Server 2012 R2 RRAS NAT VPN connectivity issues

Similar Messages

• Just FYI, new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide

  New! Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
  This new guide is available on the Web at
  http://technet.microsoft.com/en-us/library/dn641937.aspx. It is also available for download in Word format at TechNet Gallery at
  http://gallery.technet.microsoft.com/Windows-Server-2012-R2-37eb8e17
  If you work for a Cloud Service Provider (CSP) or an organization that's planning on deploying cloud technologies, you might be interested in the new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide.
  You may already know that in Windows Server® 2012 R2, the Remote Access server role includes the Routing and Remote Access Service (RRAS) role service. (It also includes DirectAccess and Web Application Proxy, however those role services will not be discussed
  in this article.)
  The new deployment guide demonstrates how to use Windows PowerShell to deploy RRAS as a virtual machine (VM)-based multitenant software gateway and Border Gateway Protocol (BGP) router that allows CSPs and Enterprises to enable datacenter and cloud network
  traffic routing between virtual and physical networks, including the Internet.
  You can use the gateway with VM networks by using either Hyper-V Network Virtualization or Virtual Local Area Networks (VLANs) - but using Network Virtualization is recommended due to VLAN limitations such as difficult management and a limited number of
  available VLAN IDs.
  If you're using System Center Virtual Machine Manager (SC VMM), you can use SC VMM to deploy Windows Server Gateway; however even if you are using SC VMM, you can manage the gateway with the same Windows PowerShell commands that are used for the RRAS Multitenant
  Gateway. (Some Windows Server Gateway features are configurable only with Windows PowerShell.)
  For information on deploying Windows Server Gateway with SCVMM, see the Test Lab Guide: Windows Server 2012 R2 Hyper-V Network Virtualization with System Center 2012 R2 VMM, at
  http://www.microsoft.com/download/details.aspx?id=39284
  With the RRAS Multitenant Gateway, you can create site-to-site VPN connections between your tenants' physical locations and your cloud datacenter. You can also provide tenants with point-to-site VPN connections that allow tenant Administrators to access
  and manage their VM resources from anywhere. The RRAS Multitenant Gateway also allows you to configure Network Address Translation (NAT), so that tenant VMs can access the Internet, and you can deploy dynamic routing by configuring the gateway and tenant gateways
  with BGP.
  Thanks -
  James McIllece

  Hi,
  It is very useful , thanks for your sharing .
  Best Regards
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Server 2012 R2 RRAS Multitenant Gateway GUI

  "The new RRAS Multitenant Gateway Deployment Guide demonstrates how to use Windows PowerShell to deploy RRAS as a virtual machine (VM)-based multitenant software gateway and Border Gateway Protocol (BGP) router that allows CSPs and Enterprises to enable
  datacenter and cloud network traffic routing between virtual and physical networks, including the Internet." I have server 2012 R2 installed on a vm with Remote Access server role  and Routing and Remote Access Service (RRAS) role  installed
  how do I configure this for NAT? (I did find a powershell script but I want to do this through the ui) without SCVMM.
  Peplink Balance 210 dual wan router (Bell and Cogeco)
  2 ProLiant physical servers
  2 Nics per server
  5 static ips
  2 Virtual Switches
  Server 2012 R2 host
  Server 2012 R2 Essentials (Domain 1)
  Server 2012 R2 Essentials (Domain 2)
  Server 2012 R2 (Domain 3)
  http://technet.microsoft.com/en-us/library/dn641923.aspx
  New! Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
  http://blogs.technet.com/b/wsnetdoc/archive/2014/03/26/new-windows-server-2012-r2-rras-multitenant-gateway-deployment-guide.aspx
  Multitenant security and isolation with Hyper 2012
  http://blog.marcosnogueira.org/multitenant-security-and-isolation-with-hyper-2012/
  Here is the situation I have a client that operates 3 small companies out of one location he has a generator plus great physical security and relatively new network cabling I plan to create a couple of vlans on the peplink. I decided to go with server 2012
  essentials (he wants to use RWA) all of the vm’s will be under a very light load on the first server with 1 server to test backups and 2 IO safe drives.
  Diagram
  http://i61.tinypic.com/rct0ti.png
  Thanks in Advance.

