Routing and Remote Access Server & VPN

We have Server Windows 2008 R2, which is our domain, but also DHCP server controller. On this server we have Setup RRA for VPN and it works fine. We had to stop our DC due to a failure and after I got the domain controller to the top and it is a problem for users that connect to the VPN.

When users try to connect to the VPN, it connects successfully. But they did not access network as usual. I looked in the VPN properties, and it receives an IP address of 169.254.xxx.xx which is not the correct network IP address. So while the user who is remote think they are connected, they are currently not connected.

Does anyone have advice what is the cause of this and how to troubleshoot or resolve?

Hello

Given that you are working on Windows 2008 R2 please post your question here:

http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home

Tags: Windows

Similar Questions

  • Routing and remote access - on three subnetworked, two subnet unable to reach to the internet!

    Hello

    Good evening everyone.

    I had a problem in Routing and remote access on windows 2003 server.  This server is already configured as a file server, domain server, and application server. Also configured as a router (thanks to access routing & remote) to connect the three different networks with each other. If this server has three NICs installed and each separate NIC network cards represent.

    three different networks are - 192.42.160.0/24, 192.42.161.0/24, 192.42.162.0/24

    Three cards of the NETWORK adapter installed on the server as with the IP - next

    NIC - 1 = 192.42.160.220, Sub - 255.255.255.0, gateway - No.

    NIC - 2 = 192.42.161.220, Sub - 255.255.255.0, gateway - 192.161.220.112 (this ip address for internet access then 4 g router IP)

    -3 = 192.42.162.220, NETWORK cards, Sub - 255.255.255.0, gateway - No.

    Now the question is I can get Internet & (also scathing in router ip 192.42.161.112) one network i.e. - 192.42.161.0/24, BUT when I try to access the internet from another two network (192.42.160.0/24 & 192.42.162.0/24) I can not access and in addition can not ping to internet router ip - 192.42.161.112...

    So, how do I access the internet to another two network also?

    I was already the configuration of static routing for all three network but I wasn't always successful. I don't really know what exactly static routing this should be done in access routing & remote area so that all three network can reach to the internet?

    Here is the result of the current track...

    D:\Documents and Settings\Administrateur > route print

    IPv4 routing table
    ===========================================================================
    List of the interface
    0x1 ........................... MS TCP Loopback interface
    0x2... 00 30 05 8f ad 5 c... Broadcom NetXtreme Gigabit Ethernet - Mi Teefer2
    niport
    0 x 3... 0E 00 c4 f8 a7 0c... Network Intel(r) PRO/1000 GT Desktop Adapter - Teefer2 M
    iniport
    0 x 4... 0E 00 0c a7 c5 85... Intel (r) PRO/1000 GT Desktop Adapter #2 - Teefer
    2 miniport
    ===========================================================================
    ===========================================================================
    Active routes:
    Network Destination gateway metric Interface subnet mask
    0.0.0.0 0.0.0.0 192.42.161.112 192.42.161.220 1
    127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
    192.42.160.0 255.255.255.0 192.42.160.220 192.42.160.220 20
    192.42.160.220 255.255.255.255 127.0.0.1 127.0.0.1 20
    192.42.160.255 255.255.255.255 192.42.160.220 192.42.160.220 20
    192.42.161.0 255.255.255.0 192.42.161.220 192.42.161.220 20
    192.42.161.220 255.255.255.255 127.0.0.1 127.0.0.1 20
    192.42.161.255 255.255.255.255 192.42.161.220 192.42.161.220 20
    192.42.162.0 255.255.255.0 192.42.162.220 192.42.162.220 20
    192.42.162.220 255.255.255.255 127.0.0.1 127.0.0.1 20
    192.42.162.255 255.255.255.255 192.42.162.220 192.42.162.220 20
    224.0.0.0 240.0.0.0 192.42.160.220 192.42.160.220 20
    224.0.0.0 240.0.0.0 192.42.161.220 192.42.161.220 20
    224.0.0.0 240.0.0.0 192.42.162.220 192.42.162.220 20
    255.255.255.255 255.255.255.255 192.42.160.220 192.42.160.220 1
    255.255.255.255 255.255.255.255 192.42.161.220 192.42.161.220 1
    255.255.255.255 255.255.255.255 192.42.162.220 192.42.162.220 1
    Default gateway: 192.42.161.112
    ===========================================================================
    Persistent routes:
    None

    Sorry if I'm not able to explain properly. Please let me know if you have to explain more about it...

