Re: Outgoing VPN Error 619




That's weird, I sent it to jim at isatools.org and I did not get a bounce back at all.

"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:D05A0189-42BF-4878-8F15-2E61854F2338@xxxxxxxxxxxxxxxx
99.44% of the time, the additional NAT device is buggering the PPTP call IDs established between the ISA and the remote.
The PPTP filter recognizes that this has changed, and shuts down the connection.

I haven't seen anything from you yet?
Have you seen a bounce mail?

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Damon" <enlighten@xxxxxxxxxxxxxxxxx> wrote in message
news:%23Mo11DvpIHA.2256@xxxxxxxxxxxxxxxxxxxxxxx
Hey Jim,

Thanks for your help with this. I have gotten outbound VPNs working. It turns out the problem was not with ISA at all but a problem with the Linksys, even though I can PPTP out fine when behind the Linksys. I'm still interested, though, to hear what you discovered from the Network Monitor analysis.

Here is the full story of what happened and how we resolved it:

We picked up a new customer recently where we had to VPN to their site, where they had a Microsoft ISA 2004 gateway. We found however that whenever we connected to this VPN gateway from behind our ISA 2000 firewall our PPTP VPNs would drop out after about 3 minutes for a minute.

We decided that the problem must be ISA 2000 so we upgraded to ISA 2006. We then found that we could not connect at all to this customer site or any customers that had ISA VPN gateways (non-ISA PPTP sites work fine apart from the random drop outs) and we always got a 619 error from the Windows VPN client. We can connect fine when directly behind the Linksys AG241 but not when behind the Linksys AG241 and ISA 2006.

I did a bit of reading online and found lots of other people have the exact same problem with ISA 2004, 2006 and Linksys gear, so I went out and bought a new Linksys WAG54G Version 3 and a D-Link DSL-504T.

I put in the D-Link DSL-504T and the PPTP VPNs started working perfectly to ISA sites when behind ISA, and our normal VPNs to non-ISA sites work flawlessly with no random drop outs at all.

Though this made us happy we really didn't want to use the D-Link (the web GUIs suck on them and we really like Linksys) so we stuck the WAG54G in with the standard firmware. We found the exact same problem as with the AG241. We can PPTP out when behind it, but when behind ISA we can't PPTP to ISA sites (619 error again). We then updated the WAG54G to the latest firmware but found that we still can't connect out and we still get the 619 error.

I also found the internet is littered with people that seem to be having this problem with ISA-to-ISA VPNs and Linksys routers. Here are a bunch of links to these posts (most people don't work out what is going on).

http://forums.isaserver.org/m_300128700/mpage_1/key_619%2clinksys/tm.htm#300128700

http://forums.isaserver.org/m_300117300/mpage_1/key_619%2clinksys/tm.htm#300117300

http://forums.isaserver.org/m_300092500/mpage_1/key_619%2clinksys/tm.htm#300092500

http://forums.isaserver.org/m_300012100/mpage_1/key_619%2clinksys/tm.htm#300012100

http://forums.isaserver.org/m_300000600/mpage_1/key_619%2clinksys/tm.htm#300000615

http://forums.isaserver.org/m_300000900/mpage_1/key_619%2clinksys/tm.htm#300000913

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_22749714.html

http://www.eggheadcafe.com/forumarchives/isavpn/Oct2005/post23899476.asp

http://forums.linksys.com/linksys/board/message?board.id=Wired_Routers&message.id=1494

http://www.tech-archive.net/Archive/ISA/microsoft.public.isa.vpn/2005-06/msg00091.html

Cheers

Damon

"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:D3AF548D-E94B-49C4-9187-77CB4A93E86E@xxxxxxxxxxxxxxxx
This won't help.
Please send me the whole capture to jim at isatools dot org.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Damon" <enlighten@xxxxxxxxxxxxxxxxx> wrote in message
news:eHfjcqYpIHA.2636@xxxxxxxxxxxxxxxxxxxxxxx

Hi Jim,

I believe I have grabbed the right part of the Netmon log, have a look at this and let me know what you think:

239 9.843750 203.97.2.34 10.2.1.10 TCP TCP: Flags=.S..A..., SrcPort=1723, DstPort=3524, Len=0, Seq=3740007268, Ack=1485119410, Win=16384 (scale factor not found)
240 9.843750 10.2.1.10 203.97.2.34 PPTP PPTP: Control Message , Start Control Connection Request
241 9.859375 203.97.2.34 10.2.1.10 PPTP PPTP: Control Message , Start Control Connection Reply
242 9.859375 10.2.1.10 203.97.2.34 PPTP PPTP: Control Message , Outgoing Call Request
243 9.875000 10.2.1.10 10.2.0.253 TCP TCP: Flags=....A..., SrcPort=2153, DstPort=MS WBT Server(3389), Len=0, Seq=1694684887, Ack=2251219804, Win=64592 (scale factor not found)
244 9.890625 203.97.2.34 10.2.1.10 PPTP PPTP: Control Message , Outgoing Call Reply
245 9.890625 10.2.1.10 203.97.2.34 PPTP PPTP: Control Message , Set Link Info
246 9.890625 10.2.1.10 203.97.2.34 LCP LCP: Configure-Request, ID = 0, Length = 21
247 9.906250 203.97.2.34 10.2.1.10 LCP LCP: Configure-Request, ID = 0, Length = 57
248 9.906250 203.97.2.34 10.2.1.10 LCP LCP: Configure-Ack, ID = 0, Length = 21
249 9.906250 10.2.1.10 203.97.2.34 LCP LCP: Configure-Reject, ID = 0, Length = 35
250 9.921875 203.97.2.34 10.2.1.10 LCP LCP: Configure-Request, ID = 1, Length = 26
251 9.921875 10.2.1.10 203.97.2.34 LCP LCP: Configure-Ack, ID = 1, Length = 26
252 9.921875 10.2.1.10 203.97.2.34 LCP LCP: Identification, ID = 1, Length = 18
253 9.921875 10.2.1.10 203.97.2.34 LCP LCP: Identification, ID = 2, Length = 22
254 9.937500 203.97.2.34 10.2.1.10 TCP TCP: Flags=..R.A..., SrcPort=1723, DstPort=3524, Len=0, Seq=3740007457, Ack=1485119758, Win=0 (scale factor not found)
255 9.937500 203.97.2.34 10.2.1.10 CHAP CHAP: Challenge, ID = 0, Length = 25 , Name = 'ISA1'

Cheers

Damon

"Damon" <enlighten@xxxxxxxxxxxxxxxxx> wrote in message
news:%23dB2uaYpIHA.3568@xxxxxxxxxxxxxxxxxxxxxxx
Just to make sure I have got this right, I should do the install of Netmon 3 on the ISA server and set it to capture both ISA interfaces while I try and connect to the PPTP from a workstation on the network?

Cheers

Damon

"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:0FF8ACBE-AA6D-4ED5-B1E8-3CC40E7749CF@xxxxxxxxxxxxxxxx
1. there is no gain in duplicating DNS servers on multiple NICs. Remove them from the External NIC
2. you can capture with Wireshark or (my personal fav) Netmon 3; it doesn't matter. What does matter is that you capture at both ISA interfaces *at the same time* while performing your tests.

Result Code: 0x80074e24 FWX_E_CONNECTION_KILLED is very useful. This means that the PPTP filter saw something in the PPTP protocol that it didn't like and killed the session.

A network capture will be very revealing.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Damon" <enlighten@xxxxxxxxxxxxxxxxx> wrote in message
news:uQfbgeSpIHA.5096@xxxxxxxxxxxxxxxxxxxxxxx

Ok, Inbound VPN access is now working, just the Outbound VPN problem to go now!

Thanks for your help so far.

Have a read of the Outbound questions I tried to answer below and let me know what you think. There are also a bunch of settings in my Inbound VPN that you might want to check out.

Cheers

Damon

"Damon" <enlighten@xxxxxxxxxxxxxxxxx> wrote in message
news:ezfelhPpIHA.3428@xxxxxxxxxxxxxxxxxxxxxxx

On Inbound VPN
-----------------------------------

Ok these are the settings for my lan.

I have it set-up as the following:

It is 10.2.*.*
i.e. the subnet is 255.255.0.0
The gateway on all machines on the network is 10.2.0.253
I have the servers on 10.2.0.*
I have the workstations on 10.2.1.* (DHCP assigned)

The ISA server has two network cards:

One named Internal Network which is configured as follows:

IP address: 10.2.0.253
Subnet: 255.255.0.0
Default gateway: blank
Pre DNS 10.2.0.3
Alt DNS 10.2.0.4

One named External Network which is configured as follows:

IP address: 192.168.1.1
Subnet: 255.255.255.0
Default gateway:192.168.1.254
Pre DNS 10.2.0.3
Alt DNS 10.2.0.4

I have a Linksys AG241 DSL router which is running on 192.168.1.254 and has all of the VPN passthroughs configured

In ISA I have the LAT table configured as follows:

Start: 10.2.0.0 End: 10.2.255.255
Start: 10.255.255.255 End: 10.255.255.255

I have now changed to a static address pool with the following settings:

Start: 10.1.0.0 End: 10.1.0.255
Use the following network to obtain DHCP.. : Internal

If I connect remotely I get assigned the following:

IP: 10.1.0.1
Subnet: 255.255.255.255

If I try and ping a server on the network like 10.2.0.1 I get request
timed out.

Any ideas what I have done wrong?


On Outbound VPN
-----------------------------------

Q1: Yes it is a hop on the path to the Internet. It is configured as the gateway, i.e. 10.2.0.253
Q2: If I do the following query:

Log Record Type - Equals - Firewall or Web Publish
Log Time - Live
Action - Not Equal - Connection Status
Protocol - Equals - PPTP

I get the following:

Destination IP: the vpn server
Destination Port: 1723
Action: Initiated Connection
Rule: Allow All
Result Code: 0x0 ERROR_SUCCESS

Destination IP: the vpn server
Destination Port: 0
Action: Initiated Connection
Rule: Allow All
Result Code: 0x0 ERROR_SUCCESS

Destination IP: the vpn server
Destination Port: 1723
Action: Closed Connection
Rule: Allow All
Result Code: 0x80074e24 FWX_E_CONNECTION_KILLED

Q3: Would I do this with Wireshark on the computer I'm initiating the connection from? If so what would I filter on?

Cheers

Damon


"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:2AC3EEB0-F2E5-4CEB-8AB4-A5750DEFA088@xxxxxxxxxxxxxxxx
No; ISA doesn't dynamically move anything between the VPN network and the internal network address ranges.
This network address range is based on the setting you apply when you run the VPN wizard.
As long as the VPN client is assigned an address from this predefined range, all will be well.

The "dynamic motion" you allude to is the movement of the VPN client between Quarantine and VPN networks; nothing else.

--
Jim Harrison (ISA SE)

This posting implies no warranty and confers no rights.
http://catb.org/~esr/faqs/smart-questions.html



"Phillip Windell" <philwindell@xxxxxxxxxxx> wrote in message
news:%23Pr2SxJpIHA.548@xxxxxxxxxxxxxxxxxxxxxxx
"Jim Harrison (ISA SE)" <jmharr@xxxxxxxxxxxxxxxxxxxx> wrote in
message
news:8D2EF7C2-BDCE-43CF-B29F-5BE8D75945DB@xxxxxxxxxxxxxxxx
I only beat you when you ask me to; it's part of our "special
relationship"... :-p

Fair enough :-)

"stealing" from the LAT for the VPN network without actually changing the LAT network (includes actually changing that network) creates an overlap

That's what I was thinking of and is what I do with my VPN Clients. I'm not having any trouble in the sense that it "works." I had expected to get the spoofing alerts although there is none listed at the moment related to VPN Clients. So yes,..I just treated the alerts as "safe to ignore".

Ok, to make sure I understand the process...

So if I understand Tom's description of the VPN Clients Network near the beginning of the article
(http://www.isaserver.org/tutorials/Enabling-Remote-Access-VPN-Clients-Access-Branch-Office-Site-to-Site-VPN.html)
correctly, ISA will dynamically move an IP# from the Internal into the VPN Clients Network when a connection is made,..but during that brief amount of time, before it completes, a spoofing alert is triggered. When the VPN Client is done and disconnects the process is dynamically reversed.

Coupling that with what you are saying, if an admin makes sure that the IP# a VPN Client receives is already not in the Internal Network definition (or any other network def) then the ISA dynamically adds it to the VPN Clients Network when needed and there is no spoofing alert generated.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
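Added example (not part of the thread, and not the ISA PPTP filter's own code): a small Python model of the check Jim describes in his first reply above, where the PPTP filter learns the call IDs from the TCP/1723 control channel and kills the session when the traffic no longer matches them, which is what shows up in Damon's ISA log as FWX_E_CONNECTION_KILLED. The wire formats (control message header, Outgoing-Call-Request/Reply, enhanced GRE) follow RFC 2637; the PptpFilter class, the simulate() driver, the NAT behaviours it models and every call-ID value are assumptions made for illustration.

```python
import struct

# Constants from RFC 2637 (PPTP).  Everything else in this file is a simplified
# model written for this example, not the ISA PPTP filter's own logic.
PPTP_MAGIC = 0x1A2B3C4D
CTRL_MSG = 1
OCRQ, OCRP = 7, 8            # Outgoing-Call-Request / Outgoing-Call-Reply
GRE_PPP = 0x880B             # protocol type carried in enhanced GRE


def build_ctrl(ctrl_type, body):
    """Control message header: length, msg type, magic cookie, ctrl type, reserved."""
    return struct.pack(">HHIHH", 12 + len(body), CTRL_MSG, PPTP_MAGIC, ctrl_type, 0) + body


def outgoing_call_request(call_id):
    """Client picks its own Call ID; the rest are fixed-size fields (168 bytes total)."""
    body = struct.pack(">HHIIIIHHHH", call_id, 1, 300, 100_000_000, 3, 3, 64, 0, 0, 0)
    return build_ctrl(OCRQ, body + bytes(64) + bytes(64))   # phone number + subaddress


def outgoing_call_reply(call_id, peer_call_id):
    """Server picks its Call ID and echoes the client's as Peer's Call ID (32 bytes)."""
    body = struct.pack(">HHBBHIHHI", call_id, peer_call_id, 1, 0, 0, 100_000_000, 64, 0, 0)
    return build_ctrl(OCRP, body)


def parse_ctrl(data):
    """Return (ctrl_type, call-ID fields); reject anything that is not PPTP control."""
    length, msg_type, cookie, ctrl_type, _ = struct.unpack(">HHIHH", data[:12])
    if msg_type != CTRL_MSG or cookie != PPTP_MAGIC or length != len(data):
        raise ValueError("not a PPTP control message")
    if ctrl_type == OCRQ:
        return ctrl_type, {"call_id": struct.unpack(">H", data[12:14])[0]}
    if ctrl_type == OCRP:
        call_id, peer = struct.unpack(">HH", data[12:16])
        return ctrl_type, {"call_id": call_id, "peer_call_id": peer}
    return ctrl_type, {}


def build_gre(call_id, payload, seq):
    """Enhanced GRE: K and S bits set, version 1, Key = payload length + peer's Call ID."""
    return struct.pack(">BBHHHI", 0x30, 0x01, GRE_PPP, len(payload), call_id, seq) + payload


def parse_gre(data):
    """Return the Call ID from an enhanced-GRE header, or raise if it is not one."""
    flags, ver, proto, _plen, call_id = struct.unpack(">BBHHH", data[:8])
    if proto != GRE_PPP or (ver & 0x07) != 1 or not flags & 0x20:
        raise ValueError("not PPTP enhanced GRE")
    return call_id


class PptpFilter:
    """Call-ID tracking for one client behind the firewall ('out' = client to server).
    Learns the client's Call ID from the Outgoing-Call-Request and the server's from
    the Outgoing-Call-Reply, then requires every GRE packet to carry the right one for
    its direction.  Any mismatch kills the session (the FWX_E_CONNECTION_KILLED case)."""

    def __init__(self):
        self.client_call_id = None
        self.server_call_id = None
        self.killed = False

    def control(self, direction, data):
        ctrl_type, fields = parse_ctrl(data)
        if ctrl_type == OCRQ and direction == "out":
            self.client_call_id = fields["call_id"]
        elif ctrl_type == OCRP and direction == "in":
            # The reply must name the Call ID this client actually sent.
            if fields["peer_call_id"] != self.client_call_id:
                self.killed = True
            self.server_call_id = fields["call_id"]
        return not self.killed

    def gre(self, direction, data):
        # Outbound GRE carries the server's Call ID, inbound carries the client's.
        expected = self.server_call_id if direction == "out" else self.client_call_id
        if expected is None or parse_gre(data) != expected:
            self.killed = True
        return not self.killed


def simulate(nat_translates):
    """Run one call with the filter on the LAN side of a NAT router (modelled, not real).
    nat_translates lists where the NAT rewrites the client's Call ID to multiplex
    several PPTP clients: 'ocrq' (request on the way out), 'ocrp_peer' (Peer's Call ID
    in the reply coming back) and 'gre_in' (Call ID in inbound GRE).  A correct NAT
    does all three or none; one that does only some is what the filter sees as a
    changed Call ID.  Returns True if the session survives."""
    f = PptpFilter()
    client_id, nat_id, server_id = 0x0010, 0x8010, 0x0042     # constructed values
    f.control("out", outgoing_call_request(client_id))
    peer_back = client_id if "ocrq" not in nat_translates or "ocrp_peer" in nat_translates else nat_id
    if not f.control("in", outgoing_call_reply(server_id, peer_back)):
        return False
    lcp = b"\xff\x03\xc0\x21"                                  # PPP LCP header, constructed
    f.gre("out", build_gre(server_id, lcp, 0))
    in_id = client_id if "ocrq" not in nat_translates or "gre_in" in nat_translates else nat_id
    return f.gre("in", build_gre(in_id, lcp, 0))


if __name__ == "__main__":
    cases = [("no translation", set()), ("correct NAT", {"ocrq", "ocrp_peer", "gre_in"}),
             ("rewrites request only", {"ocrq"}), ("control channel only", {"ocrq", "ocrp_peer"})]
    for name, nat in cases:
        print(f"{name:24s} -> {'session up' if simulate(nat) else 'connection killed'}")
```

Running it prints one line per modelled NAT behaviour; the two partial-rewrite cases are the ones that end with the session killed, which matches the log entries Damon quoted (PPTP connection initiated with ERROR_SUCCESS, then closed with FWX_E_CONNECTION_KILLED). The model deliberately keeps the filter on the LAN side of the router, as ISA was in this thread, so the only thing it can judge is whether the Call IDs it saw on the control channel agree with what comes back.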
