Odd VPN Issue


Nick2004

We have two servers running 2003 Server (not SP1 yet). One is used for file sharing and printer sharing and hosts the office antivirus. The other is running Exchange 2003 with email antivirus software, oh, and both servers are running ServerProtect antivirus software. Both servers are running A/D and are DNS servers; the fileserver also has WINS server configured.

The Exchange server also has RRAS configured for a single modem to allow one of our sales guys to log in and retrieve his email.

We also have 5 remote offices, all linked via VPN. This is firewall-to-firewall VPN; the VPN users are allowed complete pass-through of the firewall, i.e. at the office end there are no limitations.

The problem we have is that every two to three weeks all the VPN users lose sight of the server running Exchange. It is really strange: we can ping each other either by name or IP address with no problems, but if I try to browse the VPN computer from the email server the connection times out with a permissions or semaphore error.

On the other end of the VPN the user cannot access the email server from Outlook, but can also ping the email server.

The fileserver has never failed in this way. Why could this run perfectly for two to three weeks and then fail? The only way out is to reboot the email server, which I don't like doing, and it still indicates we have a problem.

HELP!!!



I have had weird issues with 2k3 servers. On one we could not access shares on a drive in the server even though the permissions were correct; turning the indexing service on then back on sorted that ??? I also had issues with 4 or 5 clients where everything appeared OK: they could browse the internet and ping each other, but when you tried to attach to, say, the IP$ shares it again gave a weird message about permissions. On further investigation we found that all these computers hadn't joined the domain correctly; removing them then adding them again corrected the problem in every case. Not sure if any of this helps as your prob only happens every 2-3 weeks.


Hi, thanks for the suggestion. I don't think this will help, as it happens to all 5 VPN users at the same time and we created each machine at a different time (over a period of months). One of them visits the main office at least once a week but only has problems (same as the other guys) over the VPN every 2-3 weeks.

Could a damaged TCP/IP protocol stack do it?

As I can ping the remote users and they can ping me, are there any other TCP/IP diagnosis tools I could use to investigate further?


Well, the ping request and the fact that you get an echo reply will prove you have a physical path to the IP you're pinging. I guess a tracert would prove the path these ICMP requests are taking.

Are you using M$ vpn or some other client?

There is definitely no form of firewalling active when this is happening? I have been caught out in the past when, unknown to me, some personal f/w s/w had been installed; I could ping everything but that was it.

The Kerberos security protocol (used by 2k3 by default) requires (also by default) that the clocks on all machines be no more than 5min apart.

Now a 5 min clock drift in 3 weeks sounds easily doable, and I've seen clock skew cause some really flaky behavior.

Also, considering there aren't any Windows services that have a three-week refresh interval, I'd take a really serious look at your SNTP configuration.


Now there is something I had not thought about: how can you confirm that the server and client clocks are in sync with each other? The VPN users never have any problems with the fileserver, which holds all the operations master roles.


Check the time on both machines to see how far off they are. From the command line:

net time \\server_name

then

net time \\client_that_can't_connect

if they're 5 or more minutes off, on the client run:

net time \\server_name /set /yes

Double check to make sure they're in sync, and then retry the connection.
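As an added example (not from this post), a small Python helper that compares the time each VPN client reports through net time against the DC's time and flags any host outside the 5-minute Kerberos window mentioned earlier in the thread. The net time output lines and host names below are constructed, not captured from the poster's network.

```python
import re
from datetime import datetime

# Default Kerberos policy "Maximum tolerance for computer clock synchronization": 5 minutes.
KERBEROS_MAX_SKEW_SECONDS = 300

# Matches the "Current time at \\HOST is <date> <time>" line printed by `net time \\HOST`.
# Seconds are optional because not every version prints them.
_NET_TIME_RE = re.compile(
    r"Current time at \\\\(?P<host>\S+) is "
    r"(?P<stamp>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}(?::\d{2})? [AP]M)"
)

def parse_net_time(output):
    """Return (host, datetime) from one `net time` output block, or None if it did not answer."""
    m = _NET_TIME_RE.search(output)
    if not m:
        return None
    stamp = m.group("stamp")
    fmt = "%m/%d/%Y %I:%M:%S %p" if stamp.count(":") == 2 else "%m/%d/%Y %I:%M %p"
    return m.group("host"), datetime.strptime(stamp, fmt)

def find_skewed_hosts(reference_output, client_outputs, max_skew=KERBEROS_MAX_SKEW_SECONDS):
    """Return [(host, offset_seconds)] for clients whose clock is outside the Kerberos window.
    Offset is positive when the client is ahead of the reference (DC) clock."""
    ref = parse_net_time(reference_output)
    if ref is None:
        raise ValueError("could not parse the reference time")
    ref_time = ref[1]
    skewed = []
    for out in client_outputs:
        parsed = parse_net_time(out)
        if parsed is None:
            continue  # no answer from that host: report separately, not as a skew finding
        host, t = parsed
        offset = (t - ref_time).total_seconds()
        if abs(offset) > max_skew:
            skewed.append((host, offset))
    return skewed

# Constructed sample output; host names are invented, not the poster's.
SERVER_OUT = "Current time at \\\\MAILSRV is 3/14/2005 10:15:00 AM\n\nThe command completed successfully.\n"
CLIENT_OUTS = [
    "Current time at \\\\SALES1 is 3/14/2005 10:16:30 AM\n",  # 90 s ahead: inside the window
    "Current time at \\\\SALES2 is 3/14/2005 10:22 AM\n",     # 7 min ahead: Kerberos will reject
    "Current time at \\\\SALES3 is 3/14/2005 10:09:59 AM\n",  # 301 s behind: just outside
]

if __name__ == "__main__":
    for host, off in find_skewed_hosts(SERVER_OUT, CLIENT_OUTS):
        print(f"{host}: {off:+.0f} s relative to MAILSRV, outside the {KERBEROS_MAX_SKEW_SECONDS} s window")
```

Feed it the real output of net time against the DC and each client to see at a glance which clocks have drifted past the Kerberos limit; a host that returns nothing is a reachability problem, not a skew finding.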


I tried net time \\my_workstation /query sntp and it responded that this computer was not configured to use any SNTP server. Is this OK?

All clocks still appear to sync to the server.

I also tried running the command against the servers and they appear to be set to time.microsoft.com ?

Should all the servers sync to the PDC emulator?

Hm... Let me back up a sec, to make sure we're on the same page, before I answer that.

Both servers are DCs, on the same domain, and in the same forest. Yes?

Did both servers report the same time? And if not, how far off were they?

The biggest problem people seem to run into with NTP is that the NTP service starts up before the DNS service, so if your "time source" is identified by its FQDN, the lookup fails and the time service shuts down.

The best bet is to configure both DCs as a "reliable time source" stratum 2 time server, which will have them sync with a stratum 1 (atomic clock). Then the SNTP service will stay up and service the time requests that are sent to it by default by all the machines in the domain.

Note: There were a few issues that were "fixed" in Win2k3 SP1, so that would be a good place to start.

I strongly recommend that you spend some "quality time" at the MS support knowledge base to get familiar with the configuration details for the Windows Time Service, as it will help fill in the blanks left by all the info I'm not able to include here.

As a quick shortcut, I have a reg snippet that I use to configure the time service when I'm in a hurry. If you run it on both of your DCs, it will configure them as above.

Note: You will need to restart the time service after applying the changes.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"MaxNegPhaseCorrection"=dword:0000d2f0
"MaxPosPhaseCorrection"=dword:0000d2f0
"AnnounceFlags"=dword:00000005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"="192.5.41.40,0x1"
"Type"="NTP"
"Period"="SpecialSkew"
"ReliableTimeSource"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"Enabled"=dword:00000001
"SpecialPollInterval"=dword:00007080

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer]
"Enabled"=dword:00000001

The IP used for the external (stratum 1) time source is for tick.usno.navy.mil

...And yes, using it is legal. :)
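As an added example (not part of the post), a Python audit that parses a .reg export like the snippet above and checks the W32Time values against what the post describes: the DC advertised as a reliable time server, a manual NTP peer list, a peer given by IP rather than a name that DNS would have to resolve at boot, and a poll interval present when the 0x1 flag asks for one. The embedded snippet is a constructed copy of the post's, trimmed to the values the audit reads.

```python
import re

# Constructed copy of the post's W32Time snippet, trimmed to the values this audit reads.
REG_SNIPPET = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config]
"AnnounceFlags"=dword:00000005
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"NtpServer"="192.5.41.40,0x1"
"Type"="NTP"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient]
"Enabled"=dword:00000001
"SpecialPollInterval"=dword:00007080
"""
W32 = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time"
ANNOUNCE_YES, RELIABLE_ANNOUNCE_YES = 0x1, 0x4  # AnnounceFlags bits; the post's value 5 sets both

def parse_reg(text):
    """Minimal .reg parser: {key_path: {name: value}}; dword: -> int, quoted strings unquoted."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, raw = line.split("=", 1)
            value = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
            keys[current][name.strip('"')] = value
    return keys

def audit_w32time(reg):
    """Findings for a DC meant to be an announced, reliable NTP source (empty list means OK)."""
    cfg = reg.get(W32 + r"\Config", {})
    par = reg.get(W32 + r"\Parameters", {})
    cli = reg.get(W32 + r"\TimeProviders\NtpClient", {})
    findings = []
    flags = cfg.get("AnnounceFlags", 0)
    if not (flags & ANNOUNCE_YES and flags & RELIABLE_ANNOUNCE_YES):
        findings.append("AnnounceFlags=%d: DC is not advertised as a reliable time server" % flags)
    if par.get("Type") != "NTP":
        findings.append("Type=%r: expected NTP (manual peer list)" % par.get("Type"))
    peers = par.get("NtpServer", "")
    if not re.match(r"^\d{1,3}(\.\d{1,3}){3}", peers):   # empty, or a name that DNS must resolve
        findings.append("NtpServer is empty or a hostname: lookup fails if W32Time starts before DNS")
    if peers.endswith(",0x1") and "SpecialPollInterval" not in cli:
        findings.append("peer flag 0x1 (UseSpecialPollInterval) set but SpecialPollInterval missing")
    if not cli.get("Enabled"):
        findings.append("NtpClient provider is not enabled")
    return findings
```

Run it over a "reg export" of the W32Time key from each DC: the post's snippet passes clean, while a name-based NtpServer or an AnnounceFlags without the reliable bit shows up as a finding.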


Both servers are in the same forest and, in fact, in the same domain.

All clocks are correctly synchronised at least within a few seconds.

I have not loaded SP1 as yet but this may be worth looking at.

The fault occurred again today. I could ping the VPN user by name but not browse their PC. If I tried to browse the PC, the server would wait for about a minute and then report a permission error saying that I do not have sufficient privileges to access this machine.

After a reboot I could browse the VPN user with no problem.