  Hi,
  Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration.
  Don't hesitate to try your hand at it.
  Here are some articles about PowerShell,
  Using Windows PowerShell
  http://technet.microsoft.com/en-us/library/dn425048.aspx
  PowerShell
  http://technet.microsoft.com/en-us/library/ff950685.aspx
  Hope this helps.
  Steven Lee
  TechNet Community Support

• Can I move a Virtual Domain Controller from one host(Win Server 2008 R2) to another (Win Server 2012 R2) ? Are there any issues?

  Can I move a Virtual Domain Controller from one host(Win Server 2008 R2) to another (Win Server 2012 R2) ? Are there any issues?

  I also had this error: "Setup cannot continue. Your computer will now restart, and your previous version of Windows will be restored."
  trying to do a in-place upgrade of a Domain Controller Windows 2008 R2 to Windows 2012 R2.
  The problem was the separated System Reserved Partition. After I removed using this instructions:
  http://jacobackerman.blogspot.com/2012/12/how-to-remove-system-reserved-partition.html
  The upgrade ran ok, and now have my DC as Windows 2012 R2.
  Hope that helps!.

• ASA 5505 vpn connection issues

  Hello I am having some issues with getting my vpn connection working on a new site. I get no internet connection when hooking up the asa. My current config is below. I have included a packet trace from my remote site to my main site. Any help would be appriciated, I am not very experanced in coniguring the devices.
  hostname ciscoasa
  domain-name .com
  enable password w3iW.W8jLtqmhFnt encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
   nameif inside
   security-level 100
   ip address 10.10.10.1 255.255.255.0
  interface Vlan2
   nameif outside
   security-level 0
   ip address 72.xxx.xx.xx 255.255.255.0
  interface Ethernet0/0
   switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  ftp mode passive
  dns server-group DefaultDNS
   domain-name .com
  access-list NONATACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.2
  55.255.0
  access-list VPNACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255
  .255.0
  access-list OUTSIDEACL extended permit icmp any any
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/flash
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list NONATACL
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group OUTSIDEACL in interface outside
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 inside
  http 10.10.10.1 255.255.255.255 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESPDESMD5 esp-des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map VPNMAP 13 match address VPNACL
  crypto map VPNMAP 13 set peer 68.xx.xxx.xxx
  crypto map VPNMAP 13 set transform-set ESPDESMD5
  crypto map VPNMAP interface outside
  crypto isakmp identity address
  crypto isakmp enable outside
  crypto isakmp policy 13
   authentication pre-share
   encryption des
   hash md5
   group 2
   lifetime 86400
  telnet 10.10.10.0 255.255.255.0 inside
  telnet 192.1.1.0 255.255.255.0 outside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  dhcpd dns 192.1.1.6 192.1.1.4
  dhcpd wins 192.1.1.6 192.1.1.4
  dhcpd ping_timeout 750
  dhcpd domain .com
  dhcpd auto_config outside
  dhcpd address 10.10.10.10-10.10.10.40 inside
  dhcpd enable inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  tunnel-group 76.xxx.xxx.xx type ipsec-l2l
  tunnel-group 76.xxx.xxx.xx ipsec-attributes
   pre-shared-key *
  tunnel-group 68.xx.xxx.xxx type ipsec-l2l
  tunnel-group 68.xx.xxx.xxx ipsec-attributes
   pre-shared-key *
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:229af8a14b475d91b876176163124158
  : end
  ciscoasa(config)#reciated

  Hello Belnet,
  What do the logs show from the ASA.
  Can you post them ??
  Any other question..Sure..Just remember to rate all of the community answers.
  Julio

• Server 2012 Built-In IPSec VPN & RAS & HyperV-Switch & Netgear Pro Safe Router, Tunnel Ok, but no Traffic

