Windows – Starting RRAS service blocks RDP access to RRAS server on internal interface? (2008 R2)

Tags: rras, vpn, windows, windows-server-2008-r2

Has anyone else seen this behavior?

I have a VPN server (Win2008 R2) with two network interfaces; RRAS is configured on the 'external' interface, and I am RDP'ed into the 'internal' interface. As soon as I start the RRAS service, connectivity to port 3389 on the internal interface is broken.

I can still ping the internal interface (on ipv4 only, but that's another issue); there are no static filters configured for any interface in RRAS (this is the most common cause I've found online for this behavior), and I've completely disabled the Windows host firewall.

As soon as I stop RRAS, I can RDP into the server again without issue.

This link is the closest description of the behavior I've seen, and causes me to suspect that some built-in filtering gets enabled whenever RRAS is started.

Further evidence is the large number of events in the Security event log like the following when I stop the RRAS service:

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/12/2011 10:59:28 AM
Event ID: 5447
Task Category: Other Policy Change Events
Level: Information
Keywords: Audit Success
User: N/A
Computer: RRAS.FQDN.com
Description:
A Windows Filtering Platform filter has been changed.

Subject:
Security ID: SYSTEM
Account Name: NT AUTHORITY\SYSTEM

Process Information:
Process ID: 788

Provider Information:
ID: {00000000-0000-0000-0000-000000000000}
Name: –

Change Information:
Change Type: Delete

Filter Information:
ID: {f48ca5fa-0a0b-4c92-8176-f2fec936b1c3}
Name: L2TP Server Filter1
Type: Not persistent
Run-Time ID: 85255

Layer Information:
ID: {5926dfc8-e3cf-4426-a283-dc393f5d0f9d}
Name: Inbound Transport v4 Layer
Run-Time ID: 12

Callout Information:
ID: {5132900d-5e84-4b5f-80e4-01741e81ff10}
Name: WFP Built-in IPsec Inbound Transport v4 Layer Callout

Additional Information:
Weight: 17321535995904
Conditions:
Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b}
Match value: Equal to
Condition value: 0x06a5

Condition ID: {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
Match value: Equal to
Condition value: 0x11

Condition ID: {6ec7f6c4-376b-45d7-9e9c-d337cedcd237}
Match value: Equal to
Condition value: 0x01

Filter Action:  Callout

When I start RRAS, matching events are generated with the Change Type being 'Add' instead.

Can anyone shed some light on what's happening here? I'm fine with RRAS enabling these filters for the external interface, but I'd like to be able to RDP into the server on the internal interface while RRAS is running.
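To check exactly which Windows Filtering Platform filters RRAS adds and removes, the 5447 events can be parsed and decoded rather than read one at a time. The script below is an added example for this question, not code from the original post or from Microsoft: it parses the text form of event 5447 into records, decodes the local-port and IP-protocol conditions using the condition GUIDs from the public FWP API headers (the two GUIDs in the question's event), and then reports which filters pin a given port, so an administrator can see whether any of the filters RRAS adds actually constrain TCP 3389. The sample input is the question's own Delete event plus a constructed Add counterpart of it; the function and field names are the example's own.

```python
"""Parse Security event 5447 (WFP filter changed) text dumps and summarise
which filters were added or deleted, decoding the port/protocol conditions.
Added example for this question; the sample event text is copied from the
question with one constructed 'Add' counterpart, not captured from a server.
"""
import re
from dataclasses import dataclass, field

# Condition GUIDs from the public FWP API headers (fwpmu.h). Only the two the
# question's event uses are decoded here; any other condition stays keyed by GUID.
CONDITION_NAMES = {
    "0c1ba1af-5765-453f-af22-a8f791ac775b": "IP_LOCAL_PORT",
    "3971ef2b-623e-4f9a-8cb1-6e79b806b9a7": "IP_PROTOCOL",
}
IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}

_FIELD = re.compile(r"^\s*([A-Za-z\- ]+?):\s*(.*?)\s*$")


@dataclass
class FilterChange:
    change_type: str          # 'Add' or 'Delete'
    filter_name: str
    filter_id: str
    layer_name: str
    conditions: dict = field(default_factory=dict)   # condition name (or GUID) -> value

    def local_port(self):
        return self.conditions.get("IP_LOCAL_PORT")

    def protocol(self):
        p = self.conditions.get("IP_PROTOCOL")
        return IP_PROTOCOLS.get(p, p)


def parse_event(text):
    """Parse one 5447 event dump into a FilterChange.

    The dump is 'Key: value' lines grouped under section headers such as
    'Filter Information:'. Keys like 'ID' and 'Name' repeat across sections,
    so the current section decides what a key refers to.
    """
    section, fields, conditions, current_cond = None, {}, {}, None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue                       # free text such as the Description line
        key, value = m.group(1), m.group(2)
        if value == "":                    # a bare 'Something:' line opens a section
            section = key
        elif key == "Condition ID":
            current_cond = value.strip("{}").lower()
        elif key == "Condition value" and current_cond:
            name = CONDITION_NAMES.get(current_cond, current_cond)
            conditions[name] = int(value, 16) if value.startswith("0x") else value
            current_cond = None
        else:
            fields[(section, key)] = value
    return FilterChange(
        change_type=fields.get(("Change Information", "Change Type"), "?"),
        filter_name=fields.get(("Filter Information", "Name"), "?"),
        filter_id=fields.get(("Filter Information", "ID"), "?").strip("{}"),
        layer_name=fields.get(("Layer Information", "Name"), "?"),
        conditions=conditions,
    )


def parse_events(text):
    """Split a dump of several events (each starting with 'Log Name:') and parse each."""
    chunks = re.split(r"(?m)^(?=Log Name:)", text)
    return [parse_event(c) for c in chunks if c.strip()]


def filters_touching(events, port, proto=None):
    """Filter changes whose conditions pin the given local port (and optionally protocol)."""
    return [ev for ev in events
            if ev.local_port() == port and (proto is None or ev.protocol() == proto)]


def net_changes(events):
    """Adds minus deletes per filter name; a clean start/stop cycle nets to zero."""
    out = {}
    for ev in events:
        out[ev.filter_name] = out.get(ev.filter_name, 0) + {"Add": 1, "Delete": -1}.get(ev.change_type, 0)
    return out


# Sample input: the event from the question (Delete) and a constructed Add twin.
SAMPLE_DELETE = """Log Name: Security
Event ID: 5447
Description:
A Windows Filtering Platform filter has been changed.
Change Information:
Change Type: Delete
Filter Information:
ID: {f48ca5fa-0a0b-4c92-8176-f2fec936b1c3}
Name: L2TP Server Filter1
Layer Information:
ID: {5926dfc8-e3cf-4426-a283-dc393f5d0f9d}
Name: Inbound Transport v4 Layer
Additional Information:
Conditions:
Condition ID: {0c1ba1af-5765-453f-af22-a8f791ac775b}
Match value: Equal to
Condition value: 0x06a5
Condition ID:   {3971ef2b-623e-4f9a-8cb1-6e79b806b9a7}
Match value:    Equal to
Condition value:    0x11
Condition ID:   {6ec7f6c4-376b-45d7-9e9c-d337cedcd237}
Match value:    Equal to
Condition value:    0x01
Filter Action:  Callout
"""
SAMPLE_LOG = SAMPLE_DELETE.replace("Change Type: Delete", "Change Type: Add") + SAMPLE_DELETE

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for ev in events:
        print(f"{ev.change_type:6} {ev.filter_name!r} {ev.layer_name} "
              f"port={ev.local_port()} proto={ev.protocol()}")
    print("filters pinning TCP 3389:", len(filters_touching(events, 3389, "TCP")))
    print("net change per filter:", net_changes(events))
```

On the question's own event the decoder shows the filter is scoped to UDP 1701 (L2TP) on the inbound IPv4 transport layer, so that particular filter cannot explain the lost RDP session; running the same parser over the full batch of Add events generated at RRAS start would show whether any filter lacks a port condition or names port 3389.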

Best Answer

Well, I'm sure there's some way to get it set up exactly as I wanted, but I reconfigured the server to have both NICs on the 'external' subnet (all of our IPs are public - .edu) and reconfigured RRAS VPN, and everything is working fine without any additional static routes, etc.