I have one of the weirdest routing problems I've ever seen in RRAS. I have the following configuration:

Boston:
- All clients default routed to the RRAS Server
- Network: 192.168.1.0
- RRAS Server: 192.168.1.29
  - Windows 2003 SP 2 (Enterprise Server)
  - PPTP Server
  - Static route set to the remote route on the 192.168.2.0 network
  - One NIC, default routed to 192.168.1.1 (DSL Router to the cloud)

Fairfax:
- All clients default routed to the RRAS Server
- Network: 192.168.2.0
- RRAS Server: 192.168.2.29
  - Windows 2008 (Enterprise Server)
  - PPTP Server
  - Static route set to the remote route on the 192.168.1.0 network
  - One NIC, default routed to 192.168.2.1 (DSL Router to the cloud)

These servers have a route called BostonFairfaxRoute. It's set up identically on both servers, using that username and the username's password. The RRAS servers connect the remote route successfully. The problem lies in the ability to successfully route packets. The following scenarios result:

- 192.168.2.29: CAN PING 192.168.1.29
- 192.168.1.29: Cannot ping 192.168.2.29
- Clients on the 192.168.2.0 network: Cannot ping 192.168.1.29
- Clients on the 192.168.1.0 network: Cannot ping 192.168.2.29

If the path between 192.168.2.29 and 192.168.1.29 didn't make it either way I'd understand the problem. The confusing part is that it works one way! I've never seen this before and have no idea how to solve it. I've verified all of the settings more than once in what's a very common system for me to set up. Anyone have any ideas?
Posting the routing tables on both servers may help. -- Bob Lin, MS-MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
If the clients on their respective network are already "default routed" to their respective RRAS Box then there is no "static route" that I can think of that should be there. The RRAS boxes already "know" about the IP Segment on the opposite end since they are directly connected to it. The Clients only need to know where their RRAS Box is,...they do not need to "know" specifically about the opposite LAN. But then it has been a while since I worked with RRAS and I have a tendency to think of it in terms of how I would a traditional router appliance. -- Phillip Windell www.wandtv.com The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
Robert, That completely slipped my mind, I had every intention of posting the routing tables. This is the table from Boston:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.29      20
      72.85.61.11  255.255.255.255      192.168.1.1    192.168.1.29      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.29    192.168.1.29      20
     192.168.1.10  255.255.255.255    192.168.2.201   192.168.2.201       1
     192.168.1.11  255.255.255.255        127.0.0.1       127.0.0.1      50
     192.168.1.29  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.1.255  255.255.255.255     192.168.1.29    192.168.1.29      20
      192.168.2.0    255.255.255.0     192.168.1.10   192.168.2.201       1
    192.168.2.201  255.255.255.255        127.0.0.1       127.0.0.1      50
    192.168.2.255  255.255.255.255    192.168.2.201   192.168.2.201      50
        224.0.0.0        240.0.0.0     192.168.1.29    192.168.1.29      20
        224.0.0.0        240.0.0.0    192.168.2.201   192.168.2.201      50
  255.255.255.255  255.255.255.255     192.168.1.29    192.168.1.29       1
  255.255.255.255  255.255.255.255    192.168.2.201   192.168.2.201       1
Default Gateway: 192.168.1.1

--

And this is the table from Fairfax:

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.29     286
   67.101.123.140  255.255.255.255      192.168.2.1    192.168.2.29      31
        127.0.0.0        255.0.0.0          On-link       127.0.0.1     306
        127.0.0.1  255.255.255.255          On-link       127.0.0.1     306
  127.255.255.255  255.255.255.255          On-link       127.0.0.1     306
      192.168.1.0    255.255.255.0    192.168.2.201    192.168.1.10      31
     192.168.1.10  255.255.255.255          On-link    192.168.1.10     286
      192.168.2.0    255.255.255.0          On-link    192.168.2.29     286
     192.168.2.29  255.255.255.255          On-link    192.168.2.29     286
    192.168.2.200  255.255.255.255          On-link   192.168.2.200     306
    192.168.2.255  255.255.255.255          On-link    192.168.2.29     286
        224.0.0.0        240.0.0.0          On-link       127.0.0.1     306
        224.0.0.0        240.0.0.0          On-link    192.168.2.29     286
        224.0.0.0        240.0.0.0          On-link   192.168.2.200     306
  255.255.255.255  255.255.255.255          On-link       127.0.0.1     306
  255.255.255.255  255.255.255.255          On-link    192.168.2.29     286
  255.255.255.255  255.255.255.255          On-link   192.168.2.200     306
  255.255.255.255  255.255.255.255          On-link    192.168.1.10     286
The routing tables look good to me. Where does the traffic stop if using tracert from Fairfax to Boston? Do you have NAT/Firewall enabled? -- Bob Lin, MS-MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
If the VPN link is up and the static routes are in place, that is perfectly reasonable. Since the two routers are linked by a point to point connection, the setup can be looked at as a simple (slow) IP router. Packets reaching one VPN router addressed to the "other" site are delivered directly by the VPN router at the other end, just like one IP router connecting two segments. What happens between the two routers can be ignored as far as routing is concerned (except the speed!) Even firewalls can be ignored because the original private addressed packet is encrypted and encapsulated when it goes through the firewall. It is just the payload of the packet. The firewall only sees the header of the public addressed wrapper.
Yes. That is why I don't see the need to add static routes. With an IP Router there would be no static route at all. The Router (or Routers in P2P) are already aware of the segments that they are directly connected to, so when there are only two segments there simply would not be a static route at all. I have to trust your judgment when it comes to RRAS because you know it better than I do, so I am trying to understand, but I don't see any need for a static route. -- Phillip Windell www.wandtv.com The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. -----------------------------------------------------
Robert, I'm glad we're coming to the same conclusions on the routing tables and setup, at least I know I'm not crazy. As for the traffic, pings succeed from the Fairfax RRAS box to the Boston RRAS box, and strangely enough even pinging CLIENTS on the Boston side from the Fairfax RRAS box succeeds. When pinging the Fairfax RRAS box from Boston, however, failure occurs. The tracert from the Boston RRAS box to the Fairfax RRAS box fails right from the start, so at least it doesn't appear to be erroneously routing through the DSL router. Let me know what you think, Jack
Until someone convinces me otherwise (and that may happen), I don't think there should be any static routes on the RRAS boxes and I don't think routing tables have anything to do with it. A pair of RRAS boxes in a Site-to-Site Connection each have to "dial" each other to have a "complete" two-way connection. It sounds like Fairfax has properly "dialed" Boston but Boston has not properly "dialed" Fairfax. So pings initiated from Fairfax to Boston succeed,...while pings initiated from Boston to Fairfax fail. Once a connection is "dialed" the routing table is dynamically altered,...however this is not a static route or routing table issue. -- Phillip Windell www.wandtv.com The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. -----------------------------------------------------
VPN is a dialup technology. It just dials an IP# instead of a phone number and uses a Demand Dial VPN Interface instead of a Modem. Ok. Well then, I don't know what to tell you. I don't have enough details to go further and I don't really even know what to ask for right now. -- Phillip Windell www.wandtv.com The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. -----------------------------------------------------
Can the Boston server ping the Fairfax PPTP IP (I assume it is 192.168.2.200)? If not, can the Fairfax server ping itself? If not, check any security software. Please post back with the result. -- Bob Lin, MS-MVP, MCSE & CNE Networking, Internet, Routing, VPN Troubleshooting on http://www.ChicagoTech.net How to Setup Windows, Network, VPN & Remote Access on http://www.HowToNetworking.com
Hi Phillip, With RRAS the only static routes required are the ones linked to the demand-dial interfaces. They are stored in the registry until the connection comes up. When the connection binds to the dd interfaces the routes are added to the routing table using the tunnel endpoint addresses. (You don't need to know about them in ISA because the setup wizard looks after it). The dd interfaces are really just being used as something to bind the static routes to. You don't need to use dial on demand - you can connect manually and make the connection persistent. The static routes (the ones which route the traffic for the "other" site through the VPN link) are set up before the connection exists. The dd interfaces are really just like symbolic names. They are something to use as a name for the interface in the static route which will be replaced by the IP address when the connection is made. So as long as the VPN router is the default gateway for each site, routing between the sites is automatic when the VPN link comes up and binds to both routers. There is only one link, but it can be activated from either end. Either router can call the other to initiate the connection. The vital thing is that when it calls, it uses the name of the dd interface on the answering router as its username. That ensures that the dd interface becomes active and the static route is added to the routing table. If it uses some other username, the connection binds to the default internal interface (as used by a client-server VPN connection) and you only get a host route back to the calling router, not a subnet route to the machines behind the router. If this happens site to site routing fails of course.
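The routing tables posted earlier in the thread and the explanation above suggest a mechanical check worth automating: parse `route print` output from each RRAS box and confirm that the remote site's subnet route exists and that it points out of the tunnel endpoint rather than the LAN NIC. The Python below is an added example and is not code from any poster in this thread. It embeds abbreviated copies of the Boston and Fairfax tables from the thread (only the rows that matter for site-to-site routing) plus a third, constructed table that shows the symptom described above: a connection that bound to the default internal interface, so the router only holds a /32 host route to the other router's tunnel address and no route to the subnet behind it. The interface addresses 192.168.2.201 and 192.168.1.10 are taken from the posted tables; the constructed "broken" table is an assumption built to illustrate that failure mode.

```python
"""Check Windows `route print` output for the routes an RRAS site-to-site link needs.

Added example, not from the thread. Works on both the Server 2003 style (explicit
gateway column) and the Server 2008 style ("On-link" in the gateway column).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: the relevant rows of the Boston (Server 2003) table from the thread.
BOSTON_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.29      20
      192.168.1.0    255.255.255.0     192.168.1.29    192.168.1.29      20
     192.168.1.10  255.255.255.255    192.168.2.201   192.168.2.201       1
      192.168.2.0    255.255.255.0     192.168.1.10   192.168.2.201       1
    192.168.2.201  255.255.255.255        127.0.0.1       127.0.0.1      50
"""

# Constructed sample: the relevant rows of the Fairfax (Server 2008) table from the thread.
FAIRFAX_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.29     286
      192.168.1.0    255.255.255.0    192.168.2.201    192.168.1.10      31
     192.168.1.10  255.255.255.255          On-link    192.168.1.10     286
      192.168.2.0    255.255.255.0          On-link    192.168.2.29     286
"""

# Constructed (assumed) sample: what Boston would look like if the call came in under a
# username that is NOT the demand-dial interface name. Only a host route to the remote
# router's tunnel address appears; there is no 192.168.2.0/24 subnet route at all.
BROKEN_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.29      20
      192.168.1.0    255.255.255.0     192.168.1.29    192.168.1.29      20
    192.168.2.200  255.255.255.255    192.168.2.201   192.168.2.201       1
    192.168.2.201  255.255.255.255        127.0.0.1       127.0.0.1      50
"""


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    gateway: str      # for "On-link" rows this is set to the interface address
    interface: str
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Turn the IPv4 route table section of `route print` into Route objects."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # header, separators, blank lines
        dest, mask, gw, iface, metric = fields
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            ipaddress.IPv4Address(iface)  # reject anything that is not a route row
            metric_val = int(metric)
        except ValueError:
            continue
        if gw.lower() == "on-link":
            gw = iface
        routes.append(Route(net, gw, iface, metric_val))
    return routes


def check_site_to_site(routes: List[Route], lan_ip: str, remote_lan: str) -> Tuple[bool, List[str]]:
    """Return (ok, findings) for one RRAS router.

    lan_ip is this router's own LAN NIC address; remote_lan is the other site's subnet.
    The subnet route must exist and must not point out of the LAN NIC, since that would
    hand the traffic to the DSL router instead of the tunnel.
    """
    remote = ipaddress.IPv4Network(remote_lan)
    findings: List[str] = []
    subnet_routes = [r for r in routes if r.dest == remote]
    if not subnet_routes:
        findings.append(f"no subnet route for {remote}")
        # A lone /32 inside the remote LAN on a non-LAN, non-loopback interface is the
        # "host route only" symptom of a link that bound to the default internal interface.
        hosts = [r for r in routes
                 if r.dest.prefixlen == 32
                 and r.dest.network_address in remote
                 and r.interface not in (lan_ip, "127.0.0.1")]
        if hosts:
            findings.append("only host route(s) to the remote router: "
                            + ", ".join(str(r.dest.network_address) for r in hosts))
        return False, findings
    for r in subnet_routes:
        if r.interface == lan_ip:
            findings.append(f"{remote} is routed out of the LAN NIC {lan_ip} "
                            f"(gateway {r.gateway}), not the tunnel")
    return not findings, findings


if __name__ == "__main__":
    for name, table, lan_ip, remote in (
        ("Boston", BOSTON_ROUTE_PRINT, "192.168.1.29", "192.168.2.0/24"),
        ("Fairfax", FAIRFAX_ROUTE_PRINT, "192.168.2.29", "192.168.1.0/24"),
        ("Broken (constructed)", BROKEN_ROUTE_PRINT, "192.168.1.29", "192.168.2.0/24"),
    ):
        ok, findings = check_site_to_site(parse_route_print(table), lan_ip, remote)
        print(f"{name}: {'OK' if ok else 'PROBLEM'} {findings}")
```

Both tables from the thread pass this check, which agrees with the observation that the routing tables look fine; the constructed third table fails with a "host route only" finding. On a live box you would feed it the output of `route print` captured while the demand-dial connection is up, once from each router, because the subnet route only appears after the interface binds.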
Ok. That's what I thought. It is the one link being activated from one side that I get tripped up on when dealing with this subject. I asked the same thing in a private email to Tom Shinder, who wrote the ISA books, and he said the same thing you are saying. So, good enough for me. Thanks Bill -- Phillip Windell www.wandtv.com The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats. -----------------------------------------------------