    Thank you all.

    Mahesh

    Hello Manu,

    Please post this question in the forums TechNet for Windows Server 2003. They will be able to guide you further.

    http://social.technet.Microsoft.com/forums/WindowsServer/en-us/home

  • The Routing and remote access could not start, error 214500037 (0x80004005)

    My windows server 2003 r2, failed to start the Routing and remote access services. And in the event an observer log, it has error code
    Event ID: 7024, with service specific error 2147500037 (0x80004005)
    I tried to reset tcp/ip and replace ias.mdb and dnary.mdb by a new, but it did not work.

    Thank you

    Hi budhihartono,

    Since you are facing problems with windows server 2003 r2, it would be better suited in the Technet Windows forum. Please post your question in the following TechNet Windows server forum to improve assistance:

    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer

  • Routing and remote access to the Server 2003

    I configured the remote access and routing service in my Server 2003 duly NAT enabled. All my clients are not in the field. All use internet and intranet connection using my proxy authentication provided by the administrator of the proxy server. I would like to restrict the clients except intranet connection. How to limit the customer?

    Post in the Windows Server Forums:
    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer/

  • VPN error 868 the name of the remote access server is not resolved

    I use Windows 7 Home Premium and you want to configure a VPN with my office network that uses the Check Point Safe@Office.  I am unable to log in and get the error that does not resolve the name of the remote access server and Windows cannot find the host using DNS name.  Any suggestions on what to try to fix the problem?  I set up the VPN connection according to the instructions of our network administrator.  We use XP in the office.

    Hello
    Welcome to the Microsoft answers site

    The question that you'd be better suited in the TechNet community. Please visit the link below to find a community that will provide the best support.
    http://social.technet.Microsoft.com/forums/en-us/ForefrontedgeVPN/threads

    It may be useful
    Thanks and greetings
    Support Microsoft-dieng
    Visit our Microsoft answers feedback Forum and let us know what you think
    http://social.answers.Microsoft.com/forums/en-us/answersfeedback/threads/

  • Remote access server problem ASA5510

    Hello guys,.

    I have a problem with ASA5510 configured as a remote access server. We use the client VPN in Windows XP. Look at the requirements I see no problem, but when I try to connect to the server it doesn't open the negotiation of VPN. I had the problem like this before, but at least I saw the traffic hitting the ASA. Now, I don't see anything hitting the device. I enclose the current configuration of the SAA. The VPN client on my laptop is configured correctly. Thank you in advance!

    RVR

    Hello

    Happy to help and thanks for the note.

    This command is not required, but 90% of deployment I've seen has this configured command and is the default value for the SAA. In a Word, what this command is open to IKE and IPSEC ports and also does not check ACL entering ASA for IPSEC traffic.

    In case if you do not have this command enabled, you must configure inbound ACL to allow IKE, IPSEC and text clear remote access VPN traffic after IPSEC packets get decrypted on the SAA.

    Kind regards

    Arul

    * Rate pls if it helps *.

  • Server ezvpn 887 router for remote access

    Hello.

    I'm having a problem with the implementation of remote access using easyvpn server on a router 887.  I followed the tutorials and also used Assistant cisco configuration professional easyvpn server to the configuration but still having a problem.

    I see, but Phase 1 finished, Phase 2 will fail with the following error...

