
VPN client Microsoft network browsing

milan.kulik
Level 10

Hi, does anybody know how Microsoft network source browsing works on Cisco VPN client?

I've just configured an IPSec remote access VPN to my PIX.

I'm running Cisco VPN Client 4.0.4 on my PC (Windows 2000).

I'm not using WINS in my network. No LMHOSTS file used.

The only info configured on the PIX to send to the client is DNS server address and the default domain name.

But the client is still able to connect to the Windows2000 domain and I can see other PCs through Windows Neighborhood and connect to them by simply clicking in the Network Neighborhood window!

I tried to capture some packets by Observer protocol analyzer and I noticed there are some Ethernet frames sent from the PIX to the VPN client through the IPSec tunnel with following characteristics:

MAC source address: 40:00:7F:06:6D:xx (the last Byte changes)

MAC destination address: 45:00:00:4F:76:xx (the last Byte changes)

Protocol: 0x0A02 (Xerox PUP CAL - detected by Observer).

It looks strange to me:

1) I always thought only IP packets could be sent via IPSec tunnel, not L2 frames?

2) Could anybody explain if these frames are involved in the Microsoft browsing process?

3) Generally, how does Microsoft browsing work on the Cisco VPN client without WINS or LMHOSTS in a routed environment?

Thanks,

Milan
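Added example, not part of the original post or any reply: it puts the reported header values in Ethernet wire order (destination MAC, source MAC, type) and reads the same 14 bytes as the start of an IPv4 header, to test the assumption (not confirmed in the thread) that the analyzer decoded raw IP packets as Ethernet frames. The function names are hypothetical and the unknown `xx` bytes are filled with a 0x00 placeholder.

```python
import struct

# Header values as reported in the post. The "xx" bytes were not given,
# so they are filled with a 0x00 placeholder (an assumption of this example).
DST_MAC = "45:00:00:4F:76:xx"
SRC_MAC = "40:00:7F:06:6D:xx"
ETHERTYPE = 0x0A02


def mac_to_bytes(mac, placeholder=0x00):
    """Convert 'aa:bb:..' to bytes, substituting the placeholder for 'xx'."""
    return bytes(placeholder if p.lower() == "xx" else int(p, 16)
                 for p in mac.split(":"))


def wire_bytes(dst, src, ethertype):
    """Ethernet wire order: destination MAC, source MAC, 2-byte type."""
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", ethertype)


def parse_ipv4_prefix(buf):
    """Read the first 14 bytes as the start of an IPv4 header."""
    if len(buf) < 14:
        raise ValueError("need at least 14 bytes")
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, proto, _cksum) = struct.unpack("!BBHHHBBH", buf[:12])
    return {
        "version": ver_ihl >> 4,
        "ihl_bytes": (ver_ihl & 0x0F) * 4,
        "total_length": total_len,
        "dont_fragment": bool(flags_frag & 0x4000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,                        # 6 = TCP, 17 = UDP
        "src_ip_prefix": f"{buf[12]}.{buf[13]}",  # first two source octets
    }


def looks_like_ipv4(f):
    """Sanity checks that a real IPv4 header start must pass."""
    return (f["version"] == 4 and f["ihl_bytes"] >= 20
            and f["total_length"] >= f["ihl_bytes"] and f["ttl"] > 0)


if __name__ == "__main__":
    fields = parse_ipv4_prefix(wire_bytes(DST_MAC, SRC_MAC, ETHERTYPE))
    print(fields, looks_like_ipv4(fields))
```

With these inputs the bytes decode as IPv4 with a 20-byte header, total length 79, DF set, TTL 127, protocol 6 (TCP) and a source address beginning 10.2. The two `xx` positions fall on the low bytes of the Identification and header checksum fields, both of which vary from packet to packet.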

26 Replies

Interesting.

I always thought my problem was WINS not running.

Are you sure when connected via VPN your PC receives the WINS server address correctly?

Regards,

Milan

I am 100%. I even see my netbios name in the WINS database with my VPN client ip address.

http://support.microsoft.com/?kbid=150800

I don't know how much of the information from the above link pertains to WIN2K even though it mentions it at the bottom of the page.

WINS server is used for name registration (that's why, Frank, you see the VPN client's IP in the database) and also name resolution (when you try to ping something by name the WINS returns its IP).

WINS is not used for browsing the network neighborhood from client perspective though. WINS helps build the list of resources but it hands it over to the PDC which in turn gives it to the MasterBrowser for the segment. MasterBrowser is the one that gives the list of resources to end clients (backup Master browser to be precise) and here WINS is again not involved in providing the clients with who the MasterBrowser is. (This is all from the above link.)

There are other links that I included below which seem to contradict the above statement.

Milan, for you it is normal to be unable to browse without WINS server. I think you were able to browse the first time when on the outside of PIX because you still had the IP addresses of BackupBrowser server still cached, and the PC discovered it probably through broadcast while on the internal network.

Frank, I think you can't browse through the VPN because even though you have WINS the machine is in a workgroup and it doesn't know what domain name to request resources from. You were able to see them while inside but that was through broadcasts I think.

Other links

http://www.microsoft.com/windows2000/en/server/help/sag_WINS_und_BrowsingWithWins.htm

http://support.microsoft.com/default.aspx?scid=kb;en-us;188001

http://www.microsoft.com/resources/documentation/windows/2000/server/reskit/en-us/tcpip/part4/tcpappi.mspx

At the end of the last link there is a good section on troubleshooting browsing problems.

Check out the command Browstat.exe

Regards,

-gh

When I was inside the pix it was not through broadcasts. I purposely put my laptop on a separate broadcast segment.

Any chance of cached information on the laptop

(WINS server IP or MAC, or Backup Browsers IP or MAC)?

If you don't mind, how did you create the separate broadcast segment - through separate VLAN, switch, proxy ARP enabled somewhere?

No chance of cached entries. Between tests I was doing a nbtstat -R. I created the separate broadcast segment with a VLAN on a 2900XL switch and was doing intervlan routing using a 2611 with subinterfaces.

Thanks Frank.

Just curious - have you tried it from the VPN but with a PC which is part of the W2K domain?

No, I haven't been able to yet. If I can I will post my results.

jeff.bankston
Level 1

Same problem here, fixed by reverting back to the 4.0.3 client and cleaning out the goofball WINS database entries created by the client laptop registering into the domain. Our VPN server is a 2621 running 12.2(15)T12 3DES. Don't know what's the deal, the client VPN log didn't show anything openly wrong, just killed browsing ability into our domain.

-Jeff

fmarotta
Level 1

Does anybody know if latency has any effect on this? If I attach my laptop to the outside LAN interface on the pix it works, but if VPN in from a dial up or dsl line I cannot browse network neighborhood.

Any ideas?

Thanks

Frank

Frank,

I would be very, very, very surprised if latency is the culprit.

-GH

As a suggestion:

try to sniff traffic on the inside of the PIX coming from the VPN when on the outside of PIX and when on DSL and compare what is hitting the internal network in each case.

-GH