RE: VPN, RRAS & DHCP

Hi John,

Thanks for updaing.

After researching your logs, I found the Event ID 20169

Event Type: Warning
Event Source: RemoteAccess
Event Category: None
Event ID: 20169
Date: 3/13/2007
Time: 9:41:30 PM
User: N/A
Computer: KENEX-DC1
Description:
The description for Event ID ( 20169 ) in Source ( RemoteAccess ) cannot be
found. The local computer may not have the necessary registry information
or message DLL files to display messages from a remote computer. You may be
able to use the /AUXSOURCE= flag to retrieve this description; see Help and
Support for details. The following information is part of the event:
169.254.23.90.

At this point, please take the following steps:

Step 1£ºChecked the Network configuration in ISA and the adapter had the
169.254.x.x
network listed under the Internal Network adapter.

Step 2: Please try to set RemoteAccess service to depend on the DHCP server
service.

Note: Please backup your registry before the action.

1. Click Start and then click Run.
2. Type "regedt32" without the quotations and click OK.
3. In the HKEY_LOCAL_MACHINE window, expand System -> CurrentControlSet ->
Services -> RemoteAccess.
4. In the right pane, double-click the value DependOnService and append
"dhcpserver" to the value.
5. Reboot the server to see whether the issue still occurs.

Step 3: The problem occurred after you install ISA server. It seems that
ISA blocks the DHCP, please help me collect the ISA Info and logs for
further research:

1. Please help to gather the ISA Info:

1) Download the file from the following
URL:http://www.isatools.org/isainfo/ISAInfo.zip
2) Extract all files to a folder on ISA server.
3) Double click Isainfo.js. This will generate 2 files
ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml in the
current folder.
4) Please send these files to me.

2. Please also help to gather the ISA logs:

1) Schedule a down time.
2) Open ISA 2004 management console.
3) Expand the server node and highlight 'Monitoring'.
4) In the right pane, switch to the 'Logging' tab, make sure the 'Task
Pane' is showed there.
5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
Tasks', and then switch the 'log storage format' from 'MSDE database'
(default) to 'File'.
6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
7) In the 'Task Pane', click 'Configure Web Proxy Logging' under
'Logging Tasks', and then switch the 'log storage format' from 'MSDE
database' (default) to 'File'.
8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
9) Click 'Apply' to save changes and update the configuration.
10) Temporarily disable the Firewall service.To do that, please click
Monitoring | Services tab, and then right click 'Microsoft Firewall' to
choose 'Stop'.
11) Clear the current existing W3C logs. To do that, go to the log
saving directory and clean any existing .W3C logs. By default, the logs
will be saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'. (Some MDF
may not be able to deleted, that's normal.) You may backup them first and
then delete them.
12) Go back to the ISA 2004 management console, and then start the
stopped 'Microsoft Firewall' service.
13) Reproduce the problem, stop the service, and then gather the
resulting W3C files to me for analysis.

Please send the information to v-robeli@xxxxxxxxxxxxx with subject:
PostReview-38293510-VPN, RRAS & DHCP.

I am looking forward to hear from you.

If you need further assistance, please don't hesitate to let me know.