    09:43:26.515 Oct 10: ISAKMP: (2003): check IPSec proposal 8

    09:43:26.515 Oct 10: ISAKMP: turn 1, ESP_AES

    09:43:26.515 Oct 10: ISAKMP: attributes of transformation:

    09:43:26.515 Oct 10: ISAKMP: authenticator is HMAC-SHA

    09:43:26.515 Oct 10: ISAKMP: key length is 128

    09:43:26.515 Oct 10: ISAKMP: program is 1 (Tunnel)

    09:43:26.515 Oct 10: ISAKMP: type of life in seconds

    09:43:26.515 Oct 10: ISAKMP: service life of SA (IPV) 0x0 0 x 20 0xC4 0x9B

    09:43:26.515 Oct 10: ISAKMP: (2003): atts are acceptable.

    09:43:26.515 Oct 10: IPSEC (validate_proposal_request): part #1 the proposal

    09:43:26.515 Oct 10: IPSEC (validate_proposal_request): part #1 of the proposal

    (Eng. msg key.) Local INCOMING = 88.xx.xxx.174:0, distance = 80.177.185.185:0,.

    local_proxy = 0.0.0.0/0.0.0.0/0/0 (type = 4),

    remote_proxy = 192.168.21.12/255.255.255.255/0/0 (type = 1),

    Protocol = ESP, transform = NONE (Tunnel),

    lifedur = 0 and 0kb in

    SPI = 0 x 0 (0), id_conn = 0, keysize = 128, flags = 0 x 0

    09:43:26.515 Oct 10: map_db_find_best found no corresponding card

    09:43:26.515 Oct 10: IPSEC (ipsec_process_proposal): proxy unsupported identities

    09:43:26.515 Oct 10: ISAKMP: (2003): IPSec policy invalidated proposal with error 32

    'Proxy unsupported identities' research indicates a NAT problem maybe, but I don't see where this would be.  In my view, the problem is elsewhere.

    I use the VPN Client 5.0.07.0440 and using transparent tunneling IPSec (on TCP/10000) that the client is located behind a firewall/NAT device.

    Does anyone know what may be the issue?  Attached full config.

    Hello Mick

    Before that, one more try. .

    Remote control the pfs as follows

    Profile of crypto ipsec RemoteAccess

    no set pfs group2

    Remove and add the virtual model crypto back

    type of interface virtual-Template1 tunnel

    No ipsec protection RemoteAccess tunnel profile

    Profile of tunnel RemoteAccess ipsec protection

    I hope this will solve your problem

    Henin,

  • VPN Site to Site and remote access

    I have ASA certified with 25 concurrent VPN connections. I want to know if I have 20 remote tunnels and 5 Site-to-Site created on the same time tunnels, and I want to establish the new Site to the other tunnel, is him Site to Site remove the remote tunnels or can not put in place. Site at tunnels have a higher priority than the remote access or they are the same. Site at tunnels are more important to me and I need them to repress the remote access tunnels.

    Hello

    Sorry for the confusion. No you can not set the parameter like this.

    Thank you

    Gilbert

  • PIX 515E and remote access VPN

    I use a PIX 515E with: ASDM Version: 5,0000 51 PIX Version: 8.0 (4) and configure it with remote access VPN.

    I would like to get an email every time that a user login (and or disconnection) to the VPN. Remote clients use the Cisco VPN Client.

    Any help is appreciated,

    Hello

    Here is a link to the email configuration when you log in to the ASA/PIX: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc7

    Then you can create a list of message to send the logs only for the connection/disconnection of the VPN user: http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/63884-config-asa-00.html#anc18

    There is a wire that is linked here: https://supportforums.cisco.com/discussion/10798976/asa-email-logging-issue

  • Remote access ASA, VPN and NAT

    Hello

    I try to get access to remote VPN work using a Cisco VPN client and ASA with no split tunneling. The VPN works a little, I can access devices inside when I connect, but I can't access the Internet. I don't see any errors in the log ASA except these:

    1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/137 dst outside:192.168.47.255/137
    1 Jul 04:59:15 % ASA-3-305006 gatekeeper: failed to create translation portmap for udp src outside:192.168.47.200/54918 dst outsidexx.xxx.xxx.xxx/53

    There is only one address public IP that is assigned to the external interface of DHCP. The Interior is 192.168.1.0/24 network which is PAT'ed to the external interface and the VPN network is 192.168.47.X.

