RE: RES: RE: RES: RE: VPN router-to-router drop every ~3 minutes
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Sun, 23 Feb 2003 11:34:48 -0600
Hi Tiago,
One thing about networking, *nothing is easy* :-)
While the fact that one end is PPPoE and other is PPPoA shouldn't be an issue,
the fact that other sides are dial up is an issue, because one side definitely
needs a dedicated address, IIRC. Check out www.microsoft.com/vpn and delve into
the White Paper on gateway to gateway VPNs and also grab all the information
you can get on demand dial connections.
HTH,
Tom
Thomas W Shinder
www.isaserver.org/shinder
-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Friday, February 21, 2003 8:44 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: RES: RE: VPN router-to-router drop every ~3 minutes
http://www.ISAserver.org
Hmmm... Could be an idea! As far as I know, I can do PPTP with these routers,
but they must be configured using VPI, VCI and that stuff. I can't establish
tunnels directly to an IP address. The only problem is that one router acts as
a bridge (must be dialed, PPPoE), and the other is a router (PPPoA). I don't
know if PPTP can be configured on these routers in this scenario.
Anyway, I'll try the Active/Passive VPN configuration before anything else.
Thanks a lot!
Tiago de Aviz
-----------------------
tiago@xxxxxxxxxxxxxxx
www.softsell.com.br
-----------------------
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Thursday, February 20, 2003 22:58
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: RES: RE: VPN router-to-router drop every ~3 minutes
Hi Tiago,
Hmmm. It would be hard to blame the DSL lines if you don't see the same
phenomenon between Win2k RRAS servers (without ISA Server on either end). I
don't think it's the fragment filtering, as that shouldn't be an issue with
PPTP links. The L2TP/IPSec won't work if the ISA Server external interface is
behind a NAT. The passive/active is exactly what Steve was referring to.
If you have both of the sites connected via NAT routers, how about creating VPN
gateways between the NAT routers and then create a VPN gateway link between the
ISA Servers inside the tunnel created between the routers.
HTH,
Tom
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Thursday, February 20, 2003 7:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: VPN router-to-router drop every ~3 minutes
Thomas,
Well, "dirty" DSL lines are a possibility around here. However, this only
happens between ISA Servers. For instance: if I establish a VPN with two
RRAS servers without ISA server on one end, it stays up indefinitely. Could it
be those IP fragment/options filters enabled?
About L2TP: would it work over these NAT that my DSL routers are doing?
The Passive/Active router is that thing that Steve Moffat explained in his
e-mail?
Thanks for the help!
Tiago de Aviz
-----------------------
tiago@xxxxxxxxxxxxxxx
www.softsell.com.br
-----------------------
-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, February 19, 2003 22:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN router-to-router drop every ~3 minutes
Hi Tiago,
I've heard about this sort of thing from many people. Some possibilities:
1. Your DSL lines are "dirty" so that PPTP control channel somehow gets
"corrupted" (not very scientific, but this is an hypothesis)
2. There's a problem with PPTP with gateway to gateway connections. The fix is
to use L2TP/IPSec
3. When one of the routers loses its DSL link, both of them try to call each
other at the same time. Fix is to create a passive and an active router
HTH,
Tom
Thomas W Shinder
www.isaserver.org/shinder
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp
-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx]
Sent: Wednesday, February 19, 2003 9:14 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN router-to-router drop every ~3 minutes
Hi folks!
I have two ISA servers that are connected this way:
Internal Network--ISA---DSL router----Internet----DSL router---ISA-Internal Network
Both DSL routers are set to forward all inbound traffic to the ISA Server's
public NIC. BTW, they are both Alcatel Speed Touch Pro modems.
Well, here's what happens when I establish a router-to-router PPTP VPN between
these two ISA's: I created the connections on RRAS, created credentials on both
sides and I also created the static routes from one network to another.
Everything works fine, traffic is routed, it's really fast, but.... it drops
for no reason every 3 minutes or less.
Here's the event that RRAS generates:
The user SOFTSELL\itatiaia connected on port VPN3-126 on 02/17/2003 at 05:30pm
and disconnected on 02/17/2003 at 05:31pm. The user was active for 1 minutes
36 seconds. 0 bytes were sent and 0 bytes were received. The port speed was
10000000. The reason for disconnecting was user request.
Note that this happens even if I have traffic on the tunnel.
Both servers have SP3 and ISA SP1 applied. I couldn't find any remote access
policy that disconnects someone for any reason... everything is unset. Could it
be inheriting these policies from somewhere else? I tried to use that wizard
from ISA server to create VPN's, but the public address is not bound to my
public NIC, so it won't work if I import the settings on the other edge.
Any ideas?
Tiago de Aviz
---------------------
www.softsell.com.br
tiago@xxxxxxxxxxxxxxx
------------------------
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')