Forum Discussion
RDP connection through VPN only to RAS IP not to main IP
- May 24, 2019
Agreed on routing issues. Dual gateways would likely be problematic. I'd hope by "DC-02" you didn't mean a domain controller. Multi-homing a domain controller will always cause no end to grief. If so I'd recommend installing the RASS / VPN roles on a member server.
I guess by "main IP" you mean public? Might try from PowerShell from source and target to see if it's listening.
Test-NetConnection -ComputerName "192.168.49.142" -CommonTCPPort "RDP" -InformationLevel "Detailed"
or also try;
- Zeneri, May 24, 2019, Copper Contributor
Please excuse my unclear expression.
The server has one ethernet connection (main IP) and through the RAS dial-in a RAS interface. Here is the ipconfig result:
Windows-IP-Konfiguration
Hostname . . . . . . . . . . . . : DC-02
Primäres DNS-Suffix . . . . . . . : myDomain.local
Knotentyp . . . . . . . . . . . . : Broadcast
IP-Routing aktiviert . . . . . . : Ja
WINS-Proxy aktiviert . . . . . . : Nein
DNS-Suffixsuchliste . . . . . . . : myDomain.local
PPP-Adapter RAS (Dial In) Interface:
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : RAS (Dial In) Interface
Physische Adresse . . . . . . . . :
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
IPv4-Adresse . . . . . . . . . . : 192.168.124.30(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.255
Standardgateway . . . . . . . . . :
NetBIOS über TCP/IP . . . . . . . : Aktiviert
Ethernet-Adapter Ethernet:
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Gigabit-Netzwerkverbindung Intel(R) 82574L
Physische Adresse . . . . . . . . : 00-0C-29-AB-15-DA
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse . : fe80::603a:6364:2baa:fff3%11(Bevorzugt)
IPv4-Adresse . . . . . . . . . . : 192.168.124.16(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 192.168.124.21
DHCPv6-IAID . . . . . . . . . . . : 335547433
DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-24-63-71-63-00-0C-29-AB-15-DA
DNS-Server . . . . . . . . . . . : 192.168.124.16
127.0.0.1
NetBIOS über TCP/IP . . . . . . . : Aktiviert
Tunneladapter isatap.{CA9379ED-7C5E-4220-9155-2DCB041ECD2A}:
Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter #2
Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Tunneladapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:
Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter #3
Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
I can ping the server through the VPN connection, but neither can I RDP nor will I get any DNS results.
PS C:\WINDOWS\system32> Test-NetConnection -ComputerName "192.168.124.16" -CommonTCPPort "RDP" -InformationLevel "Detailed"
WARNUNG: TCP connect to (192.168.124.16 : 3389) failed
ComputerName : 192.168.124.16
RemoteAddress : 192.168.124.16
RemotePort : 3389
NameResolutionResults : 192.168.124.16
MatchingIPsecRules :
NetworkIsolationContext : Internet
InterfaceAlias : Statcontrol
SourceAddress : 192.168.124.25
NetRoute (NextHop) : 192.168.124.30
PingSucceeded : True
PingReplyDetails (RTT) : 60 ms
TcpTestSucceeded : False
PS C:\WINDOWS\system32> nslookup www.google.de 192.168.124.16
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.124.16
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an UnKnown.
PS C:\WINDOWS\system32>
When I use the RAS-dialin IP I can RDP and get DNS results.
PS C:\WINDOWS\system32> Test-NetConnection -ComputerName "192.168.124.30" -CommonTCPPort "RDP" -InformationLevel "Detailed"
ComputerName : 192.168.124.30
RemoteAddress : 192.168.124.30
RemotePort : 3389
NameResolutionResults : 192.168.124.30
MatchingIPsecRules :
NetworkIsolationContext : Internet
InterfaceAlias : Statcontrol
SourceAddress : 192.168.124.25
NetRoute (NextHop) : 192.168.124.30
TcpTestSucceeded : True
PS C:\WINDOWS\system32> nslookup www.google.de 192.168.124.30
Server: UnKnown
Address: 192.168.124.30
Nicht autorisierende Antwort:
Name: www.google.de
Addresses: 2a00:1450:4001:818::2003
172.217.21.195
Any hints?
- Dave Patrick, May 24, 2019, MVP
Looks like 192.168.124.16 is not listening on 3389 or firewall issues when using the VPN. Also try;
Test-NetConnection -ComputerName "192.168.124.16" -CommonTCPPort "RDP" -InformationLevel "Detailed"
on target machine. tracert from source to target by both connections may also provide something useful.
- Zeneri, May 24, 2019, Copper Contributor
I can RDP the machine from within the remote LAN perfectly on 192.168.124.16:
PS C:\Windows\System32> Test-NetConnection -ComputerName "192.168.124.16" -CommonTCPPort "RDP" -InformationLevel "Detailed"
ComputerName : 192.168.124.16
RemoteAddress : 192.168.124.16
RemotePort : 3389
AllNameResolutionResults :
MatchingIPsecRules :
NetworkIsolationContext : Private Network
IsAdmin : False
InterfaceAlias : Ethernet
SourceAddress : 192.168.124.16
NetRoute (NextHop) : 0.0.0.0
PingSucceeded : True
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : True
The tracert from source to target looks like this:
PS C:\WINDOWS\system32> tracert 192.168.124.16
Routenverfolgung zu 192.168.124.16 über maximal 30 Hops
1 60 ms 60 ms 58 ms 192.168.124.30
2 59 ms 59 ms 61 ms 192.168.124.16
Ablaufverfolgung beendet.
PS C:\WINDOWS\system32> tracert 192.168.124.30
Routenverfolgung zu 192.168.124.30 über maximal 30 Hops
1 62 ms 60 ms 60 ms 192.168.124.30
Ablaufverfolgung beendet.
The firewall on the target server is turned off.
It seems that there is no routing from RAS-dialin interface to the Ethernet interface except for the ICMP protocol.
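Added example, not part of any post in the thread: a PowerShell sketch that repeats the thread's per-address tests as one matrix from the VPN client, then collects on the server the listener bindings, per-interface forwarding settings and firewall profile state. The addresses and ports are the ones quoted above; the function names are hypothetical, and TCP 53 is used as a stand-in for the DNS check that `nslookup` performs.

```powershell
# Added example. Addresses are taken from the thread; function names are hypothetical.
$ServerAddresses = '192.168.124.16', '192.168.124.30'   # Ethernet IP, RAS dial-in IP
$Ports           = 3389, 53                             # RDP, DNS (TCP side only)

function Test-ServicePerAddress {
    # Run on the VPN client: one result row per address/port pair.
    param([string[]]$Address, [int[]]$Port)
    foreach ($a in $Address) {
        foreach ($p in $Port) {
            $r = Test-NetConnection -ComputerName $a -Port $p `
                     -InformationLevel Detailed -WarningAction SilentlyContinue
            [pscustomobject]@{
                Address = $a
                Port    = $p
                NextHop = $r.NetRoute.NextHop
                Ping    = $r.PingSucceeded
                TcpOpen = $r.TcpTestSucceeded
            }
        }
    }
}

function Get-ListenerBinding {
    # Run on the server: local addresses the services are bound to.
    # 0.0.0.0 means the service listens on every IPv4 address of the host.
    param([int[]]$Port)
    Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Get-InterfaceForwardingState {
    # Run on the server: forwarding and weak-host settings per IPv4 interface,
    # which govern whether traffic arriving on one interface reaches another.
    Get-NetIPInterface -AddressFamily IPv4 |
        Select-Object InterfaceAlias, Forwarding, WeakHostReceive, WeakHostSend
}

# On the VPN client:
Test-ServicePerAddress -Address $ServerAddresses -Port $Ports | Format-Table

# On the server (DC-02 in the thread):
Get-ListenerBinding -Port $Ports | Format-Table
Get-InterfaceForwardingState | Format-Table
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table
```

A row with Ping true and TcpOpen false for one address, next to a listener bound to 0.0.0.0 on the server, points away from the service itself and toward filtering or forwarding between the two interfaces.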