Re: Unable to make VPN connection to ISA 2006 Standard



Many thanks for your reply. I understand about GRE. I don't believe the
routers in question are blocking this. In fact I know with the end that works
fine that they can't be blocking it. The configs are truly identical at each
end, even down to the IOS configs in the routers apart from the IP addresses
being used of course and at the failing end I have even tried another router!

This weekend I am going to remove ISA and see if I can make a PPTP
connection direct to RRAS. This will eliminate my only outstanding suspicion
- that the ADSL provision is blocking GRE somewhere. I am led to believe by
the client that this can't be the case however because the existing system
being replaced used to provide VPN access to clients terminating at the
router at this site.

What I'm really trying to do here is a site to site VPN. If I can't get this
end working then another option open to me is to form an IPSEC tunnel router
to router, and that's another thing I'll do this weekend but I had my heart
set on ISA-to-ISA. I've used it before for several clients.

Thanks for your pointer about the Automatic client setting trying L2TP - I
thought I had set the dial up connection at the clients I have used for
testing to be PPTP specifically but perhaps in one instance I didn't.

I'd really appreciate some assistance with where to go next on
troubleshooting this. I've looked through the many RRAS logs to try and
understand where things are breaking down - but there are so many with so
much in them. If it were a GRE problem, for example, where would I see this
or do I have to get NETMON running to crunch the packets?

Mike Iles

"Jim Harrison (ISA SE)" wrote:

PPTP is not just "port 1723"; it's also IP:47 (NOT "port 47"), also known as
GRE.
If the routers in question don't allow IP:47, then PPTP can never succeed.
If the VPN clients are configured for "automatic" VPN protocol, they'll try
IPSec when PPTP fails and that's probably why you see IKE.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Mike Iles" <MikeIles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6EBB2558-67BE-4F9A-8867-CC27D7A28A5A@xxxxxxxxxxxxxxxx
I'm tearing my hair out trying to get VPN client access to work on a
particular system. It's Server 2003 R2 with ISA 2006 Standard and I have
followed all the guidelines for providing VPN access (and I have done this
many times before).
The symptom is that the client times out trying to connect with the error
indicating the VPN server didn't respond. Monitoring at the ISA server you
see the PPTP connection established and a subsequent disconnection.
VPN is set to use DHCP and RRAS has successfully acquired a block of
addresses on starting. When the connection is initiated however, it doesn't
get as far as assigning an IP address to the internal interface. No events
logged and no other problems with ISA.

This is one of a pair of identical systems at two different sites and the
other works fine (using the same client pc too). They have the same routers,
identically configured to ensure that port 1723 is passed.

Sometimes, but not always, between the PPTP connect and disconnect the ISA
log shows a failed access from External to Local host with the IKE client
(port 500). The source IP address is similar, but not the same as the client
PC. Adding a rule to pass this traffic still doesn't get a connection.

Any further troubleshooting tips welcome
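
Added example, not part of the original thread: a small classifier for raw IPv4 packets from a capture on the VPN server's external interface, reporting whether the TCP 1723 control channel and the IP protocol 47 (GRE) data channel are each seen in both directions. The addresses, sample packets and function names are constructed for illustration; the GRE check uses the PPTP enhanced GRE header from RFC 2637 (version 1, protocol type 0x880B).

```python
import socket
import struct
from collections import Counter

SERVER, CLIENT = "203.0.113.5", "198.51.100.10"   # constructed addresses

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 packet for the constructed sample (checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, socket.inet_aton(src), socket.inet_aton(dst)) + payload

def ports(sport, dport):
    return struct.pack("!HH4x", sport, dport)     # start of a TCP/UDP header

# Enhanced GRE header as PPTP uses it: K and S bits, version 1, type 0x880B.
PPTP_GRE = struct.pack("!HHHHI", 0x3001, 0x880B, 0, 1, 0)

def classify(pkt):
    """Return (src, dst, kind) for one raw IPv4 packet."""
    ihl, proto, kind = (pkt[0] & 0x0F) * 4, pkt[9], "other"
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    # First 4 bytes after the IP header: TCP/UDP ports, or GRE flags + type.
    a, b = struct.unpack("!HH", pkt[ihl:ihl + 4].ljust(4, b"\0"))
    if proto == 6 and 1723 in (a, b):
        kind = "pptp-control"                     # TCP 1723
    elif proto == 17 and 500 in (a, b):
        kind = "ike"                              # UDP 500
    elif proto == 47:
        kind = "pptp-gre" if (a & 7) == 1 and b == 0x880B else "gre-other"
    return src, dst, kind

def diagnose(packets, server=SERVER):
    """Summarise a capture taken on the server's external interface."""
    seen = Counter()
    for src, dst, kind in map(classify, packets):
        if server in (src, dst):
            seen[kind, "in" if dst == server else "out"] += 1
    if not (seen["pptp-control", "in"] and seen["pptp-control", "out"]):
        return "no two-way PPTP control channel on TCP 1723"
    gre = (bool(seen["pptp-gre", "in"]), bool(seen["pptp-gre", "out"]))
    return {(True, True): "GRE seen in both directions",
            (False, True): "GRE leaves the server, none arrives from the client",
            (True, False): "GRE arrives from the client, server sends none",
            (False, False): "no GRE in either direction"}[gre]

# Constructed capture: control channel completes, only the server's GRE is seen.
FAILING = [ipv4(CLIENT, SERVER, 6, ports(49152, 1723)),
           ipv4(SERVER, CLIENT, 6, ports(1723, 49152)),
           ipv4(SERVER, CLIENT, 47, PPTP_GRE),
           ipv4(CLIENT, SERVER, 17, ports(500, 500))]
```

Running the same check on captures from the working and the failing site separates a path that drops IP protocol 47 from a problem on the server itself.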
