[isalist] Re: VPN Client Connection Problem

From: "Rob Moore" <RMoore@xxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Date: Tue, 15 Jan 2008 13:02:58 -0500
http://www.ISAserver.org
-------------------------------------------------------

How do I get a dual-ended capture?

Thanks,
Rob

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, January 15, 2008 11:38 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Client Connection Problem

http://www.ISAserver.org
-------------------------------------------------------
  
No, you're not - you're getting "0x80074e24 FWX_E_CONNECTION_KILLED",
which is a clear indicator of PPTP protocol violation by one or both
ends of the VPN tunnel.  The "" code literally means "closed by
application filter action".
Get a dual-ended capture of this (best done at the ISA itself and I'll
bet you I can find the packet where the problem occurred.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Rob Moore
Sent: Tuesday, January 15, 2008 7:55 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Client Connection Problem

http://www.ISAserver.org
-------------------------------------------------------

Now I can't get the same behavior as yesterday. Yesterday, as I
mentioned in my original post, I'd get an "Initiated" log entry,
followed immediately by a "Closed" log entry, and then immediately by a
"Denied" entry. Today I'm getting only two entries, "Initiated" and,
about 30 seconds later, a "Closed" entry.

The logs for those two are:
Original Client IP      Client Agent    Authenticated Client    Service
Server Name     Referring Server        Destination Host Name
Transport       MIME Type       Object Source   Source Proxy
Destination Proxy       Bidirectional   Client Host Name        Filter
Information     Network Interface       Raw IP Header   Raw Payload
GMT Log Time    Source Port     Processing Time Bytes Sent      Bytes
Received        Result Code     HTTP Status Code        Cache
Information     Log Record Type Authentication Server   Log Time
Destination IP  Destination Port        Protocol        Action  Rule
Client IP       Client Username Source Network  Destination Network
HTTP Method     URL     Error Information
216.204.20.170                          PHL-ISA3        -
TCP     -                                               -
1/15/2008 3:41:35 PM    64093   31031   188     348     0x80074e24
FWX_E_CONNECTION_KILLED         0x0     Firewall        -
1/15/2008 10:41:35 AM   172.17.200.20   1723    PPTP Server     Closed
Connection      PPTP to PHL-UTILITY     216.204.20.170          External
Internal        -       -       0x0
216.204.20.170                          PHL-ISA3        -
TCP     -                                               -
1/15/2008 3:41:04 PM    64093   0       0       0       0x0
ERROR_SUCCESS           0x0     Firewall        -       1/15/2008
10:41:04 AM     172.17.200.20   1723    PPTP Server     Initiated
Connection      PPTP to PHL-UTILITY     216.204.20.170          External
Internal        -       -       0x0


I'm guessing that since this is only happening to this one person, it's
something to do with his computer. But if we can figure out what it is
by using the firewall, that's OK with me.

Thanks for your help,
Rob

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, January 15, 2008 9:20 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Client Connection Problem

http://www.ISAserver.org
-------------------------------------------------------

Yano - you did.
I guess I'm just getting to the point where I overlook "PPTP"

Still; a look at the relevant log entries (start from "initiate") would
help a lot.
Even better would be network captures from both sides of ISA (NetMon 3
can do this).

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Rob Moore
Sent: Tuesday, January 15, 2008 6:02 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Client Connection Problem

http://www.ISAserver.org
-------------------------------------------------------

I did mention in my original post that it was PPTP.

Rob

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Monday, January 14, 2008 10:39 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Client Connection Problem

http://www.ISAserver.org
-------------------------------------------------------

I'll bet a dollar it's a PPTP VPN :)

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Monday, January 14, 2008 8:07 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Client Connection Problem

http://www.ISAserver.org
-------------------------------------------------------

Can you include a couple of the log entries that indicate this traffic?
"VPN" is too vague; is this IPSec, PPTP, SSL-VPN..?

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Rob Moore
Sent: Monday, January 14, 2008 1:33 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] VPN Client Connection Problem

Hello all-

ISA 2006 Standard

Windows Server 2003

I've got an odd problem. I have a guy using a Mac trying to connect to
my VPN server. (The VPN server is a Windows server running behind the
ISA server. It's a PPTP VPN.) When he tries to connect, he gets this
error message: "The connection was terminated by the communication
device. Please verify your settings and try again". We've tried
recreating his VPN connector. We've tried connecting wired and wireless
and from several different locations. I've also successfully connected
to the VPN server using his account but from different computers, both
Mac and PC.

When I monitor my own successful connection attempt on the firewall, I
get a single message that says the connection was initiated. When I
monitor his unsuccessful connection attempt, I get three entries. First
it says the connection was initiated. Then it says the connection was
closed. Then I get a "Denied" entry in which it appears the ISA server
is trying to send the request to the public IP address of the VPN
server. The error is "0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED."

I've tried Googling it and gotten a lot of stuff, some of it ISA
related, some of it not. I also looked some in the archives of this
list.

Can anyone point me in the right direction?

Thanks,

Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Rob Moore

Network Manager

215-241-7870

Help Desk: 800-500-AFSC

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx



------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/  
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp 
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/ 
ISA Server Blogs: http://blogs.isaserver.org/ 
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com 
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp 
Report abuse to listadmin@xxxxxxxxxxxxx 

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Follow-Ups:
- [isalist] Re: VPN Client Connection Problem
  - From: Thor (Hammer of God)
- [isalist] Re: VPN Client Connection Problem
  - From: Jim Harrison
References:
- [isalist] Re: VPN Client Connection Problem
  - From: Thomas W Shinder
- [isalist] Re: VPN Client Connection Problem
  - From: Rob Moore
- [isalist] Re: VPN Client Connection Problem
  - From: Jim Harrison
- [isalist] Re: VPN Client Connection Problem
  - From: Rob Moore
- [isalist] Re: VPN Client Connection Problem
  - From: Jim Harrison
[isalist] Re: VPN Client Connection Problem

Other related posts:
