Site To Site - Spoofing Packet Dropped??



Hello ISA Gurus!

Here is the environment:
1. My Side
ISA Server 2006
2. Remote Site
Cisco VPN 3000 Concentrator

I am trying to create a Site to Site VPN using ISA. We have created
the tunnel on both sides and here is the config on my end:

Local Tunnel Endpoint: 999.222.122.67
Remote Tunnel Endpoint: 999.209.156.136

IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (test)
Security Association Lifetime: 28800 seconds

IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Security Association Lifetime: 3600 seconds
Kbyte Rekeying: OFF
Remote Network 'OtherSite' IP Subnets:
Subnet: 999.109.157.55/255.255.255.255
Subnet: 999.209.156.136/255.255.255.255

I have also set up access rules permitting all traffic in both
directions between both protected networks.

If the remote site tries to ping a protected host on our side I see
the following on the ISA Server ;

1) I see a VPN session appear on the Sessions tab of the Monitoring
section of the ISA Management Console
2) I see an IKE packet from the other site between peers
3) I see a log entry which shows the PING packet has been denied;
however it is not being denied by any firewall rule, instead there is
the following error code in the log:
0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED

A Cisco support guy has looked at the logs on the other side and he
says that the negotiation for Phase 2 is not completing and the ISA is
not responding and thus the tunnel is not up. However on my side it
looks like the tunnel is up because I can see the ping packet arrive,
but it is blocked by ISA for some reason.

Can anyone advise on the following:
1. Is there somewhere in ISA that I can see the log entries for the
tunnel negotiation with the other peer and perhaps get an idea as to
why the tunnel is failing?

OR

2. Does anyone know why I get the FWX_E_FWE_SPOOFING_PACKET_DROPPED
error in the firewall logs?

The thoughts / ideas of the members of this knowledgeable forum would
be valued.
Many Thanks
TPD
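Added example (not from the post, and not ISA or Microsoft code): a simplified model of the per-network anti-spoofing check that an ISA-style firewall applies before any access rule is consulted. The rule it models, that a packet is accepted on a network only when its source address falls inside one of the address ranges defined for that network, is the editor's general understanding of how this class of spoof detection works and is applied here as an assumption; the post itself does not explain the check. Because the post's 999.x addresses are obfuscated and not valid IPv4, the network definitions and traffic sample below use RFC 5737 documentation ranges and are constructed. The shape of the remote network is kept: only two /32 entries, so a ping from any other remote-LAN host falls outside it.

```python
"""
Simplified model of the per-network anti-spoofing check that an ISA-style
firewall applies before any access rule is evaluated: a packet is only
accepted on a network if its source address falls inside one of the
address ranges defined for that network. Everything below is constructed
for illustration and is not ISA code.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed network definitions, mirroring the layout of the post:
# the remote-site network contains only two /32 entries. Addresses are
# RFC 5737 documentation ranges, not the (obfuscated) 999.x values.
NETWORKS: Dict[str, List[str]] = {
    "Internal": ["10.0.0.0/24"],
    "External": ["203.0.113.0/24"],
    "OtherSite": ["198.51.100.55/32", "198.51.100.136/32"],
}


def source_in_network(network_name: str, src_ip: str,
                      networks: Dict[str, List[str]] = NETWORKS) -> bool:
    """True if src_ip lies inside any address range defined for network_name."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(r) for r in networks[network_name])


def spoof_check(network_name: str, src_ip: str,
                networks: Dict[str, List[str]] = NETWORKS) -> str:
    """Classify a packet that arrived on network_name with source src_ip."""
    if source_in_network(network_name, src_ip, networks):
        return "accepted"
    # This is the outcome the log reports as FWX_E_FWE_SPOOFING_PACKET_DROPPED.
    return "spoof_dropped"


# Constructed traffic sample: (network the packet arrived on, source, destination).
# The second and third rows are pings from remote-LAN hosts that are not among
# the two /32 entries of 'OtherSite'.
SAMPLE_PACKETS: List[Tuple[str, str, str]] = [
    ("OtherSite", "198.51.100.55", "10.0.0.25"),
    ("OtherSite", "198.51.100.10", "10.0.0.25"),
    ("OtherSite", "198.51.100.20", "10.0.0.25"),
    ("Internal", "10.0.0.25", "198.51.100.55"),
]


def find_spoof_drops(packets: Iterable[Tuple[str, str, str]],
                     networks: Dict[str, List[str]] = NETWORKS) -> List[str]:
    """Return the source addresses that the spoof check would drop."""
    return [src for net, src, _dst in packets
            if spoof_check(net, src, networks) == "spoof_dropped"]


def covering_supernet(addrs: Iterable[str]) -> str:
    """Smallest single prefix containing every address in addrs; a review aid
    showing what the remote network definition would have to cover."""
    hosts = [ipaddress.ip_network(a) for a in addrs]   # each parses as a /32
    net = hosts[0]
    while not all(h.network_address in net for h in hosts):
        net = net.supernet()   # widen by one bit until every host fits
    return str(net)


if __name__ == "__main__":
    dropped = find_spoof_drops(SAMPLE_PACKETS)
    print("would be logged as spoofed:", dropped)
    if dropped:
        print("remote network definition would need to include:",
              covering_supernet(dropped))
```

Run as a script it lists the two remote-LAN sources that fall outside the /32 entries and the smallest prefix that would cover them. When reviewing a real ISA log, the comparison to make is the same: take the source address of each entry carrying result code 0xc0040014 and check it against the address ranges of the network the packet arrived on; a source outside those ranges is dropped by the spoof check, so no access rule is ever evaluated for it.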



