Server 2012 R2 RRAS NAT VPN connectivity issues
Hello all,
I'm having trouble making IKEv2 connections to my VPN server from the Internet after changing my home lab network infrastructure to use Server 2012 R2 RRAS NAT routing. Despite all of the appearances of a proper configuration, it appears that NAT-T is not working properly.
Let me preface my questions/issues with some critical infrastructure disclosures/explanations to help troubleshoot this issue:
1. This is a home lab environment with no impact to corporate production systems in any way. All information garnered from help in this session is understood to be as-is.
2. The entire environment is on Server 2012 R2 Hyper-V. I've configured trunking on all of the layer 2 (Cisco Catalyst switch) etherchannels, and I've configured trunking on the Hyper-V vSwitches. I have no issue with internal routing or NAT or with attaching to VPN from an internal VLAN, which indicates that routing (Layer 3) is not at issue here since everything goes where it should.
3. The NAT server and the VPN server are two separate Windows Server 2012 R2 Std. Hyper-V VMs. The NAT server has 1 NAT uplink to/from my ISP and 5 router interfaces (NICs with no gateways specified). I have a static IP, so it's not an IP changing anywhere. I have all of the port forwarding on the public NAT interface configured properly. Email, web, and application access work fine from out-to-in. The VPN server has 2 NICs: one on a VPN VLAN and the other on an internal VLAN.
4. I ran Netmon from my corporate office and saw that IKEv2 traffic to my host over UDP 500 was successful (I got a response back), but the connection to UDP 4500 was attempted 3 times and then fails. Since UDP 4500 is the NAT-T port, I'm thinking this is where the fault is occurring. I also ran Netmon from the NAT router itself and found that traffic was flowing from the Internet to the VPN server up the stack to Layer 3.
5. As a test, I turned off Windows firewall on both the VPN server and the NAT server. This made no difference, so firewall is not at play here.
6. My certificates are configured properly with my external VPN address and appropriate SANs pointing to the public IP address. These same certificates worked without issue prior to the migration to Server 2012 R2 RRAS as my NAT router.
The actual error I'm receiving is Error 809, which indicates a problem with the connectivity to the VPN server, presumably through the NAT router. Prior to the change to virtual routing, I was using a Linksys E3000 with L2TP/PPTP passthrough enabled and had no issues connecting to my VPN server remotely.
Some questions I have specifically regarding Server 2012 R2 RRAS and NAT:
1. Is NAT-T "turned on" by default? Are there any settings required through netsh or elsewhere that I might have overlooked to enable NAT Traversal?
2. How can I test if NAT-T is working outside of VPN testing?
3. Is it Microsoft's recommendation/requirement that VPN and NAT be collocated on the same server? I noticed in the NAT forwarding rules that the pre-defined L2TP forwarder says "L2TP on this server." Does that indicate that L2TP can't pass beyond that server? What are the security implications for running VPN from the router?
Any help would be appreciated. I've been troubleshooting this issue for 2 weeks and cannot seem to find any documentation or help on this issue. I'm hoping if others have similar issues, this post will help point them in the right direction. I have Netmon captures to assist with troubleshooting if it comes to that. I'm certain this is NAT-T at this point, but I just can't prove it beyond a shadow of a doubt, and I have customers who have asked about using Microsoft RRAS for routing. I can't, in good conscience, recommend it if NAT-T is problematic since most companies want some sort of VPN solution for their environment.
Respectfully yours,
Ron Arestia
Hi Ron,
Please try to create and configure the AssumeUDPEncapsulationContextOnSendRule registry value.
For detailed information, please refer to the link below:
http://support.microsoft.com/kb/926179
Best Regards.
Steven Lee
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]
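One way to inspect and apply the registry change Steven Lee points to, written as an added example rather than anything from the thread or from KB 926179 itself: the value lives under the IPsec Policy Agent key, and the KB ties its absence (effective value 0) to exactly the Error 809 Ron reports when the VPN server sits behind a NAT. The choice of 2 below is an assumption for a client that is itself behind NAT (a corporate office) talking to a server behind the lab's RRAS NAT; use 1 when only the server is NAT'd.

```powershell
# Added example, not from the thread: check and set the NAT-T registry value
# described in KB 926179. Run in an elevated session on the Windows machine
# that makes the IKEv2/L2TP connection (the KB also applies it to a Windows
# VPN server that itself sits behind NAT). A reboot is required afterwards.

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$valueName = 'AssumeUDPEncapsulationContextOnSendRule'

# DWORD meanings per KB 926179:
#   0 - default: no IPsec security associations with a server behind NAT
#   1 - allow SAs when the server is behind NAT
#   2 - allow SAs when both the client and the server are behind NAT
# Assumption for this example: both ends are NAT'd, so 2 is chosen.
$desired = 2

function Get-NatTRule {
    # Returns the current DWORD, or $null when the value has never been
    # created (Windows then behaves as if it were 0).
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Set-NatTRule([int]$Value) {
    if ($Value -notin 0, 1, 2) {
        throw "Unsupported value $Value; KB 926179 defines only 0, 1 and 2."
    }
    # -Force creates the value if it is missing and overwrites it otherwise.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

$current = Get-NatTRule
if ($null -eq $current) {
    Write-Output "$valueName is not present (effective value 0)."
} else {
    Write-Output "$valueName is currently $current."
}

if ($current -ne $desired) {
    Set-NatTRule -Value $desired
    Write-Output "Set $valueName to $desired. Reboot so the IPsec service picks it up."
} else {
    Write-Output "Already set to $desired; nothing to change."
}
```

Because the value relaxes which peers the client will build IPsec SAs with, keep it at the lowest setting the topology actually needs and record it in your build documentation so it is not silently carried to hosts that are not behind NAT.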
Similar Messages
-
Just FYI, new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
New! Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
This new guide is available on the Web at
http://technet.microsoft.com/en-us/library/dn641937.aspx. It is also available for download in Word format at TechNet Gallery at
http://gallery.technet.microsoft.com/Windows-Server-2012-R2-37eb8e17
If you work for a Cloud Service Provider (CSP) or an organization that's planning on deploying cloud technologies, you might be interested in the new Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide.
You may already know that in Windows Server® 2012 R2, the Remote Access server role includes the Routing and Remote Access Service (RRAS) role service. (It also includes DirectAccess and Web Application Proxy; however, those role services will not be discussed in this article.)
The new deployment guide demonstrates how to use Windows PowerShell to deploy RRAS as a virtual machine (VM)-based multitenant software gateway and Border Gateway Protocol (BGP) router that allows CSPs and Enterprises to enable datacenter and cloud network traffic routing between virtual and physical networks, including the Internet.
You can use the gateway with VM networks by using either Hyper-V Network Virtualization or Virtual Local Area Networks (VLANs) - but using Network Virtualization is recommended due to VLAN limitations such as difficult management and a limited number of available VLAN IDs.
If you're using System Center Virtual Machine Manager (SC VMM), you can use SC VMM to deploy Windows Server Gateway; however, even if you are using SC VMM, you can manage the gateway with the same Windows PowerShell commands that are used for the RRAS Multitenant Gateway. (Some Windows Server Gateway features are configurable only with Windows PowerShell.)
For information on deploying Windows Server Gateway with SCVMM, see the Test Lab Guide: Windows Server 2012 R2 Hyper-V Network Virtualization with System Center 2012 R2 VMM, at
http://www.microsoft.com/download/details.aspx?id=39284
With the RRAS Multitenant Gateway, you can create site-to-site VPN connections between your tenants' physical locations and your cloud datacenter. You can also provide tenants with point-to-site VPN connections that allow tenant Administrators to access and manage their VM resources from anywhere. The RRAS Multitenant Gateway also allows you to configure Network Address Translation (NAT), so that tenant VMs can access the Internet, and you can deploy dynamic routing by configuring the gateway and tenant gateways with BGP.
Thanks -
James McIllece
Hi,
It is very useful, thanks for your sharing.
Best Regards
Elton Ji
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Server 2012 R2 RRAS Multitenant Gateway GUI
"The new RRAS Multitenant Gateway Deployment Guide demonstrates how to use Windows PowerShell to deploy RRAS as a virtual machine (VM)-based multitenant software gateway and Border Gateway Protocol (BGP) router that allows CSPs and Enterprises to enable datacenter and cloud network traffic routing between virtual and physical networks, including the Internet."
I have Server 2012 R2 installed on a VM with the Remote Access server role and the Routing and Remote Access Service (RRAS) role service installed. How do I configure this for NAT (I did find a PowerShell script, but I want to do this through the UI) without SCVMM?
Peplink Balance 210 dual wan router (Bell and Cogeco)
2 ProLiant physical servers
2 Nics per server
5 static ips
2 Virtual Switches
Server 2012 R2 host
Server 2012 R2 Essentials (Domain 1)
Server 2012 R2 Essentials (Domain 2)
Server 2012 R2 (Domain 3)
http://technet.microsoft.com/en-us/library/dn641923.aspx
New! Windows Server 2012 R2 RRAS Multitenant Gateway Deployment Guide
http://blogs.technet.com/b/wsnetdoc/archive/2014/03/26/new-windows-server-2012-r2-rras-multitenant-gateway-deployment-guide.aspx
Multitenant security and isolation with Hyper 2012
http://blog.marcosnogueira.org/multitenant-security-and-isolation-with-hyper-2012/
Here is the situation: I have a client that operates 3 small companies out of one location. He has a generator plus great physical security and relatively new network cabling. I plan to create a couple of VLANs on the Peplink. I decided to go with Server 2012 Essentials (he wants to use RWA). All of the VMs will be under a very light load on the first server, with 1 server to test backups and 2 IO safe drives.
Diagram
http://i61.tinypic.com/rct0ti.png
Thanks in Advance.
Hi,
Windows PowerShell is a task-based command-line shell and scripting language designed especially for system administration.
Don't hesitate to try your hand at it.
Here are some articles about PowerShell,
Using Windows PowerShell
http://technet.microsoft.com/en-us/library/dn425048.aspx
PowerShell
http://technet.microsoft.com/en-us/library/ff950685.aspx
Hope this helps.
Steven Lee
TechNet Community Support -
Can I move a Virtual Domain Controller from one host(Win Server 2008 R2) to another (Win Server 2012 R2) ? Are there any issues?
I also had this error: "Setup cannot continue. Your computer will now restart, and your previous version of Windows will be restored." when trying to do an in-place upgrade of a Domain Controller from Windows 2008 R2 to Windows 2012 R2.
The problem was the separate System Reserved Partition. After I removed it using these instructions:
http://jacobackerman.blogspot.com/2012/12/how-to-remove-system-reserved-partition.html
the upgrade ran OK, and now I have my DC as Windows 2012 R2.
Hope that helps! -
ASA 5505 vpn connection issues
Hello, I am having some issues with getting my VPN connection working on a new site. I get no Internet connection when hooking up the ASA. My current config is below. I have included a packet trace from my remote site to my main site. Any help would be appreciated; I am not very experienced in configuring these devices.
hostname ciscoasa
domain-name .com
enable password w3iW.W8jLtqmhFnt encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 10.10.10.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 72.xxx.xx.xx 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name .com
access-list NONATACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list VPNACL extended permit ip 10.10.10.0 255.255.255.0 192.1.1.0 255.255.255.0
access-list OUTSIDEACL extended permit icmp any any
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/flash
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list NONATACL
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDEACL in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http 10.10.10.1 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESPDESMD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map VPNMAP 13 match address VPNACL
crypto map VPNMAP 13 set peer 68.xx.xxx.xxx
crypto map VPNMAP 13 set transform-set ESPDESMD5
crypto map VPNMAP interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 13
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
telnet 10.10.10.0 255.255.255.0 inside
telnet 192.1.1.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd dns 192.1.1.6 192.1.1.4
dhcpd wins 192.1.1.6 192.1.1.4
dhcpd ping_timeout 750
dhcpd domain .com
dhcpd auto_config outside
dhcpd address 10.10.10.10-10.10.10.40 inside
dhcpd enable inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
tunnel-group 76.xxx.xxx.xx type ipsec-l2l
tunnel-group 76.xxx.xxx.xx ipsec-attributes
pre-shared-key *
tunnel-group 68.xx.xxx.xxx type ipsec-l2l
tunnel-group 68.xx.xxx.xxx ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:229af8a14b475d91b876176163124158
: end
ciscoasa(config)#
Hello Belnet,
What do the logs show from the ASA?
Can you post them?
Any other question..Sure..Just remember to rate all of the community answers.
Julio -
Hello,
I am trying to set up an IPsec VPN (site-to-site or, if not possible, client-to-site) between a Netgear ProSafe router and Windows Server 2012.
The problem: the tunnel is up and running, but no ping, no traffic at all.
The Server 2012 uses Hyper-V and has one hardware NIC with a public IP, let's say 123.123.123.1.
If no site-to-site is possible in my situation with the built-in tools, this server would be only a client site which would "dial up" to the Netgear box.
The server has a second virtual NIC with IP 192.168.137.1. Routing and RAS is enabled, because there are two other virtual servers which have 192.168.137.2 and 192.168.137.3.
The Netgear ProSafe has public IP 122.122.122.1 and LAN subnet 192.168.21.0/24.
I created the tunnel in the Advanced Firewall Options window. Both Windows and the router say the VPN tunnel is okay. Also, I can see ESP packets with Wireshark.
If I ping (from router to server and in the other direction) I get no response. Some people said the RAS itself could not accept packets, but I tried from one of the virtual clients also (192.168.137.2) and got no ping there either.
I tried to add a route for subnet 192.168.21.0 with 192.168.137.1 as gateway, but that didn't help either.
Now, after all the time I spent today on this problem, I'm a bit confused.
As I know VPN connections, there are always virtual devices, and routes for the VPN subnets assigned to this device.
The Windows firewall does not create any device, and it does not create any route. I suppose this is because "Routing and RAS or the Windows firewall service" does this work "internally". Is that correct? Do I need any routes?
I was wondering why the ICMP packet from my ping in Wireshark had the public IP as source (123.123.123.1) and not the "internal" 192.168.137.1. I tried to restrict the VPN rule to only the virtual internal NIC, but this isn't possible, as there is no such option inside the GUI.
It would be great if somebody could explain to me how the config and packets SHOULD look. I've never used the built-in VPN/IPsec/RAS services before, so I don't know how things have to be for a correctly working environment. Also, I need a solution, and any help to solve the problem would be great too!
Now I'll try to sleep one night; maybe I'll get some nice idea after some hours of sleep. Good night.
Addition: After some more tests I found out that if I change the local endpoint (endpoint 1) from the virtual network (192.168.137.0/24) to the public IP of the server (123.123.123.1) inside the tunnel rule and inside the VPN policy of the router, I can access the Netgear and other devices in the remote network 192.168.21.0 over these IP addresses. Ping is not working, but other things seem to work fine. I want to be able to ping as well, of course, and this weird configuration looks wrong to me. Can some network professional help out with an explanation?
Second addition: I can set the local endpoint also to "any" and it does work, but ping still does not work :-(
Third addition: The ping does work if I disable the NAT functionality on the physical NIC. ....mhm.....
I would definitely recommend using a virtual router instead of the Windows onboard firewall to make the site-to-site tunnel!
As you can see in my linked thread above (Link), this scenario is not supported by Microsoft! You will run into problems!
We run a Hyper-V virtual machine and install the wonderful distribution pfSense inside this box. pfSense is a software Linux router with IPsec functionality, which works like a charm!
And by the way, I recommend not using the products of Netgear! They are expensive, very slow and the service is not good!
We have good experience with Vigor routers! They are less expensive, the service is very good, and the devices are much faster, AND! ...the VPN connections stay up stable!
This experience was very time-intensive to gain! Hope this will help someone else in the future. -
Windows Server 2008 R2 RRAS NAT Security Concerns
Recently we have been deploying Windows Server 2008 R2 as the NAT gateway of our private network. During testing, we found that RRAS was doing its job as the NAT gateway; however, it seemed that hosts in the private network were allowed to access any listening port open on the server side (2008 R2). In the normal scenario, the server side will have the process "wininit.exe" running and listening on TCP port 49152.
We confirmed that all hosts in the private network were able to connect to TCP port 49152 on the server (connecting by using the NAT's public IP), which introduced lots of security concerns and made us nervous. Since the server is acting as a NAT, IP packets sent by hosts in the private network will be translated and forwarded as if they were generated by the NAT server itself. Thus, the Windows firewall will not block the connection at all while dealing with "local" traffic, which actually is the traffic from the host in the private network.
What we need is a mechanism that can block the hosts in the private network from accessing the TCP/UDP ports open on the NAT server side. Since the NAT server has its IP on the public network assigned dynamically (DHCP), static IP filtering on the private NIC does not fit our needs (or perhaps we may use some hidden but advanced filter settings?). Which policy or setting should be used in our case?
Hi Daniel,
I am aware of what you are suggesting. Actually, I have activated the Windows firewall to protect the server.
Suppose I have a network configuration as follows:
Private Network: 192.168.149.0 / 255.255.255.0 (Private NIC on server side IP:192.168.149.1)
--------------Windows 2008 R2 RRAS NAT--------------------
Public Network: 10.1.0.0 / 255.255.255.0 (Public NIC on server side IP:10.1.0.100 )
The problem is that while the Windows firewall is effectively protecting my server by filtering inbound traffic from the public network, the Windows firewall will not filter the traffic from 192.168.149.0/255.255.255.0 to 10.1.0.100 (NAT's public IP).
The reason is that the TCP/UDP connection from the private network (192.168.149.0 / 255.255.255.0) to any other networks will be NATed. Suppose TCP connection from
192.168.149.23:50000 -> 10.1.0.100:1023
It will be translated by NAT and becomes
192.168.149.23:50000 <-NAT-> 10.1.0.100:60100 -> 10.1.0.100:1023
From the Windows firewall's point of view, the connection is essentially a 'local' TCP connection and should be allowed regardless of any inbound filtering rules. So a vulnerability is introduced. After some research, we are almost sure that the Windows firewall does not filter local traffic. Also, we are not able to guarantee that any firewalls on the client side are installed, since the nature of a NAT server is to provide such network access to clients and should not require the client side to change its configuration.
I do think it is a common security concern in lots of enterprise networks where Windows Servers are deployed as NAT servers. Would you mind helping us address this issue and giving us some advice about related best practices?
Thank you -
Puzzler... Cant access RRAS with VPN connected client
I have a series of 4 VMs running server 2012 r2;
dc- my domain and wsus server
rds- my remote desktop server for remoteapps, RRAS for connecting to VPN
sql- sql server for database needed for one of the apps published
av- hosts kaspersky and manages backups
So, I have a VPN set up through RRAS and am connecting with it and all is well. I can ping every computer on the network EXCEPT the rds server. I can ping from the rds server to the vpn client.
I am trying to use a remote app over the vpn but the remote app is unable to reach the rds server.
Does something have to be setup manually to loopback traffic to the rds server when it is coming in on the same server through RRAS?
Any insight would be appreciated!
Matt
Hi,
According to your description, my understanding is that the rds server has RRAS installed and configured as a VPN server; the VPN client successfully pings internal clients but fails to ping the VPN server.
Are there 2 NICs on the VPN server? One connects to internal and another connects to external?
In general, a ping packet is sent by the client from its own IP address to the external IP address of the VPN server. It will be unpacked once the VPN server receives it, and the VPN server will dispatch this packet according to the internal IP address. So, if this packet is sent to the VPN server, when it unpacks the packet and finds it is sent to itself, the VPN server should reply to this packet.
You may try to turn off firewall/anti-virus software temporarily, and then check to see if it can successfully ping. Besides, use a monitoring tool (Network Monitor, Wireshark) to capture packets on both client and VPN server, and check to see if the packets are sent/answered to the correct destination.
Best Regards,
Eve Wang -
X-Serve freezes after Windows XP VPN connection
Running OS X Server 10.4.11 and having a problem with an L2TP VPN (Preshared Key) connection from a Windows client. The Windows client is behind a NAT router and the XP registry is patched for NAT Traversal (information found in a Microsoft KB). This Windows client can successfully connect to our company OS X Server through L2TP VPN, browse the intranet web pages, and open FileMaker 6 databases.
Our configuration:
Win XP Client --->NAT Router--->---L2TP VPN over ADSL--->Router(pub.IP) --->Sonic Firewall Pro 100 --->OSX Server (VPN Service)
Only browsing the User Directory and others on a Server Volume via SMB causes the server to freeze (become unresponsive). Every AFP Connection disconnects. It forces me to do a hard reboot.
Connecting with an OS X 10.4.11 client from the same location is fully functional and connects to the server without issues.
Is there something I might be overlooking in the Windows XP client configuration, or something I need to change on the server side? Anyone else having this issue?
Does the OS X Server use a private IP number?
I know you can connect from XP if the OS X server isn't behind NAT without any registry hacks.
Otherwise I seriously doubt it works.
http://www.jacco2.dds.nl/networking/openswan-macosx.htm
"Apple's NAT-T version does not interoperate with other IPsec implementations unless they specifically support this Mac OS X quirk. Apple's Mac OS X Server is one of these implementations"
OK, I haven't tried it recently. -
Cisco ASA 5505 Remote Access IP/Sec VPN Connectivity Issues
We have a Cisco ASA that we use just for Remote Access VPN. It uses UDP and was working fine for about 2 months. Recently clients have had intermittent issues when connecting from home. The following message is displayed by the Cisco VPN Client:
"Secure VPN connection terminated locally by the Client. Reason 412: The remote peer is no longer responding"
Upon looking at a client-side packet capture, I notice that no response is being given back to the client for the UDP packets sent to the ASA on UDP 500. If I log in to the ASA from the LAN and send a single ping FROM the ASA, then the client can connect without issue. I don't understand the significance of the needed outbound ping since ping is not used by the client to test if the ASA is alive.
Once again this is a remote access udp ip/sec VPN. I set most of it up with the VPN wizard and then backed up the config. The issue started happening at least a month after setup (maybe two) and I restored to the saved config just in-case, but the issue remains.
Any insight would be greatly appreciated.
I'm using IOS 831 and have tried 821 and 823, as one thread that I found recommended downgrading to 821.
Thanks much,
Justin
Javier,
I logged into the ASA last time the VPN went down. I issued the following commands:
debug crypto isakmp 190
debug crypto ipsec 190
capture outside-cap interface outside match udp any any
I then used a remote access tool to access the client and tried to connect. I got absolutely nothing from debugging. So I issued the following command:
show capture outside | include 500
and also got nothing. So I issued the following command:
ping 4.2.2.2
Upon which my normal debug messages began to show up, so I issued the show capture outside command again and received the expected output below:
1: 15:44:18.570160 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 868
2: 15:44:18.579269 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 444
3: 15:44:18.703866 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 172
4: 15:44:18.706567 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
5: 15:44:18.831499 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
6: 15:44:19.024061 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 76
7: 15:44:19.111963 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 60
8: 15:44:19.517185 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 204
9: 15:44:19.521350 802.1Q vlan#2 P0 REMOTE_IP.1151 > OFFICE_IP.500: udp 92
10: 15:44:19.522723 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1151: udp 252
11: 15:44:42.121957 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 868
12: 15:44:42.130822 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 444
13: 15:44:42.228397 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 172
14: 15:44:42.231036 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
15: 15:44:42.329557 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
16: 15:44:42.521091 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 76
17: 15:44:42.610167 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
18: 15:44:42.649258 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 204
19: 15:44:42.653790 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 252
20: 15:44:42.789342 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 1036
21: 15:44:42.792119 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
22: 15:44:42.800846 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 188
23: 15:44:42.892120 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 60
34: 15:44:54.446220 802.1Q vlan#2 P0 REMOTE_IP.1155 > OFFICE_IP.500: udp 92
35: 15:44:54.447913 802.1Q vlan#2 P0 OFFICE_IP.500 > REMOTE_IP.1155: udp 92
70: 15:45:01.825000 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 100
174: 15:45:03.417764 802.1Q vlan#2 P0 OFFICE_IP.10000 > REMOTE_IP.10000: udp 500
377: 15:45:07.881500 802.1Q vlan#2 P0 REMOTE_IP.10000 > OFFICE_IP.10000: udp 100
It would seem as if no traffic reached the ASA until some outbound traffic to an arbitrary public IP. In this case I sent an echo request to a public DNS server. It seems almost like a state-table issue although I don't know how ICMP ties in.
Once again, any insight would be greatly appreciated.
Thanks,
Justin -
Server 2012: Remote desktop licence manager not issuing licences
Hi,
I am battling with a problem which I cannot seem to resolve, and no other forums actually come to a conclusion on how to resolve this problem!
I have a windows server 2012 server which is NOT part of a domain.
I have installed Remote Desktop Services and also installed the Remote Desktop License manager, and I just cannot get the license manager to issue CALs when users connect remotely via RDP.
I have installed an extra two CALs and tried using them as both "Per User" and "Per Device", but it still does not work.
I have now run out of my grace period and cannot connect to the server at all.
I have also tried changing some gpo's with no luck,
Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing
"Use the specified RD license servers" = myservername
"Set the Remote Desktop licensing mode" = Per User
How can i fix this?
Thanks
Hi,
Thank you for posting in Windows Server Forum.
Have you seen that you have activated RDS License server before installing CAL?
Please check that the License Server should be part of ‘Terminal Server License’ group in Active Directory Domain Services. You can also configure RD License server manually by powershell commmand. Please check below article for information.
RD Licensing Configuration on Windows Server 2012
http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx
In addition, please install the hotfix below and verify the result.
No RDS license when you connect to an RDS farm in Windows Server 2012
http://support.microsoft.com/kb/2916846
Hope it helps!
Thanks.
Dharmesh Solanki -
iPad2, Verizon 3G, VPN Connectivity Issues
Greetings all. I am the systems administrator for my corporation and have seen an issue that I wish to present to the community for discussion.
For those enterprise users that have an iPad2 with Verizon's 3G, are you experiencing connectivity issues while trying to connect to your VPNs from the 3G network? If so, have you found any workaround to allow connectivity, or does it work fine for you?
Here's a summary of my issues:
We have a VPN server built on Debian Linux that has been in operation for over four years. It handles remote VPN connections from Windows, Linux, Android, OS X, iOS, and from many different devices including multiple flavors of Apple products (iMacs, Minis, MacBooks, iPads, etc.). To date, it has performed flawlessly with assorted devices connecting to it through broadband and assorted 3G networks.
Recently I purchased an iPad2 with Verizon 3G. I was able to set up the VPN connection using PPTP and connect using a Wi-Fi connection. When I turned off the Wi-Fi and attempted the same connection via Verizon 3G, it failed. I then took an associate's iPad1 using AT&T 3G, set up the same connection, and was able to connect. I don't have access to an iPad2 on AT&T 3G, so I can't speak for that.
Here are the logs from the VPN server while connecting from my iPad2:
Wi-Fi
Jul 27 05:20:43 localhost pppd[31694]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Jul 27 05:20:43 localhost pppd[31694]: pptpd-logwtmp: $Version$
Jul 27 05:20:43 localhost pppd[31694]: pppd 2.4.4 started by root, uid 0
Jul 27 05:20:43 localhost pppd[31694]: Using interface ppp2
Jul 27 05:20:43 localhost pppd[31694]: Connect: ppp2 <--> /dev/pts/4
Jul 27 05:20:46 localhost pppd[31694]: Unsupported protocol 'IPv6 Control Protocol' (0x8057) received
Jul 27 05:20:46 localhost pppd[31694]: found interface eth1 for proxy arp
Jul 27 05:20:46 localhost pppd[31694]: local IP address 192.168.1.69
Jul 27 05:20:46 localhost pppd[31694]: remote IP address 192.168.1.82
Jul 27 05:20:46 localhost pppd[31694]: pptpd-logwtmp.so ip-up ppp2 scott XXX.XXX.XXX.XXX (removed external IP for security reasons)
Quick connect, able to utilize VPN connection normally. No issues.
Verizon 3G
Jul 27 05:20:29 localhost pppd[31682]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Jul 27 05:20:29 localhost pppd[31682]: pptpd-logwtmp: $Version$
Jul 27 05:20:29 localhost pppd[31682]: pppd 2.4.4 started by root, uid 0
Jul 27 05:20:29 localhost pppd[31682]: Using interface ppp2
Jul 27 05:20:29 localhost pppd[31682]: Connect: ppp2 <--> /dev/pts/4
Jul 27 05:20:32 localhost pppd[31682]: peer refused to authenticate: terminating link
Jul 27 05:20:33 localhost pppd[31682]: Connection terminated.
Jul 27 05:20:33 localhost pppd[31682]: Exit.
As you can see, the peer refuses to authenticate, causing the link to be terminated while attempting to connect using Verizon's network. This is with the same VPN connection settings on the iPad2 that just worked with the Wi-Fi connection from the same device.
Here's what I can verify with regards to 3G networks:
Older (<4) iPhones and iPad1 using AT&T can connect
Windows and OS X based laptops using Sprint 3G can connect
Android based smart phones using Sprint 3G can connect
I have not called Verizon or Apple Support yet, but that's next when I have the time. My initial conclusion is that there is something with Verizon's 3G services that is causing the issue. It may be that Verizon is using some sort of data compression process that is problematic with VPN transmission. While the log shows an unsupported IPv6 protocol when connecting via Wi-Fi, it still negotiates a successful connection and I don't think that's the root cause for the disconnect. Thoughts?
Hi Alexander,
I am running into the exact same issue (although not with Linux). Did you ever find a fix for this? I have some support tickets open with my VARs, but found your post and thought I would check. If I find anything I will post.
Thanks
Stu -
Windows Server 2012 Pooled Virtual Desktop collection GetVMstate issue
I am trying to create a Pooled Desktop collection with my powered-off VM and it errors out: "The virtual desktop must be in a stopped state: Could not identify the state of the virtual desktop. Ensure that the RD virtualisation host server is available on the network and the virtual desktop is shut down."
In the debug logs it shows:
Component RdmsModel: GetVMstate for Vm Win7_BaseVM failed with error 16386
Component RDExceptionHandler: Could not identify the state of the virtual desktop. Ensure that the RD Virtualization Host server sunflower-1.HYPERQA.NUTANIX.COM is available on the network and that the virtual
desktop Win7VMSF is shut down.
Please help on resolving this GetVMState issue.
Hi Krishna,
Thank you for posting in Windows Server Forum.
When you are configuring RDVH initially, please check that you have met the prerequisites. Remember that you need these pre-requirements:
• Database based on SQL Server 2008 R2
• Static IP Address for all Broker
• Round Robin DNS
• All RD Brokers must be members of an AD Windows Group (e.g. RDCB Server Group)
• The group must be inserted into SQL Server as sysadmin ONLY for the DB creation. After the DB has been created, give the db_owner permission only for their DB
More information:
Windows Server 2012 R2: Unable Add New VDI Template
In addition, all RD Brokers must have the same SQL Native Client as the main SQL Server (e.g. SQL Server 2012 SP1). The Connection Broker server's computer account MUST be a member of the local Administrators group on the Virtualization Host (RDS Host) machine; then reboot the server. Finally, check the result.
Windows Server 2012 Virtual Desktop Template Issue
Hope it helps!
Thanks.
Dharmesh Solanki -
Windows Server 2012 R2 - Hyper-V NIC Teaming Issue
Hi All,
I have a Windows Server 2012 R2 cluster with the Hyper-V role installed. I have an issue with one of my Windows Server 2012 R2 Hyper-V hosts.
The virtual machine network adapter shows status connected but it stops transmitting data, so the VM using that NIC cannot connect to the external network.
The virtual machine network adapter is using a teamed NIC, with this configuration:
Teaming Mode : Switch Independent
Load Balance Algorithm : Hyper-V Port
NIC Adapter : Broadcom 5720 Quad Port 1Gbps
I am already using the latest NIC driver from Broadcom.
I found a little trick for this issue by disabling one of the teamed NICs, but it happens again.
Does anyone have the same issue, and is there any workaround for it?
Please Advise
Thanks,
Hi epenx,
Thanks for the information.
Best Regards,
Elton Ji
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
We have 2 sites, each with 2 domain controllers. The main site is with our servers in a hosted datacenter. We have an IPsec VPN tunnel set up between the sites, but the datacenter host does not add routes on their end for the tunnel. So the only way for servers at the DC to communicate with the local DCs is using NAT with their static subnet.
I know this is not supported by MS. I found the following article, but only see it referenced for server 2003/8. I just wanted to verify this still works with server 2012 R2.
http://blogs.technet.com/b/ad/archive/2009/04/22/dcs-and-network-address-translation.aspx
I have configured NAT within AD and there would be no difference whether it be 2000, 2003, 2008 or 2012. In my instance I have had to have two separate DNS instances on each side of the NAT, and when computer objects are added on one side or the other I have to manually add them to keep them in sync. Not an elegant solution, but it works just fine.
To be honest I have no idea what your registry fix is about, I have never had to deal with it.
Paul Bergson
MVP - Directory Services
MCITP: Enterprise Administrator
MCTS, MCT, MCSE, MCSA, Security, BS CSci
2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
Please no e-mails, any questions should be posted in the NewsGroup.
This posting is provided AS IS with no warranties, and confers no rights.
The problem with that is the DC will overwrite static DNS entries when it tries to register its IPs. I have tried adding the IP, but if you go and run 'ipconfig /registerdns' on the machine, it will erase the static entry.