RE: RES: RE: ISA Server and Outbound VPN

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 12 Jun 2003 20:07:16 -0500

Hi Greg,

It sounds like the ISA firewall is a VPN client to a VPN server at the
ISP. The public address the ISA firewall uses is assigned to the VPN
connection. So, you created a DUN connectoid and then used this DUN
connectoid to create the dial-up entry in the ISA Management console.
The DUN connectoid dials up automatically when a LAT host makes an
outbound request. Right?

Is it this link that goes up and down? I wonder if it could be an MTU
issue? Also, I recall SP1 having an effect on this type of setup,
although I don't recall what the issue was because I've never personally
been abused with this type of link :)

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: Greg Wright [mailto:greg@xxxxxxxxxxxx] 
Sent: Thursday, June 12, 2003 7:56 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: ISA Server and Outbound VPN


http://www.ISAserver.org


Just to clarify the totality of the situation for others:

They have a wireless (ethernet) connection via private IP range to the
ISP. The ISP terminates VPN (and PPPoE) tunnels at a gateway.

The customer will make a VPN connection to the gateway VPN server at the
ISP and be provided with an external (internet) address.

This dialup process is managed by ISA Server. This operates fine while
RRAS is down.

RRAS has 2 outgoing VPN configurations that create a private tunnel
between this office and 2 other sites across the world. One, I
understand, is a central office. All sites use ISA Server, and most
sites have the capability to terminate incoming VPNs. The central office
at least, accepts incoming connections.

So, while I don't know much of the VPN Gateways that you're discussing,
since I have focussed on the RRAS/VPN Dialup conflict at this point, it
does now sound like the configuration situation applies to them.

If I can't resolve the PPPoE installation, I will have to learn about VPN
Gateways, and I expect I will be reading your site a whole bunch more
than I already do now Tom!

Thanks again,
Greg

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Friday, 13 June 2003 1:18 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: ISA Server and Outbound VPN


Hi Tiago,

I don't think his situation is the same as yours. You were creating (or
trying to create) a demand dial interface to create a VPN gateway to
gateway link to join office networks over the Internet. You need to make
one side active (the 'calling' side) and one side passive (the 'call
recipient' side). The interface name must be the same as the credentials
presented by the remote router because this is how RRAS determines that
it should handle the call as a VPN gateway connection, rather than a VPN
client connection! If the credentials do not match the name of the
interface answering the call, then the connection attempt is treated as
a simple VPN client call. 

The static router is required so that the demand dial interface is used
to route packets to the remote network. Also, make sure that all
networks that are joined by the VPN gateways are on the LAT, or else the
Firewall client will try to send packets to the remote network to the
Internet! That wouldn't work very well :)  Actually, all these cool
secrets and non-secrets are in my VPN gateway to gateway articles over
at www.isaserver.org/shinder 

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Thursday, June 12, 2003 8:29 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: ISA Server and Outbound VPN


Hey Tom,

Remember that I had the same problem? 

-In RRAS, you have to set only one of the VPN interfaces as persistent,
and the other as demand-dial.

-The VPN interface must have the same name as the user being used to
connect to the remote server

-In the static routes in RRAS, the option "use this route to initiate
demand-dial connections" on the route that reaches the remote network
can only be marked on the same side that has persistent connection
marked.

This took care of the problem here.

Tiago de Aviz
IT Consultant
MCP-CNA-AIX-CCNA-CCDA
--------------------------------
www.softsell.com.br
tiago@xxxxxxxxxxxxxxx
--------------------------------

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, June 12, 2003 00:07
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Server and Outbound VPN

Hi Greg,

Is the ISA firewall creating a VPN client connection to the ISP? Or are
you just passing PPTP through the ISA firewall?

Thanks!
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: Greg Wright [mailto:greg@xxxxxxxxxxxx] 
Sent: Wednesday, June 11, 2003 9:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Server and Outbound VPN


Hi Tom,

It's my wireless network (well, I run the thing anyway) and I was at the
site checking the radio quality. Sub 10ms pings for 25 minutes
yesterday.

The lower layers are fine. While the ping was running, the vpn
connection was reconnecting constantly, which indicated to me that it
was a VPN/ISA related problem. I also tested VPN connections from my
laptop over the same connection with no issue.

The VPN Server (as the ISP we hand off to) has not reported problems
with their end so I have to presume at this point it's client side. 

Thanks for the other ideas, I can and will try these. If these fail, I'm
going to PPPoE!

Regards,
Greg

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, 12 June 2003 12:16 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Server and Outbound VPN


Hi Greg,

First suspect is always layer 1: routers, cables, ISPs issues -- too
many people, including me, have VPN links stay up for hours or days
without problems. So, as long as your server is up to date, I have to
put ISA firewall related problems low on the list.

Try using L2TP/IPSec -- there are rumors, and nothing more than rumors,
that there's an issue with the control channel getting "stale", for want
of a better term. I don't know if it's a TCP protocol issue, or
something in the PPTP control command set. But sometimes changing to
L2TP helps.

Try switching from your high dollar Intel card with custom Intel drivers
to a cheapo Realtek or Linksys that has built in Win2k drivers. A number
of people have suggested that this has helped them too.

Make sure that there are no Remote Access Policies involved that direct
the servers or clients to drop the connection after "x" minutes of
inactivity.

Run a NetMon trace and catch the packets and see if anything interesting
happens right before the disconnect. Since the disconnect happens so
frequently, you won't have to wait long to get multiple examples.

HTH,
Tom

Thomas W Shinder 
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1 
Configuring ISA Server: http://tinyurl.com/1llp 



-----Original Message-----
From: Greg Wright [mailto:greg@xxxxxxxxxxxx] 
Sent: Wednesday, June 11, 2003 9:09 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA Server and Outbound VPN


Hi all,

I haven't been able to keep an eye on the mailing list for quite some
time, and I know that in the past there have been some ISA VPN related
posts. The reason I am posting this, is I have a customer that has a
highly configured ISA system, with configuration for an outbound VPN
connection to their ISP for internet access, and then a couple more
outbound VPNs connecting the office to a central office in the US.

The internet VPN connection is constantly dropping and redialling its
connection. While I was onsite, the VPN never stayed up longer than 5
minutes.

Has anyone got any clues, recommendations or suggestions about issues
relating to VPN calls, ISA quirks etc?

I expect it will be just a matter of troubleshooting it, but I wondered
if anyone could give me a heads up before I get onsite.

Thanks,
Greg

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
