My name is Aydin Aslaner, and I am a Support Escalation Engineer on the Microsoft Platform Networking Support team. Today I would like to talk about an issue that we dealt with some time ago and which was quite interesting.
Customer reported the following problem:
Having a critical issue with RRAS in a VPN configuration on WS2008.

Lab Scenario:
W2K3 - single DC for domain, DNS server, and DHCP server connected to internal network
W2K8Full01 - member server connected to internal network
W2K8Full02 - RRAS/NPS/VPN member server connected to 2 networks; corp and external
W2K8Full03 - member server connected to internal network
Vista01 - SP1 connected to external network
Firewalls are disabled on all machines.

Problem:
Vista01 connects to the VPN successfully.
Vista01 *can* communicate with W2K3
Vista01 *cannot* communicate with W2K8Full01 or Full03

Other information:
If Vista01 is on the internal network it can communicate with all hosts.
W2K8Full02 can ping all hosts on both networks.
Customer did not experience the same problem with WS2008 RC1, RC0, or Beta 2.

Q: Can you describe in more detail what you mean by "cannot" communicate? No ping? No access to shares? No RDP?
A: Correct: no ping, no access to shares, no RDP...

Q: Are you trying to access a resource via IP, NetBIOS name or FQDN?
A: Using FQDN, NetBIOS name, or IP address has the same result.

Q: Are you using PPTP, IPsec, L2TP?
A: Currently using only PPTP.

Q: Has this happened with Vista RTM also (no SP1 installed)?
A: I have not had a chance yet to test with Vista RTM.

Q: Can you check whether TCP port 139 is filtered on the corporate network, please, and also whether NetBIOS over TCP/IP (NetBT) is disabled on the Windows Vista client?
A: This is a lab environment that I have set up from scratch. There are no filters in place. I have installed all operating systems from media using the default out-of-the-box configuration. I did notice another symptom as follows: when attempting to connect to a share on W2K3 (on corp network) from Vista02 (on external network) I receive the following error message:
System error 121 has occurred. The semaphore timeout period has expired.
*** Resolution ***
We took network traces and could see the following: the Negotiate Protocol Response is not accepted by the client, and the client sends the request again and again until it RESETS the connection.

We took another set of traces and saw that the IP header checksum is wrongly set to 0x100 in all the packets received from the Windows Server 2008 machine.

We solved the issue by disabling task offload on the Server 2008 (VPN RRAS Server).

To disable task offload:
1. Click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. In the right pane, make sure that the DisableTaskOffload registry entry exists. If this entry does not exist, follow these steps to add the entry:
   a. On the Edit menu, point to New, and then click DWORD Value.
   b. Type DisableTaskOffload, and then press ENTER.
4. Click DisableTaskOffload.
5. On the Edit menu, click Modify.
6. Type 1 in the Value data box, and then press ENTER.
7. Exit Registry Editor.

DisableTaskOffload defaults to 0 on Windows Server 2003. On Windows Server 2008 it is set to 0xff (255), which is neither 0 nor 1: the Vista and Server 2008 TCP/IP stack does not itself configure this setting, so every application or component that depends on this flag ends up ignoring it.
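The trace finding above (a constant, wrong IP header checksum on every packet from one host) is easy to confirm by hand. The following PowerShell is an added example and not code from the original post: it recomputes the IPv4 header checksum for raw packet bytes and compares it with the value carried in the header. The sample header is a constructed, well-known 20-byte example; the second copy has its checksum field overwritten with the constant 0x0100 the post describes, so the check shows what a checksum-offload artifact looks like next to a valid header.

```powershell
# Added example, not code from the original post. Verifies the IPv4 header
# checksum of captured packets offline, so a trace showing a constant value
# such as 0x0100 can be confirmed as a checksum fault (for instance an
# offload artifact) rather than a routing or firewall problem.

function Get-IPv4HeaderChecksum {
    param([byte[]]$Header)   # the IP header only (IHL * 4 bytes)
    $sum = 0
    for ($i = 0; $i -lt $Header.Length; $i += 2) {
        if ($i -eq 10) { continue }          # the checksum field itself counts as zero
        $sum += ($Header[$i] * 256) + $Header[$i + 1]
    }
    while ($sum -gt 0xFFFF) {                # fold carries back in (one's-complement add)
        $sum = ($sum -band 0xFFFF) + ($sum -shr 16)
    }
    return (0xFFFF - $sum)                   # one's complement of the 16-bit sum
}

function Test-IPv4Header {
    param([byte[]]$Packet)   # raw bytes starting at the IP header
    if ($Packet.Length -lt 20 -or ($Packet[0] -band 0xF0) -ne 0x40) {
        throw 'Not an IPv4 header'
    }
    $ihl = ($Packet[0] -band 0x0F) * 4       # header length in bytes
    if ($ihl -lt 20 -or $Packet.Length -lt $ihl) { throw 'Bad IHL' }
    $header   = $Packet[0..($ihl - 1)]
    $actual   = ($header[10] * 256) + $header[11]
    $expected = Get-IPv4HeaderChecksum -Header $header
    [pscustomobject]@{
        Source      = ($header[12..15] -join '.')
        Destination = ($header[16..19] -join '.')
        Actual      = ('0x{0:X4}' -f $actual)
        Expected    = ('0x{0:X4}' -f $expected)
        Valid       = ($actual -eq $expected)
    }
}

# Constructed sample: a well-known 20-byte IPv4 header with a correct checksum.
$good = [byte[]](0x45,0x00,0x00,0x73,0x00,0x00,0x40,0x00,0x40,0x11,0xB8,0x61,
                 0xC0,0xA8,0x00,0x01,0xC0,0xA8,0x00,0xC7)

# The same header with the checksum field replaced by the constant 0x0100
# that the trace in the post showed on every packet from the 2008 server.
$bad = [byte[]]$good.Clone()
$bad[10] = 0x01; $bad[11] = 0x00

Test-IPv4Header -Packet $good
Test-IPv4Header -Packet $bad
```

Each call returns the source and destination addresses, the checksum carried in the header, the recomputed one and whether they match; the second call reports the mismatch. When many packets from a single host fail in this way with the same carried value, a NIC or task-offload problem on that host is the first thing to check, which is exactly where the resolution in this post ends up.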
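The registry steps above can be scripted. The following PowerShell is an added example and not part of the original post: it reads the DisableTaskOffload value from the same key the steps use, reports which of the states the post mentions it is in (absent, 0, 1, or the 0xff default of Server 2008), and sets it to 1. The need for an elevated session and for a restart before the change takes effect are assumptions stated in the code, not something the post spells out.

```powershell
# Added example, not code from the original post. Reads and sets the
# DisableTaskOffload value described in the resolution steps, distinguishing
# the states the post mentions: absent, 0, 1, or the Server 2008 default 0xFF.
$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ValueName   = 'DisableTaskOffload'

function Get-TaskOffloadState {
    $item = Get-ItemProperty -Path $TcpipParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return [pscustomobject]@{ Value = $null; Meaning = 'absent: the stack uses its defaults' }
    }
    $v = [int]$item.$ValueName
    $meaning = switch ($v) {
        0       { 'offload enabled (Server 2003 default)' }
        1       { 'offload disabled' }
        default { ('0x{0:X} is neither 0 nor 1 (0xFF is the Server 2008 default); components keyed on the flag ignore it' -f $v) }
    }
    [pscustomobject]@{ Value = $v; Meaning = $meaning }
}

function Disable-TaskOffload {
    # Assumptions: this needs an elevated session, and, as with the regedit
    # steps, the new value is picked up after the server is restarted.
    if (-not (Test-Path $TcpipParams)) { throw "$TcpipParams not found" }
    # Creates the DWORD if it is missing and overwrites it if it exists.
    New-ItemProperty -Path $TcpipParams -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Get-TaskOffloadState
}

Get-TaskOffloadState          # inspect the current state before changing anything
# Disable-TaskOffload         # uncomment to apply the fix, then restart the server
```

Checking the state first matters because a value of 0xff looks like a deliberate setting in regedit but, as the post explains, is treated as neither enabled nor disabled; the script reports it as such rather than as "set".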
So that is it for now, more of these will follow in future.
EMEA GTSC Support Escalation Engineer
Microsoft Customer Service and Support