Best regards,

Robert Li(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================

This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
<Thread-Topic: VPN, RRAS & DHCP
<thread-index: AcdnWS/NOU95+wlSRD6mrHHFrSSLPw==
<X-WBNR-Posting-Host: 82.69.60.79
<From: =?Utf-8?B?Y2FybHRvbmpvaG4=?= <carltonjohn@xxxxxxxxxxxxxxxxxxxxxxxxx>
<References: <284861F9-B321-4E83-9067-A2BB6509278B@xxxxxxxxxxxxx>
<F7E0F70A-B417-48D3-B7EC-7D59DE465199@xxxxxxxxxxxxx>
<6V9o9gUZHHA.3820@xxxxxxxxxxxxxxxxxxxxxx>
<3EF5E21F-D8FA-4033-8261-8123BF77E72F@xxxxxxxxxxxxx>
<vmnKIWiZHHA.3800@xxxxxxxxxxxxxxxxxxxxxx>
<Subject: RE: VPN, RRAS & DHCP
<Date: Thu, 15 Mar 2007 16:25:15 -0700
<Lines: 318
<Message-ID: <9D39B89E-7A37-4808-9117-0413FC15455E@xxxxxxxxxxxxx>
<MIME-Version: 1.0
<Content-Type: text/plain;
< charset="Utf-8"
<Content-Transfer-Encoding: 8bit
<X-Newsreader: Microsoft CDO for Windows 2000
<Content-Class: urn:content-classes:message
<Importance: normal
<Priority: normal
<X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
<Newsgroups: microsoft.public.windows.server.sbs
<Path: TK2MSFTNGHUB02.phx.gbl
<Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:23200
<NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148
<X-Tomcat-NG: microsoft.public.windows.server.sbs
<
<Hi, Robert
<
<You hopefully should have received the MPS report.
<In respect of the items you've also suggested:
<
<1) DHCP is authorised - green arrow
<2) DHCP correctly bound to Internal NIC.
< Also DHCP is set to use domain administrator's account
<3) ISA firewall client was not used by the VPN client computer
< I think this cause unlikely since DHCP server side addresses not being
<reserved.
<4) I've asked the customer to try this. Unlikely response will come before
<Wednesday next (Mar 21)
<
<John
<
<"Robert Li [MSFT]" wrote:
<
<> Hi John,
<>
<> Thanks for updating.
<>
<> Since the problem occured when the ISA firewall is installed, the issue
<> could be related to the DHCP service configuration or the client
<> workstation. To isolate the problem, please try the following action
plan:
<>
<> 1. Open DHCP console. Check the status of the local server. Do you see a
<> green arrow on the server icon? If not, right-click the server name and
<> choose 'Authorize' to enable the DHCP service.
<>
<> 2. If the server status is correct, right-click the server name and
choose
<> 'Properties'. In 'Advanced' tab, click 'Bindings' button. Make sure that
<> the DHCP service is listening to the SBS server's internal NIC.
<>
<> 3. Is ISA firewall client installed on the client workstations? If so,
you
<> may want to disable the Firewall client and then try the address
<> refreshing. What's the result?
<>
<> 4. Go to a workstation. Open a command prompt. Input the command 'Netsh
<> interface ip reset all' and press 'Enter'. Reboot the workstation to see
if
<> the problem will be resolved.
<>
<> If the problem still exists, please kindly send me the MPS Report for
<> further research.
<>
<> I am looking forward to hear from you.
<>
<> Have a nice day.
<>
<> Best regards,
<>
<> Robert Li(MSFT)
<>
<> Microsoft CSS Online Newsgroup Support
<>
<> Get Secure! - www.microsoft.com/security
<>
<> =====================================================
<>
<> This newsgroup only focuses on SBS technical issues. If you have issues
<> regarding other Microsoft products, you'd better post in the
corresponding
<> newsgroups so that they can be resolved in an efficient and timely
manner.
<> You can locate the newsgroup here:
<> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
<>
<> When opening a new thread via the web interface, we recommend you check
the
<> "Notify me of replies" box to receive e-mail notifications when there
are
<> any updates in your thread. When responding to posts via your
newsreader,
<> please "Reply to Group" so that others may learn and benefit from your
<> issue.
<>
<> Microsoft engineers can only focus on one issue per thread. Although we
<> provide other information for your reference, we recommend you post
<> different incidents in different threads to keep the thread clean. In
doing
<> so, it will ensure your issues are resolved in a timely manner.
<>
<> For urgent issues, you may want to contact Microsoft CSS directly.
