RE: RES: RE: VPN router-to-router drop every ~3 minutes

Hi Tiago,

Hmmm. It would be hard to blame the DSL lines if you don't see the same 
phenomenon between Win2k RRAS servers (without ISA Server on either end). I 
don't think it's the fragment filtering, as that shouldn't be an issue with 
PPTP links. The L2TP/IPSec won't work if the ISA Server external interface is 
behind a NAT. The passive/active is exactly what Steve was referring to.

If you have both of the sites connected via NAT routers, how about creating VPN 
gateways between the NAT routers and then creating a VPN gateway link between the 
ISA Servers inside the tunnel created between the routers?

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp 


-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Thursday, February 20, 2003 7:08 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RES: RE: VPN router-to-router drop every ~3 minutes


http://www.ISAserver.org


Thomas,

Well, "dirty" DSL lines are a possibility around here. However, this only 
happens between ISA Servers. For instance: if I establish a VPN with two 
RRAS servers without ISA server on one end, it stays up indefinitely. Could it 
be those IP fragment/options filters enabled? 

About L2TP: would it work over the NAT that my DSL routers are doing?

Is the Passive/Active router that thing that Steve Moffat explained in his 
e-mail?

Thanks for the help!

Tiago de Aviz
-----------------------
tiago@xxxxxxxxxxxxxxx
www.softsell.com.br
-----------------------


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, February 19, 2003 22:16
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: VPN router-to-router drop every ~3 minutes


Hi Tiago,

I've heard about this sort of thing from many people. Some possibilities:

1. Your DSL lines are "dirty" so that the PPTP control channel somehow gets 
"corrupted" (not very scientific, but this is a hypothesis)

2. There's a problem with PPTP with gateway to gateway connections. The fix is 
to use L2TP/IPSec

3. When one of the routers loses its DSL link, both of them try to call each 
other at the same time. Fix is to create a passive and an active router

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp 


-----Original Message-----
From: Tiago de Aviz [mailto:Tiago@xxxxxxxxxxxxxxx] 
Sent: Wednesday, February 19, 2003 9:14 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] VPN router-to-router drop every ~3 minutes



Hi folks!

I have two ISA servers that are connected this way:

Internal Network--ISA---DSL router----Internet----DSL router---ISA-Internal Network

Both DSL routers are set to forward all inbound traffic to the ISA Server's 
public NIC. BTW, they are both Alcatel Speed Touch Pro modems.

Well, here's what happens when I establish a router-to-router PPTP VPN between 
these two ISA's: I created the connections on RRAS, created credentials on both 
sides and I also created the static routes from one network to another. 
Everything works fine, traffic is routed, it's really fast, but.... it drops 
for no reason every 3 minutes or less.

Here's the event that RRAS generates:

The user SOFTSELL\itatiaia connected on port VPN3-126 on 02/17/2003 at 05:30pm 
and disconnected on 02/17/2003 at 05:31pm.  The user was active for 1 minutes 
36 seconds.  0 bytes were sent and 0 bytes were received. The port speed was 
10000000.  The reason for disconnecting was user request.

Note that this happens even if I have traffic on the tunnel. 

Both servers have SP3 and ISA SP1 applied. I couldn't find any remote access 
policy that disconnects someone for any reason... everything is unset. Could it 
be inheriting these policies from somewhere else? I tried to use that wizard 
from ISA server to create VPNs, but the public address is not bound to my 
public NIC, so it won't work if I import the settings on the other edge. 

Any ideas?

Tiago de Aviz
---------------------
www.softsell.com.br
tiago@xxxxxxxxxxxxxxx
------------------------


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
