http://www.ISAserver.org ------------------------------------------------------- OK. Tomorrow... -----Original Message----- From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God) Sent: Tuesday, January 15, 2008 1:13 PM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: VPN Client Connection Problem http://www.ISAserver.org ------------------------------------------------------- run netmon or equivalent on both sides during the transaction and save them individually... t > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist- > bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore > Sent: Tuesday, January 15, 2008 10:03 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: VPN Client Connection Problem > > http://www.ISAserver.org > ------------------------------------------------------- > > How do I get a dual-ended capture? > > Thanks, > Rob > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist- > bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: Tuesday, January 15, 2008 11:38 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: VPN Client Connection Problem > > http://www.ISAserver.org > ------------------------------------------------------- > > No, you're not - you're getting "0x80074e24 FWX_E_CONNECTION_KILLED", > which is a clear indicator of PPTP protocol violation by one or both > ends of the VPN tunnel. The "" code literally means "closed by > application filter action". > Get a dual-ended capture of this (best done at the ISA itself and I'll > bet you I can find the packet where the problem occurred. > > Jim > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist- > bounce@xxxxxxxxxxxxx] > On Behalf Of Rob Moore > Sent: Tuesday, January 15, 2008 7:55 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: VPN Client Connection Problem > > http://www.ISAserver.org > ------------------------------------------------------- > > Now I can't get the same behavior as yesterday. Yesterday, as I > mentioned in my original post, I'd get an "Initiated" log entry, > followed immediately by a "Closed" log entry, and then immediately by a > "Denied" entry. Today I'm getting only two entries, "Initiated" and, > about 30 seconds later, a "Closed" entry. > > The logs for those two are: > Original Client IP Client Agent Authenticated Client Service > Server Name Referring Server Destination Host Name > Transport MIME Type Object Source Source Proxy > Destination Proxy Bidirectional Client Host Name Filter > Information Network Interface Raw IP Header Raw Payload > GMT Log Time Source Port Processing Time Bytes Sent Bytes > Received Result Code HTTP Status Code Cache > Information Log Record Type Authentication Server Log Time > Destination IP Destination Port Protocol Action Rule > Client IP Client Username Source Network Destination Network > HTTP Method URL Error Information > 216.204.20.170 PHL-ISA3 - > TCP - - > 1/15/2008 3:41:35 PM 64093 31031 188 348 0x80074e24 > FWX_E_CONNECTION_KILLED 0x0 Firewall - > 1/15/2008 10:41:35 AM 172.17.200.20 1723 PPTP Server Closed > Connection PPTP to PHL-UTILITY 216.204.20.170 > External > Internal - - 0x0 > 216.204.20.170 PHL-ISA3 - > TCP - - > 1/15/2008 3:41:04 PM 64093 0 0 0 0x0 > ERROR_SUCCESS 0x0 Firewall - 1/15/2008 > 10:41:04 AM 172.17.200.20 1723 PPTP Server Initiated > Connection PPTP to PHL-UTILITY 216.204.20.170 > External > Internal - - 0x0 > > > I'm guessing that since this is only happening to this one person, it's > something to do with his computer. But if we can figure out what it is > by using the firewall, that's OK with me. > > Thanks for your help, > Rob > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist- > bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: Tuesday, January 15, 2008 9:20 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: VPN Client Connection Problem > > http://www.ISAserver.org > ------------------------------------------------------- > > Yano - you did. > I guess I'm just getting to the point where I overlook "PPTP" > > Still; a look at the relevant log entries (start from "initiate") would > help a lot. > Even better would be network captures from both sides of ISA (NetMon 3 > can do this). > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist- > bounce@xxxxxxxxxxxxx] > On Behalf Of Rob Moore > Sent: Tuesday, January 15, 2008 6:02 AM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: VPN Client Connection Problem > > http://www.ISAserver.org > ------------------------------------------------------- > > I did mention in my original post that it was PPTP. > > Rob > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist- > bounce@xxxxxxxxxxxxx] > On Behalf Of Thomas W Shinder > Sent: Monday, January 14, 2008 10:39 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: VPN Client Connection Problem > > http://www.ISAserver.org > ------------------------------------------------------- > > I'll bet a dollar it's a PPTP VPN :) > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist- > bounce@xxxxxxxxxxxxx] > On Behalf Of Jim Harrison > Sent: Monday, January 14, 2008 8:07 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] Re: VPN Client Connection Problem > > http://www.ISAserver.org > ------------------------------------------------------- > > Can you include a couple of the log entries that indicate this traffic? > "VPN" is too vague; is this IPSec, PPTP, SSL-VPN..? > > -----Original Message----- > From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist- > bounce@xxxxxxxxxxxxx] > On Behalf Of Rob Moore > Sent: Monday, January 14, 2008 1:33 PM > To: isalist@xxxxxxxxxxxxx > Subject: [isalist] VPN Client Connection Problem > > Hello all- > > ISA 2006 Standard > > Windows Server 2003 > > I've got an odd problem. I have a guy using a Mac trying to connect to > my VPN server. (The VPN server is a Windows server running behind the > ISA server. It's a PPTP VPN.) When he tries to connect, he gets this > error message: "The connection was terminated by the communication > device. Please verify your settings and try again". We've tried > recreating his VPN connector. We've tried connecting wired and wireless > and from several different locations. I've also successfully connected > to the VPN server using his account but from different computers, both > Mac and PC. > > When I monitor my own successful connection attempt on the firewall, I > get a single message that says the connection was initiated. When I > monitor his unsuccessful connection attempt, I get three entries. First > it says the connection was initiated. Then it says the connection was > closed. Then I get a "Denied" entry in which it appears the ISA server > is trying to send the request to the public IP address of the VPN > server. The error is "0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED." > > I've tried Googling it and gotten a lot of stuff, some of it ISA > related, some of it not. I also looked some in the archives of this > list. > > Can anyone point me in the right direction? > > Thanks, > > Rob > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > > Rob Moore > > Network Manager > > 215-241-7870 > > Help Desk: 800-500-AFSC > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx > > ------------------------------------------------------ > List Archives: //www.freelists.org/archives/isalist/ > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server Articles and Tutorials: > http://www.isaserver.org/articles_tutorials/ > ISA Server Blogs: http://blogs.isaserver.org/ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > To unsubscribe visit http://www.isaserver.org/pages/isalist.asp > Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx ------------------------------------------------------ List Archives: //www.freelists.org/archives/isalist/ ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/ ISA Server Blogs: http://blogs.isaserver.org/ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ To unsubscribe visit http://www.isaserver.org/pages/isalist.asp Report abuse to listadmin@xxxxxxxxxxxxx