suggestion 2:
    ==============

    For the issue that the VPN client cannot access internal websites, I would
    like to suggest that you check the following:

    1. Go to IE\Tools\Internet Options\Connections\Lan Settings, disable proxy
    settings as a test.

    2. In the properties of the VPN connection -> Networking tab -> TCP/IP
    ->advanced -> DNS -> select option 'Append these DNS suffixes in order' and
    add your domain name.


    Suggestion 3:
    ==============

    For the event 20050, based on my search, it is most likely due to a DHCP
    configuration problem. Please check the following:

    1. Make sure there is a DHCP server running on the network. If yes, make
    sure the server (SBS) internal IP is excluded from the scope of the IP range
    and make sure the DHCP configuration, such as the subnet mask, is configured
    correctly.

    2. Change RRAS with static pool settings:

    a. Right-click the server's name in RRAS and choose Properties.
    b. Navigate to the IP tab.
    c. Change the RRAS settings to get IP from DHCP and restart the RRAS
    service.

    3. Reinstall the TCP/IP stack by running the command: netsh int ip reset.

    4. Reset Winsock with the command: netsh winsock reset
    5. Reboot the server.
    After the reboot it is normal for the server to boot up a bit slowly. Once the
    server is up, test to see if the VPN connects from within the network and then
    externally.

    If we cannot resolve the issue after we perform the above steps, please
    help me collect some information for further investigation:

    Information Needed
    ==============
    1. Run the command: Ipconfig /all on both the SBS server and the VPN clients
    and post back here.
    2. Run the command: Route PRINT on both the SBS server and the VPN clients
    and post back here.
    3. Provide the steps for how you set up the VPN.
    4. Capture a screenshot of the exact symptom while a VPN client is trying to
    open an internal website.
    5. Can the 3 sites ping each other without problems?

    I look forward to your reply. Also, if you have any questions or concerns,
    please do not hesitate to let me know. I am happy to help. :)

    Thank you for your time and cooperation!

    Best regards,

    Gary Wang(MSFT)

    Microsoft CSS Online Newsgroup Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    This newsgroup only focuses on SBS technical issues. If you have issues
    regarding other Microsoft products, you'd better post in the corresponding
    newsgroups so that they can be resolved in an efficient and timely manner.
    You can locate the newsgroup here:
    http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

    When opening a new thread via the web interface, we recommend you check the
    "Notify me of replies" box to receive e-mail notifications when there are
    any updates in your thread. When responding to posts via your newsreader,
    please "Reply to Group" so that others may learn and benefit from your
    issue.

    Microsoft engineers can only focus on one issue per thread. Although we
    provide other information for your reference, we recommend you post
    different incidents in different threads to keep the thread clean. In doing
    so, it will ensure your issues are resolved in a timely manner.

    For urgent issues, you may want to contact Microsoft CSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.

    Any input or comments in this thread are highly appreciated.
    =====================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

     
    Guozhen Wang[MSFT], May 13, 2008
    #2
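    The rule behind event 14147 that Suggestion 1 works through (every address
    in an ISA network's range must be routable through one of that network's
    adapters, and every address routable through those adapters must be in the
    range) can be checked mechanically from the output of "route print". The
    script below is an added example for this thread, not code from any post,
    from Microsoft or from Draytek. The route table text, the second internal
    segment 192.168.17.0/24 and the LAN router address 192.168.16.254 are all
    constructed for illustration; only the SBS internal address 192.168.16.2
    comes from the thread.

```python
"""Cross-check an ISA Server network definition against a Windows routing table.

Models the 14147 rule: addresses in the network's ranges that none of its
adapters can route, and addresses its adapters route that the ranges omit.
All sample data below is constructed.
"""
import ipaddress
import re

# One "route print" row (Windows Server 2003 layout): destination, netmask,
# gateway, interface, metric. Gateway is matched loosely because later
# Windows versions print "On-link" there.
_ROUTE_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_route_print(text):
    """Return [(destination_network, interface_ip)] for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_ROW.match(line)
        if not m:
            continue  # banners, column headers and "Default Gateway:" lines
        dest, mask, _gateway, iface, _metric = m.groups()
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.ip_address(iface)))
    return routes


def ranges_to_networks(ranges):
    """Convert ISA-style (first, last) address ranges into collapsed CIDRs."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return list(ipaddress.collapse_addresses(nets))


def subtract(nets_a, nets_b):
    """Parts of nets_a covered by no network in nets_b, as collapsed CIDRs."""
    result = []
    for a in nets_a:
        pieces = [a]
        for b in nets_b:
            remaining = []
            for p in pieces:
                if p.subnet_of(b):
                    continue                                # fully covered
                if b.subnet_of(p):
                    remaining.extend(p.address_exclude(b))  # punch a hole
                else:
                    remaining.append(p)                     # disjoint
            pieces = remaining
        result.extend(pieces)
    return list(ipaddress.collapse_addresses(result))


def audit_network(ranges, route_text, adapter_ips):
    """Compare an ISA network's ranges with what its adapters can route.

    Returns (not_routable, not_defined) as lists of CIDR strings:
      not_routable: in the definition, reachable through none of the adapters
                    (the condition the 14147 text in this thread reports)
      not_defined:  routable through the adapters but absent from the definition
    """
    adapters = {ipaddress.ip_address(ip) for ip in adapter_ips}
    defined = ranges_to_networks(ranges)
    routable = []
    for net, iface in parse_route_print(route_text):
        if iface not in adapters:
            continue
        # Multicast and the limited-broadcast host route are skipped so they
        # do not clutter the report.
        if net.is_multicast or net == ipaddress.ip_network("255.255.255.255/32"):
            continue
        routable.append(net)
    routable = list(ipaddress.collapse_addresses(routable))
    return ([str(n) for n in subtract(defined, routable)],
            [str(n) for n in subtract(routable, defined)])


# Constructed Site A: SBS internal adapter 192.168.16.2 and a second internal
# segment 192.168.17.0/24 behind an assumed LAN router at 192.168.16.254.
INTERNAL_RANGES = [("192.168.16.0", "192.168.16.255"),
                   ("192.168.17.0", "192.168.17.255")]
INTERNAL_ADAPTERS = ["192.168.16.2"]

ROUTE_PRINT_BEFORE = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.16.0    255.255.255.0     192.168.16.2    192.168.16.2      20
     192.168.16.2  255.255.255.255        127.0.0.1       127.0.0.1      20
   192.168.16.255  255.255.255.255     192.168.16.2    192.168.16.2      20
      203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10      20
        224.0.0.0        240.0.0.0     192.168.16.2    192.168.16.2      20
  255.255.255.255  255.255.255.255     192.168.16.2    192.168.16.2       1
Default Gateway:       203.0.113.1
===========================================================================
"""

# Same table after "route add 192.168.17.0 mask 255.255.255.0 192.168.16.254 -p",
# the persistent route Suggestion 1 says must exist before "Add Adapter" helps.
ROUTE_PRINT_AFTER = ROUTE_PRINT_BEFORE.replace(
    "Default Gateway:",
    "     192.168.17.0    255.255.255.0   192.168.16.254    192.168.16.2       1\n"
    "Default Gateway:")

if __name__ == "__main__":
    for label, table in (("before route add", ROUTE_PRINT_BEFORE),
                         ("after route add", ROUTE_PRINT_AFTER)):
        not_routable, not_defined = audit_network(INTERNAL_RANGES, table, INTERNAL_ADAPTERS)
        print(f"{label}: not routable={not_routable} not defined={not_defined}")
```

    Run against the "before" table the audit flags 192.168.17.0/24 as defined
    but not routable, which is the shape of the 14147 message Robin quoted;
    after the persistent route is added both lists are empty. Dropping the
    second range from INTERNAL_RANGES while keeping the route shows the
    mirror case, an address range ISA would treat as spoofed because the
    adapter routes it but the network definition omits it. Paste real
    "route print" output and the ranges shown on the network's Addresses tab
    to check a live server.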

  3. Hello Robin,

    I have had the same problem.
    The resolution was very simple.

    In your DrayTek, in VPN and Remote Access >> LAN to LAN, TCP/IP Network
    Settings, Remote Gateway IP, you must type your DrayTek IP instead of 0.0.0.0.
    You must remember that in ISA, the name of your VPN network must be the same
    as the username used in PPTP.

    Good Luck!

    Dariusz Kozicki
     
    Dariusz Kozicki, May 15, 2008
    #3