  Hello,
  i try to setup a IPSEC VPN (Site-by-Site or if not possible Client-BySite) between a Netgear Pro Safe Router and Windows Server 2012.
  The Problem: Tunnel is up and running, but no Ping, no traffic at all.
  the Server 2012 uses HyperV and has one hardware-NIC with public ip, lets say 123.123.123.1.
  if no site-by-site is possible in my situation with built-in-tools this server would be only a client-site which would "dial-up" to the netgear box.
  the server has a second virtual NIC with IP 192.168.137.1. Routing and RAS is enabled, because there are two virtual other servers whichs has 192.168.137.2 and 192.168.137.3.
  The Netgear-ProSafe has public ip 122.122.122.1 and LAN-Subnet 192.168.21.0/24.
  I created the Tunnel in the Advanced-Firewall-Options-Window. Both, Windows and the Router, say, the VPN-Tunnel is okay. Also, i can see ESP-Packets with wireshark.
  If i ping (from router to server and other direction) i get no response. Some people said, the RAS itselfe could not accept packages, but i tried from one of the virtual clients also (192.168.137.2) and no ping there also.
  i tried to add a route for subnet 192.168.21.0 with 192.168.137.1 as gateway but that didn't helped also.
  now, after all this time i spend today to this problem i'm a bit confused.
  as i know vpn-connections there are always virtual devices, and routes for the vpn-subnets assigned to this device.
  the windows firewall does not create any device, and it does not create any route - i suppose, this is because "routing and ras or windows firewall-service" does this work "internally". is that correct? do i need any routes?
  i was wondering why the ICMP packet from my ping in wireshark had the public ip as source (123.123.123.1) and not the "internal" 192.168.137.1 - and i tried to restrict the vpn-rule only for the virtual internal NIC but this isn't possible, as
  it is no option inside the gui.
  it would be great if somebody could explain me how config and packages SHOULD look....i've never used the built-in vpn/ipsec/ras services before, so i don't know how things has to be for a correct working environment. also, i need a solution and any help
  to solve the problem would be great also!
  now i try to sleep one night - maybe i get some nice idea after some hours of sleeping. good night.
  Addition: After some more tests i find out that if i change the local endpoint (endpoint 1) from the virtual network (192.168.137.0/24) to the public ip of the server (123.123.123.1) inside the tunnel-rule and inside the vpn-policy of the router i can access
  the netgear and other devices in the remote-network 192.168.21.0 over this ip-adresses. ping is not working, but other things seems to work fine. i want to be able to ping as well ofcourse and this wired configuration looks wrong to me...can some network-professional
  help out with an explanation?
  Second Addition: I can set the Local Endpoint also to "any" and it does work - but ping still does not work :-(
  Third Addition: The Ping does work if i disable the NAT-Functionality on the Physical NIC. ....mhm.....

  I would definitly recommend the usage of a virtual router instead using windows onboard-firewall to make the site-to-site tunnel!
  as you can see in my linked thread above (Link)
  this scenario is not supported from microsoft! you will run into problems!
  we do run a hyperv virtual machine and install the wonderful distribution pfsense inside this box. pfsense is a software-linux-router with ipsec-functionality, which works like a charm!
  and by the way i recommend to not use the products of netgear! they are expensive, very slow and the service is not good!
  we have good experience with Vigor-Routers! They are less expensive, the Service is very good, and the devices are much faster, AND! ...the vpn-connections stay stable up!
  this experience was very time-intensive to make! hope this will help someone else in the future.

• Windows Server 2008 R2 RRAS NAT Security Concerns

  Recently we are deploying Windows Server 2008 R2 as the NAT gateway of our private network. During the testing, we found that the RRAS was doing its job as the NAT gateway,
  however it seemed that hosts in the private network were allowed to access any listening port opened on the server side (2008 R2). In the normal scenario, the server side will have the process "wininit.exe" running and listening on the TCP port 49152.
  We confirmed that all hosts in the private network were be able to connect to TCP port 49152 opened on the server (connecting by using the NAT's public IP), which introduced lots of security concerns and made us nervous. Since the server is acting as a NAT,
  IP packets sent by hosts in the private network will be translated and forwarded as if it is generated by the NAT server itself. Thus, the windows firewall will not block the connection at all while dealing with "local" traffic, which actually is
  the traffic from the host in the private network.
  What we need is a mechanism that can block the hosts in the private network to access the TCP/UDP ports opened on the NAT server side. Since the NAT server has it IP on
  the public network assigned dynamically (DHCP), static IP filtering on the private NIC does not fit our needs (Or probably we may use some hidden but advanced filter settings?). Which policy or setting should be used in our case?

