Re: Problem with ISA 2004 SP2 and Dlink HI-804HV in Site to Site VPN



Just a clarification: Phase 1 = IKE phase and Phase 2 = IPSec phase

--
----------------------------------------------------------------------------------------------------------------------------
Johan Engdahl
CCSA, CCSE, CCA, MCP | johan AT firewall1 DOT nu | http://www.firewall1.nu

"Stellence" <Stellence@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E2D86DBD-ACB0-42A4-9D4F-45F4757B4582@xxxxxxxxxxxxxxxx
ISA Experts,

My configuration:

192.168.2.0 (Corporate Office) <-> ISA 2004 <-> Internet <-> Actiontec DSL
Router (Transparent Bridging) <-> DLink HI-804HV <-> 192.168.1.0 (Branch
Office)

The Dlink has the latest firmware (v1.44) and I have established a
connection per the instructions in the following article
http://www.isaserver.org/articles/2004isadlink.html

However, the connection drops repeatedly and is basically unacceptable.

These are the errors I am receiving in the event log at the ISA Server:

On the ISA server the events in the security log are:
12:04:23 547 Failure Quick Mode
12:04:23 543 Main Mode Ended
12:04:23 541 Main Mode Established
12:04:52 542 Quick Mode Ended
12:05:00 541 Quick Mode Established
12:05:26 547 Failure Quick Mode
12:05:26 543 Main Mode Ended
12:05:26 541 Main Mode Established
12:06:29 547 Failure Quick Mode
12:08:23 547 Failure Quick Mode
12:08:23 543 Main Mode Ended
12:08:23 541 Main Mode Established
12:09:26 547 Failure Quick Mode

And on and on... renegotiating the SA every couple of minutes rather than
hours.
The actual error is:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 9/7/2006
Time: 12:04:23 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: XXXX
Description:
IKE security association negotiation failed.
Mode:
Data Protection Mode (Quick Mode)

Filter:
Source IP Address xxx.xxx.xxx.40
Source IP Address Mask 255.255.255.255
Destination IP Address 192.168.17.0
Destination IP Address Mask 255.255.255.0
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr xxx.xxx.xxx.40
IKE Peer Addr xx.x.xx.130
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Preshared key ID.
Peer IP Address: xx.x.xx.130

Failure Point:
Me

Failure Reason:
IKE SA deleted before establishment completed

Extra Status:
Processed third (ID) payload
Initiator. Delta Time 63
0x0 0x0

I would like to know if there are tweaks I can make or if this device is not
sufficient to support a solid site-to-site VPN deployment. I have tried
switching from SHA to MD5 and had the same problem. The connection stays in
the Establishing state for several minutes, then connects for a few minutes,
then drops and repeats the same process. I have modified the SAIdleTime to
3600 and have installed hotfix 281966 but still have the same errors.

Thanks in advance for the help!
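As an added illustration (not part of this thread or of ISA Server), the following Python script parses the security-log sequence quoted above and measures how often Main Mode (IKE, phase 1) is being re-established relative to the configured SA lifetime, which is what "renegotiating every couple of minutes rather than hours" looks like in the audit trail. The sample log is a constructed copy of the lines in the post; the sa_lifetime_s default and the flapping threshold are assumptions.

```python
import re
from datetime import timedelta

# Constructed sample: the security-log sequence quoted in the post (HH:MM:SS, event ID, text).
SAMPLE_LOG = """\
12:04:23 547 Failure Quick Mode
12:04:23 543 Main Mode Ended
12:04:23 541 Main Mode Established
12:04:52 542 Quick Mode Ended
12:05:00 541 Quick Mode Established
12:05:26 547 Failure Quick Mode
12:05:26 543 Main Mode Ended
12:05:26 541 Main Mode Established
12:06:29 547 Failure Quick Mode
12:08:23 547 Failure Quick Mode
12:08:23 543 Main Mode Ended
12:08:23 541 Main Mode Established
12:09:26 547 Failure Quick Mode
"""
LINE_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\s+(\d+)\s+(.+)$")

def parse_events(text):
    """Return (time_of_day, event_id, description) tuples sorted by time; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        h, mi, s, eid, desc = m.groups()
        events.append((timedelta(hours=int(h), minutes=int(mi), seconds=int(s)), int(eid), desc))
    return sorted(events, key=lambda e: e[0])

def detect_flapping(text, sa_lifetime_s=3600):
    """Summarise IKE SA churn: 547 = negotiation failure, 541 = SA established (Main or Quick Mode)."""
    events = parse_events(text)
    failures = sum(1 for _, eid, _ in events if eid == 547)
    main_mode = [t for t, eid, d in events if eid == 541 and d.startswith("Main Mode")]
    quick_mode = [t for t, eid, d in events if eid == 541 and d.startswith("Quick Mode")]
    gaps = [(b - a).total_seconds() for a, b in zip(main_mode, main_mode[1:])]
    # Assumed heuristic: a stable tunnel re-runs Main Mode about once per SA lifetime;
    # repeated Main Mode establishments well inside a quarter of that window mean flapping.
    flapping = len(gaps) >= 2 and max(gaps) < sa_lifetime_s / 4
    return {
        "quick_mode_failures": failures,
        "main_mode_established": len(main_mode),
        "quick_mode_established": len(quick_mode),
        "min_gap_s": min(gaps) if gaps else None,
        "flapping": flapping,
    }
```

On the sample the shortest gap between Main Mode establishments is 63 seconds, the same value the 547 event reports as "Delta Time 63".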




