DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

All VPN clients have the same MAC address? (2866)

06 Jan 2022 17:04 #1 by ctluk
Hi,

I have an odd problem. I've just installed a 2866 and moved the VPN service from a Windows 2003 Server (RRAS) to the Draytek. Everything looked to be working ok, but then I noticed that clients weren't able to connect to the old Windows 2003 server (yes, I know it's old but that's a conversation for another day :) ). This server has file shares/printers etc.

I started to troubleshoot the issue and when I established a VPN connection I was able to ping the server and access the drives, then after a period of time this access disappeared and I was no longer able to even ping the server from the VPN connection. Re-establishing the VPN connection had no effect.

Looking at the ARP table on the server there were no entries for any of the VPN clients (there were 5 connected at the time). I checked this a number of times, and the only time I did see a VPN client address appear there was no MAC address associated with it. Thinking that was a bit odd, I then checked the ARP table on a Windows 10 PC that was on the same network as the server, and I could see all the VPN devices, but they all had the same MAC address. So is it normal for all the VPN clients to have the same MAC address? Could this be what is causing an issue on the Win2003 server, by it not being able to cope with this oddity? Is there any way to configure the DrayTek to issue unique MAC addresses?

Thanks in advance
Rob

06 Jan 2022 21:05 #2 by hornbyp
I don't think the duplicate MAC addresses are your problem...

I just tried VPN'ing into my 2860n from my phone, and the MAC address associated with the IP address given to the phone was actually that of the 2860's WAN2 (which isn't enabled!). But thinking about it, you can't normally see the MAC address of nodes on the 'other side' of a router at all - it's just the presence of an IP address on the local network that makes them appear to be connected like any other LAN device.

Lots of other things don't work the same either - especially broadcast-based protocols.

I suspect the latter may be at the root of your problems - I'm guessing this is a Netbios name-resolution problem...

07 Jan 2022 09:40 #3 by ctluk
Thanks for the reply.

NetBios - ah that takes me back! :) Can you expand on how NetBios name resolution would affect the ARP table or being able to ping the server?

Thanks

07 Jan 2022 15:07 #4 by hornbyp
CTLUK wrote:
NetBios - ah that takes me back! :)

NetBIOS may still be lurking in your network...

You've not really provided details of the environment, but if the clients are Windows PCs and are not Active Directory members, NetBIOS may well be their only means of Name Resolution...
See: https://www.10dsecurity.com/blog-saying-goodbye-netbios.html

and he wrote:
Can you expand on how NetBios name resolution would affect the ARP table or being able to ping the server?

Well if NetBIOS is non-functional and we're talking about Ping by name, then it may well be implicated.

So,
What sort of VPN is this?
What are the clients?
What is the client software?
Can the clients Ping any resource at the Draytek end?
Are there any Firewall Rules at the client end that impact on this?

07 Jan 2022 15:21 #5 by ctluk
Thanks for the reply.

Ah, I should have been clearer with the ping comment: I am using IP addresses to do the ping, thus eliminating name resolution at this stage.

I have managed to implement a workaround now by adding static ARP entries on the server for all the IPs used by the VPN clients (the DrayTek has a hard coded address pool as it's not the DHCP server on the network). I am still keen to get to the bottom of the issue as it has sparked my interest.

What sort of VPN is this? L2TP/IPSec
What are the clients? Windows 10
What is the client software? Windows 10 / DrayTek VPN client
Can the clients Ping any resource at the Draytek end? Yes, they can ping every other PC on the network apart from this one server
Are there any Firewall Rules at the client end that impact on this? No, the default Windows firewall is enabled but ICMP is not blocked. Clients on the same LAN can ping the server with no issue.

The focus is very much on the server being the issue; I wonder if it's a driver issue that is causing a bad ARP table. A fun one to work out.

07 Jan 2022 16:59 #6 by hornbyp
Is RRAS still up and running on the Windows 2003 Server?

If so, can it be turned off? (I'm wondering if it interferes with the Proxy ARP mechanism, that is (presumably) being used to track down the VPN clients. Or if you've re-used the same IP addresses, maybe it has some 'memory' of where they used to be?)
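The two observations in this thread (all VPN pool addresses resolving to one MAC on a healthy LAN host, and those same addresses missing from the server's ARP table) are both about Proxy ARP, where the router answers ARP requests for the VPN clients with its own LAN MAC. The following script is an added example, not code from the thread or from DrayTek: it parses Windows `arp -a` output, sorts each VPN pool address into "present via the router's MAC", "missing" or "present with an unexpected MAC", reports any MAC shared by several IPs, and generates the `arp -s` static-entry lines ctluk used as a workaround. The sample ARP table, the pool 192.168.1.201-205 and the router address 192.168.1.1 are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of `arp -a` output on a Windows 10 LAN host. The router
# (192.168.1.1) answers ARP on behalf of the VPN pool (Proxy ARP), so every
# pool address that is present shows the router's own LAN MAC.
SAMPLE_ARP_A = """\
Interface: 192.168.1.50 --- 0x5
  Internet Address      Physical Address      Type
  192.168.1.1           00-1d-aa-11-22-33     dynamic
  192.168.1.10          00-0c-29-44-55-66     dynamic
  192.168.1.201         00-1d-aa-11-22-33     dynamic
  192.168.1.202         00-1d-aa-11-22-33     dynamic
  192.168.1.203         00-1d-aa-11-22-33     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Assumed (constructed) VPN address pool and router LAN address.
VPN_POOL = ["192.168.1.%d" % i for i in range(201, 206)]
ROUTER_IP = "192.168.1.1"

# One `arp -a` data row: dotted IPv4, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)


def parse_arp_a(text):
    """Parse Windows `arp -a` output into {ip: (mac, entry_type)}."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table


def classify_vpn_pool(table, vpn_pool, router_ip):
    """Put each VPN pool address into one of three buckets:
    - 'proxy_arp': present and resolving to the router's MAC, which is the
      expected state when clients are reached via Proxy ARP;
    - 'missing': no ARP entry at all (the symptom seen on the 2003 server);
    - 'unexpected_mac': present with some other MAC, which points at a stale
      entry or a conflicting host rather than the router."""
    router_mac = table.get(router_ip, (None, None))[0]
    result = {"proxy_arp": [], "missing": [], "unexpected_mac": []}
    for ip in vpn_pool:
        if ip not in table:
            result["missing"].append(ip)
        elif table[ip][0] == router_mac:
            result["proxy_arp"].append(ip)
        else:
            result["unexpected_mac"].append((ip, table[ip][0]))
    return result


def macs_shared_by(table):
    """Group IPs by MAC and return only MACs used by more than one IP; this
    is how 'all VPN clients have the same MAC address' shows up in a table."""
    by_mac = defaultdict(list)
    for ip, (mac, _) in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def static_arp_commands(table, vpn_pool, router_ip):
    """Generate the `arp -s` lines for the workaround described in the thread:
    pin each pool address to the router's LAN MAC on the affected server."""
    router_mac = table[router_ip][0]
    return ["arp -s %s %s" % (ip, router_mac) for ip in vpn_pool]


if __name__ == "__main__":
    table = parse_arp_a(SAMPLE_ARP_A)
    print(classify_vpn_pool(table, VPN_POOL, ROUTER_IP))
    print(macs_shared_by(table))
    print("\n".join(static_arp_commands(table, VPN_POOL, ROUTER_IP)))
```

Run it against the real output of `arp -a` on the server and on a working LAN host and compare the two classifications: pool addresses that are "proxy_arp" on the LAN host but "missing" on the server narrow the fault to that server's ARP handling, which is the direction the thread was heading.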
