Troubleshooting Steps for DOD Over RRAS with Proxy Server

ID: Q247247


The information in this article applies to:
  • Microsoft Windows NT Server, Enterprise Edition versions 4.0, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a


SUMMARY

This article describes some basic troubleshooting steps for users who do not have previous experience with Microsoft Routing and Remote Access Service (RRAS) and Microsoft Proxy Server.


MORE INFORMATION

These troubleshooting steps can help you if you are having problems getting Dial on Demand (DOD) to work over RRAS with Proxy Server on the same computer, and can assist you in finding most major problems (or at least help in ruling out the most common causes).

To verify basic connectivity, you can check the following items for RRAS issues.

Internet Protocol (IP) Forwarding

To verify that IP forwarding is enabled on both RRAS servers:
  1. Click Start, point to Settings, click Control Panel, and then double-click Network.
  2. Click Protocols, click Properties, and then click Routing.
  3. Make sure that the Enable IP Forwarding check box is selected.
  4. Click OK, and then click Close.
  5. Restart the computer.


Routing

You only need to have one default gateway on the computer that is connected to the Internet. On each of your wide area network (WAN) interfaces, only two routes are required. To check this configuration:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and RAS Admin.
  2. Double-click IP Routing, right-click Static Routes, and then click View IP routing table.
  3. Verify that your default gateway is set for the interface connecting to the Internet. If this route is not listed in the IP routing table dialog box, add the route using the following steps:
    1. Right-click Static Routes, and then click Add Static Route.
    2. Type the appropriate values for your default gateway in the Destination, Network Mask, and Gateway boxes.
    3. Select the interface for your network card that is connected to the Internet, and then click OK.
  4. Verify that a route exists in the IP routing table dialog box with a path to the other network segment that you want to communicate with the Internet. If this route does not exist, add the route using the following steps:
    1. Right-click Static Routes, and then click Add Static Route.
    2. Type the appropriate values for the network segment in the Destination, Network Mask, and Gateway boxes.
    3. Select the interface for your network card that is connected to the network segment (this may include multiple DOD virtual private networking connections), and then click OK.


NOTE: You need to delete any other routes that exist.

Credentials

To set up an easy-to-understand configuration for your virtual private networking (VPN) DOD interface on both RRAS servers, create duplicate users with the same name in User Manager for Domains for the interface on both WAN segments. When each side connects, make sure it is authenticating with the correct credentials (using the correct domain if the interface has the same name). If this does not work, you can create a new VPN dial-up connection. For example, on segment A, name your user and DOD interface "DOD," and on segment B, name the user and DOD interface "DOD."

Proxy Server Troubleshooting

Access Control

Disable access control on the Web Proxy and Winsock Proxy services if possible. If you are having a problem with access control, verify that all Web Proxy users have local logon permissions and make sure all Winsock proxy users are logged on to a trusted domain.

More Access Control

Verify the authentication methods (if any) that are enabled in the WWW service. To do this:
  1. Click Start, point to Programs, point to Administrative Tools, point to Microsoft Proxy Server, and then click Microsoft Management Console.
  2. Double-click Internet Information Server, double-click the server name you want to check, right-click Default Web Site, and then click Properties.
  3. Click Directory Security, and then click Edit to view the current authentication settings.


Packet Filtering

If packet filtering is enabled, be sure to disable this function when performing your troubleshooting tasks. If packet filtering must remain enabled, make sure dynamic packet filtering is enabled. To disable packet filtering:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and RAS Admin.
  2. Double-click IP Routing, click Summary, right-click the interface on which you want to disable packet filtering, click Configure IP parameters, and then click to clear the Enable packet filtering check box.


Local Address Table (LAT)

The LAT should contain all internal TCP/IP addresses; it should not contain any external Internet addresses. If you make changes to the LAT, refresh the proxy clients' configuration. To check the LAT:
  1. Click Start, point to Programs, point to Administrative Tools, point to Microsoft Proxy Server, and then click Microsoft Management Console.
  2. Right-click Web Proxy, click Properties, and then click Local Address Table.
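
The LAT rule above can also be checked mechanically. The following is an added example, not part of the original article: it audits a list of LAT ranges against addresses you know to be internal or external. The (start, end) pair layout, the function names and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def load_ranges(pairs):
    """Turn (start, end) strings into validated address pairs."""
    ranges = []
    for start, end in pairs:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            raise ValueError(f"reversed LAT range {start}-{end}")
        ranges.append((lo, hi))
    return ranges

def covered(ranges, addr):
    """True if addr falls inside any LAT range."""
    ip = ipaddress.IPv4Address(addr)
    return any(lo <= ip <= hi for lo, hi in ranges)

def audit_lat(pairs, internal_addrs, external_addrs):
    """Check a LAT against the addresses known to be internal and external."""
    ranges = load_ranges(pairs)
    return {
        # internal addresses the LAT fails to list
        "missing_internal": [a for a in internal_addrs if not covered(ranges, a)],
        # external addresses the LAT wrongly treats as local
        "external_in_lat": [a for a in external_addrs if covered(ranges, a)],
        # ranges outside private space: legitimate only if they are yours
        "review": [f"{lo}-{hi}" for lo, hi in ranges
                   if not any(lo in n and hi in n for n in RFC1918)],
    }

# Constructed sample values; none come from the article.
LAT = [("10.0.0.0", "10.0.0.255"),
       ("192.168.5.0", "192.168.5.255"),
       ("198.51.100.0", "198.51.100.255")]   # external range added by mistake
INTERNAL = ["10.0.0.12", "192.168.5.40", "172.16.9.7"]
EXTERNAL = ["198.51.100.1"]

if __name__ == "__main__":
    for finding, items in audit_lat(LAT, INTERNAL, EXTERNAL).items():
        print(finding, items)
```

A range listed under "review" is not necessarily wrong, because an internal network may use registered addresses; it only needs to be confirmed as internal.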


Trusts

Verify that any trust using a DOD, VPN, or other dial-up connection is still valid. If a connection is lost for more than 15 minutes, the trust may be broken. Make sure that someone with Administrator rights at each site knows how to re-create a broken trust. RRAS is not a recommended environment for maintaining a trust relationship.

Browsing Over RRAS

You can check the following items when you are attempting to troubleshoot RRAS browsing issues:
  • Check the load order of the services running on the computer.
    For information about how to do this, click the article number below to view the article in the Microsoft Knowledge Base:
    Q183537 Coexistence of RRAS, Internet Explorer, Option Pack, and Proxy
  • Verify the entries in the Lmhosts file for all network segments and add #DOM entries for both sides of the WAN.
    For additional information about this subject, click the article numbers below to view the articles in the Microsoft Knowledge Base:
    Q180094 How to Write an LMHOSTS File for Domain Validation
    Q150800 Domain Browsing with TCP/IP and LMHOSTS Files

If the problem persists after you verify the above information, use the nbtstat -r and nbtstat -c commands to display the NetBIOS Remote Cache Name Table. The output you receive looks similar to the following example:

   Node IpAddress: [120.120.100.1] Scope Id: []
             NetBIOS Remote Cache Name Table

   Name               Type        Host Address      Life [sec]
   -----------------------------------------------------------
   Program      <00>  UNIQUE      120.120.100.10      420
   Domain.com   <1E>  GROUP       0.0.0.0             480
   Domain.com   <1B>  UNIQUE      120.120.100.242     480
   Domain.com   <1C>  UNIQUE      120.120.120.1       -1
   Domain.com   <1B>  UNIQUE      120.120.120.1       -1
   Domain       <03>  UNIQUE      120.120.120.1       -1
   Domain       <00>  UNIQUE      120.120.120.1       -1
   Domain       <20>  UNIQUE      120.120.120.1       -1 
Note the two <1B> type entries for the domain master browser in the cache: one for the network interface at 120.120.120.1 and the second for the Network Driver Interface Specification (NDIS) WAN wrapper at 120.120.100.242 (the router address). The router <1B> entry is incorrect. This is typical of a multihomed primary domain controller (PDC) registering the browser service on the router TCP/IP address as well as the internal TCP/IP address. To resolve this issue:
  1. Click Start, point to Settings, click Control Panel, double-click Network, and then click Bindings.
  2. In the Show Bindings for box, click all protocols.
  3. Double-click WINS Client(TCP/IP), click the first Remote Access WAN Wrapper entry, and then click Disable. Repeat this process for all Remote Access WAN wrapper entries.
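
The duplicate <1B> condition described above can be detected from saved nbtstat -c output before and after changing the bindings. The following is an added example, not part of the original article: it parses the cache table (the article's own rows are embedded as sample input) and reports any <1B> name cached with more than one address. Function names are illustrative.

```python
import re
from collections import defaultdict

# Sample input: the nbtstat -c table rows as shown in the article.
SAMPLE = """\
   Name               Type        Host Address      Life [sec]
   -----------------------------------------------------------
   Program      <00>  UNIQUE      120.120.100.10      420
   Domain.com   <1E>  GROUP       0.0.0.0             480
   Domain.com   <1B>  UNIQUE      120.120.100.242     480
   Domain.com   <1C>  UNIQUE      120.120.120.1       -1
   Domain.com   <1B>  UNIQUE      120.120.120.1       -1
   Domain       <03>  UNIQUE      120.120.120.1       -1
   Domain       <00>  UNIQUE      120.120.120.1       -1
   Domain       <20>  UNIQUE      120.120.120.1       -1
"""

# name, <hex suffix>, UNIQUE/GROUP, IPv4 address, lifetime in seconds
ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+"
                 r"(\d{1,3}(?:\.\d{1,3}){3})\s+(-?\d+)\s*$")

def parse_cache(text):
    """Return (name, suffix, kind, address, life) for each table row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header, separator and blank lines do not match
            name, suffix, kind, addr, life = m.groups()
            rows.append((name, suffix.upper(), kind, addr, int(life)))
    return rows

def conflicting_1b(rows):
    """Map each <1B> name cached with more than one address to its entries."""
    by_name = defaultdict(list)
    for name, suffix, _kind, addr, life in rows:
        if suffix == "1B":
            by_name[name].append((addr, life))
    return {n: e for n, e in by_name.items() if len({a for a, _ in e}) > 1}

def suspect_entries(conflicts):
    """Of the conflicting entries, return those learned at run time."""
    # A life of -1 marks a name preloaded from Lmhosts (#PRE).
    return [(n, a) for n, e in conflicts.items() for a, life in e if life != -1]

if __name__ == "__main__":
    for name, addr in suspect_entries(conflicting_1b(parse_cache(SAMPLE))):
        print(f"{name}<1B> also cached at {addr}: check WAN wrapper bindings")
```

On the article's sample the only suspect is the router address 120.120.100.242, the entry the article identifies as incorrect.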


Dial-Up Permissions

In User Manager for Domains, verify that each RRAS DOD account has the correct permissions on both network segments. To do this:
  1. Click Start, point to Programs, point to Administrative Tools, and then click User Manager for Domains.
  2. Double-click the account you want to verify, click Dialin, click Grant dialin permission to user (if necessary), and then click OK.


For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
Q177335 How to Create a Demand Dial PPTP Interface
Q178993 How to Use Static Routes with Routing and Remote Access Service

Keywords : kbinterop kbnetwork
Version : winnt:4.0,4.0 SP4,4.0 SP5,4.0 SP6,4.0 SP6a
Platform : winnt
Issue type : kbinfo


Last Reviewed: January 7, 2000
© 2000 Microsoft Corporation. All rights reserved.