VERY frustrating 2000 server RRAS/VPN problem

Discussion in 'Server Networking' started by Guest, Apr 2, 2004.

  1. Guest

    I set up RRAS as a remote access server. I leave the default remote access
    policy alone. I then open the properties for a user account and on the
    dial-in tab I click to ALLOW remote access via dial-in or VPN. Guess what? A
    VPN connection attempt is denied and says the user does not have dial-in
    rights! I've rebooted, logged in physically at the machine, logged off, tried
    again... same thing! What's the problem? The server is a member of a domain
    but is NOT a domain controller. Would there be a setting on the default
    domain security policy that could be screwing me up?
     
    Guest, Apr 2, 2004
    #1

  2. Hi,

    Are you using a local user account or domain account? If domain account,
    make sure there is no local account with the same name on the server.

    Also, is there more than one DC? Check to see if the dial in permissions
    replicated to all DCs if using a domain account.

    If you change the RAS policy to Grant remote access permissions based on the
    conditions, does this work?

    -Matt
     
    Matthew [MSFT], Apr 2, 2004
    #2

  3. Guest

    Since the machine is a stand-alone server I am using the local administrator
    account. Would the fact that there is also an account named administrator in
    AD be causing a problem? There is only one DC. I have not changed the policy
    to GRANT because my understanding of the default policy is that access will
    be allowed IF dial-in access is permitted at the user level as long as day
    and time restrictions do not match. Please advise...



     
    Guest, Apr 2, 2004
    #3
  4. If you are using the domain name when logging on with the VPN client, then
    the server is most likely trying to use the domain admin account.

    When logging on, try using the context machinename\username, where machine
    name is the RRAS server name.

    Another thing to try would be creating a new user locally that does not have
    a domain account and give it dial in permissions.

    On your VPN connection properties, leave the domain name blank when logging
    on.



    --
    [This posting is provided AS IS
    with no warranties, and confers
    no rights.]
     
    Matthew [MSFT], Apr 2, 2004
    #4
  5. Guest

    Great! I can connect now. However, I can't ping any machines on the network. I
    imagine I need to create a static route somewhere. I know that when using
    dial-in access via a phone modem to act as an ISP a static route must be
    created with 0.0.0.0... would this be the same case?


     
    Guest, Apr 2, 2004
    #5
  6. This would depend on the way you are handing out addresses to clients. If
    you are giving addresses to clients that match the internal network, you should
    not have to add a static route. If they are not the same, then internal
    clients would need to either point to the RAS server as a default gateway,
    or have individual local routes to point them back to the RAS server for
    that subnet.

    I would suggest using the same subnet either by creating a static pool in
    RRAS using the internal subnet, or using DHCP (this is default) to hand out
    addresses to RAS clients. I would check to see what address your client
    gets using IPconfig. If you see a 169.254.x.x, then the RRAS server
    probably is not getting addresses from DHCP. I would then go to a Static
    pool.

    The IP options are configured from the RRAS MMC. Right click on the server
    name, go to properties, and then IP.

    -Matt

    --
    [This posting is provided AS IS
    with no warranties, and confers
    no rights.]
     
    Matthew [MSFT], Apr 2, 2004
    #6
  7. Guest

    OK. RRAS is configured to use a DHCP relay agent. When I connect I do get an
    address that matches the rest of the network; however, I couldn't see anything
    on the network except the RRAS server. I added a static route of 0.0.0.0 to
    the LAN adapter in RRAS and now I CAN see the rest of the network. Could you
    provide an explanation as to why this is?


     
    Guest, Apr 2, 2004
    #7
  8. Your client machine receives an address when connecting (or it should),
    therefore it is already in the same subnet (or it should be), so there is no
    "routing"; you can not "route" to where you are already at to start with.
    You need to verify which address your client is receiving and verify
    specifically which machine you can ping and which you cannot, and the subnet
    each is in if there are multiple subnets. Knowing *all* this makes a big
    difference when trying to troubleshoot this type of stuff.


    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com


     
    Phillip Windell, Apr 2, 2004
    #8
  9. The DHCP relay does not need to be configured if you are only using this as
    a RAS server. Under DHCP relay, you should have the internal adapter
    listed, but in the DHCP relay properties, you do not need to have your
    internal server listed. The RAS server will automatically take 10 ip
    addresses from the DHCP scope when started. It will hand these out to the
    clients when they logon.

    I have seen this to be an issue when trying to access internal resources.



    --
    [This posting is provided AS IS
    with no warranties, and confers
    no rights.]
     
    Matthew [MSFT], Apr 2, 2004
    #9
  10. That was nice and "logical" of them to build it that way, especially since
    it complains if you don't give it a DHCP server in the Properties.
     
    Phillip Windell, Apr 2, 2004
    #10
  11. You can get an error asking for the DHCP relay agent if there are two
    network cards in the server, and the RAS IP settings are set to use the
    external adapter for client configurations. If there is only one adapter,
    this should not happen.

    If the external adapter is chosen, or if this is set to allow RAS to choose
    the adapter, it should be changed to use the internal adapter (unless there
    is a specific reason not to do so).
     
    Matthew [MSFT], Apr 2, 2004
    #11
  12. Guest

    OK, so please let me get this all straight.

    First, I only have one NIC in the machine. So you're telling me that I don't
    have to configure a DHCP relay agent, NOR do I have to create a pool of IP
    addresses within RRAS... you're saying that I don't have to do either? Please
    verify that and I will test it.


     
    Guest, Apr 2, 2004
    #12
  13. That confuses me more. Why wouldn't it be the external adapter since that is
    the one the VPN users are connecting to?
     
    Phillip Windell, Apr 2, 2004
    #13
  14. Guest

    OK. That config works, although I'm not entirely sure why. My last problem is
    that the connection hangs at the "verifying username and password" stage. I
    have opened port 1723 on the Cisco PIX firewall and forwarded traffic to the
    server. Does port 47 also need to be opened? If not, what could be the
    problem?



     
    Guest, Apr 2, 2004
    #14
  15. The problem is there is more than one way to do this stuff. Now I have
    never heard of only having one NIC in a VPN Server since the point is for it
    to accept VPN users from the internet on one side and let them use resources
    on the other side.

    Keep your eye on Matt. I think he has a good grip on what you are trying to
    do.

    --

    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com


     
    Phillip Windell, Apr 2, 2004
    #15
  16. Yes, you need to have 47 opened as well. But it is actually a protocol, not
    a port, so depending on the way your firewall lists it, you will need to
    configure it.

    -Matt
    --
    [This posting is provided AS IS
    with no warranties, and confers
    no rights.]
     
    Matthew [MSFT], Apr 2, 2004
    #16
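Matt's point that 47 is an IP protocol number rather than a port is the usual PPTP pass-through pitfall. The checker below is an added example, not from the thread or any Microsoft/Cisco tool: it runs over a constructed, simplified rule list (not real PIX syntax) and reports whether both TCP 1723 and IP protocol 47 (GRE) are permitted, flagging rules that opened "port 47" on TCP/UDP by mistake.

```python
from typing import Dict, List, Optional, Union

# IANA protocol numbers for the names this checker understands.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "gre": 47}

Rule = Dict[str, Union[str, int]]

def proto_number(proto: Union[str, int]) -> int:
    """Normalise a protocol given as a name ("tcp") or number (47) to its number."""
    if isinstance(proto, int):
        return proto
    return PROTO_NUMBERS[str(proto).lower()]

def permits(rule: Rule, proto: int, port: Optional[int]) -> bool:
    """Does this permit rule match the protocol and, for TCP/UDP, the port?"""
    if rule.get("action", "permit") != "permit":
        return False
    if proto_number(rule["proto"]) != proto:
        return False
    return port is None or rule.get("port") == port

def pptp_requirements_missing(rules: List[Rule]) -> List[str]:
    """List the PPTP pass-through requirements the rule set fails to meet."""
    missing = []
    if not any(permits(r, 6, 1723) for r in rules):
        missing.append("TCP 1723 (PPTP control connection)")
    if not any(permits(r, 47, None) for r in rules):
        missing.append("IP protocol 47 (GRE, carries the tunnelled PPP data)")
    return missing

def port_47_mistakes(rules: List[Rule]) -> List[Rule]:
    """Flag rules that opened *port* 47 on TCP or UDP, which is not GRE."""
    return [r for r in rules
            if r.get("port") == 47 and proto_number(r["proto"]) in (6, 17)]

# Constructed rule sets in a simplified form, not real PIX syntax.
WRONG_RULES: List[Rule] = [{"proto": "tcp", "port": 1723},
                           {"proto": "tcp", "port": 47}]   # common mistake
RIGHT_RULES: List[Rule] = [{"proto": "tcp", "port": 1723},
                           {"proto": 47}]                  # GRE as a protocol

if __name__ == "__main__":
    print("wrong:", pptp_requirements_missing(WRONG_RULES), port_47_mistakes(WRONG_RULES))
    print("right:", pptp_requirements_missing(RIGHT_RULES) or ["ok"])
```

A rule set that passes this check still depends on the firewall doing NAT for GRE correctly, which the thread's "hangs at verifying username and password" symptom is typical of when it does not.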
  17. Guest

    Well, the one NIC is attached to a switch, which is attached to a Cisco
    router and firewall. So in essence it IS attached to the internet. So I need
    to accept connections on the same adapter that is connected to the LAN. It
    works, but I want to make sure of the config. Can someone elaborate? And
    also, what about port 47?


     
    Guest, Apr 2, 2004
    #17
  18. The internal card is used because that is the one we pull the rest of the
    information from (WINS address, DNS settings). So whatever settings you
    want the RAS client to get should be set on the internal adapter
    configuration.
     
    Matthew [MSFT], Apr 2, 2004
    #18
  19. Everything depends on your particular environment in regards to how many
    Network cards you need. If the server is not connected directly to the
    internet (ie. the server is behind a firewall), and the server is not
    configured to be a router (ie. routing between two subnets on your LAN), then
    you should only need one NIC.

    A DHCP relay agent is necessary to forward DHCP requests to the DHCP server.
    However, the RAS server automatically pulls addresses to hand out to the
    clients, so this should not be necessary. If you choose to use a Static
    pool instead of using DHCP, then DHCP is not used at all (just make sure
    your static pool does not contain addresses in the scope).

    FYI - One thing to keep in mind when setting up a VPN server with only one
    NIC, when you choose the VPN option in the wizard you may end up placing
    static packet filters on the NIC. This blocks all traffic besides PPTP VPN
    traffic. If you find you cannot connect to the server from internal
    clients, check the filters and delete them. These are added to protect
    cards that are enabled directly on the internet.

    Let me know if this helps.

    -Matt

    --
    [This posting is provided AS IS
    with no warranties, and confers
    no rights.]
     
    Matthew [MSFT], Apr 2, 2004
    #19
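Posts #6 and #19 together give two rules for a static RRAS address pool: it should sit inside the internal subnet (so no static routes are needed) and must not overlap the DHCP scope. The script below is an added example, not from the thread or from RRAS itself; the LAN subnet, DHCP scope and pools are constructed sample values.

```python
from ipaddress import IPv4Address, IPv4Network
from typing import List, Tuple

Range = Tuple[IPv4Address, IPv4Address]

def addr_range(start: str, end: str) -> Range:
    """Parse an inclusive start/end pair and make sure it is ordered."""
    lo, hi = IPv4Address(start), IPv4Address(end)
    if hi < lo:
        raise ValueError(f"range {start}-{end} is reversed")
    return lo, hi

def range_within_network(rng: Range, network: IPv4Network) -> bool:
    """True when the whole pool lies inside the LAN subnet, so VPN clients are
    on-subnet and internal hosts need no static route back (post #6)."""
    return rng[0] in network and rng[1] in network

def ranges_overlap(a: Range, b: Range) -> bool:
    """Inclusive overlap test for the 'pool must not contain addresses in the
    DHCP scope' rule from post #19."""
    return a[0] <= b[1] and b[0] <= a[1]

def check_static_pool(lan: str, dhcp_scope: Tuple[str, str],
                      pool: Tuple[str, str]) -> List[str]:
    """Return findings for a proposed RRAS static pool; [] means acceptable."""
    network = IPv4Network(lan)
    scope, rng = addr_range(*dhcp_scope), addr_range(*pool)
    findings = []
    if not range_within_network(rng, network):
        findings.append("pool leaves the LAN subnet: internal hosts need a "
                        "route back via the RAS server")
    if ranges_overlap(rng, scope):
        findings.append("pool overlaps the DHCP scope: duplicate addresses possible")
    # The subnet's network and broadcast addresses must never be handed out.
    for special in (network.network_address, network.broadcast_address):
        if rng[0] <= special <= rng[1]:
            findings.append(f"pool includes reserved address {special}")
    return findings

# Constructed sample: a /24 LAN, DHCP hands out .100-.199, RRAS gets .200-.219.
LAN = "192.168.10.0/24"
DHCP_SCOPE = ("192.168.10.100", "192.168.10.199")
GOOD_POOL = ("192.168.10.200", "192.168.10.219")
BAD_POOL = ("192.168.10.150", "192.168.11.10")  # overlaps scope, leaves subnet

if __name__ == "__main__":
    for name, pool in (("good", GOOD_POOL), ("bad", BAD_POOL)):
        print(name, check_static_pool(LAN, DHCP_SCOPE, pool) or ["ok"])
```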
  20. Guest

    Sounds good. And I didn't choose the "VPN server" option in the setup wizard;
    I chose "remote access server". I hope that doesn't create any filters? My
    problem still exists where the connection hangs at "verifying username and
    password"... I also see nothing in the logs (as I have on other machines
    with this config) so I believe the firewall is blocking something. Let me
    pose this to you: the Cisco router has a constant tunnel connected via
    VPN to a remote office in Chicago. Would that connection be using port 47
    (GRE)? If it is, maybe that's stopping my VPN server from functioning
    properly? Any thoughts?


     
    Guest, Apr 2, 2004
    #20