Microsoft KB Archive/258030

= Cannot Ping External Network Adapter After Configuring RRAS as a VPN Server =

Article ID: 258030

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q258030



SYMPTOMS
After you configure the Routing and Remote Access Service (RRAS) as a virtual private network (VPN) server in Windows 2000 Server or Windows Server 2003 with two or more network adapters, pinging the external network adapter does not work. This behavior occurs only while RRAS is running. Pinging the external network adapter succeeds when RRAS is stopped.



CAUSE
When you use the Routing and Remote Access Server Setup Wizard to configure RRAS as a VPN server. The wizard prompts you for the network adapter to be used for the Internet connection. Choosing an adapter on the Internet Connection page specifies the external adapter, which is the network adapter on which RRAS applies Input and Output filters similar to the following:

To see a which filters are defined for an adapter:
 * 1) Start the Routing and Remote Access snap-in in Microsoft Management Console (MMC).
 * 2) Expand the IP Routing node in the left pane.
 * 3) Click General in the left pane.
 * 4) Right-click the adapter listed in the right pane, and then click Properties.
 * 5) You can view and edit the Inbound and Outbound filters on the General tab.



RESOLUTION
To allow pinging to and from the external network adapter, add Inbound and Outbound filters to the adapter to allow Internet Control Message Protocol (ICMP) packets to be processed on the adapter.

Note The Windows Server 2003 implementation of the TCP/IP protocol supports ICMP router solicitations and the receipt of ICMP router advertisements, but they are disabled by default. Routing and Remote Access supports ICMP router advertisements. For more information about how to enable ICMP router solicitation, see the Windows Server 2003 "Routing and Remote Access" Help topic.

To enable ICMP router discovery:
 * 1) Start the Routing and Remote Access snap-in in MMC.
 * 2) In the left pane, click General under the IP Routing node.
 * 3) In the right pane, right-click the adapter that has been configured as the external adapter, and then click Properties.
 * 4) Click Input Filters.
 * 5) Click Add.
 * 6) In the Protocol box, click ICMP.
 * 7) Click OK, and then click OK.
 * 8) Click Output Filters, and then repeat the previous three steps.



For additional information about the changes made by the Routing and Remote Access Setup Wizard, click the following article number to view the article in the Microsoft Knowledge Base:

256644 Description of Remote Access Wizards



STATUS
This behavior is by design to tighten security on the Internet VPN server.

Keywords: kbenv kbprb KB258030

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.