Sep 282008
 

Having a critical issue with RRAS in a VPN configuration on WS2008.


Lab Scenario

W2K3 – single DC for domain, DNS server, and DHCP server connected to internal network

W2K8Full01 – member server connected to internal network

W2K8Full02 – RRAS/NPS/VPN member server connected to 2 networks; corp and external

W2K8Full03 – member server connected to internal network

Vista01 – SP1 connected to external network

Firewalls are disabled on all machines.

Problem

Vista01 connects to the VPN successfully.

Vista01 *can* communicate with W2K3

Vista01 *cannot* communicate with W2K8Full01 or Full03

Other information

If Vista01 is on the internal network it can communicate with all hosts.

W2K8Full02 can ping all hosts on both networks.

Customer did not experience the same problem with WS2008 RC1, RC0, or Beta 2.

Q: Can you describe more detailed what you mean with “cannot” communicate? No ping? no access to shares? no RDP?

Correct: no ping, no access to shares, no RDP…

Q: Are you trying to access a resource via IP , NetBIOS Name or FQDN?

Using FQDN, NetBIOS name, or IP address has the same result.

Q: Are you using PPTP , IPSEC, L2TP?

Currently using only PPTP.

Q: Has this happened with Vista RTM also (no SP1 installed) ?

I have not had a chance yet to test with Vista RTM.

Q: Can you check if the TCP port 139 is filtered on the corporate network please and also if ,NetBIOS over TCP/IP (NetBT) is disabled on the Windows Vista client.

This is a lab environment that I have setup from scratch. There are no filters in place. I have installed all operating systems from media using the default out of the box configuration.

I did notice another symptom as follows: When attempting to connect to a share on W2K3 (on corp network) from Vista02 (on external network) I receive the following error messages:

System error 121 has occurred. The semaphore timeout period has expired.

Solution

We took network traces and could see the following:

The Negotiate Protocol Response is not accepted by the Client and the Client makes a Request again and again till it RESETS the connection.

We took another set of traces and saw that the IP header checksum is wrongly set to (0×100) in all the packets received from ws08.

We solved the issue by disabling task offload on the Server 2008 (VPN RRAS Server)

To disable task offload

1. Click Start, click Run, type regedit, and then click OK.

2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

3. In the right pane, make sure that the DisableTaskOffload registry
entry exists. If this entry does not exist, follow these steps to add the entry:

a. On the Edit menu, point to New, and then click DWORD Value.
b. Type DisableTaskOffload, and then press ENTER.

4. Click DisableTaskOffload.

5. On the Edit menu, click Modify.

6. Type 1 in the Value data box, and then press ENTER.

7. Exit Registry Editor.

DisableTaskOffload is by default set to 0 on 2003 Systems and on 2008 Server it is set to 0xff = 255 which is neither 0 nor 1 , basically, vista or 2k8 systems TCP/IP stack does not configure this setting, hence stopping all applications which depend on this flag to ignore it.

Incoming search terms:

 Leave a Reply

(required)

(required)

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>