
I have the following setting going on.

Server: Configured Windows 2008 Server as AD, DHCP, DNS, CA and RRAS. To make a long story short, RRAS can accept SSTP connections and clients get connected fine. Clients get an IP address.

Client: Windows 7 OS

Configuration:

I have a linux firewall at the perimeter. The port has been opened to forward 443 to an internal IP address and port on the RRAS server.

The private network is on a 10.100.0.0/16 subnet.

RRAS server has 2 NICs. NIC1=10.100.85.15 and NIC2=10.100.85.16. NIC2 is accepting SSTP connections from the public internet. The adapter settings on NIC2 only have the static IP and subnet. No gateway and DNS servers are configured on NIC2 (this I did based on something I read somewhere regarding setting up PPTP on Windows 2003). NIC1 has the top priority out of the 2 NICs.

RRAS has been setup for VPN only (no NAT). The IP address allocation is static and it is from the pool of 10.100.77.250 to 10.100.77.254 (the same subnet as the private network).

I have allowed ICMP any on either direction in the inbound and outbound filters.

Windows Firewall has been configured to allow pretty much everything - and then at this configuration I have turned off the Windows Firewall Service.

I have not added any static routes to RRAS.

As mentioned earlier, the VPN client is able to connect to RRAS over SSTP and get an IP address. The client is able to ping the RRAS gateway (10.100.77.250), NIC1 and NIC2.

Issue:

The client cannot ping any machine other than the RRAS server.

More Debug Information:

I installed Microsoft Network Monitor on RRAS server to monitor the ICMP packets. I do see the ICMP request going from client (say 10.100.77.251) to RRAS to destination server (say 10.100.20.10), and 10.100.20.10 responds with ICMP reply back to 10.100.77.251 with ethernet address of NIC1. At this point, here is the routing table from the RRAS server.

===========================================================================
Interface List
 12 ...7a dd d0 eb af 8c ...... Citrix PV Ethernet Adapter #0
 13 ...7e ab 6f 21 e8 30 ...... Citrix PV Ethernet Adapter #1
 26 ........................... RAS (Dial In) Interface
  1 ........................... Software Loopback Interface 1
 14 ...00 00 00 00 00 00 00 e0  isatap.{BCF77165-229C-410C-AE43-D71B6D902F6A}
 27 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter
 15 ...00 00 00 00 00 00 00 e0  isatap.{4705FD1E-0998-43A4-9EBE-46776B90B205}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.100.0.1     10.100.85.15    356
       10.100.0.0      255.255.0.0         On-link      10.100.85.15    356
       10.100.0.0      255.255.0.0         On-link      10.100.85.16    358
    10.100.77.253  255.255.255.255    10.100.77.253    10.100.77.254     31
    10.100.77.254  255.255.255.255         On-link     10.100.77.254    286
     10.100.85.15  255.255.255.255         On-link      10.100.85.15    356
     10.100.85.16  255.255.255.255         On-link      10.100.85.16    358
   10.100.255.255  255.255.255.255         On-link      10.100.85.15    356
   10.100.255.255  255.255.255.255         On-link      10.100.85.16    358
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      10.100.85.16    358
        224.0.0.0        240.0.0.0         On-link      10.100.85.15    356
        224.0.0.0        240.0.0.0         On-link     10.100.77.254    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      10.100.85.16    358
  255.255.255.255  255.255.255.255         On-link      10.100.85.15    356
  255.255.255.255  255.255.255.255         On-link     10.100.77.254    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       10.100.0.1  Default 
          0.0.0.0          0.0.0.0       10.100.0.1  Default 
          0.0.0.0          0.0.0.0       10.100.0.1  Default 
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 13    266 fe80::/64                On-link
 12    266 fe80::/64                On-link
 12    266 fe80::a8b1:77f:5eb0:d5a8/128
                                    On-link
 13    266 fe80::f8a0:2a9d:bee9:e688/128
                                    On-link
  1    306 ff00::/8                 On-link
 13    266 ff00::/8                 On-link
 12    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

I know there is some routing issue...and I have tried all combinations to insert a route add in the RRAS but nothing works. Any help is greatly appreciated.

Update: Converted the AD machine to a single NIC configuration. Here is the routing table on client and RRAS when the Client is connected.

===========================================================================
Interface List
 12 ...7a dd d0 eb af 8c ...... Citrix PV Ethernet Adapter #0
 22 ........................... RAS (Dial In) Interface
  1 ........................... Software Loopback Interface 1
 23 ...00 00 00 00 00 00 00 e0  Microsoft ISATAP Adapter
 14 ...00 00 00 00 00 00 00 e0  isatap.{4705FD1E-0998-43A4-9EBE-46776B90B205}
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.100.0.1     10.100.85.15    356
       10.100.0.0      255.255.0.0         On-link      10.100.85.15    356
    10.100.77.252  255.255.255.255    10.100.77.252    10.100.77.254     31
    10.100.77.254  255.255.255.255         On-link     10.100.77.254    286
     10.100.85.15  255.255.255.255         On-link      10.100.85.15    356
   10.100.255.255  255.255.255.255         On-link      10.100.85.15    356
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      10.100.85.15    356
        224.0.0.0        240.0.0.0         On-link     10.100.77.254    286
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link      10.100.85.15    356
  255.255.255.255  255.255.255.255         On-link     10.100.77.254    286
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       10.100.0.1  Default 
          0.0.0.0          0.0.0.0       10.100.0.1  Default 
          0.0.0.0          0.0.0.0       10.100.0.1  Default 
===========================================================================

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 12    266 fe80::/64                On-link
 12    266 fe80::a8b1:77f:5eb0:d5a8/128
                                    On-link
  1    306 ff00::/8                 On-link
 12    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Client

===========================================================================
Interface List
 23...........................VPN
 10...08 00 27 e9 14 91 ......Intel(R) PRO/1000 MT Desktop Adapter
  1...........................Software Loopback Interface 1
 11...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 13...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2
===========================================================================

IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.123.2   192.168.123.15     10
         10.0.0.0        255.0.0.0    10.100.77.254    10.100.77.252     11
    10.100.77.252  255.255.255.255         On-link     10.100.77.252    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
    192.168.123.0    255.255.255.0         On-link    192.168.123.15    266
   192.168.123.15  255.255.255.255         On-link    192.168.123.15    266
  192.168.123.255  255.255.255.255         On-link    192.168.123.15    266
  216.218.195.214  255.255.255.255    192.168.123.2   192.168.123.15     11
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link    192.168.123.15    266
        224.0.0.0        240.0.0.0         On-link     10.100.77.252    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
  255.255.255.255  255.255.255.255         On-link    192.168.123.15    266
  255.255.255.255  255.255.255.255         On-link     10.100.77.252    266
===========================================================================
Persistent Routes:
  None

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
  1    306 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

2 Answers

Two things I noticed. 1) AD should never have more than one NIC. A multi-homed DC is not supported by MS. But I don't think that's causing your problem. 2) You turned off the Windows Firewall Service. Probably not a good idea. Try turning the service back on and running the following command to disable the profiles.

Netsh advfirewall set allprofiles state off

I'm still not sure if this will solve your problem, but those two things jumped out at me.

John Homer

There are lots of things going on here.

First of all, when Windows' RRAS is configured to allocate IP addresses to VPN clients using a static address pool, it will default to a /24 subnet mask, i.e. 255.255.255.0; also, it will not supply additional routes to the VPN clients.

With this setup, your Windows 7 client is getting a 10.100.77.X/24 address, which doesn't tell anything at all to it about how to reach the larger 10.100.0.0/16 network, i.e. any address where the third byte is not 77. If you are not using the VPN connection as your default gateway (which is often the case if you don't want to route all of your traffic through the VPN), then your client will simply not know how to reach anything outside the 10.100.77.0/24 subnet.

Please supply the output of a route print command on your Windows 7 PC after the VPN connection is established, so that we can check if this is the case. Of course, if you are instead using the VPN as your default gateway (which is the default on Windows VPN connections), this will not be an issue; but your network configuration would be nevertheless broken.


Also, there's a similar problem on the opposite side: if the RRAS server is not the default gateway for the computers on the remote network (which I don't think it is, as it only has internal interfaces), they will not know that they need to forward packets addressed to the 10.100.77.0/24 network to the RRAS server; this is mitigated by the fact that RRAS supports ARP proxying, so it will automatically reply "I know where this address is, give your packets to me!"; but this part of the configuration would be also broken.


As a side note, and as others have said, the two NICs are just making things worse; if you actually needed your server to have two IP addresses, you could just configure them both on the same NIC and remove a big source of problems; but you don't need them at all for RRAS to work as a VPN server. Getting rid of that second NIC and IP address is the best thing you can do... and this is even more true because that server is a domain controller.


Last thing, but not least important at all: you said you "turned off the Windows Firewall Service". Did you disable the firewall, or did you actually stop the Windows Firewall service? If you did, then restart it NOW. This was a good way to disable Windows Firewall on Windows XP and 2003, but from Vista onwards, if you stop that service the whole Windows networking stack will come crumbling down. You should restart the service, and then properly disable Windows Firewall using its configuration tools.


Addendum: you said "I have allowed ICMP any on either direction in the inbound and outbound filters". Which filters? The ones in RRAS, in the properties of network interfaces? Disable them. They are disabled by default and let everything through, but if you add any rule to them, they will block everything except what you are explicitly allowing (or the reverse, according to how you configure them). They are very rarely needed, and can be a pain to configure properly. First get everything working, then (if you really want) you can start fiddling with them.

Massimo
  • I went ahead and removed one NIC. Reinstalled RRAS. The issue still exists. Client is able to connect and get IP address but unable to ping any servers in the private network. Packet trace shows that the private computer responds to ICMP with a reply straight to the MAC of 10.100.85.15 (the VPN server). On the client I see the following for IP config (is subnet mask 255.255.255.255 correct?): IPv4 Address : 10.100.77.253(Preferred) Subnet Mask : 255.255.255.255 Default Gateway : DNS Servers : 10.100.85.15 10.100.0.1 – Bits Nibble Bytes Feb 22 '12 at 14:15
  • AD with multi nic works, you just have to configure it properly - and of course, remember that you have configured such. I have a W2k3 configured in such a manner - it has AD, DNS, DHCP and RRAS (for PPTP). I followed the fundamentals (which I believe can also be extended to W2k8) found here [link](http://support.microsoft.com/kb/272294) – Bits Nibble Bytes Feb 22 '12 at 14:17
  • I know AD can work with multiple NICs, but it can be a pain... and I just don't understand why you would need a second NIC at all only to have an additional address on the same network of the first one. – Massimo Feb 22 '12 at 17:45
  • Please post the output of a "route print" command on the client computer (after the VPN is established). Add it to the main question instead of commenting here. – Massimo Feb 22 '12 at 17:47
  • Also, what about Windows Firewall and IP filters on the RRAS server? – Massimo Feb 22 '12 at 17:47
  • Windows Firewall service is turned on, Advanced Windows FW has allowed SSTP and almost every traffic. No IP filters on RRAS. It allows all inbound and outbound traffic. As I mentioned in my reply earlier, the destination private server is responding with an ICMP reply packet to the RRAS server. For some reason, the routing within the RRAS server between the NIC and RRAS Internal adapter is not happening. – Bits Nibble Bytes Feb 23 '12 at 05:18
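Massimo's answer hinges on what the client's and the server's `route print` tables actually select for a given destination. The script below is an added example (not code from the question or the answers) that parses the Active Routes lines as Windows prints them and applies longest-prefix match, so you can check the forward hop on the client and the return hop on RRAS. The embedded tables are abbreviated excerpts of the IPv4 tables posted in the question, plus a constructed /24-only table to show the case Massimo describes.

```python
import ipaddress

# Constructed samples: abbreviated IPv4 Active Routes from the question,
# kept in the exact column format "route print" uses.
CLIENT_ROUTES = """\
          0.0.0.0          0.0.0.0    192.168.123.2   192.168.123.15     10
         10.0.0.0        255.0.0.0    10.100.77.254    10.100.77.252     11
    10.100.77.252  255.255.255.255         On-link     10.100.77.252    266
    192.168.123.0    255.255.255.0         On-link    192.168.123.15    266
"""
RRAS_ROUTES = """\
          0.0.0.0          0.0.0.0       10.100.0.1     10.100.85.15    356
       10.100.0.0      255.255.0.0         On-link      10.100.85.15    356
    10.100.77.252  255.255.255.255    10.100.77.252    10.100.77.254     31
    10.100.77.254  255.255.255.255         On-link     10.100.77.254    286
"""
# Constructed: a client that only learned a /24 for the VPN (Massimo's scenario).
CLIENT_ROUTES_SLASH24 = """\
          0.0.0.0          0.0.0.0    192.168.123.2   192.168.123.15     10
      10.100.77.0    255.255.255.0         On-link     10.100.77.252    266
"""

def parse_routes(text):
    """Turn Active Routes lines into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip headers / separators
            continue
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface, int(metric)))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; lowest metric wins on equal prefix length."""
    addr = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[3])) if hits else None

def vpn_covers(routes, vpn_iface, lan):
    """True if a route leaving the VPN interface contains the whole remote LAN."""
    lan = ipaddress.IPv4Network(lan)
    return any(r[2] == vpn_iface and lan.subnet_of(r[0]) for r in routes)

def trace(dst_ip, client_ip="10.100.77.252"):
    """Forward hop chosen by the client and return hop chosen by RRAS."""
    fwd = lookup(parse_routes(CLIENT_ROUTES), dst_ip)
    back = lookup(parse_routes(RRAS_ROUTES), client_ip)
    return {"client_out": (str(fwd[0]), fwd[1], fwd[2]),
            "rras_back": (str(back[0]), back[1], back[2])}
```

With the posted tables, `trace("10.100.20.10")` shows the client sending via the 10.0.0.0/8 route into the VPN and RRAS returning via the /32 host route on the RAS interface, so both tables are consistent and the fault lies elsewhere (e.g. filters or forwarding between NIC1 and the internal adapter); the constructed /24-only table is the case where `vpn_covers` fails.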