  Hi Daniel,
  I am aware of what you are suggesting. Actually I have active the windows firewall to protect the server.
  Suppose I have a network configuration as follows:
  Private Network: 192.168.149.0 / 255.255.255.0 (Private NIC on server side IP:192.168.149.1)
  --------------Windows 2008 R2 RRAS NAT--------------------
  Public Network: 10.1.0.0 / 255.255.255.0 (Public NIC on server side IP:10.1.0.100 )
  The problem is that while the windows firewall is effectively protecting my server by filtering inbound traffic from the public network, the windows firewall will not filter the traffic from
  192.168.149.0 /255.255.255.0  to  10.1.0.100 (NAT's public IP)
  The reason is that the TCP/UDP connection from the private network (192.168.149.0 / 255.255.255.0) to any other networks will be NATed. Suppose TCP connection from
  192.168.149.23:50000 -> 10.1.0.100:1023
  It will be translated by NAT and becomes
  192.168.149.23:50000 <-NAT-> 10.1.0.100:60100 -> 10.1.0.100:1023
  From the windows firewall's point of view, the connection is essentially a 'local' TCP connection and should be allowed regardless of any inbound filtering rules. So vulnerability is introduced. After some research, we are almost sure that the windows firewall
  does not filter local traffic. Also, we are not able to guarantee any firewalls on the client side to be installed, since the nature of a NAT server is to provide such network access ability to clients and should not require the client side to change its configuration.
  I do think it is a common security concern in lots of enterprise networks where Windows Servers are deployed as NAT servers. Would you mind help us address this issue and give us some advice about best-practices related?
  Thank you

• Puzzler... Cant access RRAS with VPN connected client

  I have a series of 4 VMs running server 2012 r2;
  dc- my domain and wsus server
  rds- my remote desktop server for remoteapps, RRAS for connecting to VPN
  sql- sql server for database needed for one of the apps published
  av- hosts kaspersky and manages backups
  So, I have a VPN set up through RRAS and am connecting with it and all is well.  I can ping every computer on the network EXCEPT the rds server.  I can ping from the rds server to the vpn client.
  I am trying to use a remote app over the vpn but the remote app is unable to reach the rds server. 
  Does something have to be setup manually to loopback traffic to the rds server when it is coming in on the same server through RRAS?
  Any insight would be appreciated!
  Matt

  Hi,
  According to your description, my understanding is that rds installed RRAS and configured it as VPN server, VPN client successfully ping internal clients, but failed to ping the VPN server.
  Are there 2 NICs on the VPN server? One connects to internal and another connects to external?
  In general, a ping packet is sent by the client from its own IP address to the external IP address of VPN server, it will be unpacked once the VPN server receives it, and the VPN server will dispatch this pack due to the internal IP address. So, if this
  packet is sent to the VPN server, when it unpack the packet and find it is sent to itself, the VPN server should reply to this packet.
  You may try to turn off firewall/anti-virus software temporally, and then check to see if it can successfully ping. Besides, use a monitoring tool(Network Monitor, Wireshark ) to
  capture packets on both client and VPN server, check to see if the packets are sent/answered to the correctly destination.
  Best Regards,
  Eve Wang
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• X-Serve freezes after Windows XP VPN connection

  Running OS X Server 10.4.11 and having a problem with a L2TP VPN (Preshared Key) connection from a Windows client. The Windows Client is behind a NAT Router and the XP Registry is patched for NAT Traversal (Informations found in Microsoft KB). This Windows Client can successfully connect to our company OSX Server trough L2TP VPN , Browse the Intranet Webpages, opening Filemaker 6 Databases.
  Our configuration:
  Win XP Client --->NAT Router--->---L2TP VPN over ADSL--->Router(pub.IP) --->Sonic Firewall Pro 100 --->OSX Server (VPN Service)
  Only browsing the User Directory and others on a Server Volume via SMB causes the server to freeze (become unresponsive). Every AFP Connection disconnects. It forces me to do a hard reboot.
  Connecting with a OSX 10.4.11 Client from the same Location is fully functioning and connects without issues on the Server.
  Is there something I might be overlooking in the Windows XP client configuration, or something I need to change on the server side? Anyone else having this issue?
  Message was edited by: Marcel J.

