RE: RES: RE: ISA Server and Outbound VPN

I had a similar problem with my dial up connection which went up and
down, but only when a secure nat client made a request. No event log
entries at all, only connection/disconnection messages. I was not able
to figure out why this happened. No connection problems with firewall
clients.

A fresh install did the job. Btw no VPN involved.

Mark

> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
> Sent: Friday, June 13, 2003 3:07 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RES: RE: ISA Server and Outbound VPN
> 
> 
> http://www.ISAserver.org
> 
> 
> Hi Greg,
> 
> It sounds like the ISA firewall is a VPN client to a VPN 
> server at the ISP. The public address the ISA firewall uses 
> is assigned to the VPN connection. So, you created a DUN 
> connectoid and then used this DUN connectoid to create the 
> dial-up entry in the ISA Management console. The DUN 
> connectoid dials up automatically when a LAT host makes an 
> outbound request. Right?
> 
> Is is this link that goes up and down? I wonder if it could 
> be an MTU issue? Also, I recall SP1 having an effect on this 
> type of setup, although I don't recall what the issue was 
> because I've never personally been abused with this type of link :)
> 
> HTH,
> Tom
> 
> Thomas W Shinder 
> www.isaserver.org/shinder 
> ISA Server and Beyond: http://tinyurl.com/1jq1 
> Configuring ISA Server: http://tinyurl.com/1llp 
> 
> 
> 
> -----Original Message-----
> From: Greg Wright [mailto:greg@xxxxxxxxxxxx] 
> Sent: Thursday, June 12, 2003 7:56 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RES: RE: ISA Server and Outbound VPN
> 
> 
> http://www.ISAserver.org
> 
> 
> Just to clarify the totality of the situation for others:
> 
> They have a wireless (ethernet) connection via private IP 
> range to the ISP. The ISP terminates VPN (and PPPoE) tunnels 
> at a gateway.
> 
> The customer will make a VPN connection to the gateway VPN 
> server at the ISP and be provided with an external (internet) address.
> 
> This dialup process is managed by ISA Server. This operates 
> fine while RRAS is down.
> 
> RRAS has 2 outgoing VPN configurations that create a private 
> tunnel between this office and 2 other sites across the 
> world. One, I understand, is a central office. All sites use 
> ISA Server, and most sites have the capability to terminate 
> incoming VPN's. The cetral office at least, accepts incoming 
> connections.
> 
> So, while I don't know much of the VPN Gateways that your 
> discussing, since I have focussed on the RRAS/VPN Dialup 
> conflict at this point, it does now sound like the 
> configuration situation applies to them.
> 
> If I cant resolve the PPPoE installation, I will have to 
> learn about VPN Gateways, and I expect I will be reading your 
> site a whole bunch more than I already do now Tom!
> 
> Thanks again,
> Greg
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
> Sent: Friday, 13 June 2003 1:18 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: RES: RE: ISA Server and Outbound VPN
> 
> 
> http://www.ISAserver.org
> 
> 
> Hi Tiago,
> 
> I don't think his situation is the same as yours. You were 
> creating (or trying to create) a demand dial interface to 
> create a VPN gateway to gateway link to join office networks 
> over the Internet. You need to make one side active (the 
> 'calling' side) and one side passive (the 'call recipient' 
> side). The interface name must the same as the credentials 
> presented by the remote router because this is how RRAS 
> determines that it should handle the call as a VPN gateway 
> connection, rather than a VPN client connection! If the 
> credentials do not match the name of the interface answering 
> the call, then the connection attempt is treated as a simple 
> VPN client call. 
> 
> The static router is required so that the demand dial 
> interface is used to route packets to the remote network. 
> Also, make sure that all networks that are joined by the VPN 
> gateways are on the LAT, or else the Firewall client will try 
> to send packets to the remote network to the Internet! That 
> wouldn't work very well :)  Actually, all these cool secrets 
