Windows Server 2019 with RAS-VPN (PPTP/L2TP) blocks some IP addresses

M Copious 1 Reputation point
2020-11-19T17:38:10.06+00:00

Hello,

I have a server with Windows Server 2019 and the Remote Access role with the features 'DirectAccess and VPN' and 'Routing'. The server has two NICs, one connected to the internal network and the other connected, via a router, to the WAN. The VPN uses the protocols PPTP and L2TP and it is possible to connect to the VPN over the internet.

For some users it is not possible to make a connection with the VPN, and after a lot of testing it seems that the server doesn't respond to certain IP addresses, for all protocols: PPTP, ICMP, etc. The server has a firewall and Symantec Endpoint Protection, but neither has a rule to block some IP addresses. In the log of the firewall I can see the incoming connection, for example a request for an ICMP ping, but no response; the same for PPTP, etc.

As far as I can see and know, there are no limitations for connections based on IP and I don't know what to check next. Are there other places in Windows Server 2019 where IPs can be blocked?

Because we lost a server, the Remote Access role is installed on a server that also acts as a back-up domain controller.

Thank you in advance for your time.

6 answers
  1. Anonymous
    2020-11-19T19:21:52.307+00:00

    Remote Access role is installed on a server that also acts as a back-up domain controller

    Multi-homing / installing the RRAS role on a domain controller will always cause no end of grief for Active Directory domain DNS. I'd remove the second NIC and move the RRAS role to its own dedicated instance of Windows.

    --please don't forget to Accept as answer if the reply is helpful--


  2. Sunny Qi 11,036 Reputation points Microsoft Vendor
    2020-11-20T02:49:53.587+00:00

    Hi,

    Thanks for posting in Q&A platform.

    I would like to confirm with you: is there any error message when the VPN client cannot connect to the VPN server?

    Based on your description, my understanding is that your VPN client cannot ping the VPN server successfully, so it cannot obtain an available internal IP address from the VPN server. Please correct me if my understanding is wrong.

    If the VPN client cannot ping the VPN server successfully, I would suggest enabling the File and Printer Sharing (Echo Request - ICMPv4-In) rules in both the Inbound and Outbound rules of Windows Firewall.


    If the issue still exists, since there are Windows Firewall and Symantec in your environment, for testing I would suggest temporarily disabling Symantec to see if the VPN client can connect to the VPN server. If not, please temporarily disable both Windows Firewall and Symantec for testing.

    Best Regards,
    Sunny

    ----------

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

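The question asks where else on Windows Server 2019 an IP address can be blocked, and the answer above suggests enabling the ICMPv4 Echo Request rule. The PowerShell below is an added example, not code posted by anyone in this thread: it inventories the built-in places where a client's packets can be dropped on the RRAS host (explicit Block rules with their remote-address scope, IPsec connection security rules, and the firewall log mentioned in the question), then enables and verifies the echo rule. `$ClientIp` is a constructed sample address standing in for one of the clients that cannot connect; the firewall log field layout is the default `pfirewall.log` format.

```powershell
# Added example (not from the thread): list the places on a Windows Server 2019 RRAS host
# where traffic from one client address can be dropped, read the firewall log the question
# mentions, then enable the ICMPv4 Echo Request rule from the answer above and verify it.
# $ClientIp is a constructed sample address standing in for a client that cannot connect.
$ClientIp = '203.0.113.10'

# 1. Enabled inbound Windows Firewall rules whose action is Block, with their remote-address
#    scope. A rule scoped to "Any" or to a range containing $ClientIp is a candidate.
Get-NetFirewallRule -Enabled True -Action Block -Direction Inbound |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize

# 2. Connection security (IPsec) rules. A rule that requires inbound authentication makes the
#    server silently discard packets from peers that cannot negotiate, which looks exactly like
#    "request seen, no response" in the firewall log.
Get-NetIPsecRule | Select-Object DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity

# 3. Where each profile writes its log, and whether dropped packets are logged at all.
Get-NetFirewallProfile | Select-Object Name, Enabled, LogFileName, LogBlocked, LogAllowed

# 4. Pull every logged packet involving the client. Default log fields are:
#    date time action protocol src-ip dst-ip src-port dst-port size ... path
$log = [Environment]::ExpandEnvironmentVariables(
           (Get-NetFirewallProfile -Name Public).LogFileName)
if (Test-Path $log) {
    Get-Content $log |
        Where-Object { $_ -notmatch '^#' -and $_ -match [regex]::Escape($ClientIp) } |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{
                Time = "$($f[0]) $($f[1])"; Action = $f[2]; Proto = $f[3]
                Src  = $f[4]; Dst = $f[5]; DstPort = $f[7]; Path = $f[-1]
            }
        } | Format-Table -AutoSize
}

# 5. Enable the built-in ICMPv4 echo rule (one copy exists per firewall profile) and confirm.
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' |
    Enable-NetFirewallRule
Get-NetFirewallRule -DisplayName 'File and Printer Sharing (Echo Request - ICMPv4-In)' |
    Select-Object DisplayName, Profile, Enabled, Action
```

Run it in an elevated PowerShell session on the RRAS server. Step 4 reads the Public profile's log path; if the server's NICs sit in different profiles, repeat it for `Domain` and `Private`, since each profile can log to its own file. A client that appears in the log as `DROP` with no matching rule in steps 1 and 2 points at a third-party filter driver such as the endpoint protection product rather than at Windows Firewall.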

  3. M Copious 1 Reputation point
    2020-11-24T19:47:09.737+00:00

    I wanted to answer sooner, but I've been busy with the troubleshooting of the VPN. Thank you for your suggestions.

    There is a generic error when a client cannot connect, errors like 'the connection was interrupted' or 'check your network settings'. I've tried turning off the firewall and Symantec, but this didn't solve the problem.

    I've examined the IPs and can't find a pattern.

    The firewall allows the ICMPv4 echo request; it's just certain IPs that can't ping. This doesn't mean that they can't connect, but IPs that can't connect can't ping the server. Today I had a strange result when pinging the server: for the address we use 'exchange.domain.nl', which points to 'office.domain.nl', but the ping command displayed this as 'OFfiCe.domain.nl'. From the IPs that work it is 'office.domain.nl' without the capitals. Maybe it's nothing, but it seems strange.

    Today I installed a new server with the DC role and just the RAS role. During the day I could connect from various sources: a hotspot via mobile and via a mobile data stick that gets a new IP every time it's used, so that looks hopeful, but I'm still a little cautious. Tonight they are going to test the VPN.

    I will keep you informed, but I'm still open to ideas and suggestions!


  4. Anonymous
    2020-11-24T21:05:53.623+00:00

    I installed a new server with the DC role and just the RAS role

    The multi-homing will continue to cause some unexpected results.

    --please don't forget to Accept as answer if the reply is helpful--
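Answers 1 and 4 both warn that a multi-homed domain controller causes trouble for Active Directory DNS: the WAN-facing NIC registers its address for the domain, so clients can be handed an address the DC does not actually serve them on. The PowerShell below is an added example, not code from either poster, that checks for that condition and applies the usual mitigation (stop the WAN NIC registering, re-register, confirm the DC is healthy). The interface alias `Ethernet-WAN` is a constructed placeholder; `$env:USERDNSDOMAIN` is used for the zone name, which assumes the session is running on the DC under a domain account.

```powershell
# Added example (not from the thread): check a multi-homed DC for the DNS side effect the
# answers describe and keep the WAN-facing NIC out of DNS registration.
# 'Ethernet-WAN' is a constructed interface alias; replace it with the real one (Get-NetAdapter).
$WanNic = 'Ethernet-WAN'
$Zone   = $env:USERDNSDOMAIN   # assumes this runs on the DC under a domain account

# 1. Which adapters currently register their addresses in DNS? Both will, by default.
Get-DnsClient | Select-Object InterfaceAlias, RegisterThisConnectionsAddress, UseSuffixWhenRegistering

# 2. A records at the zone apex. Every DC registers its address here; a WAN or router-side
#    address in this list is what sends domain clients to the wrong interface.
Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A |
    ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }

# 3. Which addresses the DNS server service itself listens on (should be internal only).
(Get-DnsServerSetting -All).ListeningIPAddress

# 4. Mitigation: stop the WAN-facing NIC from registering, then refresh the DC's own records.
Set-DnsClient -InterfaceAlias $WanNic -RegisterThisConnectionsAddress $false
Register-DnsClient

# 5. Re-read the apex records; the WAN address should age out or can be deleted by hand.
Get-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A |
    ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }

# 6. Answer 5's "domain health" check: DNS tests and replication summary for the forest.
dcdiag /test:dns /v
repadmin /replsummary
```

The stale apex A record left by the WAN NIC does not disappear on its own if scavenging is off; remove it with `Remove-DnsServerResourceRecord` after confirming in step 2 which address belongs to the WAN side. Step 6 also surfaces metadata left behind by the server that was lost, which is what the question about the domain controller being "cleaned up" refers to.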


  5. Anonymous
    2020-11-24T21:28:06.297+00:00

    Has the domain controller been cleaned up? Also check that domain health is 100%.

    --please don't forget to Accept as answer if the reply is helpful--

