Further to this, I messed with the vpn client config to force an incorrect connection (authenticates but tries to get an incorrect ip), and even this incorrect vpn connection attempt causes the isa server to start refusing lan connections.

-----Original Message-----
From: Paul Noble
Sent: Thursday, January 06, 2005 9:47 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA 2004 VPN connections causing ISA2004 to refuse connections.

http://www.ISAserver.org

Hi There again,

As a continuation of the stuff we're doing here, I've been trying to get our ISA2004 server to be a vpn gateway.

Internet
   |
Netgear 834 adsl router (nat'd)
   |
ISA2004
   |
Lan

That's the basic setup for the incoming connections. Initially we were connected via a leased line and cisco router rather than a NAT adsl router. The router has the pptp port open on it.

I followed through the steps on the isa vpn page to enable the vpn, I created a windows user group for the vpn users, I put an incoming pptp server protocol filter in place and created a subsequent outgoing vpn user filter. The vpn was set to provide an ip from the dhcp server on the internal network (192.168.blah), to which the isa server's internal nic was linked. The client setup was wizard followed, with ip set to dhcp. A custom lmhost file was created to mirror mail servers etc. and imported on the vpn connection.

We have approx 100 lan users and are wanting to support up to 5 vpn users at any one time.

What I originally found on the leased line was that when the clients connected they would get a good connection about 2 out of 3 times: the connection would successfully be assigned an ip, it'd allow pinging of ips and all resources would be accessible, internal email server, sharepoint server etc. When the connection was no good, although it'd be assigned an ip, all connectivity to the lan would not happen, no pings or nowt.

Once we moved our isp from the leased line to the adsl router, and having to add a periphery network element for the new nat network (realip - netgear - 10.15 network - 192.168 internal network), when the vpn client systems reconnected they'd authenticate fine, log onto the network and get an ip, but no resources were accessible. The isa was responding slowly to pings on the vpn's ip, and after 5 minutes of any client being connected to the vpn all lan users gradually began experiencing 'Error Code: 403 Forbidden.' messages when attempting to browse the web.

The performance graphs show that the server isn't actually cutting connections, as a lot of users can still use the net for a period of time, but if left alone it does eventually affect every user who tries to connect. Once this has happened, all the isa services need to be restarted to allow the server to perform normally. No errors are reported in the log files.

There has been at least 1 successful vpn connection on the adsl line, but this also resulted in the 5 minute limitation. I'm at a loss as to why it seemingly worked fine on the leased line but seems to actually affect the lan use on the adsl line.

Any help you can supply would be much appreciated.

Paul Noble