> and non-secrets are in my VPN gateway to gateway articles 
> over at www.isaserver.org/shinder 
> 
> Thanks!
> Tom
> 
> Thomas W Shinder
> www.isaserver.org/shinder 
> ISA Server and Beyond: http://tinyurl.com/1jq1
> Configuring ISA Server: http://tinyurl.com/1llp
> 
>  
> 
> 
> -----Original Message-----
> From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
> Sent: Thursday, June 12, 2003 8:29 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RES: RE: ISA Server and Outbound VPN
> 
> 
> http://www.ISAserver.org
> 
> 
> Hey Tom,
> 
> Remember that I had the same problem? 
> 
> -In RRAS, you have to set only one of the VPN interfaces as 
> persistent, and other as  demand-dial. 
> 
> -The VPN interface must have the same name that the user 
> being used to connect to the remote server
> 
> -In the static routes in RRAS, the option "use this route to 
> initiate demand-dial connections" on the route that reaches 
> the remote network can only be marked on the same side that 
> has persistent connection marked.
> 
> This took care of the problem here.
> 
> Tiago de Aviz
> IT Consultant
> MCP-CNA-AIX-CCNA-CCDA
> --------------------------------
> www.softsell.com.br
> tiago@xxxxxxxxxxxxxxx
> --------------------------------
> 
> -----Mensagem original-----
> De: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
> Enviada em: quinta-feira, 12 de junho de 2003 00:07
> Para: [ISAserver.org Discussion List]
> Assunto: [isalist] RE: ISA Server and Outbound VPN
> 
> http://www.ISAserver.org
> 
> 
> Hi Greg,
> 
> Is the ISA firewall creating a VPN client connection to the 
> ISP? Or are you just passing PPTP through the ISA firewall?
> 
> Thanks!
> Tom
> 
> Thomas W Shinder 
> www.isaserver.org/shinder 
> ISA Server and Beyond: http://tinyurl.com/1jq1 
> Configuring ISA Server: http://tinyurl.com/1llp 
> 
> 
> 
> -----Original Message-----
> From: Greg Wright [mailto:greg@xxxxxxxxxxxx] 
> Sent: Wednesday, June 11, 2003 9:40 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA Server and Outbound VPN
> 
> 
> http://www.ISAserver.org
> 
> 
> Hi Tom,
> 
> Its my wireless network (well, I run the thing anyway) and I 
> was at the site checking the radio quality. Sub 10ms pings 
> for 25 minutes yesterday.
> 
> The lower layers are fine. While the ping was running, the 
> vpn connection was reconnecting constantly, which indicated 
> to me that it was a VPN/ISA related problem. I also tested 
> VPN connections from my laptop over the same connection with no issue.
> 
> The VPN Server (as the ISP we hand off to) has not reported 
> problems with their end so I have to presume at this point 
> its client side. 
> 
> Thanks for the other idea's, I can and will try these. If 
> these fail, im going ot PPPoE!
> 
> Regards,
> Greg
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
> Sent: Thursday, 12 June 2003 12:16 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: ISA Server and Outbound VPN
> 
> 
> http://www.ISAserver.org
> 
> 
> Hi Greg,
> 
> First suspect is always layer 1: routers, cables, ISPs issues 
> -- too many people, including me, have VPN links stay up for 
> hours or days without problems. So, as long as your server is 
> up to date, I have to put ISA firewall related problems low 
> on the list.
> 
> Try using L2TP/IPSec -- there are rumors, and nothing more 
> than rumors, that there's an issue with the control channel 
> getting "stale", for want of a better term. I don't know if 
> it's a TCP protocol issue, or something in the PPTP control 
> command set. But sometimes changing to L2TP helps.
> 
> Try switching from your high dollar Intel card with custom 
> Intel drivers to a cheapo Realtek or Linksys that has built 
> in Win2k drivers. A number of people have suggested that this 
> has helped them too.
> 
> Make sure that there are no Remote Access Policies involved 
> that direct the servers or clients to drop the connection 
> after "x" minutes of inactivity.
> 
> Run a NetMon trace and catch the packets and see if anything 
> interesting happens right before the disconnect. Since the 
> disconnect happens so frequently, you won't have to wait long 
> to get multiple examples.
> 
> HTH,
> Tom
> 
> Thomas W Shinder 
> www.isaserver.org/shinder 
> ISA Server and Beyond: http://tinyurl.com/1jq1 
> Configuring ISA Server: http://tinyurl.com/1llp 
> 
> 
> 
> -----Original Message-----
> From: Greg Wright [mailto:greg@xxxxxxxxxxxx] 
> Sent: Wednesday, June 11, 2003 9:09 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] ISA Server and Outbound VPN
> 
> 
> http://www.ISAserver.org
> 
> 
> Hi all,
> 
> I havent been able to keep an eye on the mailing list for 
> quite some time, and I know that in the past there has been 
> some ISA VPN related posts. The reason I am posting this, is 
> I have a customer that has a highly configured ISA system, 
> with configuration for an outbounf VPN connection to their 
> ISP for internet access, and then a couple more oubound vpn's 
> connecting the office to a central office in the US.
> 
> The internet VPN connection is constantly dropping and 
> redialling its connection. While I was onsite, the VPN never 
> stayed up longer than 5 minutes.
> 
> Has anyone got any clues, recommendations or suggestions 
> about issues relating to VPN calls, ISA quirks etc?
> 
> I expect it will be just a matter of troubleshooting it, but 
> I wondered if anyone could give me a heads up before I get onsite.
> 
> Thanks,
> Greg
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: 
> http://www.serverfiles.com No.1 Exchange Server Resource 
> Site: http://www.msexchange.org Windows Security Resource 
> Site: http://www.windowsecurity.com/ Network Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a 
> blank email to $subst('Email.Unsub')
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: 
> http://www.serverfiles.com No.1 Exchange Server Resource 
> Site: http://www.msexchange.org Windows Security Resource 
> Site: http://www.windowsecurity.com/ Network Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: greg@xxxxxxxxxxxx To unsubscribe send a blank email 
> to $subst('Email.Unsub')
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: 
> http://www.serverfiles.com No.1 Exchange Server Resource 
> Site: http://www.msexchange.org Windows Security Resource 
> Site: http://www.windowsecurity.com/ Network Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a 
> blank email to $subst('Email.Unsub')
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: 
> http://www.serverfiles.com No.1 Exchange Server Resource 
> Site: http://www.msexchange.org Windows Security Resource 
> Site: http://www.windowsecurity.com/ Network Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tiago@xxxxxxxxxxxxxxx To unsubscribe send a blank 
> email to $subst('Email.Unsub')
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: 
> http://www.serverfiles.com No.1 Exchange Server Resource 
> Site: http://www.msexchange.org Windows Security Resource 
> Site: http://www.windowsecurity.com/ Network Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a 
> blank email to $subst('Email.Unsub')
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: 
> http://www.serverfiles.com No.1 Exchange Server Resource 
> Site: http://www.msexchange.org Windows Security Resource 
> Site: http://www.windowsecurity.com/ Network Security
> Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: greg@xxxxxxxxxxxx To unsubscribe send a blank email 
> to $subst('Email.Unsub')
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: 
> http://www.serverfiles.com No.1 Exchange > Server Resource 
> Site: http://www.msexchange.org Windows Security Resource 
> Site: http://www.windowsecurity.com/ Network Security 
> Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a 
> blank email to $subst('Email.Unsub')
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> Leading Network Software Directory: 
> http://www.serverfiles.com No.1 Exchange > Server Resource 
> Site: http://www.msexchange.org Windows Security Resource 
> Site: http://www.windowsecurity.com/ Network Security 
> Library: http://www.secinf.net/ Windows 2000/NT Fax 
> Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: m.hippenstiel@xxxxxxxxxxxx To unsubscribe send a 
> blank email to $subst('Email.Unsub')
> 


Other related posts: