
RDP connection through VPN only to RAS IP not to main IP

I have the following scenario:

I configured a Windows 2012R2 Server as RAS server. When I connect per VPN, I can RDP to the server only by the RAS IP (which comes from DHCP) not by the main IP. I can reach all other clients in the remote network.

Why isn't it possible to RDP the server over the main IP?

Regards

Jan

15 Replies

I guess by "main IP" you mean public? Might try from PowerShell from source and target to see if it's listening.

Test-NetConnection -ComputerName "192.168.49.142" -CommonTCPPort "RDP" -InformationLevel "Detailed"

or also try;

https://www.canyouseeme.org/

@Dave Patrick 

Please excuse my unclear expression.

The server has one ethernet connection (main IP) and through the RAS dial-in a RAS interface. Here is the ipconfig result:

Windows-IP-Konfiguration


   Hostname  . . . . . . . . . . . . : DC-02
   Primäres DNS-Suffix . . . . . . . : myDomain.local
   Knotentyp . . . . . . . . . . . . : Broadcast
   IP-Routing aktiviert  . . . . . . : Ja
   WINS-Proxy aktiviert  . . . . . . : Nein
   DNS-Suffixsuchliste . . . . . . . : myDomain.local


PPP-Adapter RAS (Dial In) Interface:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : RAS (Dial In) Interface
   Physische Adresse . . . . . . . . :
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   IPv4-Adresse  . . . . . . . . . . : 192.168.124.30(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.255
   Standardgateway . . . . . . . . . :
   NetBIOS ber TCP/IP . . . . . . . : Aktiviert


Ethernet-Adapter Ethernet:

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Gigabit-Netzwerkverbindung Intel(R) 82574L
   Physische Adresse . . . . . . . . : 00-0C-29-AB-15-DA
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse  . : fe80::603a:6364:2baa:fff3%11(Bevorzugt)
   IPv4-Adresse  . . . . . . . . . . : 192.168.124.16(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Standardgateway . . . . . . . . . : 192.168.124.21
   DHCPv6-IAID . . . . . . . . . . . : 335547433
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-24-63-71-63-00-0C-29-AB-15-DA
   DNS-Server  . . . . . . . . . . . : 192.168.124.16
                                       127.0.0.1
   NetBIOS ber TCP/IP . . . . . . . : Aktiviert


Tunneladapter isatap.{CA9379ED-7C5E-4220-9155-2DCB041ECD2A}:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter #2
   Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja


Tunneladapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:

   Medienstatus. . . . . . . . . . . : Medium getrennt
   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter #3
   Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja

I can ping the server through the VPN connection, but I can neither RDP nor get any DNS results.

PS C:\WINDOWS\system32> Test-NetConnection -ComputerName "192.168.124.16" -CommonTCPPort "RDP" -InformationLevel "Detailed"
WARNUNG: TCP connect to (192.168.124.16 : 3389) failed



ComputerName            : 192.168.124.16
RemoteAddress           : 192.168.124.16
RemotePort              : 3389
NameResolutionResults   : 192.168.124.16
MatchingIPsecRules      :
NetworkIsolationContext : Internet
InterfaceAlias          : Statcontrol
SourceAddress           : 192.168.124.25
NetRoute (NextHop)      : 192.168.124.30
PingSucceeded           : True
PingReplyDetails (RTT)  : 60 ms
TcpTestSucceeded        : False





PS C:\WINDOWS\system32> nslookup www.google.de 192.168.124.16
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.124.16


DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an UnKnown.
PS C:\WINDOWS\system32>


When I use the RAS-dialin IP I can RDP and get DNS results.

PS C:\WINDOWS\system32> Test-NetConnection -ComputerName "192.168.124.30" -CommonTCPPort "RDP" -InformationLevel "Detailed"

ComputerName            : 192.168.124.30
RemoteAddress           : 192.168.124.30
RemotePort              : 3389
NameResolutionResults   : 192.168.124.30
MatchingIPsecRules      :
NetworkIsolationContext : Internet
InterfaceAlias          : Statcontrol
SourceAddress           : 192.168.124.25
NetRoute (NextHop)      : 192.168.124.30
TcpTestSucceeded        : True





PS C:\WINDOWS\system32> nslookup www.google.de 192.168.124.30
Server:  UnKnown
Address:  192.168.124.30


Nicht autorisierende Antwort:
Name:    www.google.de
Addresses:  2a00:1450:4001:818::2003
          172.217.21.195

Any hints?

Looks like 192.168.124.16 is not listening on 3389 or firewall issues when using the VPN. Also try;

Test-NetConnection -ComputerName "192.168.124.16" -CommonTCPPort "RDP" -InformationLevel "Detailed"

on the target machine. A tracert from source to target over both connections may also provide something useful.

I can RDP the machine from within the remote LAN perfectly on 192.168.124.16:

PS C:\Windows\System32> Test-NetConnection -ComputerName "192.168.124.16" -CommonTCPPort "RDP" -InformationLevel "Detailed"


ComputerName             : 192.168.124.16
RemoteAddress            : 192.168.124.16
RemotePort               : 3389
AllNameResolutionResults :
MatchingIPsecRules       :
NetworkIsolationContext  : Private Network
IsAdmin                  : False
InterfaceAlias           : Ethernet
SourceAddress            : 192.168.124.16
NetRoute (NextHop)       : 0.0.0.0
PingSucceeded            : True
PingReplyDetails (RTT)   : 0 ms
TcpTestSucceeded         : True

The tracert from source to target looks like this:

PS C:\WINDOWS\system32> tracert 192.168.124.16

Routenverfolgung zu 192.168.124.16 über maximal 30 Hops

  1    60 ms    60 ms    58 ms  192.168.124.30
  2    59 ms    59 ms    61 ms  192.168.124.16


Ablaufverfolgung beendet.
PS C:\WINDOWS\system32> tracert 192.168.124.30


Routenverfolgung zu 192.168.124.30 über maximal 30 Hops

  1    62 ms    60 ms    60 ms  192.168.124.30

Ablaufverfolgung beendet.

The firewall on the target server is turned off.

 

It seems that there is no routing from the RAS dial-in interface to the Ethernet interface except for the ICMP protocol.
Sounds like some other blocking going on via this dial-up path. I was suggesting to tracert from source to target. Obviously tracert on the same subnet is not useful.

I was suggesting to tracert from source to target. Obviously tracert on the same subnet is not useful.


I made the tracert on the remote machine (W-05 = source), which is connected via VPN to the server (target). When I establish a VPN connection, W-05 gets an IP address from the subnet.

Here again (due to a server reboot the RAS dial-in IP changed from 192.168.124.30 to 192.168.124.31).

PS C:\WINDOWS\system32> ipconfig /all

Windows-IP-Konfiguration

   Hostname  . . . . . . . . . . . . : W-05
   Primäres DNS-Suffix . . . . . . . : remoteDomain.local
   Knotentyp . . . . . . . . . . . . : Hybrid
   IP-Routing aktiviert  . . . . . . : Nein
   WINS-Proxy aktiviert  . . . . . . : Nein
   DNS-Suffixsuchliste . . . . . . . : remoteDomain.local
                                       myDomain.local


Ethernet-Adapter Ethernet:

   Verbindungsspezifisches DNS-Suffix: remoteDomain.local
   Beschreibung. . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
   Physische Adresse . . . . . . . . : 44-37-E6-81-15-12
   DHCP aktiviert. . . . . . . . . . : Ja
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse  . : fe80::281e:339e:4aaf:5ce0%5(Bevorzugt)
   IPv4-Adresse  . . . . . . . . . . : 192.168.140.34(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   Lease erhalten. . . . . . . . . . : Mittwoch, 22. Mai 2019 14:53:12
   Lease läuft ab. . . . . . . . . . : Donnerstag, 30. Mai 2019 16:34:15
   Standardgateway . . . . . . . . . : 192.168.140.1
                                       192.168.145.1
   DHCP-Server . . . . . . . . . . . : 192.168.140.15
   DHCPv6-IAID . . . . . . . . . . . : 71579622
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-16-84-C3-42-44-37-E6-81-15-12
   DNS-Server  . . . . . . . . . . . : fe80::37af:966a:f63:f586%5
                                       192.168.140.15
                                       192.168.140.1
                                       192.168.145.1
   NetBIOS über TCP/IP . . . . . . . : Aktiviert
   Suchliste für verbindungsspezifische DNS-Suffixe:
                                       remoteDomain.local


PPP-Adapter myDomain:

   Verbindungsspezifisches DNS-Suffix: myDomain.local
   Beschreibung. . . . . . . . . . . : myDomain
   Physische Adresse . . . . . . . . :
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   IPv4-Adresse  . . . . . . . . . . : 192.168.124.30(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.255
   Standardgateway . . . . . . . . . :
   DNS-Server  . . . . . . . . . . . : 192.168.124.16
   NetBIOS über TCP/IP . . . . . . . : Aktiviert


Ethernet-Adapter vEthernet (Default Switch):

   Verbindungsspezifisches DNS-Suffix:
   Beschreibung. . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physische Adresse . . . . . . . . : E2-15-30-C9-DE-52
   DHCP aktiviert. . . . . . . . . . : Nein
   Autokonfiguration aktiviert . . . : Ja
   Verbindungslokale IPv6-Adresse  . : fe80::fc9b:4806:cc25:a986%19(Bevorzugt)
   IPv4-Adresse  . . . . . . . . . . : 172.17.76.33(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.240
   Standardgateway . . . . . . . . . :
   DHCPv6-IAID . . . . . . . . . . . : 333583664
   DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-16-84-C3-42-44-37-E6-81-15-12
   DNS-Server  . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS über TCP/IP . . . . . . . : Aktiviert
PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32> tracert 192.168.124.16


Routenverfolgung zu 192.168.124.16 über maximal 30 Hops

  1    59 ms    58 ms    59 ms  192.168.124.31
  2    62 ms    60 ms    61 ms  192.168.124.16


Ablaufverfolgung beendet.
PS C:\WINDOWS\system32>

Ok, well still a bit confusing. When you said:

I made the tracert on the remote machine (W-05 = source), which is connected via VPN to the server (target). When I establish a VPN connection, W-05 gets an IP address from the subnet.

It sounds to me like W-05 is the target. Also W-05 has two gateways listed, which could be problematic. Looks like W-05 is a Windows 10 with the Hyper-V role installed, which could also be complicating issues.

The RAS server DC-02 is the target. W-05 is one of several workstations/laptops connecting via VPN.
W-05 is a developer computer with Visual Studio. The Hyper-V role is installed.

The problem occurs on all computers connecting to DC-02 via VPN. Computers in the LAN of DC-02 don't have any problems.

Ok, gotcha. I'd still try from PowerShell

Test-NetConnection -ComputerName "xxx.xxx.xxx.xxx" -CommonTCPPort "RDP" -InformationLevel "Detailed"

from both source (the PC you're connecting from) and target (the PC you're connecting to). If it fails on source and succeeds on target, then there appears to be either a firewall issue or possibly a routing issue.


And as mentioned, the dual gateways could be problematic, so you might also try to VPN from a desktop without either Hyper-V or the dual gateways.

I tried it from a different laptop. As for W-05, I tried and it failed, and for DC-02 it succeeded.

I think it's a routing problem. I can RDP to several servers and workstations in the DC-02 LAN through the VPN connection, even DC-02, when I use the IP of the RAS dial-in interface (which can change). Only when I use the IP of the LAN interface of DC-02 does it fail. Same for DNS requests.

I turned off the firewall and Kaspersky on DC-02.
best response confirmed by Zeneri (Copper Contributor)
Solution

Agreed on routing issues. Dual gateways would likely be problematic. I'd hope by "DC-02" you didn't mean a domain controller. Multi-homing a domain controller will always cause no end to grief. If so I'd recommend installing the RASS / VPN roles on a member server.
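To make the conditions named in this answer checkable on the server itself, here is an added PowerShell diagnostic (not from the thread or its participants) that flags a domain controller carrying Routing/RemoteAccess roles, a DC with more than one IPv4 address (the RAS (Dial In) Interface adds one as soon as a client connects), and more than one IPv4 default gateway. It assumes Windows Server 2012 R2 or later with the ServerManager module and an elevated session.

```powershell
# Added example; run on the RRAS/VPN host (DC-02 in the thread).
# Returns a list of findings; an empty list means none of the risky patterns were seen.
function Get-RrasHostFindings {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $isDc = $cs.DomainRole -ge 4

    # Routing / RemoteAccess roles installed on this host?
    $rasFeatures = Get-WindowsFeature -Name 'RemoteAccess', 'Routing', 'DirectAccess-VPN' |
        Where-Object { $_.Installed }

    if ($isDc -and $rasFeatures) {
        $findings.Add("Domain controller '$($cs.Name)' hosts RRAS roles: " +
                      (($rasFeatures.Name) -join ', ') + '. Move these roles to a member server.')
    }

    # IPv4 addresses other than loopback and APIPA; more than one on a DC means it is multi-homed.
    $addrs = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
    if ($isDc -and @($addrs).Count -gt 1) {
        $list = $addrs | ForEach-Object { "$($_.IPAddress) ($($_.InterfaceAlias))" }
        $findings.Add('Multi-homed domain controller, IPv4 addresses: ' + ($list -join ', '))
    }

    # More than one IPv4 default route (the "dual gateways" seen on W-05 above).
    $gateways = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
    if (@($gateways).Count -gt 1) {
        $hops = $gateways.NextHop | Select-Object -Unique
        $findings.Add('Multiple default gateways: ' + ($hops -join ', '))
    }

    return $findings
}

# Print each finding as a warning; no output means no finding.
Get-RrasHostFindings | ForEach-Object { Write-Warning $_ }
```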

Yes, it is a domain controller. I will try tomorrow to move the RAS to a member server.

I'll keep you informed.

Thanks for the moment.

Sounds good, you're welcome.

I moved the Routing and RAS role from the DC to the member server. Now everything is ok.

Thanks a lot.

Great news, and you're welcome.
