We have the following configuration:

- Premises
  - Local clients #N
  - Local server A (DC + RRAS)
  - Local server B (DC + RRAS)
  - Local servers C … Z
- Router/firewall
- Public
  - Foreign clients 1, 2, .., #N

Servers A and B are both fully patched (as of 17 August) Windows Server 2016 Standard.

We have this problem on both servers, so we'll use server A as the example to keep the explanation simple.

**RRAS configuration**:

Server A has only one NIC, configured as follows:

- 1 physical NIC
- Ethernet IF: 192.168.12.41/255.255.255.0
- Alias IF: 192.168.12.38/255.255.255.255 (this one is created by the RRAS server)
- The RRAS server ports (PPTP and SSTP) are forwarded by the router from its public IP to the Ethernet IF's IP

External client configuration:

Local and foreign clients are all Windows 7 to Windows 10 Professional; there is no further relevant information, but the ipconfig / nmap output is provided below:

Problem statement

External clients can successfully connect to the LAN through server A's RRAS. But when they do, at the network level they can connect to anything but server A. The problem was first noticed when someone connected to server A could not RDP to server A. We then found that none of server A's services was reachable, but any client and servers B to Z could be reached.

If the connection is the other way around (an external client connects to server B's RRAS), it can connect to anything on the LAN BUT server B.

UDP and TCP ports are unreachable through the RRAS that the client is connected to:

This is an nslookup from the external client to servers A and B while connected to server A:

```
c:\Users\user>nslookup site.customer.com 192.168.12.41
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.12.41

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Tempo scaduto per la richiesta a UnKnown

c:\Users\user>nslookup site.customer.com 192.168.12.42
Server:  moon.site.customer.com
Address:  192.168.12.42

Nome:    site.customer.com
Addresses:  192.168.12.41
          192.168.12.42
```
This is ipconfig /all on the external client after a successful connection to server A:

```
c:\Users\user>ipconfig /all
...
Scheda PPP CUSTOMER:

   Suffisso DNS specifico per connessione: site.customer.com
   Descrizione . . . . . . . . . . . . . : CUSTOMER
   Indirizzo fisico. . . . . . . . . . . :
   DHCP abilitato. . . . . . . . . . . . : No
   Configurazione automatica abilitata : Sì
   Indirizzo IPv4. . . . . . . . . . . . : 192.168.12.143(Preferenziale)
   Subnet mask . . . . . . . . . . . . . : 255.255.255.255
   Gateway predefinito . . . . . . . . . :
   Server DNS . . . . . . . . . . . . . : 192.168.12.42
                                         192.168.12.41
   NetBIOS su TCP/IP . . . . . . . . . . : Disattivato
...
```
This is a tracert to server A.

```
c:\Users\user>tracert -w 100 sun.site.customer.com

Traccia instradamento verso sun.site.customer.com [192.168.12.41]
su un massimo di 30 punti di passaggio:

  1    16 ms     *       14 ms  192.168.12.38
  2    15 ms    15 ms    14 ms  192.168.12.41

Traccia completata.
```

And this is the same for server B.

```
c:\Users\user>tracert -w 100 moon.site.customer.com

Traccia instradamento verso moon.site.customer.com [192.168.12.42]
su un massimo di 30 punti di passaggio:

  1     *       29 ms    26 ms  192.168.12.38
  2    23 ms    29 ms    31 ms  192.168.12.42

Traccia completata.
```
Nmap of server B:

```
c:\Users\user>nmap --unprivileged -P0 -F 192.168.12.42

Starting Nmap 7.60 ( https://nmap.org ) at 2017-08-29 17:54 ora legale Europa occidentale
Nmap scan report for moon.site.customer.com (192.168.12.42)
Host is up (1.1s latency).
Not shown: 89 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
443/tcp  open  https
445/tcp  open  microsoft-ds
1433/tcp open  ms-sql-s
1723/tcp open  pptp
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 32.27 seconds
```

Nmap of server A:

```
c:\Users\user>nmap --unprivileged -e ppp0 -P0 -F 192.168.12.41

Starting Nmap 7.60 ( https://nmap.org ) at 2017-08-29 17:56 ora legale Europa occidentale
Nmap scan report for sun.site.customer.com (192.168.12.41)
Host is up.
All 100 scanned ports on sun.site.customer.com (192.168.12.41) are filtered

Nmap done: 1 IP address (1 host up) scanned in 46.63 seconds
```
As you can see, name resolution works fine, but TCP/UDP connections to server A fail when connected to server A's RRAS, and to server B when connected to server B's RRAS.

Neither RRAS nor any other service on the servers or on the external clients shows anything relevant, which I think is normal, since the problem here is at the network level.

In fact, we found that for external clients, the second, auto-created internal IP of RRAS has server A's services published and reachable:

```
c:\Users\user>nmap --unprivileged -P0 -F 192.168.12.38

Starting Nmap 7.60 ( https://nmap.org ) at 2017-08-29 18:26 ora legale Europa occidentale
Nmap scan report for 192.168.12.38
Host is up (0.19s latency).
Not shown: 90 filtered ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
443/tcp  open  https
445/tcp  open  microsoft-ds
1723/tcp open  pptp
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 38.33 seconds
```
Question: what can be done to diagnose and prevent this symptom?

Edit: reply to @Raspberry's request

route print executed on server A

The RRAS clients currently connected are 192.168.12.128 and 192.168.12.79

```
C:\Users\Vincenzo>route print
===========================================================================
Elenco interfacce
 14...00 50 56 ac 63 1a ......vmxnet3 Ethernet Adapter
 30...........................RAS (Dial In) Interface
  1...........................Software Loopback Interface 1
 12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
 16...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #3
===========================================================================

IPv4 Tabella route
===========================================================================
Route attive:
Indirizzo rete          Mask          Gateway       Interfaccia  Metrica
          0.0.0.0          0.0.0.0    192.168.12.39    192.168.12.41    271
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
     192.168.12.0    255.255.255.0         On-link     192.168.12.41    271
    192.168.12.79  255.255.255.255    192.168.12.79    192.168.12.38     42
   192.168.12.128  255.255.255.255   192.168.12.128    192.168.12.38     42
    192.168.12.38  255.255.255.255         On-link     192.168.12.38    297
    192.168.12.41  255.255.255.255         On-link     192.168.12.41    271
   192.168.12.255  255.255.255.255         On-link     192.168.12.41    271
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link     192.168.12.41    271
        224.0.0.0        240.0.0.0         On-link     192.168.12.38    297
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link     192.168.12.41    271
  255.255.255.255  255.255.255.255         On-link     192.168.12.38    297
===========================================================================
Route permanenti:
  Indirizzo rete          Mask  Indir. gateway  Metrica
          0.0.0.0          0.0.0.0    192.168.12.39  Predefinito
===========================================================================
```
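As an added example (not part of the original question), a PowerShell inventory to run on server A that collects what a responder would want next: the firewall profile each of the two addresses belongs to, the per-client host routes seen in the route table, and the scope of the enabled inbound rules for the ports that nmap reports as filtered on the Ethernet IP but open on the RRAS alias IP. The addresses come from the question; the port list, and the working hypothesis that rule scope (profile, interface type, address) is worth checking because nmap says "filtered", are assumptions.

```powershell
# Added diagnostic script, not from the original post. Run elevated on server A.
# The two addresses are taken from the question; the port list is an assumption
# covering services that nmap showed filtered on .41 but open on .38.
$LanIp = '192.168.12.41'   # Ethernet IF
$RasIp = '192.168.12.38'   # alias IF created by RRAS
$Ports = 53, 88, 389, 445, 3389

# 1. Which interface owns each address and which firewall profile it sits in.
foreach ($ip in $LanIp, $RasIp) {
    $a = Get-NetIPAddress -IPAddress $ip -AddressFamily IPv4 -ErrorAction SilentlyContinue
    if (-not $a) { Write-Warning "$ip is not assigned to any interface"; continue }
    $p = Get-NetConnectionProfile -InterfaceIndex $a.InterfaceIndex -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Address   = $ip
        Interface = $a.InterfaceAlias
        Profile   = if ($p) { $p.NetworkCategory } else { '(no profile)' }
    }
}

# 2. Per-client host routes (/32 with a next hop): they should leave via the RAS interface.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.PrefixLength -eq 32 -and $_.NextHop -ne '0.0.0.0' } |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric

# 3. Enabled inbound rules for the filtered ports: profile, interface type and
#    address scope decide whether packets arriving from the RAS interface match.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort | Where-Object { $_ -in $Ports } } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $rule = $_
        $if   = $rule | Get-NetFirewallInterfaceTypeFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Port          = $port.LocalPort -join ','
            Profile       = $rule.Profile
            InterfaceType = $if.InterfaceType
            LocalAddress  = $addr.LocalAddress -join ','
            RemoteAddress = $addr.RemoteAddress -join ','
            Action        = $rule.Action
        }
    } | Format-Table -AutoSize

# 4. Profile state, to correlate with the profile each interface reports above.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

Compare the RAS interface's profile and the matching rules' InterfaceType/LocalAddress columns against the Ethernet interface's; a rule that is limited to one profile, one interface type or one local address would explain why the same service answers on one address but not the other, which is exactly the pattern in the nmap output.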