weird VPN problems

hhameed
Hi

Users are reporting that they can connect to our company VPN without any problem but cannot access another computer or a shared network drive.

I go in and manually type in DNS servers, and that allows the user access to the shared drive, but only sometimes. Other times I have had to recreate the VPN connection and toggle "use default gateway on remote network", but there does not seem to be a consistent answer to this problem.

Any suggestions would be greatly appreciated.

We are running Microsoft Small Business Server 2003. Clients are a mixture of Windows XP SP3 and Windows 7.

Thanks
H.

*edit
Another thing I have noticed is that once connected to the VPN, if I ping another computer on the network I will get one reply back and the rest get lost. If I ping the same computer again, all packets are lost.
    0 Votes
    robo_dev

    As defined by the RFC, Kerberos uses UDP for authentication. And Windows, of course, uses Kerberos for AD authentication.

    Over a VPN, issues like latency and MTU sizes can cause UDP packets to get out of order, and UDP has no method to fix this.

    You can change the registry of a Workstation so it uses TCP for Kerberos, which helps to ensure that the Active Directory authentication does not fail at random times, since TCP has a mechanism to deal with packet fragmentation and loss.

    http://support.microsoft.com/kb/244474

    If you are getting inconsistent ping replies, then perhaps you need a static route at some part of the connection?

    Of course, some VPN devices allow split tunneling, and some do not. Split tunneling is a big security risk, and normally it is not allowed. I believe that there may be cases where a VPN-connected workstation may be doing things that look like split tunneling; therefore the workstation VPN client software may be blocking that traffic.

    0 Votes
    Sue T

    And what version of the VPN client are you using? Have you tried turning off the firewall on any of the client computers to rule that out? Are you using Cisco or something else?

    0 Votes
    hhameed

    Thanks for the replies, Robo_Dev and Sue T. I seem to have fixed it.
    I downloaded and ran the SBS 2003 Best Practices Analyzer, and it told me that EDNS should be turned off for SBS 2003.

    (EDNS0 as defined in RFC 2671)
    Server 2003's DNS server has a new capability: it can handle UDP packets greater than 512 bytes. Unfortunately some firewalls cannot pass these packets, so it is desirable to have the DNS server fall back to TCP in this case, as it used to do in previous versions of NT DNS.
    To turn off the EDNS-0 feature run this from a command prompt:
    dnscmd /Config /EnableEDnsProbes 0
    Once you run this your W2K3 DNS server will never advertise its EDNS capabilities and so will never receive a UDP packet > 512 bytes.

    I did this and restarted the DNS server. I still had problems until I restarted the RRAS service. I am able to log on to the VPN and access shares and other computers without any problems now, and they seem consistent.

    I am still unsure what exactly went wrong and what exactly fixed the problem.

    Thanks again!
    H.

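As an added example (not from the thread, Microsoft, or the SBS tooling), here is a small Python probe that builds a DNS query with or without an EDNS0 OPT record (RFC 2671) and reads back the reply's TC bit and advertised UDP payload size, so an admin on a VPN client can check whether the server still advertises EDNS after the `dnscmd` change and whether large answers are being truncated and handed over to TCP; the server address and query name are placeholders you supply.

```python
# Added diagnostic example, not the thread's own code. Builds raw DNS messages
# with struct so it runs with the standard library only.
import socket
import struct

def build_query(name, qid=0x1234, edns_payload=None):
    """Wire-format A query for `name`; appends an OPT RR if edns_payload is set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_payload else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b""
    if edns_payload:  # OPT pseudo-RR (RFC 2671): root name, TYPE=41, CLASS=UDP size
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_payload, 0, 0)  # TTL=0, RDLEN=0
    return header + question + opt

def skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def inspect_response(data):
    """Return (truncated, advertised_udp_size) for a DNS message in wire format."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # skip QTYPE + QCLASS
    udp_size = None
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 41:  # OPT: the CLASS field carries the sender's UDP payload size
            udp_size = rclass
        off += 10 + rdlen
    # TC bit set means the answer did not fit in UDP and the client must retry over TCP
    return bool(flags & 0x0200), udp_size

def probe(server, name="example.com", edns_payload=4096, timeout=2.0):
    """Send one UDP query to `server` (assumed reachable on port 53) and inspect the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name, edns_payload=edns_payload), (server, 53))
    data, _ = sock.recvfrom(65535)
    sock.close()
    return inspect_response(data)
```

A reply with TC=1 means the server is directing the client to retry over TCP, which is the fallback the post describes; a large UDP reply that a firewall silently drops shows up here as a socket timeout rather than a parsed response.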