May 23 2019 05:37 AM
I have the following scenario:
I configured a Windows 2012R2 Server as RAS server. When I connect via VPN, I can RDP to the server only by the RAS IP (which comes from DHCP), not by the main IP. I can reach all other clients in the remote network.
Why isn't it possible to RDP the server over the main IP?
Regards
Jan
May 23 2019 07:15 AM - edited May 23 2019 07:17 AM
I guess by "main IP" you mean public? Might try from PowerShell from source and target to see if it's listening.
Test-NetConnection -ComputerName "192.168.49.142" -CommonTCPPort "RDP" -InformationLevel "Detailed"
or also try;
May 24 2019 01:57 AM - edited May 24 2019 03:30 AM
Please excuse my unclear expression.
The server has one ethernet connection (main IP) and through the RAS dial-in a RAS interface. Here is the ipconfig result:
Windows-IP-Konfiguration
Hostname . . . . . . . . . . . . : DC-02
Primäres DNS-Suffix . . . . . . . : myDomain.local
Knotentyp . . . . . . . . . . . . : Broadcast
IP-Routing aktiviert . . . . . . : Ja
WINS-Proxy aktiviert . . . . . . : Nein
DNS-Suffixsuchliste . . . . . . . : myDomain.local
PPP-Adapter RAS (Dial In) Interface:
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : RAS (Dial In) Interface
Physische Adresse . . . . . . . . :
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
IPv4-Adresse . . . . . . . . . . : 192.168.124.30(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.255
Standardgateway . . . . . . . . . :
NetBIOS über TCP/IP . . . . . . . : Aktiviert
Ethernet-Adapter Ethernet:
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Gigabit-Netzwerkverbindung Intel(R) 82574L
Physische Adresse . . . . . . . . : 00-0C-29-AB-15-DA
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse . : fe80::603a:6364:2baa:fff3%11(Bevorzugt)
IPv4-Adresse . . . . . . . . . . : 192.168.124.16(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Standardgateway . . . . . . . . . : 192.168.124.21
DHCPv6-IAID . . . . . . . . . . . : 335547433
DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-24-63-71-63-00-0C-29-AB-15-DA
DNS-Server . . . . . . . . . . . : 192.168.124.16
127.0.0.1
NetBIOS über TCP/IP . . . . . . . : Aktiviert
Tunneladapter isatap.{CA9379ED-7C5E-4220-9155-2DCB041ECD2A}:
Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter #2
Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Tunneladapter isatap.{6E06F030-7526-11D2-BAF4-00600815A4BD}:
Medienstatus. . . . . . . . . . . : Medium getrennt
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter #3
Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
I can ping the server through the VPN connection, but I can neither RDP nor get any DNS results.
PS C:\WINDOWS\system32> Test-NetConnection -ComputerName "192.168.124.16" -CommonTCPPort "RDP" -InformationLevel "Detailed"
WARNUNG: TCP connect to (192.168.124.16 : 3389) failed
ComputerName : 192.168.124.16
RemoteAddress : 192.168.124.16
RemotePort : 3389
NameResolutionResults : 192.168.124.16
MatchingIPsecRules :
NetworkIsolationContext : Internet
InterfaceAlias : Statcontrol
SourceAddress : 192.168.124.25
NetRoute (NextHop) : 192.168.124.30
PingSucceeded : True
PingReplyDetails (RTT) : 60 ms
TcpTestSucceeded : False
PS C:\WINDOWS\system32> nslookup www.google.de 192.168.124.16
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.124.16
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Zeitüberschreitung bei Anforderung an UnKnown.
PS C:\WINDOWS\system32>
When I use the RAS-dialin IP I can RDP and get DNS results.
PS C:\WINDOWS\system32> Test-NetConnection -ComputerName "192.168.124.30" -CommonTCPPort "RDP" -InformationLevel "Detailed"
ComputerName : 192.168.124.30
RemoteAddress : 192.168.124.30
RemotePort : 3389
NameResolutionResults : 192.168.124.30
MatchingIPsecRules :
NetworkIsolationContext : Internet
InterfaceAlias : Statcontrol
SourceAddress : 192.168.124.25
NetRoute (NextHop) : 192.168.124.30
TcpTestSucceeded : True
PS C:\WINDOWS\system32> nslookup www.google.de 192.168.124.30
Server: UnKnown
Address: 192.168.124.30
Nicht autorisierende Antwort:
Name: www.google.de
Addresses: 2a00:1450:4001:818::2003
172.217.21.195
Any hints?
May 24 2019 06:32 AM - edited May 24 2019 08:16 AM
Looks like 192.168.124.16 is not listening on 3389, or there are firewall issues when using the VPN. Also try:
Test-NetConnection -ComputerName "192.168.124.16" -CommonTCPPort "RDP" -InformationLevel "Detailed"
on the target machine. A tracert from source to target over both connections may also provide something useful.
May 24 2019 10:02 AM
I can RDP the machine from within the remote LAN perfectly on 192.168.124.16:
PS C:\Windows\System32> Test-NetConnection -ComputerName "192.168.124.16" -CommonTCPPort "RDP" -InformationLevel "Detailed"
ComputerName : 192.168.124.16
RemoteAddress : 192.168.124.16
RemotePort : 3389
AllNameResolutionResults :
MatchingIPsecRules :
NetworkIsolationContext : Private Network
IsAdmin : False
InterfaceAlias : Ethernet
SourceAddress : 192.168.124.16
NetRoute (NextHop) : 0.0.0.0
PingSucceeded : True
PingReplyDetails (RTT) : 0 ms
TcpTestSucceeded : True
The tracert from source to target looks like this:
PS C:\WINDOWS\system32> tracert 192.168.124.16
Routenverfolgung zu 192.168.124.16 über maximal 30 Hops
1 60 ms 60 ms 58 ms 192.168.124.30
2 59 ms 59 ms 61 ms 192.168.124.16
Ablaufverfolgung beendet.
PS C:\WINDOWS\system32> tracert 192.168.124.30
Routenverfolgung zu 192.168.124.30 über maximal 30 Hops
1 62 ms 60 ms 60 ms 192.168.124.30
Ablaufverfolgung beendet.
The firewall on the target server is turned off.
It seems that there is no routing from RAS-dialin interface to the ethernet interface except for the icmp protocol.
May 24 2019 10:06 AM
It seems that there is no routing from RAS-dialin interface to the ethernet interface except for the icmp protocol.
Sounds like some other blocking is going on via this dial-up path. I was suggesting to tracert from source to target. Obviously tracert on the same subnet is not useful.
May 24 2019 10:48 AM
I was suggesting to tracert from source to target. Obviously tracert on the same subnet is not useful.
I made the tracert on the remote machine (W-05 = source), which is connected via VPN to the server (target). When I establish a VPN connection, W-05 gets an IP address from the subnet.
Here again (due to a server reboot the RAS-dialin IP changed from 192.168.124.30 to 192.168.124.31).
PS C:\WINDOWS\system32> ipconfig /all
Windows-IP-Konfiguration
Hostname . . . . . . . . . . . . : W-05
Primäres DNS-Suffix . . . . . . . : remoteDomain.local
Knotentyp . . . . . . . . . . . . : Hybrid
IP-Routing aktiviert . . . . . . : Nein
WINS-Proxy aktiviert . . . . . . : Nein
DNS-Suffixsuchliste . . . . . . . : remoteDomain.local
myDomain.local
Ethernet-Adapter Ethernet:
Verbindungsspezifisches DNS-Suffix: remoteDomain.local
Beschreibung. . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physische Adresse . . . . . . . . : 44-37-E6-81-15-12
DHCP aktiviert. . . . . . . . . . : Ja
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse . : fe80::281e:339e:4aaf:5ce0%5(Bevorzugt)
IPv4-Adresse . . . . . . . . . . : 192.168.140.34(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.0
Lease erhalten. . . . . . . . . . : Mittwoch, 22. Mai 2019 14:53:12
Lease läuft ab. . . . . . . . . . : Donnerstag, 30. Mai 2019 16:34:15
Standardgateway . . . . . . . . . : 192.168.140.1
192.168.145.1
DHCP-Server . . . . . . . . . . . : 192.168.140.15
DHCPv6-IAID . . . . . . . . . . . : 71579622
DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-16-84-C3-42-44-37-E6-81-15-12
DNS-Server . . . . . . . . . . . : fe80::37af:966a:f63:f586%5
192.168.140.15
192.168.140.1
192.168.145.1
NetBIOS über TCP/IP . . . . . . . : Aktiviert
Suchliste für verbindungsspezifische DNS-Suffixe:
remoteDomain.local
PPP-Adapter myDomain:
Verbindungsspezifisches DNS-Suffix: myDomain.local
Beschreibung. . . . . . . . . . . : myDomain
Physische Adresse . . . . . . . . :
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
IPv4-Adresse . . . . . . . . . . : 192.168.124.30(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.255
Standardgateway . . . . . . . . . :
DNS-Server . . . . . . . . . . . : 192.168.124.16
NetBIOS über TCP/IP . . . . . . . : Aktiviert
Ethernet-Adapter vEthernet (Default Switch):
Verbindungsspezifisches DNS-Suffix:
Beschreibung. . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
Physische Adresse . . . . . . . . : E2-15-30-C9-DE-52
DHCP aktiviert. . . . . . . . . . : Nein
Autokonfiguration aktiviert . . . : Ja
Verbindungslokale IPv6-Adresse . : fe80::fc9b:4806:cc25:a986%19(Bevorzugt)
IPv4-Adresse . . . . . . . . . . : 172.17.76.33(Bevorzugt)
Subnetzmaske . . . . . . . . . . : 255.255.255.240
Standardgateway . . . . . . . . . :
DHCPv6-IAID . . . . . . . . . . . : 333583664
DHCPv6-Client-DUID. . . . . . . . : 00-01-00-01-16-84-C3-42-44-37-E6-81-15-12
DNS-Server . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS über TCP/IP . . . . . . . : Aktiviert
PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32>
PS C:\WINDOWS\system32> tracert 192.168.124.16
Routenverfolgung zu 192.168.124.16 über maximal 30 Hops
1 59 ms 58 ms 59 ms 192.168.124.31
2 62 ms 60 ms 61 ms 192.168.124.16
Ablaufverfolgung beendet.
PS C:\WINDOWS\system32>
May 24 2019 01:14 PM
Ok, gotcha. I'd still try from PowerShell
Test-NetConnection -ComputerName "xxx.xxx.xxx.xxx" -CommonTCPPort "RDP" -InformationLevel "Detailed"
From both source (the PC you're connecting from) and also on target (the PC you're connecting to). If it fails on source and succeeds on target, then there appears to be either a firewall issue or possibly a routing issue.
And as mentioned, the dual gateways could be problematic, so you might also try to VPN from a desktop without either Hyper-V or the dual gateways.
May 24 2019 01:57 PM - edited May 24 2019 02:26 PM
Solution
Agreed on routing issues. Dual gateways would likely be problematic. I'd hope by "DC-02" you didn't mean a domain controller. Multi-homing a domain controller will always cause no end of grief. If so, I'd recommend installing the RRAS / VPN roles on a member server.
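The checks suggested in this thread (Test-NetConnection from both the VPN client and the server, DNS against both server addresses, and the multi-homed domain controller question in the post above) can be run as one script. This is an added example, not code from any post in the thread; the IP addresses are the ones from the thread (the RAS address changes after a reboot, as noted above), the function names are made up, and the second function is meant to be run on the RRAS server itself.

```powershell
# Added diagnostic helper, not from the thread. Client side: probe RDP (3389) and DNS
# through both the server's LAN address and its RAS dial-in address, as done by hand above.
function Test-VpnPath {
    param(
        [string[]]$Targets = @('192.168.124.16', '192.168.124.30'),  # LAN IP, RAS IP (placeholders)
        [string]$DnsProbe = 'www.google.de'
    )
    foreach ($ip in $Targets) {
        $tcp = Test-NetConnection -ComputerName $ip -CommonTCPPort RDP `
                                  -InformationLevel Detailed -WarningAction SilentlyContinue
        $dns = Resolve-DnsName -Name $DnsProbe -Server $ip -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Target    = $ip
            Ping      = $tcp.PingSucceeded
            Rdp3389   = $tcp.TcpTestSucceeded        # False on the LAN IP reproduces the symptom
            DnsOk     = [bool]$dns
            ViaIface  = $tcp.InterfaceAlias
            SourceIp  = $tcp.SourceAddress
        }
    }
}

# Server side (run on the RRAS box): which addresses RDP listens on, whether IPv4
# forwarding is enabled on the connected interfaces, and whether the machine is a
# multi-homed domain controller, which is the condition the accepted answer warns about.
function Test-RrasServerSide {
    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty LocalAddress -Unique
    $ifs = Get-NetIPInterface -AddressFamily IPv4 |
           Where-Object { $_.ConnectionState -eq 'Connected' } |
           Select-Object InterfaceAlias, Forwarding
    $addrs = Get-NetIPAddress -AddressFamily IPv4 |
             Where-Object { $_.IPAddress -ne '127.0.0.1' }
    $role = (Get-CimInstance Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller
    [pscustomobject]@{
        RdpListeningOn     = $listen -join ', '   # '0.0.0.0' means every IPv4 address
        Forwarding         = $ifs
        Ipv4Addresses      = $addrs.IPAddress -join ', '
        MultiHomed         = @($addrs.InterfaceIndex | Sort-Object -Unique).Count -gt 1
        IsDomainController = $role -ge 4
        MultiHomedDC       = ($role -ge 4) -and (@($addrs.InterfaceIndex | Sort-Object -Unique).Count -gt 1)
    }
}

Test-VpnPath | Format-Table -AutoSize
```

Run Test-VpnPath on the VPN client and Test-RrasServerSide on the server; a MultiHomedDC of True is the configuration the accepted answer recommends replacing with RRAS on a member server.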
May 24 2019 05:48 PM
Sounds good, you're welcome.
May 28 2019 06:02 AM - edited May 28 2019 06:14 AM
I moved the Routing and RAS role from the DC to the member server. Now everything is ok.
Thanks a lot.
May 28 2019 06:19 AM
Great news, and you're welcome.