  Does the OS X Server use a private IP number?
  I know you can connect from XP if the OS X server isn't behind NAT without any registry hacks.
  Otherwise I seriously doubt it works.
  http://www.jacco2.dds.nl/networking/openswan-macosx.htm
  "Apple's NAT-T version does not interoperate with other IPsec implementations unless they specifically support this Mac OS X quirk. Apple's Mac OS X Server is one of these implementations"
  OK, I haven't tried it recently.

• Cisco ASA 5505 Remote Access IP/Sec VPN Connectivity Issues

  We have a Cisco ASA that we use just for Remote Access VPN. It uses UDP and was working fine for about 2 months. Recently clients have had intermittent issues when connecting from home. The following message is display by the Cisco VPN Client :
  "Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding"
  Upon looking at a client side packet capture, I notice that no response is being given back to the client for the udp packets sent to the ASA on udp 500. If I login to the ASA from the LAN and send a single ping FROM the ASA, then the client can connect without issue. I don't understand the significance of the needed outbound ping since ping is not used by the client to test if the ASA is alive.
  Once again this is a remote access udp ip/sec VPN. I set most of it up with the VPN wizard and then backed up the config. The issue started happening at least a month after setup (maybe two) and I restored to the saved config just in-case, but the issue remains.
  Any insight would be greatly appreciated.
  I'm using IOS 831 and have tried 821 and 823 as one thread that I found recommended downgraded to 821.
  Thanks much,
  Justin

  Javier,
  I logged into the ASA last time the VPN went down. I issued the following commands:
  debug crypto isakmp 190
  debug crypto ipsec 190
  capture outside-cap interface outside match udp any any
  I then used a remote access tool to access the client and tried to connect. I got absolutely nothing from debugging. So I issued the following command:
  show capture outside | include 500
  and also got nothing. So I issued the following command:
  ping 4.2.2.2
  Upon which my normal deug messaged began to showup, so I issued the show capture outside command again and recieved the expected output below:
     1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 868
     2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 444
     3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 172
     4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
     5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
     6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
     7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 60
     8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 204
     9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
    10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 252
    11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 868
    12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 444
    13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 172
    14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
    15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
    16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
    17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
    18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 204
    19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 252
    20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 1036
    21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
    22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 188
    23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
    34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
    35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
    70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 100
  174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 500
  377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000:  udp 100    1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 868
     2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 444
     3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 172
     4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
     5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
     6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 76
     7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 60
     8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 204
     9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500:  udp 92
    10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151:  udp 252
    11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 868
    12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 444
    13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 172
    14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
    15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
    16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 76
    17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
    18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 204
    19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 252
    20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 1036
    21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
    22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 188
    23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 60
    34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500:  udp 92
    35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155:  udp 92
    70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 100
  174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000:  udp 500
  377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000:  udp 100
  It would seem as if no traffic reached the ASA until some outbound traffic to an arbitrary public IP. In this case I sent an echo request to a public DNS server. It seems almost like a state-table issue although I don't know how ICMP ties in.
  Once again, any insight would be greatly appreciated.
  Thanks,
  Justin

• Server 2012: Remote desktop licence manager not issuing licences

  Hi,
  I am battling with an problem which i cannot seem to resolve and no other forums actually come to a conclusion on how to resolve this problem!
  I have a windows server 2012 server which is NOT part of a domain.
  I have installed Remote Desktop Services and also installed the Remote Desktop License manager and i just cannot get the license manager to issue cals when users connect remotely via RDP
  I have installed an extra two CAL's and tried using them as both a "Per User" and also "Per Device" but still does not work.
  I have now run out of my grace period and cannot connect to the server at all
  I have also tried changing some gpo's with no luck, 
  Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing
  "Use the specified RD license servers" = myservername
  "Set the Remote Desktop licensing mode" = Per User
  How can i fix this?
  Thanks

  Hi,
  Thank you for posting in Windows Server Forum.
  Have you seen that you have activated RDS License server before installing CAL?
  Please check that the License Server should be part of ‘Terminal Server License’ group in Active Directory Domain Services. You can also configure RD License server manually by powershell commmand. Please check below article for information.
  RD Licensing Configuration on Windows Server 2012
  http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx
  In addition, please install below Hotfix and verify the result.
  No RDS license when you connect to an RDS farm in Windows Server 2012
  http://support.microsoft.com/kb/2916846
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• IPad2, Verizon 3G, VPN Connectivity Issues

