[isalist] Re: Strange VPN Behaviour
- From: "Epsilon" <epsilon@xxxxxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Sat, 12 Feb 2011 10:27:03 +0200
If keeping the same IP range, ISA would think those are Internal Clients
"spoofed" so they'd be blocked... Just use another range, and check the rule from
internal+vpn_clients to external allows all outgoing...
----- Original Message -----
From: Andy Haigh
To: isalist@xxxxxxxxxxxxx
Sent: Saturday, February 12, 2011 01:19
Subject: [isalist] Re: Strange VPN Behaviour
By the way this is an ISA 2006 SP1 installation.
Yes, the VPN clients get the IP addresses from the internal DHCP server. This
is the way we have all our ISA servers configured and they all work fine. This
server worked fine until about a month ago.
If you are saying I have to have a separate IP range for the VPN, I will try
that on this server as I need to get it working. But it doesn't make sense that
all the others are working with the same setup.
Also it's strange that a few of the IP's work and others don't.
Andy
Andy Haigh
HW Systems Pty Ltd
Suite 4, Level 2,
64 Talavera Road
Macquarie Park NSW 2113
Tel: 9882-5050
Fax: 9882-5055
Mob: 0409-885-866
Email: Andy.Haigh@xxxxxxxxxxxxxxxx
Disclaimer: This message is intended only for the use of the person or entity
to whom it is addressed and may contain information that is confidential and/or
privileged. If you are not the intended recipient, you are hereby notified that
any use, review, disclosure, dissemination, retransmission or copying of this
information is prohibited. If you have received this message in error, please
contact the sender and delete this message from your system immediately.
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Saturday, 12 February 2011 1:53 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange VPN Behaviour
Don't do that - in fact, remove it. Disabling spoof detection is a global
setting.
Q - is the VPN client getting an address from the same subnet as internal
users?
If so, this is essentially non-functional because the internal hosts will NOT
use ISA as a router to respond to the VPN clients. Also, this will be the
cause of the spoof detection because ISA requires that the VPN network be
different from any other network (otherwise, it's not a separate "network").
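A way to test for the overlap described in the reply above before changing any settings, given here as an added example that is not part of the thread and not from any of its participants. The network names, address ranges and function names are constructed assumptions; substitute the ranges defined on the firewall and the VPN address pool.

```python
from ipaddress import IPv4Address, summarize_address_range

# Constructed sample data (not from the thread): each firewall network is a
# list of inclusive (first, last) address ranges, as entered in the console.
NETWORKS = {
    "Internal": [("192.168.10.0", "192.168.10.255")],
    "Perimeter": [("172.16.5.0", "172.16.5.255")],
}
VPN_POOL_SHARED = [("192.168.10.200", "192.168.10.220")]  # handed out from the Internal subnet
VPN_POOL_SEPARATE = [("10.99.0.1", "10.99.0.62")]         # dedicated VPN range


def _bounds(rng):
    """Parse an inclusive (first, last) pair and reject reversed ranges."""
    first, last = IPv4Address(rng[0]), IPv4Address(rng[1])
    if first > last:
        raise ValueError(f"range start is after range end: {rng}")
    return first, last


def find_overlaps(vpn_pool, networks):
    """Return (network, first, last) for each VPN span that also lies in another network."""
    hits = []
    for vpn_rng in vpn_pool:
        v_first, v_last = _bounds(vpn_rng)
        for name, ranges in networks.items():
            for net_rng in ranges:
                n_first, n_last = _bounds(net_rng)
                lo, hi = max(v_first, n_first), min(v_last, n_last)
                if lo <= hi:  # the two inclusive ranges intersect
                    hits.append((name, str(lo), str(hi)))
    return hits


def report(vpn_pool, networks):
    """Describe each overlap, with the CIDR blocks that would have to move."""
    lines = []
    for name, lo, hi in find_overlaps(vpn_pool, networks):
        blocks = summarize_address_range(IPv4Address(lo), IPv4Address(hi))
        cidrs = ", ".join(str(b) for b in blocks)
        lines.append(f"VPN pool overlaps {name}: {lo}-{hi} ({cidrs})")
    return lines or ["VPN pool is disjoint from all other networks"]


if __name__ == "__main__":
    for pool in (VPN_POOL_SHARED, VPN_POOL_SEPARATE):
        print("\n".join(report(pool, NETWORKS)))
```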
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Andy Haigh
Sent: Thursday, February 10, 2011 4:34 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange VPN Behaviour
The event log is showing the IP address as being spoofed and it's dropping
the packets.
I have tried turning off spoof detection by adding the key
HKLM\SYSTEM\CurrentControlSet\Services\Fweng\Parameters\DisableSpoofDetection
and setting the value to (1) but it didn't make a difference.
There is a single IP that works, which makes it very confusing.
Andy
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Andy Haigh
Sent: Friday, 11 February 2011 10:16 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange VPN Behaviour
The tracert shows the IP address of the Internal Network on the ISA and then
nothing else. It seems to be that the firewall is not allowing the VPN traffic
through for all but one of the DHCP allocated IPs.
If we get this one IP allocated upon connection all works fine.
Andy
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Steven Comeau
Sent: Friday, 11 February 2011 8:58 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange VPN Behaviour
Just a thought, did you try a tracert or monitoring the remote IP(s) on the
ISA in question?
Steve Comeau
Associate Director of IT Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Andy Haigh
Sent: Thursday, February 10, 2011 4:40 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Strange VPN Behaviour
We have a client that has had ISA Server running happily at their site for
many years and all of a sudden we are having issues with people VPN'ing in.
The actual VPN connection is working fine; the issue is they can't
see anything beyond the ISA Server.
So we connect via VPN and are allocated an IP address from the internal DHCP
pool; all this looks fine. I can now ping the ISA Server's internal IP address
but I can't ping any devices beyond this.
At present the VPN works perfectly for one of the IPs in the range allocated.
I have checked this against other ISA Servers we have installed and
everything looks fine. I have removed VPN and recreated it but still the same
problem.
Anyone able to shed any light on what might be the issue?
Thanks
Andy
*** This message contains confidential information and is intended only for the
individual named. If you are not the named addressee, you should not
disseminate, distribute or copy this e-mail. Please notify the sender
immediately by e-mail if you have received this e-mail by mistake and delete this
e-mail from your system. E-mail transmission cannot be guaranteed to be secure
or error-free as information could be intercepted, corrupted, lost, destroyed,
arrive late or incomplete, or contain viruses. The sender therefore does
not accept liability for any errors or omissions in the contents of this message,
which arise as a result of e-mail transmission. If verification is required
please request a hard-copy version. Rutgers University - DIA, 83 Rockafeller
Road, Piscataway, NJ 08854, www.scarletknights.com ***