Please
<> check http://support.microsoft.com for regional support phone numbers.
<>
<> Any input or comments in this thread are highly appreciated.
<>
<> =====================================================
<>
<> This posting is provided "AS IS" with no warranties, and confers no
rights.
<>
<> --------------------
<> <Thread-Topic: VPN, RRAS & DHCP
<> <thread-index: AcdleW7tpvC5KfdMSs2A0/gmDj5gng==
<> <X-WBNR-Posting-Host: 82.69.60.79
<> <From: =?Utf-8?B?Q2FybHRvbmpvaG4=?=
<Carltonjohn@xxxxxxxxxxxxxxxxxxxxxxxxx>
<> <References: <284861F9-B321-4E83-9067-A2BB6509278B@xxxxxxxxxxxxx>
<> <F7E0F70A-B417-48D3-B7EC-7D59DE465199@xxxxxxxxxxxxx>
<> <6V9o9gUZHHA.3820@xxxxxxxxxxxxxxxxxxxxxx>
<> <Subject: RE: VPN, RRAS & DHCP
<> <Date: Tue, 13 Mar 2007 07:11:02 -0700
<> <Lines: 265
<> <Message-ID: <3EF5E21F-D8FA-4033-8261-8123BF77E72F@xxxxxxxxxxxxx>
<> <MIME-Version: 1.0
<> <Content-Type: text/plain;
<> < charset="Utf-8"
<> <Content-Transfer-Encoding: 8bit
<> <X-Newsreader: Microsoft CDO for Windows 2000
<> <Content-Class: urn:content-classes:message
<> <Importance: normal
<> <Priority: normal
<> <X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
<> <Newsgroups: microsoft.public.windows.server.sbs
<> <Path: TK2MSFTNGHUB02.phx.gbl
<> <Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:22580
<> <NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148
<> <X-Tomcat-NG: microsoft.public.windows.server.sbs
<> <
<> <Hi, Robert
<> <
<> <Thanks for getting back on this.
<> <
<> <You're correct, RRAS users cannot obtain IP addres from SBS server when
<> and
<> <only when RRAS is set to obtain IP address from DHCP server.
<> <
<> <
<> <When RRAS is set to obtain IP address from an address pool
(192.168.25.230
<> -
<> <192.168.20.249) all works Ok except:
<> <When the RRAS service is restarted (occasionally) or the server is
<> rebooted
<> <the setting in RRAS reverts to 'Obtain IP address from DHCP server' and
<> the
<> <VPN connections subsequently fail again.
<> <
<> <I say fail but in practice both the server and clients are assigned IP
<> <addresses in the range 168.254.x.x - the automatic IP address range.
<> <
<> <
<> <Normally RRAS has 1 IP address already assigned by DHCP for the server
<> side
<> <of each VPN connection. On this SBS 2003, those leases are missing and
<> for
<> <each connection there's a system event logged 'Remote Access' Event
20169'
<> <'Unable to contact a DHCP server.
<> <
<> <
<> <This has occurred since 20th October 2006 as advised after updating was
<> <completed.
<> <
<> <This customer had SBS2003 (NOT R2) SP1 installed in August however
premium
<> <technologies SP1 and all post SP1 updates, including all from Microsoft
<> <Update were deferred to 20th October 2006.
<> <
<> <Thus on 20th October 2006 after installing ISA server 2004 & all the
then
<> <current updates remote access failed to contact a DHCP server and VPN
<> access
<> <faltered.
<> <
<> <
<> <Network Topology:
<> <
<> <LAN <--> SBS2003 <-> Router <-> Internet
<> < 192.168.25.x 192.168.1.x
<> <
<> <All external VPN clients have the issue
<> <The problem arose after installing ISA server 2004 and about 31 updates
<> <
<> <
<> <Step 1
<> <
<> <I've re-run CEICW several times:
<> <
<> <LanIP: 192.168.25.2
<> <LanSM: 255.255.255.0
<> <LanGW: -
<> <LanDNS: 192.168.25.2 Registered in DNS
<> <LanWINS: 192.168.25.2 NetBIOS enabled
<> <
<> <WanIP: 192.168.1.2
<> <WanSM: 255.255.255.0
<> <WanGW: 192.168.1.1
<> <WanDNS: 192.168.25.2 Not registered in DNS
<> <WanWINS: - NetBIOS disabled
<> <
<> <I've checked setting up against http://support.microsoft.com/?id=825763
as
<> <suggested.
<> <
<> <Setup is Manual Router, draytek 2600+, VPN definitely works through
this -
<> <there is an incoming VPN connection established as I type (IP assigned
<> from
<> <RRAS static address pool)
<> <
<> <Step 2
<> <
<> <I've re-run RAW several times. I've also tried setting up RRAS manually
<> <since manually the DHCP relay component gets installed (I set this to
<> forward
<> <to 192.168.25.2, 4 hops, 4 seconds) whereas the DHCP component doesn't
get
<> <installed when RAW is run and when RRAS is initially not configured.
<> <
<> <I've also found on occasions its advisable to run CEICW again after RAW.
