I have 3 locations with 3 NS5GTs, one at each location. Tunnels are set up to all 3 locations.
At location 1 I have set up a Windows 2003 server with RRAS.
At location 1 I have set up the ns5gt with a MIP and associated policy to map an outside IP to the RRAS server IP.
I can connect fine from outside the network.
I can ping and rdp to servers in location 2.
PROBLEM: I can't ping or rdp to servers in location 3.
I inherited this environment and I am not a networking expert. I don't know if the problem lies with the NetScreens or with DNS or with RRAS. Any thoughts? Any thoughts on where I should look in the NetScreen admin console?
Thank you in advance.
A few things to narrow down the issue.
From the RRAS console and location 1 setups
From your connected client
The answer to your questions:
Since you cannot reach location 3 from the RRAS this is why the remote client cannot either. This could be a problem with RRAS or routing to location 3 from your firewall.

Connection test location 1 to location 3
Can you ping location 3 servers from any computer at location 1? If this works then your firewall configuration is complete and the issue will be with routing on the RRAS. But I think you don't have a tunnel or routing setup to location 3. If this does not work we need to configure your firewall to access location 3.

Firewall Setup
I run newer versions of the firewall with ScreenOS 6. So if you are running version 5 some of these functions may be in different places. See what VPN tunnels are configured. Look to see what is listed under these two VPN categories. If you have direct tunnels to both sites the gateway and IKE will be listed for both. I suspect this is your issue. You will just need to create a direct tunnel from location 1 to location 3.

VPN -- Autokey Advanced -- Gateway
VPNs -- Autokey IKE

If the location 3 gateway and IKE are not listed you'll need to create a tunnel between the two sites. Here are the references you'll need.
Configuration/Troubleshooting Guide
You will most likely have a lan-to-lan route based VPN.
The NS5GT instructions are KB4177
Thanks Steve for your help thus far.
PINGing servers in location 3 from other servers/workstations in location 1 is successful.
There is another RRAS server setup in location 1 that can get to servers in both locations 2 and 3. I am retiring it because the previous admin put RRAS on the DC server which Microsoft doesn't recommend. So I believe that a direct tunnel from 1 to 3 is already in place.
Looking at the tunnels in the admin console as you suggested, I do see tunnels from location 1 to location 3.
Well, that's just my luck. Two possibilities and I pick one, of course the answer is the other one. This is why I don't play the lottery.
With RRAS your two most common issues would probably be having the full router enabled instead of just RRAS and not having IP routing enabled for the IP pool.
On the MS Server open the RRAS mmc under administrative tools.
You could configure and use the full router mode, but when the server is running behind another firewall/router there is no real advantage to doing so.
Again, thanks Steve.
Getting real close. I can now ping by IP and rdp by IP to a server. However I can't ping by hostname or rdp by servername.
I should state more clearly that from my desktop I can't ping by hostname or rdp to a server name.
From my desktop I can ping by IP and rdp to a server IP address.
From the RRAS server I can do both.
That would be the enable name resolution feature. I thought this was on by default. But it has been a long time since I installed this service from scratch.
Checked configuration as suggested. All is how you describe it to be. Still no luck. So close...urgh...
Steve, it is all squared away now...I believe. Thanks for all your help. I appreciate it.
You're welcome. It always feels good when they finally work.
I am back again...
Same setup but different server. My issue this time is an Error 800 when trying to connect. I am trying to determine if the issue is on the Juniper firewall or RRAS. I've checked and rechecked all the settings and they all look correct...which means by now I have certainly missed something.
MS PPTP error 800 generally means one of two things:
1. Can't reach the server address from the client (confirm with ping). This I assume you already checked.
2. The RRAS server doesn't have any IP addresses left to allocate in the pool.
On the RRAS server you either set up a pool of addresses that get drawn from for the client connections,
or you set up DHCP relay that picks up addresses from the local LAN DHCP server.
I've seen this error where the dhcp relay wasn't completely setup yet. And where the ip pool was either not setup yet or too small for the user base.
See the MS Troubleshooting remote access VPNs for the listing of the common errors in RRAS.
Steve, thanks for answering.
How exactly do I determine that the ports are open on the firewall, 1723, and configured correctly?
I've fiddled with DHCP, dynamically assigned addresses, selected IP range, etc
A quick check to see if the port is open is to use telnet on the remote client.
telnet vpn.mydomain.com 1723
If this connects and shows a blank screen then the port forwarding is working. If it gets refused then the firewall is not set up correctly.
On the firewall by default the PPTP ALG is turned on, so all you need is to forward 1723 to the server, and ping if you want to be able to test.
For the RRAS IP settings, I use a configured pool.
You should also confirm that you have enough PPTP ports on the RRAS.
I was able to telnet successfully. I've also looked at the settings you have suggested. I have an IP pool and 128 PPTP ports. I am at a loss. The settings are identical to another VPN endpoint in another location, including the one you helped me with earlier.
At the location I can connect to the VPN endpoint, meaning physically on the subnet in that physical location. It is from the outside that I continue to get error 800.
If you can access on the LAN but not outside then I think you are right, there is a firewall configuration issue.
Check the following:
I am going back to the firewall and am going to recreate the MIP and associated policy. However the MIP shows a status of In Use and I have no visible way to edit or remove it. So 2 questions: what does In Use mean and how can I edit or remove it?
The policy is what has the mip in use. To rebuild you'll need to remove the policy first.
Finally getting back to this. After some further research I see that the NetScreen log shows entries for Close reason : Close - TCP Fin. On the client I get errors 800 and 721. Research indicates that this is the result of the firewall not allowing GRE protocol traffic on 47 and TCP traffic on 1723.
For the record I spoke with a Juniper tech support rep earlier who helped me with this. It was not until after I hung up that I did some more research and suspect the firewall is the problem and the RRAS server. The ticket # is 201011010644.
Do I open those ports from the policy that relates to the MIP or do I do it globally? How do I verify the correct ports are open?
I went into the Policy and ensured GRE, PPTP, and TCP all were allowed. I tried to connect again and instead got a new close reason of Close - TCP RST from 2 different services, SQL*NET V2 and PPTP. Research on Juniper forums indicates that
disabling the SQL ALG may solve the issue:
FW> get alg ( to see the list of ALGs )
FW> unset alg SQL enable
FW> save
This is from post http://communities.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Close-Reason-Close-TCP-RST/td-p/43003
It does sound like you are hitting the alg by accident. The log message is saying that the traffic is being identified by the firewall as meeting that profile. If it is really not sql alg traffic this will cause problems so you can disable the alg to let the traffic pass unprocessed.
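Added example, not code from the thread: a small Python script that parses ScreenOS-style traffic-log lines and flags sessions to TCP 1723 that the firewall logged under a service other than PPTP, which is the ALG misidentification Steve describes. The log lines and their key=value layout are constructed for the example and are an assumption about the syslog format.

```python
import re
from collections import Counter

# Constructed ScreenOS-style traffic-log lines (not taken from the thread);
# the key=value layout is an assumption about the syslog format.
SAMPLE_LOG = """\
2010-11-01 10:01:02 system-notification-00257(traffic): policy_id=5 service=PPTP proto=6 src zone=Untrust dst zone=Trust action=Permit sent=1200 rcvd=800 src=203.0.113.10 dst=192.0.2.20 src_port=50321 dst_port=1723 reason=Close - TCP RST
2010-11-01 10:01:03 system-notification-00257(traffic): policy_id=5 service=SQL*NET V2 proto=6 src zone=Untrust dst zone=Trust action=Permit sent=64 rcvd=0 src=203.0.113.10 dst=192.0.2.20 src_port=50322 dst_port=1723 reason=Close - TCP RST
2010-11-01 10:01:09 system-notification-00257(traffic): policy_id=5 service=GRE proto=47 src zone=Untrust dst zone=Trust action=Permit sent=0 rcvd=0 src=203.0.113.10 dst=192.0.2.20 src_port=0 dst_port=0 reason=Close - AGE OUT
2010-11-01 10:02:00 system-notification-00257(traffic): policy_id=5 service=PPTP proto=6 src zone=Untrust dst zone=Trust action=Permit sent=9000 rcvd=7000 src=198.51.100.7 dst=192.0.2.20 src_port=40001 dst_port=1723 reason=Close - TCP FIN
"""

PPTP_PORT = 1723
EXPECTED_ON_1723 = {"PPTP"}  # the only service name the control channel should be logged as

# Keys are lowercase words (plus the two-word "src zone"/"dst zone"); values may contain
# spaces ("SQL*NET V2", "Close - TCP RST"), so a value runs until the next key.
KEY_RE = re.compile(r'(?:(?<=\s)|^)((?:src|dst) zone|[a-z_]+)=')


def parse_fields(line):
    """Split the text after the message header into a dict of key -> value."""
    body = line.split("): ", 1)[1]
    matches = list(KEY_RE.finditer(body))
    fields = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(body)
        fields[m.group(1)] = body[m.end():end].strip()
    return fields


def close_reasons_by_service(log_text):
    """Count (service, reason) pairs to see what the firewall is doing to each kind of session."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_fields(line)
        counts[(f["service"], f["reason"])] += 1
    return counts


def suspect_alg_misclassification(log_text):
    """Return (src, service, reason) for sessions to dst_port 1723 logged under a non-PPTP
    service: the symptom of PPTP control traffic being picked up by another ALG."""
    hits = []
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("dst_port") == str(PPTP_PORT) and f["service"] not in EXPECTED_ON_1723:
            hits.append((f["src"], f["service"], f["reason"]))
    return hits


if __name__ == "__main__":
    for key, n in sorted(close_reasons_by_service(SAMPLE_LOG).items()):
        print(f"{n:3d}  service={key[0]!r:14} reason={key[1]!r}")
    for hit in suspect_alg_misclassification(SAMPLE_LOG):
        print("suspect ALG match on port 1723:", hit)
```

A hit from the second function is the cue to disable the offending ALG or set the policy's Application field to IGNORE, as the thread concludes.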
The actual problem was in the policy set up for the MIP that would allow VPN traffic for GRE and PPTP traffic. In the setting for the policy the Application field needed to be set to IGNORE.