  Greetings all. I am the systems administrator for my corporation and have seen an issue that I wish to present to the community for discussion.
  For those enterprise users that have an iPad2 with Verizons 3G, are you experiencing connectivity issues while trying to connect to your VPNs from the 3G network? If so, have you found any work around to allow connectivity or does it work fine for you?
  Here's a summary of my issues:
  We have a VPN server built on Debian Linux that has been in operation for over four years. It handles remote VPN connections from Windows, Linux,  Android, OS X, iOS, and from many different devices including multiple flavors of Apple products (iMacs, Minis, MacBooks, iPads, etc.). To date, it has performed flawlessly with assorted devices connecting to it through broadband and assorted 3G networks.
  Recently I purchased an iPad2 with Verizon 3G. I was able to set up the VPN connection using PPTP and connect using a Wi-Fi connection. When I turned off the Wi-Fi and attempted the same connection via Verizon 3G, it fails. I then took an associates iPad1 using AT&T 3G, set up the same connection, and was able to connect. I don't have access to an iPad2 on AT&T 3G so, I can't speak for that.
  Here's the logs from the VPN server while connecting from my iPad2:
  Wi-Fi
  Jul 27 05:20:43 localhost pppd[31694]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
  Jul 27 05:20:43 localhost pppd[31694]: pptpd-logwtmp: $Version$
  Jul 27 05:20:43 localhost pppd[31694]: pppd 2.4.4 started by root, uid 0
  Jul 27 05:20:43 localhost pppd[31694]: Using interface ppp2
  Jul 27 05:20:43 localhost pppd[31694]: Connect: ppp2 <--> /dev/pts/4
  Jul 27 05:20:46 localhost pppd[31694]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
  Jul 27 05:20:46 localhost pppd[31694]: found interface eth1 for proxy arp
  Jul 27 05:20:46 localhost pppd[31694]: local  IP address 192.168.1.69
  Jul 27 05:20:46 localhost pppd[31694]: remote IP address 192.168.1.82
  Jul 27 05:20:46 localhost pppd[31694]: pptpd-logwtmp.so ip-up ppp2 scott XXX.XXX.XXX.XXX (removed external IP for security reasons)
  Quick connect, able to utilize VPN connection normally. No issues.
  Verizon 3G
  Jul 27 05:20:29 localhost pppd[31682]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
  Jul 27 05:20:29 localhost pppd[31682]: pptpd-logwtmp: $Version$
  Jul 27 05:20:29 localhost pppd[31682]: pppd 2.4.4 started by root, uid 0
  Jul 27 05:20:29 localhost pppd[31682]: Using interface ppp2
  Jul 27 05:20:29 localhost pppd[31682]: Connect: ppp2 <--> /dev/pts/4
  Jul 27 05:20:32 localhost pppd[31682]: peer refused to authenticate: terminating link
  Jul 27 05:20:33 localhost pppd[31682]: Connection terminated.
  Jul 27 05:20:33 localhost pppd[31682]: Exit.
  As you can see, the peer refuses to authenticate causing the link to be terminated while attempting to connect using Verizons network. This is with the same VPN connection settings on the iPad2 that just worked with WiFi connection from the same device.
  Here's what I can verify with regards to 3G networks:
  Older (<4) iPhones and iPad1 using AT&T can connect
  Windows and OS X based laptops using Sprint 3G can connect
  Android based smart phones using Sprint 3G can connect
  I have not called Verizon or Apple Support yet but, that's next when I have the time. My initial conclusion is that there is something with Verizons 3G services that is causing the issue. It may be that Verizon is using some sort of data compression process that is problematic with VPN transmission. While the log shows an unsupported IPv6 protocol when connecting via Wi-Fi, it still negotiates a successful connection and I don't think that's the root cause for the disconnect. Thoughts?