<> <
<> <Step 3
<> <
<> <I can establish VPN internally with IP assignment from IP address pool
but
<> <not when set to use DHCP server
<> <
<> <Step 4
<> <
<> <The router & GRE protocol are definitely not the problem. The system
will
<> <accept VPN connections when addresses are assigned from IP address pool
<> but
<> <the DHCP assigned IP address setting causes VPN to fail.
<> <
<> <MPS report
<> <
<> <This task is running and the report will be sent as directed
<> <
<> <Many thanks on this
<> <Best regards
<> <John
<> <Carltonjohn
<> <
<> <"Robert Li [MSFT]" wrote:
<> <
<> <> Hi Carlton,
<> <>
<> <> Thanks for posting in our newsgroup.
<> <>
<> <> From your description, I know that the RRAS users cannot obtain IP
<> <> addresses from SBS server. If I am off-base, please don�¡�¯t
hesitate to
<> let
<> <> me know.
<> <>
<> <> Please let me know the following to make the situation more clearly:
<> <>
<> <> What the topology of the network, do you have a router between the
SBS
<> <> server and the Internet?
<> <> Do all the VPN clients or some of them have the issue?
<> <> Do you have ISA server installed?
<> <>
<> <> Please take the following steps to narrow down this issue:
<> <>
<> <> Step 1: Please try to rerun the CEICW wizard, the wizard help us to
<> <> configure RRAS security setting, IP Configuration, Remote access
ports
<> and
<> <> DHCP Relay automatically.
<> <>
<> <> For more information, please refer to:
<> <> 825763 How to configure Internet access in Windows Small Business
Server
<> <> 2003
<> <> http://support.microsoft.com/?id=825763
<> <>
<> <> Step 2: Please Run the Configure Remote Access wizard to configure
VPN.
<> <>
<> <> 1. Open Server Management select Configure Remote Access.
<> <> 2. Select to enable remote access and choosoe VPN access or Dial-in
<> access(
<> <> require a modem).
<> <> 2. Input the VPN Server name. You can input IP address or full
Internet
<> <> domain name of the VPN server.
<> <> 3. Finish the Wizard.
<> <> ?
<> <> Step 3: On a LAN workstation, can you establish a VPN connection to
the
<> <> server?
<> <>
<> <> For more information, please refer to:
<> <> 305550 How to configure a VPN connection to your corporate network in
<> <> Windows XP Professional
<> <> http://support.microsoft.com/?id=305550
<> <>
<> <> Step4: Please check if GRE Protocol 47 is enabled on your router. GRE
<> <> Protocol 47 is used in conjunction with PPTP to create VPNs between
<> clients
<> <> or between clients and servers. Refer to the following Knowledge Base
<> <> article for more information about GRE Protocol 47:
<> <>
<> <> 241251 VPN Tunnels - GRE Protocol 47 Packet Description and Use
<> <> http://support.microsoft.com/?kbid=241251
<> <>
<> <>
<> <> If the problem still exists, please help me collect the following
<> <> information for further research:
<> <>
<> <> MPS Report:
<> <>
<> <> a. Visit
<> <>
<>
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd9
<> <> 15706/MPSRPT_NETWORK.EXE to download the file.
<> <> b. Run the MPSRPT_NETWORK.EXE on the server box.
<> <> c. Wait for 10~15 minutes.
<> <> d. Open Windows explorer, navigate to
<> <> %SYSTEMROOT%\MPSReports\Network\Reports\cab\
<> <> e. Send the .cab file directly to me at v-robeli@xxxxxxxxxxxxx with
<> <> subject: PostReview-38293510-VPN, RRAS & DHCP.
<> <>
<> <> I am looking forward to hear from you.
<> <>
<> <> If you need further assistance, please don�¡�¯t hesitate to let
me know
<> <>
<> <> Best regards,
<> <>
<> <> Robert Li(MSFT)
<> <>
<> <> Microsoft CSS Online Newsgroup Support
<> <>
<> <> Get Secure! - www.microsoft.com/security
<> <>
<> <> =====================================================
<> <>
<> <> This newsgroup only focuses on SBS technical issues. If you have
issues
<> <> regarding other Microsoft products, you'd better post in the
<> corresponding
<> <> newsgroups so that they can be resolved in an efficient and timely
<> manner.
<> <> You can locate the newsgroup here:
<> <> http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
<> <>
<> <> When opening a new thread via the web interface, we recommend you
check
<> the
<> <> "Notify me of replies" box to receive e-mail notifications when there
<

.