Cannot Ping External Network Adapter After Configuring RRAS as a VPN Server (258030)



The information in this article applies to:

  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q258030

SYMPTOMS

After you configure the Routing and Remote Access Service (RRAS) as a virtual private network (VPN) server in Windows 2000 Server or Windows Server 2003 with two or more network adapters, pinging the external network adapter does not work. This behavior occurs only while RRAS is running. Pinging the external network adapter succeeds when RRAS is stopped.

CAUSE

When you use the Routing and Remote Access Server Setup Wizard to configure RRAS as a VPN server, the wizard prompts you for the network adapter to be used for the Internet connection. Choosing an adapter on the Internet Connection page specifies the external adapter, which is the network adapter on which RRAS applies Input and Output filters similar to the following:

Src Addr  Src Mask  Dest Addr  Dest Mask  Protocol  Src Port  Dest Port  Description
Any       Any       Any        Any        47        Any       Any        GRE
Any       Any       Any        Any        TCP       1723      Any        PPTP Inbound
Any       Any       Any        Any        TCP       Any       1723       PPTP Outbound
Any       Any       Any        Any        UDP       500       500        ISAKMP
Any       Any       Any        Any        UDP       1701      1701       L2TP


To see which filters are defined for an adapter:
  1. Start the Routing and Remote Access snap-in in Microsoft Management Console (MMC).
  2. Expand the IP Routing node in the left pane.
  3. Click General in the left pane.
  4. Right-click the adapter listed in the right pane, and then click Properties.
  5. You can view and edit the Inbound and Outbound filters on the General tab.

RESOLUTION

To allow pinging to and from the external network adapter, add Inbound and Outbound filters to the adapter to allow Internet Control Message Protocol (ICMP) packets to be processed on the adapter.

Note The Windows Server 2003 implementation of the TCP/IP protocol supports ICMP router solicitations and the receipt of ICMP router advertisements, but they are disabled by default. Routing and Remote Access supports ICMP router advertisements. For more information about how to enable ICMP router solicitation, see the Windows Server 2003 "Routing and Remote Access" Help topic.

To enable ICMP router discovery:
  1. Start the Routing and Remote Access snap-in in MMC.
  2. In the left pane, click General under the IP Routing node.
  3. In the right pane, right-click the adapter that has been configured as the external adapter, and then click Properties.
  4. Click Input Filters.
  5. Click Add.
  6. In the Protocol box, click ICMP.
  7. Click OK, and then click OK.
  8. Click Output Filters, and then repeat the previous three steps.

For additional information about the changes made by the Routing and Remote Access Setup Wizard, click the following article number to view the article in the Microsoft Knowledge Base:

256644 Description of Remote Access Wizards
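
The following Python model is an added example, not part of the original article and not Microsoft code. It evaluates packets against the filter rows listed under CAUSE, assuming the filters act as an allowlist (a packet that matches no row is dropped), and shows why a ping is dropped until the ICMP row from the RESOLUTION steps is added. The names Filter, Packet and match are illustrative.

```python
# Added illustration: models the RRAS filter table from this article.
# Assumption: filters form an allowlist; a packet matching no row is dropped.
from typing import NamedTuple, Optional

ANY = None  # wildcard, shown as "Any" in the filter table


class Filter(NamedTuple):
    protocol: object            # "TCP", "UDP", "ICMP" or an IP protocol number
    src_port: Optional[int]
    dst_port: Optional[int]
    description: str


class Packet(NamedTuple):
    protocol: object
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


# Rows as listed in the table (addresses and masks are all "Any").
WIZARD_FILTERS = [
    Filter(47, ANY, ANY, "GRE"),
    Filter("TCP", 1723, ANY, "PPTP Inbound"),
    Filter("TCP", ANY, 1723, "PPTP Outbound"),
    Filter("UDP", 500, 500, "ISAKMP"),
    Filter("UDP", 1701, 1701, "L2TP"),
]
# The row added by the RESOLUTION steps (Protocol = ICMP).
ICMP_FILTER = Filter("ICMP", ANY, ANY, "ICMP")


def match(filters, pkt):
    """Return the description of the first matching filter, or None (dropped)."""
    for f in filters:
        if f.protocol != pkt.protocol:
            continue
        if f.src_port is not ANY and f.src_port != pkt.src_port:
            continue
        if f.dst_port is not ANY and f.dst_port != pkt.dst_port:
            continue
        return f.description
    return None


if __name__ == "__main__":
    fixed = WIZARD_FILTERS + [ICMP_FILTER]
    print("ping, wizard filters:", match(WIZARD_FILTERS, Packet("ICMP")))
    print("ping, with ICMP row: ", match(fixed, Packet("ICMP")))
    print("TCP/445 probe:       ", match(fixed, Packet("TCP", 50000, 445)))
```

Adding the ICMP row changes only the ICMP result; traffic that is not VPN-related, such as the constructed TCP/445 probe, still matches no row.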

STATUS

This behavior is by design to tighten security on the Internet VPN server.

Modification Type: Major
Last Reviewed: 9/22/2003
Keywords: kbenv kbprb KB258030