RE: TERRIBLY frustrated with Remote Site Networks...

  • From: "Mike Anderson" <mike@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 18 Nov 2004 21:11:55 -0600

Hey Thomas (and List),

I am using strictly PPTP for pure simplicity reasons.

After playing around more this evening, here is what I came up with (and
Thomas, can you verify this for me?)  I deleted the entire config on the
Receiving ISA Server.  I created a new Remote Profile, along with the
corresponding Username - changed the Username on the calling machine,
and it came up immediately.

Just to play around, I rebooted both machines, at different intervals,
many times - and it seemed to come back up consistently.  This leads me
to believe, that as long as you keep your darn hands directly off the
RRAS settings (outside of ISA 2004 doing its own stuff to the config),
you should be okay?  After tweaking the RRAS Adapter on the calling
machine, and setting it to "Persistent Connection" versus "Demand Dial"
(with Demand Dial being the default setting), all hell broke loose once
again, and then it wouldn't want to connect back up again.  However,
after going back into the ISA 2004 console, reestablishing the
credentials, and finally rebooting, it connected just fine upon the ISA
Server coming back up again.

Is RRAS THAT closely coupled with ISA 2004 - that if you change ANYTHING
outside of using ISA Wizards, everything goes to hell??  I recall,
another user on this list, telling me recently that he learned the hard
way too, to not mess with RRAS directly - but to allow ISA 2004 to
perform the changes whenever you wanted to change something?  Well, what
if I want to make a change on the Routing Adapter contained in RRAS,
that is automatically created by ISA Server?  Stuff like making it into
a Persistent Connection, or some other advanced option?  It seems to
break the config, and you have to start all over again.

Could you please verify that for me Thomas?

My last question is, what if the Calling server, simply drops off, and
then the connection resets?  If the calling machine tries to reconnect,
is the receiving machine 100% reliable in actually accepting that call
once again?  I am finding, that if for some reason, the receiving server
loses the calling server's connection, the only thing that cleans things
up, is a total reboot.  I could be wrong, but this is what I seem to be
finding.

Thanks for your help everybody,

Mike 

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Thursday, November 18, 2004 8:04 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: TERRIBLY frustrated with Remote Site Networks...

http://www.ISAserver.org

Hi Mike,

What VPN protocol are you using?

Thanks! 


Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Mike Anderson [mailto:mike@xxxxxxxxxxxx]
Sent: Thursday, November 18, 2004 6:53 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] TERRIBLY frustrated with Remote Site Networks...
Importance: High

Hey Everyone,

After I finally got my Firewall policies working, in which I can ping
both sides of the network, etc., after a reboot of the server, I can no
longer get reconnected again.  Under RRAS on the calling computer, the
Demand Dial Interface just says that the Remote end is "unreachable".

Jeeze!  If it's not one thing, it's another thing, with ISA 2004 coupled
with RRAS.  I am serious - I really thought ISA 2004 on both ends, could
be able to at least handle a permanent connection.  I've never seen such
a simple setup, be so riddled with problems.  What really gets me, is
after getting it to work, and thinking I had that project all finished,
now I have this open can of worms once again - and have to drop
everything I am doing, to revisit this client site.

You can assume the following:  Windows 2003 OS (in a domain environment)
and ISA 2004 on the calling side - with a 20-node 192.168.10.x network
that it services.  Windows 2003 OS (standalone) and ISA 2004 on the
receiving end of the connection - with a 10-node 192.168.0.x network
that it services.  Like Thomas suggested, only one side initiates the
connection, while the other end simply accepts the connection.  I
created Remote Sites via the ISA 2004 console, at each site, etc.  On
the receiving side, I have a local user created (which is called
VPN_Home) with Dial-in access granted, and it's the same name as the
Remote Site inside of ISA 2004 (because they of course have to match,
according to the docs).  Remember, this thing WORKED for a while - and
now it does not, so you can assume that I have most everything else
configured correctly.

What am I missing???  Here is what I get in the Event Logs:

     On the CALLING ISA Server, I get the following message:

     "A Demand Dial connection to the remote interface TechniSource
     on port VPN4-19 was successfully initiated but failed to
     complete successfully because of the  following error: The
     modem (or other connecting device) has reported an error."

     On the RECEIVING ISA Server, I get the following message:

     "A Demand Dial connection to the remote interface VPN_Home
     failed to be initiated successfully. The following error
     occurred: The interface credentials have not been set."

Please keep in mind, this thing was up for a WEEK.  I didn't screw
around with anything - and now after a simple reboot of one of the
servers, I can no longer establish a Remote Connection.  I verified,
that the credentials were correct a million times - and re-entered the
information in many times - and it did nothing for me.

Can somebody help me?  Extremely frustrated....

Mike

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


