problems connecting to Network Shares over VPN

Discussion in 'Server Networking' started by Donny, Aug 31, 2009.

  1. Donny

    Donny Guest

    I am having problems connecting to Network Shares over VPN
    I am suspecting that this is a network security issue and I am very weak in
    this area.

    My server is SBS 2008 and it is fully patched. All of the laptops are Vista
    Business 32 bit.
    If I connect to the VPN by using the Vista Network Login I can connect and
    everything works well, if and only if I connect through a wired connection.
    I have made sure that my first NIC to load is my wireless NIC. I cannot
    connect to VPN through a Network logon using wireless. It appears that my
    Wireless connection doesn't start or doesn’t connect until after I have
    logged into a user account.

    If I log in normally then connect to VPN, I can ping the server by DNS name
    and also by IP address, however, I cannot see any shares and I cannot connect
    to them. If I try to connect I get a message that either says “incorrect
    password or unknown username for \\server\Share” and also an error occurred
    while reconnecting S: to \\server\share or else I get: “Microsoft Windows
    Network: The network path was not found”

    I don't know what to look for in order to determine if the problem is on the
    remote workstation, the Server or the Router. The company is small, about 10
    users, and we use a Linksys WRT160N router. I would change routers if I knew
    that the router was the issue.

    The server event log doesn't show any VPN or connection/logon errors in it.
    The router log is empty.
     
    Donny, Aug 31, 2009
    #1

  2. Do you log on as a local user or a domain user? It could be a credentials issue. Try
    net use domainname\username to map the drive, or this search result may
    help.
    Can access remote computer via VPN occasionally
    However, when the same user access the VPN, he uses cached credentials
    to access the remote computer. The VPN user may lose the cached credentials
    and may ...
    www.chicagotech.net/casestudy/vpnaccess1.htm


    --
    Bob Lin, Microsoft-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com
     
    Bob Lin (MS-MVP), Sep 1, 2009
    #2

  3. Donny

    Donny Guest

    I am logging in with the Domain username, not the local one. I think that
    this is a DNS issue but I don't know what I need to do to fix it. Here is
    some more information:
    I have some more information on this. After I connect with VPN and I go to
    Network and Sharing Center it says that my network is unauthenticated. My VPN
    IP address is 192.168.2.22
    Going on the server 192.168.2.5 I found the following:

    C:\Users\svradmin>ping adminassist

    Pinging adminassist.epic.local [192.168.2.36] with 32 bytes of data:
    Reply from 192.168.2.5: Destination host unreachable.

    Ping statistics for 192.168.2.36:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

    C:\Users\svradmin>ping 192.168.2.22

    Pinging 192.168.2.22 with 32 bytes of data:
    Reply from 192.168.2.22: bytes=32 time=23ms TTL=128

    Ping statistics for 192.168.2.22:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 24ms, Average = 23ms

    C:\Users\svradmin>tracert 192.168.2.22

    Tracing route to ADMINASSIST [192.168.2.22]
    over a maximum of 30 hops:

    1 23 ms 24 ms 24 ms ADMINASSIST [192.168.2.22]

    Trace complete.

    C:\Users\svradmin>nslookup adminassist
    Server: UnKnown
    Address: fe20::9661:b7f6:e3da:559f

    Name: adminassist.company.local
    Address: 192.168.2.36
     
    Donny, Sep 1, 2009
    #3
  4. Sounds like a name resolution issue. Can you ping -a 192.168.2.36? Also, posting
    back the result of ipconfig /all from the VPN client may help.

    --
    Bob Lin, Microsoft-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com


     
    Bob Lin (MS-MVP), Sep 1, 2009
    #4
  5. Donny

    Donny Guest

    The notebook is back in the office for the day. I will post tonight.

     
    Donny, Sep 1, 2009
    #5
  6. Donny

    Donny Guest

    Here is the information from the server and also from the notebook. Sorry for
    the delay. They took it out of town for a day.

    ***From the server:

    C:\Users\svradmin>nslookup adminassist
    Server: UnKnown
    Address: fe80::9691:b7f6:e3da:589f

    Name: adminassist.company.local
    Address: 192.168.2.36

    C:\Users\svradmin>ping -a 192.168.2.36

    Pinging 192.168.2.36 with 32 bytes of data:
    Reply from 192.168.2.5: Destination host unreachable.
    Reply from 192.168.2.5: Destination host unreachable.
    Reply from 192.168.2.5: Destination host unreachable.
    Reply from 192.168.2.5: Destination host unreachable.

    Ping statistics for 192.168.2.36:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

    C:\Users\svradmin>

    ***From the Notebook off site with VPN connected.

    C:\Windows\system32>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : ADMINASSIST
    Primary Dns Suffix . . . . . . . : company.local
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : company.local

    PPP adapter Company VPN Connection:

    Connection-specific DNS Suffix . : company.local
    Description . . . . . . . . . . . : Company VPN Connection
    Physical Address. . . . . . . . . :
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.2.15(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 0.0.0.0
    DNS Servers . . . . . . . . . . . : 192.168.2.5
    Primary WINS Server . . . . . . . : 192.168.2.5
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Wireless LAN adapter Wireless Network Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
    Physical Address. . . . . . . . . : 00-1A-73-82-49-26
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::c5d:18d5:4104:1b19%10(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.0.113(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Thursday, September 03, 2009 6:39:42 PM
    Lease Expires . . . . . . . . . . : Friday, September 04, 2009 6:39:42 PM
    Default Gateway . . . . . . . . . : 192.168.0.1
    DHCP Server . . . . . . . . . . . : 192.168.0.1
    DHCPv6 IAID . . . . . . . . . . . : 218110579
    DHCPv6 Client DUID. . . . . . . . :
    00-01-00-01-11-C0-B3-57-00-1B-24-81-B1-B

    DNS Servers . . . . . . . . . . . : 192.168.0.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
    Physical Address. . . . . . . . . : 00-1B-24-81-B1-B7
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::c464:32ad:ed1:9e1d%9(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.0.125(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Thursday, September 03, 2009 6:39:45 PM
    Lease Expires . . . . . . . . . . : Friday, September 04, 2009 6:39:45 PM
    Default Gateway . . . . . . . . . : 192.168.0.1
    DHCP Server . . . . . . . . . . . : 192.168.0.1
    DHCPv6 IAID . . . . . . . . . . . : 234887972
    DHCPv6 Client DUID. . . . . . . . :
    00-01-00-01-11-C0-B3-57-00-1B-24-81-B1-B

    DNS Servers . . . . . . . . . . . : 192.168.0.1
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter Local Area Connection*:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 2:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Tun Miniport Adapter
    Physical Address. . . . . . . . . : 02-00-54-55-4E-01
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 9:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . : company.local
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Local Area Connection* 12:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes

    C:\Windows\system32>


    Microsoft Windows [Version 6.0.6002]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.

    C:\Users\stuart>net use s: \server12\data
    s: has a remembered connection to \\server12\data. Do you
    want to overwrite the remembered connection? (Y/N) [Y]:
    System error 67 has occurred.

    The network name cannot be found.


    C:\Users\stuart.>ping server12

    Pinging server12.company.local [192.168.2.5] with 32 bytes of data:
    Reply from 192.168.2.5: bytes=32 time=23ms TTL=127
    Reply from 192.168.2.5: bytes=32 time=23ms TTL=127
    Reply from 192.168.2.5: bytes=32 time=23ms TTL=127
    Reply from 192.168.2.5: bytes=32 time=22ms TTL=127

    Ping statistics for 192.168.2.5:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 23ms, Average = 22ms

    C:\Users\stuart>ping 192.168.2.5

    Pinging 192.168.2.5 with 32 bytes of data:
    Reply from 192.168.2.5: bytes=32 time=23ms TTL=127
    Reply from 192.168.2.5: bytes=32 time=23ms TTL=127
    Reply from 192.168.2.5: bytes=32 time=23ms TTL=127
    Reply from 192.168.2.5: bytes=32 time=23ms TTL=127

    Ping statistics for 192.168.2.5:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 23ms, Maximum = 23ms, Average = 23ms

    C:\Users\stuart>net view server12
    Shared resources at server12


    Share name Type Used as Comment

    -------------------------------------------------------------------------------
    RedirectedFolders Disk [Offline Share]
    The command completed successfully.

    C:\Users\stuart>

     
    Donny, Sep 4, 2009
    #6
  7. We have some configuration issues with this system. It seems to me the SBS
    is a multihomed computer with two NICs (wired and wireless). It is not
    recommended. Also, you may want to disable IPv6 on the server for
    troubleshooting. You may compare both the VPN server and client routing tables to
    see where the traffic will go.

    --
    Bob Lin, Microsoft-MVP, MCSE & CNE
    Networking, Internet, Routing, VPN Troubleshooting on
    http://www.ChicagoTech.net
    How to Setup Windows, Network, VPN & Remote Access on
    http://www.HowToNetworking.com


     
    Bob Lin (MS-MVP), Sep 4, 2009
    #7
  8. Donny

    Donny Guest

    Hello again,
    We have a wired and wireless network in the office, however, the server
    only has 1 NIC. How should I proceed with this?
    I don't think I can disable IP v6 as this is a SBS Server and Exchange puts
    up a major fuss if IP v6 is disabled.

    How do I compare both VPN server and client routing tables?

     
    Donny, Sep 4, 2009
    #8
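
Added example, not part of the original thread: one way to do the routing-table comparison suggested in post #7, assuming the IPv4 "Active Routes" section of `route print` has been saved from both the VPN client and the server. The tables below are constructed; addresses follow the thread, while the metrics, the 192.168.2.1 router and the 192.168.2.10 server-side RAS interface are assumptions.

```python
import ipaddress

# Constructed samples in the IPv4 "Active Routes" layout printed by `route print`
# on Vista / Server 2008. Metrics, 192.168.2.1 and 192.168.2.10 are assumptions.
CLIENT_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.113     25
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.125     20
      192.168.0.0    255.255.255.0         On-link     192.168.0.125    276
      192.168.2.0    255.255.255.0         On-link      192.168.2.15     21
     192.168.2.15  255.255.255.255         On-link      192.168.2.15    276
"""
SERVER_ROUTES = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1      192.168.2.5    266
      192.168.2.0    255.255.255.0         On-link       192.168.2.5    266
     192.168.2.15  255.255.255.255     192.168.2.15     192.168.2.10     11
"""


def parse_routes(text):
    """Return the route rows found in `route print` text; other lines are skipped."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # header, separator or non-route line
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            iface = str(ipaddress.ip_address(fields[3]))
        except ValueError:
            continue
        routes.append({"net": net, "gateway": fields[2],
                       "iface": iface, "metric": int(fields[4])})
    return routes


def best_route(routes, dest):
    """Pick the route Windows would use: longest prefix, then lowest metric."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r["net"]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r["net"].prefixlen, r["metric"]))


def compare(client_text, server_text, client_vpn_ip, server_ip):
    """Report which interface each side uses to reach the other."""
    out = best_route(parse_routes(client_text), server_ip)
    back = best_route(parse_routes(server_text), client_vpn_ip)
    return {
        "client_to_server": out["iface"] if out else None,
        "server_to_client": back["iface"] if back else None,
        # True only when the client sends server traffic out of the PPP adapter.
        "client_uses_tunnel": bool(out) and out["iface"] == client_vpn_ip,
    }


if __name__ == "__main__":
    print(compare(CLIENT_ROUTES, SERVER_ROUTES, "192.168.2.15", "192.168.2.5"))
    # Same client table without the 192.168.2.0 subnet route: traffic for the
    # server falls through to the default route on the local LAN adapter.
    no_vpn_subnet = "\n".join(l for l in CLIENT_ROUTES.splitlines()
                              if not l.split()[:1] == ["192.168.2.0"])
    print(compare(no_vpn_subnet, SERVER_ROUTES, "192.168.2.15", "192.168.2.5"))
```

If `client_uses_tunnel` comes back false, requests for the server's shares are leaving through the local LAN adapter instead of the VPN, which is worth ruling out before looking at credentials.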
  9. Hello Donny,

    Actually, since this is SBS, it should have been posted to the SBS
    newsgroup, where those folks could have given you specific help. I
    cross-posted it for you. You can simply check back here for responses, if
    any.

    And yes, disabling IPv6 is one of the best things you can do. After all, are
    you using it? Do you have some sort of large infrastructure using a BGP
    routing scheme (such as the backbone of a university) that is based on IPv6?
    If so, then you would need to keep IPv6. Otherwise, it's additional overhead
    that is checked during communication, and of course not used because there
    may be other machines that do not have it installed. Disabling it eliminates
    additional processing overhead and the additional IPv6 IP.

    Also, disabling the RSS/TCP Chimney feature is helpful with network
    transfer issues associated with it.

    Read the following on how to disable IPv6. And no, it will NOT cause any
    problems with Exchange. It will help with communication between Exchange and
    the DC (even if on the same server).

    ==================================================================
    ==================================================================
    How to Disable IPv6

    There are known issues regarding IPv6 affecting communications in certain
    scenarios, such as with errors when using Outlook Anywhere such as to fix an
    Exchange/DC NSPI port 6004 communication issue, among many others. Therefore
    to eliminate communications issues regarding whether this is a factor or
    not, it is recommended to disable IPv6 in registry on the Exchange server,
    as well as on the domain controllers, or any server for that matter,
    especially if there are no plans in using IPv6.

    To disable IPv6 on 2008 or Vista:

    Uncheck IPv6 in NIC properties
    Uncheck the two LinkLayer Topology Discovery components
    Then follow the registry changes procedure below to completely disable IPv6.

    1. Navigate to:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
    2. In the details pane, click New, and then click DWORD (32-bit) Value.
    3. Type in DisabledComponents , and then press ENTER.
    4. Double-click DisabledComponents,
    5. Type ff in Hexadecimal.
    6. So it should look like this when completed:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
    "DisabledComponents"=dword:000000ff

    ====
    More info:

    The installation of the Exchange Server 2007 Hub Transport role is
    unsuccessful on a Windows Server 2008-based computer
    http://support.microsoft.com/?id=952842

    Disabling IPv6 on Windows 2008 or Vista
    http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx

    ---

    Interesting view point by "Anteaus" publicly posted to a newsgroup post in
    thread:
    Subject: Re: Should we disable IPv6 ?
    Date: Sat, 27 Jun 2009 00:42:01 -0700
    Newsgroups: microsoft.public.windows.server.networking

    The issue, as I understand it, is that IPv4 addresses will eventually run
    out, and when they do, any new webhosts will have to use IPv6 addresses
    ONLY.
    Thus if your client-kit sticks with IPv4 after that date there will be a
    gradually-increasing number of websites which will be inaccessible to you.
    Whether this actually matters will of course depend on what you need to
    access.

    As for IPv6 being a logical step forward, I dispute that. On the contrary,
    IPv6 is a total departure from a well-proven scheme which works, to one
    which
    is not only unproven but which already has a number of identified
    compatibility bugs, for example IPv6 addresses are incompatible with UNC
    paths. Extending the existing scheme to five or six octets would be the
    simple, sensible choice, unfortunately the "Let's make things complicated"
    crew got-in on the act, as they so often do.
    ---
    ==================================================================
    ==================================================================

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
    Microsoft Certified Trainer

    For urgent issues, please contact Microsoft PSS directly. Please check
    http://support.microsoft.com for regional support phone numbers.
    ==================================================================
    ==================================================================
    ==================================================================
     
    Ace Fekay [MCT], Sep 4, 2009
    #9
  10. Donny

    Al Williams Guest

    This is from the MS SBS2008 blog regarding disabling ipv6, slightly
    different than Ace's instructions:

    http://blogs.technet.com/sbs/archive/tags/IPv6/default.aspx

    --
    Allan Williams



     
    Al Williams, Sep 4, 2009
    #10
  11. Thanks, Al. I'm glad I cross-posted it for Donny.

    Ace


     
    Ace Fekay [MCT], Sep 4, 2009
    #11
  12. Donny

    Donny Guest

    Hi there,
    I tried your suggestions. I disabled IPv6 on the server following the
    directions listed in the SBS Blogs. So far I cannot find any differences.
    After the Registry change I rebooted the server. Since the reboot the notebook
    has not been on the corporate network except through VPN. When I followed
    Bob's instructions for gathering information (see my reply dated September 3)
    I see absolutely no difference in any field. On my Vista Notebook, my VPN
    connection still shows unauthenticated.
    After I connect, I get a message that Windows needs my current credentials
    for authentication. I am asked to lock and unlock the PC. I do this and then
    I get the message again.

    Can you please offer some more suggestions?
    Thank you.

     
    Donny, Sep 6, 2009
    #12
  13. Donny,

    Looking back at the laptop's ipconfig, what is that "NVIDIA nForce
    Networking" interface?

    Also, the VPN interface shows 0.0.0.0 as the gateway, and it is a static
    config, meaning it's not getting an IP from a DHCP server. I'm not sure how
    you have your VPN setup, but what normally happens is when the VPN is
    connected, (a dialup interface, so to speak), it becomes the default
    interface. So what I believe I'm seeing, is when you attempt to ping
    something on the 192.168.2.0 network, it has no gateway to send it to.

    Can you elaborate on why it's a static config or how the VPN is setup on the
    SBS? Did you set it up using the wizard? I'm sure one of the folks in the
    SBS group can better comment on how the wizard sets up VPN services, and
    what, if any, may be wrong with this setup, which *may* be the cause of
    what's going on.

    As for IPv6, since you are really not using it, I would just leave it
    disabled. It's less overhead on the SBS.

    Ace

     
    Ace Fekay [MCT], Sep 6, 2009
    #13
  14. Donny

    Bill Grant Guest

    VPN connections and dial-ups don't need default gateways. They are point
    to point connections, so they are their own gateway. Everything goes through
    the point to point link. In XP, I think the GUI showed the received IP
    address as the gateway. In Win 7 it is blank. I haven't seen 0.0.0.0 though.
     
    Bill Grant, Sep 6, 2009
    #14

  15. The 0.0.0.0 does confuse me. It also shows the VPN interface as not a DHCP
    address. I would imagine it would at least show that it was configured
    through DHCP?

    Ace
     
    Ace Fekay [MCT], Sep 6, 2009
    #15
  16. Donny

    Bill Grant Guest

    No, the client doesn't get its config from DHCP, even if the server is
    set up to use DHCP. The server leases a number of IP addresses from DHCP if
    you don't give it a static pool. The client gets its config from the server
    as part of the PPP negotiation. The config is only used for the duration of
    the connection, not for the DHCP lease time.
     
    Bill Grant, Sep 6, 2009
    #16

  17. Ok. For some reason, it just didn't look right.

    Ace
     
    Ace Fekay [MCT], Sep 6, 2009
    #17
  18. Donny

    Donny Guest

    OK I am still confused.
    I don't understand why the notebook still has a DNS entry 48 hours after
    being removed from the network and including a reboot on both the server and
    the notebook.
    I think that there is a small thing that I have missed. When I connect by
    VPN it checks the network and advises me that it is unauthenticated. Why
    would that be?

    Also if I type in Net use S: \companyserver\data I get a message asking for
    Logon credentials for the server. No matter what credentials I supply I end
    up stuck in this authentication loop.

    I set up VPN on the SBS 2008 server using the wizard located in the SBS
    console. I have used server manager to check the information, however, I am a
    bit weak here. I think it is OK, but I am not totally sure what I should be
    looking for.

    Also, I do not see anything about this in the event log.

    Help, please!!
     
    Donny, Sep 7, 2009
    #18
  19. It's saying it's not authorized? That's based on 2008's VPN policies using
    the SBS firewall. Has the laptop been joined to the domain? If so, how was
    it joined? When you use the Connect method, it pushes down the firewall
    rules to allow access to the domain. I also assume the user is part of the
    allowed VPN access group?

    What I'm getting at is the SBS2008 wizard should have handled this for you
    when you set it up. It appears that the issue is pointing to something in
    this area.

    Ace
     
    Ace Fekay [MCT], Sep 7, 2009
    #19
  20. Donny

    Donny Guest

    Hi Ace,
    To connect the computer to the domain I was on site and using a wired
    connection. Using IE7 I went: http://connect and I let the wizard handle
    the process. I did not receive any error messages so I made the assumption
    that the process worked.

    I have certain users in the VPN group. I also have a special GPO for laptops
    that use the network connect so that they can add the server share as a
    mapped drive letter.

    I don't know a lot about SBS2008 but I have wondered if I can remove the
    computer totally from the domain and perhaps even rename it and then add it
    back on. Could that resolve my problem? I have never had a wizard not work
    properly before. Is there a troubleshooting procedure?

    Thanks a lot,
     
    Donny, Sep 7, 2009
    #20
