Troubleshooting Routing and Remote Access Issues

Troubleshooting RRAS issues can sometimes be a painful process. So many elements are involved that pinpointing the cause of the problem is not as straightforward as you might hope. This section begins by addressing troubleshooting techniques for some of the most common problems.

A Service Cannot Be Accessed Remotely

You already configured the firewall, and you still cannot access a certain service from the Internet. There are many reasons why this problem can occur, but you can try to identify the problem in a systematic approach.

  • Rerun the CEICW and make sure that the appropriate boxes are selected and that the required ports are opened.

  • If you have a firewall in front of the server, make sure that the port is opened and forwarded to the SBS external network card.

  • Verify that the service you want to access is running. Also, make sure that it's listening on the appropriate port. On the SBS box run netstat ano in a command prompt to determine which processes are listening in which ports.

  • Try connecting to the resource from the internal network first. For example, if you have trouble accessing SMTP, type Telnet 25 from any machine on the network to see whether you get a response from Exchange SMTP server.

  • Connect a computer on the external segment of the SBS server making sure that it's on the same subnet as the external network card. Try to connect from that location (using the external network card IP address). If you are successful, rule out that the problem is within the SBS box.

  • Check whether your ISP is blocking that protocol. If this is the case, you might need to change ISPs or get a business class service that does not have such restrictions. Alternatively, you can use third-party services to redirect traffic to other ports (for example, offers redirection for SMTP traffic).

  • If you are using a DNS record (for example, to access the resource, try using the public IP instead. Also, verify that the DNS record is resolving to the correct IP. Two great web resources for troubleshooting DNS issues are and

  • Use a port scanner from different locations to determine where the fault occurs. FoundStone's SuperScan v4 is a great tool for this job (available for free at Online scanners such as ShieldsUP ( are also useful.

You Want to Access Your Server Remotely, But Only a Dynamic IP Address Is Available

Ideally, everyone running SBS should have a static IP address. However, the reality is that sometimes you can't get a static IP in your area, or the cost is prohibitive.

You can use a dynamic DNS service to keep a DNS record that always resolves to your most current IP address. You can obtain this service from several third-party sites, such as:




Using such services requires having either a router capable of running a dynamic DNS client or installing the client on your server. Also, some ISPs prevent certain services from being accessed remotely (most notably SMTP and HTTP access).

You Cannot Connect Remotely Using VPNError 721

If you cannot connect remotely using VPN, one possible cause is that port 1723 is not being forwarded to the SBS box. However, if you get error 721, this is usually caused if the GRE (Generic Routing Encapsulation) protocol is blocked.

If you are using a router, you must make sure that you enable protocol (not port!) GRE 47 through the router. This is sometimes called PPTP or VPN passthrough.

You Connect to the VPN Successfully, But You Can't Access Any Resources

This issue is likely caused by a routing problem. For a VPN to work, both machines must be on different subnets. In other words, if your server internal IP address is with a subnet mask of, the machine originating the VPN connection can be on any range of IP addresses except 192.168.16.x.

This is a common problem for administrators who manage more than one SBS network. If you install and support SBS systems regularly and you plan to use VPN to access them, you should put your own network on a different subnet as your clients.

You Cannot Establish More Than Five Simultaneous VPN Connections

By default when you run the Remote Access Wizard, it creates only five VPN ports for PPTP and another five ports for L2TP. If this is insufficient, you need to increase the number of PPTP ports available. Follow these steps:


Open the Routing and Remote Access console in Administrative Tools. Click on your server name to expand it, right-click on Ports, and select Properties.


On the Port Properties screen, select WAN Miniport (PPTP) and click Configure to open the Configure Device dialog box (see Figure 7.10). On the Maximum Ports box select the appropriate number of ports that you want to have available.

Figure 7.10. Configure WAN Miniport (PPTP) screen.

Internet Access Is Sluggish or Blocked While Connected to the VPN

Unfortunately, this is the expected behavior. When you activate the VPN connection, Internet traffic has to go through that connection, making it sluggish. If you are using ISA Server the client most likely will not be able to connect because it doesn't have the firewall client or the proxy settings enabled. In which case, the only workaround is to set the client to use ISA while connected to the VPN.

VPN Connection Keeps Disconnecting After a Period of Inactivity

By default the VPN connection will be dropped by the clients after 10 minutes of no activity. Although it is a good practice to disconnect the VPN as soon as you have finished using it, in some cases it might be necessary to increase this limit.

To modify that behavior, right-click on Connect to Small Business Server on the client and select Properties. Click on the Options tab, change the box that says Idle Time Before Disconnecting, and click OK.

More Troubleshooting Resources

You can find additional troubleshooting resources for the RRAS in Microsoft's TechNet:

  • NAT/basic firewall troubleshooting

  • VPN troubleshooting

Microsoft Small Business Server 2003 Unleashed
Microsoft Small Business Server 2003 Unleashed
ISBN: 0672328054
EAN: 2147483647
Year: 2005
Pages: 253
Similar book on Amazon © 2008-2017.
If you may any questions please contact us: