Denied Connection Errors for NetBios Name and Session (137 and 139)
- From: Larry Heimendinger <LarryHeimendinger@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sat, 16 Jul 2005 09:55:02 -0700
I am not certain this is a VPN issue, but it is driving me crazy trying to
get it to work.
Scenario: Customer and Supplier offices. ISA 2004 running as a front end
server at each site. Different 2003 domains at each site (not in same
forest), plus customer has an NT domain on the same internal network.
Companies want to have bi-directional trusts. Customer site has a dedicated
static IP, supplier has a dynamic IP but running on public DDNS.
Verified all connections work fine, and seemingly no problems after fine
tuning some protocol access while watching logging on each side. Established
two-way trust between 2003 sites with no problem. But proved unable to
establish trust between 2003 in supplier and NT domains in customer. Error
is that it could not find the domain controller (same casual error on either
side).
Logging on supplier side reveals that the following network attempts are
getting "denied connection" with no rule associated with the log entry:
1. TCP 139 NetBios Session from Local Host to Customer VPN. The IP address
on the local host is the internal network IP as seen by the supplier internal
client machines.
2. TCP 139 NetBios Session from Local Host to Customer VPN. The IP address
on the local host is a DHCP address given out by RAS.
3. UDP 137 NetBios Name Service from Local Host to Internal. The IP
address of the local host is the same DHCP address given out by RAS as in 2.
The IP address of the internal destination is the internal IP address of one
of the domain controllers and is running WINS and DNS for active directory.
Lastly, there is a "denied connection" error associated with the default
rule as follows:
UDP 137 NetBios Name Service from External to Local Host. The external
address is the public and dynamic IP address (although it has remained static
for months) of the supplier ISA server and the Local Host IP address is that
same IP address except that it seems to be a broadcast on xxx.xxx.xxx.255.
The Netbios rule being used is: NetBios Datagram, NetBios Name Service and
NetBios Session from Customer VPN/Internal/Local Host to External/Customer
VPN/Internal/Local Host for all users. This is the same rule being used on
the Customer site and none of this traffic gets logged there as denied
connection, but rather we can see the traffic initiate.
Just to add, we have carefully analyzed the WINS records, and they all look
great. The domain and domain controller records for the NT domain are there,
and no junk at all. Network browsing of course works fine. And because the
2003 domains have two-way trust, authorized users can get to whatever
resources they need. To wit, I can run any domain-level admin tool on any
server in either domain from either side.
I can think of only one difference of any consequence between the two sites:
on the supplier site, where the difficulty lies, DNS forwarding has been set
up so that all DNS requests from the two DCs (only ones running DNS) are
forwarded to the ISA front end. And there is a VoIP gateway that has a few
specific protocol rules but nowhere near any of these ports (I had better
check!).
Help, please. This just makes no sense, and any logging error like this we
have had before we can immediately impact (even if we don't want to) by adding
that protocol to a rule. But it seems like nothing, including allowing all
traffic, affects these errors.