The issue I have is that we have 4 ISA Server computers all configured the same way, using the Internal DHCP to provide IP addresses, and they were all working fine in this setup. Now we have one ISA Server that is causing the issues described but the other 3 continue to work. If it was a specific requirement then it shouldn't have ever worked on our ISA server setups.

Andy

Andy Haigh
HW Systems Pty Ltd
Suite 4, Level 2, 64 Talavera Road
Macquarie Park NSW 2113
Tel: 9882-5050 Fax: 9882-5055 Mob: 0409-885-866
Email: Andy.Haigh@xxxxxxxxxxxxxxxx

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Epsilon
Sent: Saturday, 12 February 2011 7:27 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange VPN Behaviour

if keeping the same iprange, ISA would think those are Internal Clients "spoofed" so they'd be blocked... Just use another range, and chk the rule from internal+vpn_clients to external allows all outgoing...

----- Original Message -----
From: Andy Haigh <Andy.Haigh@xxxxxxxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Saturday, February 12, 2011 01:19
Subject: [isalist] Re: Strange VPN Behaviour

By the way this is an ISA 2006 SP1 installation. Yes, the VPN clients get the IP addresses from the internal DHCP server. This is the way we have all our ISA servers configured and they all work fine. This server worked fine until about a month ago.
If you are saying I have to have a separate IP range for the VPN, I will try that on this server as I need to get it working. But it doesn't make sense that all the others are working with the same setup. Also it's strange that a few of the IP's work and others don't.

Andy

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Saturday, 12 February 2011 1:53 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange VPN Behaviour

Don't do that - in fact; remove it. Disabling spoof detection is a global setting.

Q - is the VPN client getting an address from the same subnet as internal users? If so, this is essentially non-functional because the internal hosts will NOT use ISA as a router to respond to the VPN clients. Also, this will be the cause of the spoof detection because ISA requires that the VPN network be different from any other network (otherwise, it's not a separate "network").

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andy Haigh
Sent: Thursday, February 10, 2011 4:34 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange VPN Behaviour

The event log is showing the IP address as being spoofed and it's dropping the packets.
I have tried turning off spoof detection by adding the key HKLM\SYSTEM\CurrentControlSet\Services\Fweng\Parameters\DisableSpoofDetection and setting the value to (1) but didn't make a difference. There is a single IP that works, which makes it very confusing.

Andy

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andy Haigh
Sent: Friday, 11 February 2011 10:16 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange VPN Behaviour

The tracert shows the IP address of the Internal Network on the ISA and then nothing else. It seems to be that the firewall is not allowing the VPN traffic through for all but one of the DHCP allocated IP's. If we get this one IP allocated upon connection all works fine.

Andy
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Steven Comeau
Sent: Friday, 11 February 2011 8:58 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange VPN Behaviour

Just a thought, did you try a tracert or monitoring the remote IP(s) on the ISA in question?

Steve Comeau
Associate Director of IT
Rutgers Athletics
83 Rockafeller Road
Piscataway, NJ 08854
732-445-7802
732-445-4623 (fax)
www.scarletknights.com

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Andy Haigh
Sent: Thursday, February 10, 2011 4:40 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Strange VPN Behaviour

We have a client that has had ISA Server running happily at their site for many years and all of a sudden we are having issues with people VPN'ing in. The actual VPN connection is working fine, the issue is they can't see anything beyond the ISA Server.

So we connect via VPN and are allocated an IP address from the internal DHCP pool, all this looks fine. I can now ping the ISA Server's internal IP address but I can't ping any devices beyond this. At present the VPN works perfectly for one of the IP's in the range allocated.

I have checked this against other ISA Servers we have installed and everything looks fine. I have removed VPN and recreated it but still the same problem. Anyone able to shed any light on what might be the issue?
Thanks

Andy
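
The rule Jim Harrison and Epsilon describe in their replies (a VPN address range that falls inside another ISA network gets its traffic treated as spoofed), shown as an added example that is not part of the thread and not ISA Server's own code. The address ranges and function names are constructed, and `verdict` is a simplified model of that rule, not the firewall's actual logic.

```python
import ipaddress

# Constructed address ranges (assumptions, not taken from the thread).
INTERNAL = [("192.168.10.1", "192.168.10.254")]
VPN_SHARED = [("192.168.10.200", "192.168.10.220")]  # leased from the internal scope
VPN_DEDICATED = [("10.99.0.1", "10.99.0.50")]        # separate static pool

def parse(ranges):
    """Convert (start, end) string pairs to validated integer pairs."""
    out = []
    for start, end in ranges:
        lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
        if lo > hi:
            raise ValueError(f"range start after end: {start}-{end}")
        out.append((lo, hi))
    return out

def overlap(a, b):
    """Return the address spans present in both range lists, as strings."""
    hits = []
    for alo, ahi in parse(a):
        for blo, bhi in parse(b):
            lo, hi = max(alo, blo), min(ahi, bhi)
            if lo <= hi:
                hits.append((str(ipaddress.IPv4Address(lo)),
                             str(ipaddress.IPv4Address(hi))))
    return hits

def contains(ranges, addr):
    """True if addr falls inside any of the ranges."""
    a = int(ipaddress.IPv4Address(addr))
    return any(lo <= a <= hi for lo, hi in parse(ranges))

def verdict(src, arrived_on, networks):
    """Simplified model of the rule in the replies: a source address that
    another defined network also claims is treated as spoofed."""
    if not contains(networks[arrived_on], src):
        return "spoofed: address not in " + arrived_on
    others = [n for n, r in networks.items()
              if n != arrived_on and contains(r, src)]
    return "spoofed: also claimed by " + ", ".join(others) if others else "accepted"

if __name__ == "__main__":
    shared = {"Internal": INTERNAL, "VPN Clients": VPN_SHARED}
    dedicated = {"Internal": INTERNAL, "VPN Clients": VPN_DEDICATED}
    print(overlap(INTERNAL, VPN_SHARED))
    print(verdict("192.168.10.205", "VPN Clients", shared))
    print(verdict("10.99.0.7", "VPN Clients", dedicated))
```

Running the overlap check against the real Internal network definition and the VPN address assignment range before a change shows whether the two are still separate networks.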