    I think my problem is that the net.47 is not NAT'ed out properly and I don't know how to put in place exactly. I can't understand how this is supposed to work since the net VPN technically provenance from the outside already.

    Here are all the relevant config:

    list of vpn access extended permits all ip 192.168.47.0 255.255.255.0
    Within 1500 MTU
    Outside 1500 MTU
    IP local pool vpnpool 192.168.47.200 - 192.168.47.220 mask 255.255.255.0
    IP verify reverse path to the outside interface
    IP audit info alarm drop action
    IP audit attack alarm drop action
    ICMP unreachable rate-limit 1 burst-size 1
    ICMP allow all outside
    Global interface (2 inside)
    Global 1 interface (outside)
    NAT (inside) 0-list of access vpn
    NAT (inside) 1 0.0.0.0 0.0.0.0
    NAT (outside) 2 192.168.47.0 255.255.255.0 outside
    static (inside, outside) tcp 3074 XBOX360 3074 netmask 255.255.255.255 interface
    static (inside, outside) udp 3074 XBOX360 3074 netmask 255.255.255.255 interface
    public static (inside, outside) udp interface 88 88 XBOX360 netmask 255.255.255.255
    public static tcp (indoor, outdoor) https someids netmask 255.255.255.255 https interface

    I can post more of the configuration if necessary.

    Change ' nat (outside) 2 192.168.47.0 255.255.255.0 apart ' "NAT (2-list of vpn access outdoors outside)" gives these:

    1 Jul 06:18:35 % gatekeeper ASA-3-305005: no group of translation not found for udp src outside:192.168.47.200/56003 dst outside:66.174.95.44/53

    So, how I do right NAT VPN traffic so it can access the Internet?

    A few things that needs to be changed:

    (1) NAT exemption what ACL must be modified to be more specific while the traffic between the internal subnets and subnet pool vpn is not coordinated. NAT exemption takes precedence over all other statements of NAT, so your internet traffic from the vpn does not work.

    This ACL:

    list of vpn access extended permits all ip 192.168.47.0 255.255.255.0

    Should be changed to:

    extensive list of access vpn ip 192.168.47.0 255.255.255.0 allow

    (2) you don't need statement "overall (inside) 2. Here's what to be configured:

    no nat (outside) 2 192.168.47.0 255.255.255.0 outside

    no global interface (2 inside)

    NAT (outside) 1 192.168.47.0 255.255.255.0

    (3) and finally, you must activate the following allow traffic back on the external interface:

    permit same-security-traffic intra-interface

    And don't forget to clear xlate after the changes described above and connect to your VPN.

    Hope that helps.

  • Site to Site VPN and remote access on PIX 6.3 (3)

    Hello

    I have a vpn site-to site to remote access configured on the pix device. Everything works like a charm until I decide to perform authentication of the local client for remote vpn clients using the same card encryption from site to site. Thus, the tunnel from site to site is broken because that is trying to authenticate the local user.

    Is it possible to use the authentication of the remote local user for vpn clients on PIX without breaking other tunnels that use the same cryptomap?

    If the answer is to use separate crypro card so how can I assign the other encryption to use outside of the interface card, if only a single encryption card can be assigned to any given interface?

    When you configure the isakmp key, use the command

    ISAKMP KeyString keys by the peer-address [mask netmask] [No.-xauth] [No.-config-mode]

    No.-xauth will tell the isakmp won't the isakmp xauth for L2L and non-config-mode does not distribute the ip address of the peer L2L.

    Let us know if it works

    -Vikas

  • L2l VPN and remote access VPN

    Hello

    I have 2 Cisco Pix (Pix1, Pix2) 515E (8.0.4). Between these devices exist VPN L2L, which are configured on the external interfaces. On Pix2 I configured remote access VPN on the external interface, too.

