RE: ISA 2004 VPN connections causing ISA2004 to refuse connections.

  • From: pnoble@xxxxxxxxxxxxxxxxxxxxxxxxxx
  • To: isalist@xxxxxxxxxxxxx
  • Date: Thu, 6 Jan 2005 10:13:59 -0000

Further to this, I messed with the VPN client config to force an incorrect
connection (authenticates but tries to get an incorrect IP) and even this
incorrect VPN connection attempt causes the ISA server to start refusing LAN
connections.

-----Original Message-----
From: Paul Noble 
Sent: Thursday, January 06, 2005 9:47 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA 2004 VPN connections causing ISA2004 to refuse connections.

http://www.ISAserver.org

Hi There again,

As a continuation of the stuff we're doing here, I've been trying to get our
ISA2004 server to be a VPN gateway.

Internet
|
Netgear 834 adsl router (nat'd)
|
ISA2004
|
Lan

That's the basic setup for the incoming connections.

Initially we were connected via a leased line and Cisco router rather than a
NAT ADSL router.

The router has the PPTP port open on it.

I followed through the steps on the ISA VPN page to enable the VPN: I
created a Windows user group for the VPN users, I put an incoming PPTP
server protocol filter in place and created a subsequent outgoing VPN user
filter. The VPN was set to provide an IP from the DHCP server on the
internal network (192.168.blah), which the ISA server's internal NIC was
linked to.

The client setup was done by following the wizard, with the IP set to DHCP.

A custom lmhosts file was created to mirror mail servers etc. and imported on
the VPN connection.

We have approx. 100 LAN users and want to support up to 5 VPN users at
any one time.


What I originally found on the leased line was that when the clients
connected they would get a good connection about 2 out of 3 times: the
connection would successfully be assigned an IP, it'd allow pinging of IPs
and all resources would be accessible, internal email server, SharePoint
server etc. When the connection was no good, although it'd be assigned an IP,
all connectivity to the LAN would not happen, no pings or nowt.

Once we moved our ISP from the leased line to the ADSL router, and had to
add a perimeter network element for the new NAT network (real IP - Netgear -
10.15 network - 192.168 internal network), when the VPN client systems
reconnected they'd authenticate fine, log onto the network and get an IP, but no
resources were accessible. The ISA was responding slowly to pings on the
VPN's IP, and after 5 minutes of any client being connected to the VPN all
LAN users gradually began experiencing 'Error Code: 403 Forbidden.' messages
when attempting to browse the web.

The performance graphs show that the server isn't actually cutting
connections, as a lot of users can still use the net for a period of time,
but if left alone it does eventually affect every user who tries to connect.

Once this has happened, all the ISA services need to be restarted to allow
the server to perform normally.

No errors are reported in the log files.

There has been at least 1 successful VPN connection on the ADSL line, but this
also resulted in the 5 minute limitation.

I'm at a loss as to why it seemingly worked fine on the leased line but seems
to actually affect the LAN use on the ADSL line.

Any help you can supply would be much appreciated.


Paul Noble
