#StackBounty: #windows #vpn #tcp #windows-server-2019 #rras Windows RRAS NAT Vastly Slows Down Native (Non-VPN) TCP Connections of Server

Bounty: 50

So I have a Windows Server 2019 (Server A) set up with the RRAS (Routing and Remote Access) role. It is configured with the built-in NAT in such a way that VPN clients have access to the internet via the server’s public interface.

For clients this works flawlessly, but native connections (e.g. TCP) from the server itself (Server A, which runs the RRAS role) become laughably slow. (Connections to Server A work as fast as expected) When testing via PowerShell’s Test-NetConnection I get successful TCP connections to a remote TCP server (Server B) (completely unrelated to the VPN/Server A, EDIT: but with an IP that has the same network prefix) that take up to 15 seconds (sic!) to complete.
Pings from Server A to the exact same Server B are in the ballpark of single-digit milliseconds and work without any delay, irrespective of RRAS/NAT settings.

The issue only compes up if RRAS is enabled with NAT AND the RRAS network interface is enabled (i.e. after startup of the server or startup of the RRAS service there was at least one client connected). Before this state or if NAT is disabled for RRAS, connections establish almost instantly.

I first manually deleted all RRAS relevant routes in the routing table – to no avail. Then I inspected the packets with WireShark. Turns out the TCP packet exchange and packet reception are just as fast as if RRAS NAT was disabled. Seems like the packets are simply not properly forwarded to the program executing the request.

What’s boggling my mind is that the connection eventually does succeed, but is simply excrutiatingly slow. What could be the culprit here? Do I have to resort to a separate RRAS VPN Server?


Get this bounty!!!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.