    Is it possible to achieve LAN behind Pix1, by using remote access VPN on Pix2 then VPN L2L?

    I don't want to set up remote access on Pix1.

    Thank you very much.

    Kind regards

    Vladislav

    NAT (outside) 1 140.40.30.0 255.255.255.0 (PAT for RA vpn to access the internet if you complete tunnel)

    It is simply because I have configured tunnel RA as complete tunnel instead of split, nat (outside) 1 at the RA 140.40.30.0 pool have internet access through your firewall ASA_SITE_B and translate with global ID 1 who is your external interface of the firewall SA_SITE_B. This has nothing to do with what you are trying to accomplish, but I posted it because it was part of the very common scenario. There are some example PIX 6.3 cases where you will need split tunnel so that RA users have internet access not passing not through the encrypted tunnel code 6.0 does not feature of intra-interface support but 7.x above is of the code. Other examples are that some people configure split RA RA user tunnel will have access to their local resources in their homes as the printers network etc...

    It is therefore, I need to translate 172.27.1.0/24 RA pool?

    No there is no address translation in place in this scenario to work and you don't need to translate something too long, there is no of networks that overlap in one of the SITES u do not need to translate, this scenario is completely free sheep as you access lists free of nat in two firewalls for networks involved in communication in tunnels ASA_SITE_B.

    Because I want to see IP addresses from PIX_SITE_A to 172.27.1.0/24, not 140.40.30.0/24. Is it possible to do it this way?

    Im not clear on this issue, but if I think what it means, it's possible but you need to have political NATing but I think this will make complicated setup, I would say to make this as simple as possible.

    Concerning

    All helpful PLS rate valid if it helped

  • The managed behind router switch remote access?

    What is the best way to access remotely to a switch behind a router?  I will use a switch SF300, and there is no server.

    For points of access (PA) behind a router, I give each a diffferent LAN address and port number.  In router I have forward TCP traffic with the single port/LAN IP.  Then using the port numbers with the address of the static router, the browser can remote access to the router or the attached AP.  But where do I put the managed switch LAN port number?  Assume default is port 80 and I would change to 8001 to switch #1; 8002 to switch #2; etc.  Could not find this info in the manual of configurtion.

    Hello

    At this point, I would recommend a call to the Cisco Small Business Centre at 1-866-606-1866 support so that action can be taken and your configuration can be reviewed.

    I have reproduced the concern here and I am able to remotely manage my switch SF300 with an RV082 as the router.

    My rule in the RV082 are as follows:

    Creating a custom topic UPnP service.  Create SF300 application name (it is a basic text field and can be any name), 8001 an external port and internal port 80.  I send to the address IP internal SF300 switch and click the check box.  From there on, I select Add to the list.  Once it appears in my list, I then click Save settings at the bottom of the page.

    Thank you!

    Dave

  • Problems with remote access IPSec VPN

    Dear Experts,

    Kindly help me with this problem of access VPN remotely.

    I have configured remote access VPN IPSec using the wizard. The remote client connects to fine enough seat, gets the defined IP address, sends the packets and bytes, BUT do not receive all the bytes or decrypt packets. On the contrary, the meter to guard discarded rising.

    What could be possibly responsible or what another configuration to do on the SAA for the connection to be fully functional?

    It can help to say that Anyconnect VPN is configured on the same external Interface on the ASA, and it is still functional. What is the reason?

    AnyConnect VPN is used by staff for remote access.

    Kindly help.

    Thank you.

    Hello

    So if I understand correctly, you have such an interface for LAN and WAN and, naturally, the destination networks you want to reach via the VPN Client connection are all located behind the LAN interface.

    In this case the NAT0 configuration with your software most recent could look like this

    object-group, LAN-NETWORKS-VPN network

    network-object

    network-object

    network-object

    network of the VPN-POOL object

    subnet

    destination of LAN-NETWORKS-VPN VPN-NETWORKS-LAN static NAT (LAN, WAN) 1 static source VPN-VPN-POOL

    Naturally, the naming of interfaces and objects might be different. In this case its just meant to illustrate the purpose of the object or interface.

