[Solved] Windows File Sharing over VPN unreliable

[Vertel]

I'm servicing a client who has their network arranged across three locations, with a Windows 2008 R2 Enterprise server acting as domain controller and file server at location 1, with client machines in all three locations. The remote locations are connected in to location 1 with Zentyal-to-Zentyal VPN boxes, and everything is working correctly as far as domain communications goes, except for file sharing.

The file sharing itself is working; network drives are being mapped, you can see, access, all the good stuff. But at seemingly random intermittent moments remote locations appear to lose the ability to see the Windows 2008 server, despite pings, etc. all going through correctly at the very same moment. The problem always resolves itself in a few seconds, but one of the remote locations has some network share files constantly open and being worked on, and this network disruption completely knocks them offline and can damage their working files. When this happens, the server usually gets Windows Error ID 2012, but I've exhausted all the options searching for that error gives me. I have narrowed the problem to the VPN link, as the client machines at location 1 have absolutely no problem with extended access to file shares. I'm just not sure where to go from here, as the VPN link seems to remain up when these outages happen.

Any ideas?

[nicolasdiogo]

i have used the VPN module without the Windows Controller - and it has worked great for transferring files.
3-4 GB files transfer with not corruption or drop in communication.

regards,

[akhasis]

Any new info about this topic?

Were you able to solve this, nicolasdiogo?

Thank you!

[nicolasdiogo]

i can not find this problem

if you are able to provide details on how you encounter this problem i will look into it.

regards,

[akhasis]

I'm having the same problem. It seems that, in my case, the clients are disconnected when some other client accesses a file in the file system. But they don't disconnect from the lan (they still can ping the server, use the IM server or access the webpages that are only accessible in the LAN). They just don't seem to find the files, or are denied permission to them, or takes so long to open the file that it times out.

Any idea on what it can be? Or at least if I should blame the network, the operating system, the permissions system, open vpn software or Zentyal itself?

[nicolasdiogo]

hi were you able to verify the logs on the Zentyal server?
if the files are locked - i would presume that samba would write to a log to flag any problem.

could you time when this error ocours and have a look at samba log?

i do not resources to test this config with Win2008AD.

[christian]

something linked to this ?

(extract from Zentyal documentation)

Also, to browse shared files from the VPN [3] you must explicitly allow the broadcast of traffic from the Samba server.
[3]   For additional information about file sharing go to section File sharing and authentication service

[akhasis]

As far as i can remember (today is a holiday here) I don't have the file sharing module enabled. Still, as I mentioned, users are able to access the shared folders, as long as no other user accesses any other file. Anyway, I'll enable the module first thing tomorrow morning.

Just in case it could give any hint, I had Zentyal 2.2 VPN working great (file sharing was enabled and configured as a domain client, but I wasn't able to configure Zentyal 3.0.17 as a domain client when I tried).

Thanks for your clues, I'll post a follow up.

[akhasis]

Ok, samba enabled, still the same problems.

One thing I noticed, my in-LAN users can ping the file server by its name, while the ones connected through the VPN can't. Is that something normal or may have to do with the issue?

Edit: I can ping the FQDN of the file server, but not its short version.

[christian]

The answer is within Zentyal documentation:

You now have access to the data server from both remote clients. If you want to use the local Zentyal DNS service through the private network, you need to configure these clients to use Zentyal as name server. Otherwise, it will not be possible to access services by the hosts in the LAN by name, but only by IP address. Also, to browse shared files from the VPN [3] you must explicitly allow the broadcast of traffic from the Samba server.

Too bad, I didn't paste it in my previous post as I thought it was clear enough 

Technically speaking, VPN can, if I understand correctly, push DNS related info but I suppose it has some limitation like need to run client as administrator?
Anyway, this option is not implemented by Zentyal.

[akhasis]

My fault, I focused in the file sharing bit and didnt see that DNS part. Sorry and thanks for your time.

Also, to browse shared files from the VPN [3] you must explicitly allow the broadcast of traffic from the Samba server.

I have enabled file sharing (with the most basic configuration) (see attached file). That should be enough, I think?

My VPN clients connect from another LAN. I can see in the VPN widget that they are not using the default VPN port, but are assigned a (seemingly) random one. May that have anything to do with the issue? Is there anything I have to do (open ports in the firewall, or configure them somewhere) to make them work?

I'd like to remind anyone reading this that the clients can connect and use the files, so I had already discarded the firewall or closed ports as the cause of the problem. And that no change has been made in the clients, just moved from zentyal 2.2 to 3.

[Sam Graf]

My VPN clients connect from another LAN. I can see in the VPN widget that they are not using the default VPN port, but are assigned a (seemingly) random one. May that have anything to do with the issue? Is there anything I have to do (open ports in the firewall, or configure them somewhere) to make them work?

I don't think so.

I'd like to remind anyone reading this that the clients can connect and use the files, so I had already discarded the firewall or closed ports as the cause of the problem. And that no change has been made in the clients, just moved from zentyal 2.2 to 3.

So the number of VPN servers is unchanged from the 2.2 setup? And the client bundles were not replaced because ... ? I'm just curious about that (I don't know for a fact that there is a problem here) since Zentyal 2.2 and Zentyal 3.0 are built on different Ubuntu LTS releases; my instinct would have been to update the clients as well.

[akhasis]

I wrote that the clients are still the same as before, meaning that no new software has been added, nor changes have been made to their firewalls, etc. Yes, the client bundles were replaced (many times, in fact, since I have been testing all kind of things to make it work). Also the client program was reinstalled (not sure if in all the clients, but in most of them).

Zentyal OpenVPN log indicated that there were TLS handshake errors every now and then, but can't relate them to the failures.

I turned up the verbosity of Zentyal OpenVPN logs to 6, but now there are hundreds of occurences per second, and I couldn't find any error.

[nicolasdiogo]

it seems that there are problem with Zentyal that are using internal/local LDAP as well as those using WINDOWS AD.

i will spin up a system and check this (without WINAD).

to certain - everybody is using and having problems with Zentyal 3?

Otherwise, it will not be possible to access services by the hosts in the LAN by name, but only by IP address.

that means your clients connected through VPN do not use the Zentyal in their dns lookup.

[christian]

I don't understand why you enable file sharing on Zentyal if you do not intend to share anything 
The only potential added value could be, assuming this is configured this way, use of Zentyal as WINS server. This aside, I don't understand what it brings.

I also don't understand how VPN clients could use port that is not assigned. Very strange to me.

When you create client bundle, your supposed to include client certificate that is signed by Zentyal CA.
Depending on how you moved from 2.2 to 3.0, this may just break VPN service (I never ran Zentyal migration script but assume that it keeps CA and issued certificates)

What perhaps deserves some clarification in your initial explanation is this
 

The file sharing itself is working; network drives are being mapped, you can see, access, all the good stuff. But at seemingly random intermittent moments remote locations appear to lose the ability to see the Windows 2008 server, despite pings, etc. all going through correctly at the very same moment. The problem always resolves itself in a few seconds, but one of the remote locations has some network share files constantly open and being worked on, and this network disruption completely knocks them offline and can damage their working files

what do you mean with "to see"? If you confirm server can still be reached (e.g. ping), then I would suggest that you look at some potential error or conflict with master browser election process.