  Hi Alexander,
  I am running in to the exact same issue (although not with Linux).  Did you ever find a fix for this?  I have some support tickets open with my VAR's, but found your post and thought I would check.  If I find anything I will post.
  Thanks
  Stu

• Windows Server 2012 Pooled Virtual Desktop collection GetVMstate issue

  I am trying to create a Pooled Desktop collection with my Powered off VM and it errors out The
  virtual desktop must be in a stopped state:  Could not identify the state of the virtual desktop.  Ensure that the RD virtualisation host server is available on the network and the virtual desktop is shut down
  In the debug logs it shows.
  Component RdmsModel: GetVMstate for Vm Win7_BaseVM failed with error 16386
  Component RDExceptionHandler: Could not identify the state of the virtual desktop. Ensure that the RD Virtualization Host server sunflower-1.HYPERQA.NUTANIX.COM is available on the network and that the virtual
  desktop Win7VMSF is shut down.
  Please help on resolving this GetVMState issue.

  Hi Krishna,
  Thank you for posting in Windows Server Forum.
  When you are configuring RDVH initially, please see that you have meet prerequisites. Remember that you need these pre-requirements:
  • Database based on SQL Server 2008 R2
  • Static IP Address for all Broker
  • Round Robin DNS
  • All RD Broker must be members of AD Windows Group (es. RDCB Server Group)
  • The group must be insert into SQL Server as sysadmin ONLY for the DB creation. After that DB will be created give the db_owner permission only for their DB
  More information.
  Windows Server 2012 R2: Unable Add New VDI Template
  In addition, we need all RD Broker must have the same SQL Native Client as main SQL Server (es. SQL Server 2012 SP1). The Connection Broker server's computer account MUST be a member of the local administrators group on the Virtual Host (RDS Host) machine and
  then reboot the server. Finally check the result.
  Windows Server 2012 Virtual Desktop Template Issue
  Hope it helps!
  Thanks.
  Dharmesh Solanki

• Windows Server 2012 R2 - Hyper-V NIC Teaming Issue

  Hi All,
  I have cluster windows server 2012 R2 with hyper-v role installed. I have an issue with one of my windows 2012 R2 hyper-v host. 
  The virtual machine network adapter show status connected but it stop transmit data, so the vm that using that NIC cannot connect to external network.
  The virtual machine network adapter using Teamed NIC, with this configuration:
  Teaming Mode : Switch Independent
  Load Balance Algorithm : Hyper-V Port
  NIC Adapter : Broadcom 5720 Quad Port 1Gbps
  I already using the latest NIC driver from broadcom.
  I found a little trick for this issue by disable one of the teamed NIC, but it will happen again.
  Anyone have the same issue with me, and any workaround for this issue?
  Please Advise
  Thanks,

  Hi epenx,
  Thanks for the information .
  Best Regards,
  Elton Ji
  We
  are trying to better understand customer views on social support experience, so your participation in this
  interview project would be greatly appreciated if you have time.
  Thanks for helping make community forums a great place.

• Server 2012 DC behind NAT

  We have 2 sites, each with 2 domain controllers. The main site is with our servers in a hosted datacenter. We have an IPsec VPN tunnel setup between the sites, but the datacenter host does not add routes on their end for the tunnel. So the only way for servers
  at the DC to communicate with the local DCs is using NAT with their static subnet.
  I know this is not supported by MS. I found the following article, but only see it referenced for server 2003/8. I just wanted to verify this still works with server 2012 R2.
  http://blogs.technet.com/b/ad/archive/2009/04/22/dcs-and-network-address-translation.aspx

  I have configured NAT within AD and there would be no difference whether it be 2000, 2003, 2008 or 2012.  In my instance I have to, to have two seperate DNS instances on each side of the NAT and when computer objects are added on one side or the other
  I have to manually add them to keep them in sync.  Not the an elegant solution but it works just fine.
  To be honest I have no idea what your registry fix is about, I have never had to deal with it.
  Paul Bergson
  MVP - Directory Services
  MCITP: Enterprise Administrator
  MCTS, MCT, MCSE, MCSA, Security, BS CSci
  2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
  Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
  Please no e-mails, any questions should be posted in the NewsGroup.
  This posting is provided AS IS with no warranties, and confers no rights.
  The problem with that is the DC will overwrite static DNS entries when it tries to register it's IPs. I have tried adding the IP, but if you go and run 'ipconfig /registerdns' on the machine, it will erase the static entry.