    Naturally I'm not sure if the NAT0 configuration is the problem if I can't really say anything for some that I can't see the configuration.

    As for the other question,

    I have not implemented an ASA to use 2 interfaces so WAN in production environments in the case usually has separate platforms for both or we may be hosting / providing service for them.

    I imagine that there are ways to do it, but the main problem is the routing. Essentially, we know that the VPN Client connections can come from virtually any public source IP address, and in this case we would need to default route pointing to the VPN interface since its not really convenient to set up separate routes for the IP address where the VPN Client connections would come from.

    So if we consider that it should be the default route on the WEBSITE of the ASA link, we run to the problem that we can not have 2 default routes on the same active device at the same time.

    Naturally, with the level of your software, you would be able to use the NAT to get the result you wanted.

    In short, the requirements would be the following

    • VPN interface has a default route, INTERNET interface has a default route to value at the address below
    • NAT0 between LAN and VPN interface configuration to make sure that this traffic is passed between these interface without NAT
    • Interfaces to special NAT configuration between LAN and INTERNET which would essentially transfer all traffic on the INTERNET interface (except for VPN traffic that we have handled in the previous step)

    The above things would essentially allow the VPN interface have the default route that would mean that no matter what the VPN Client source IP address it should be able to communicate with the ASA.

    The NAT0 configuration application would be to force ASA to pass this traffic between the LAN and VPN (pools) for VPN traffic.

    The special configuration of NAT then match the traffic from LAN to ANY destination address and send to the INTERNET interface. Once this decision is made the traffic would follow the lower value default route on this interface.

    I would say that this isn't really the ideal situation and the configuration to use in an environment of productin. It potentially creates a complex NAT configuration such that you use to manipulate the traffic instead of leave the mark of table routing choice in the first place.

    Of course, there could be other options, but I have to test this configuration before I can say anything more for some.

    -Jouni

  • EA2700 and remote access to the DVR

    Does anyone have a solution for the router settings allow access remotely
    Recorders digital windows and Linux?

    Justme2012 wrote:
    OK, so now I activated Remoting but the remote routers
    Management port is different from the default port on the DVR.

    The ports must be different. In this way it will not create a conflict. No two devices must use the same port numbers. Once again as what has been mentioned in this thread, you must use the port number provided by the manufacturer for the DVR and just leave the router uses it is default remote management port. This is to ensure that there will be no conflict. To check if the ports were opened successfully you can do an audit of port. You can use this site to check it out. http://ping.EU/port-chk/

Maybe you are looking for

  • Once BIOS updated by Satellite Pro U400-15N no longer works

    Hi all I got my BIOS update from toshiba Web site, when I used it to update my laptop, it crashed and now my computer doesn't work anymore, I tried authorized service provided, but they couldn't remedy! and said: I need to change my motherboard which

  • Satellite Pro L450D - 12 X - have lost all updates

    Suite asault malware (Win 7 Anti-Spyware), got rid of him, but lost all the updates of windows and security, Microsoft error reports whenever I try to install manually since having to return to the "system image". All the restore points are missing,

  • I forgot the password to logon.

    Original title: I can not connect because I forgot my password, and I filled the emotional.  I have not tried too many times. Is there some way that someone can help me reset my password? I need to get on my account as soon as possible.  I don't want

  • get a system for windos xp restore disk, to fix a computer that you were never created to

    I need to create a restoration/repair disc of the system on a differnet computer so I can fix that does not work, I need to do a restore/repair disc of the system to Windows XP Home Edition. Windows has been installed on the computer when it was purc

  • 80070057 error code when you try to install Service Pack 1

    I try to install Vista Service Pack 1 and when I try to install it either online or manually by downloading the entire 400 + M file, it will start and show 10 minutes later the installation failed with code 80070057 error and.  I can't find this code