think I found the problem... ISA bug?

From: Z D (NOSPAM_at_NOSPAM.com)
Date: 04/16/04


Date: Fri, 16 Apr 2004 12:31:05 -0400

Hi Guys

I started doing more analysis and I think I may know what is causing the
problem. Here is what I think:

- When the vpn client initiates a connection to the www01 server, it gets
routed directly to www01 from the vpn server (sbs01). When this happens,
the ISA server (fw01) doesn't know about this communication.

- Now, when www01 wishes to respond, it goes through the ISA server (its
default gateway) because it is trying to contact the vpn client which is on
a different subnet (10.2.3.x).

- Since ISA doesn't know about the initial communication from vpn client to
the www server, it may think that www01 is responding to a request that was
never asked and thus blocks/denies the connection.

- When I look at the ISA logs, right after the vpn client makes an http
request to the www01 server, I see the following in the log:

Destination: 10.2.3.5 (vpn client IP address)
Destination port: 3426
Protocol: Unidentified Network Traffic
Action: Denied Connection
Rule: (BLANK!!)
Client: 10.2.1.2 (www01 server IP address)
Source network: Internal
Destination Network: internal

- SO, ISA seems to be blocking the response from www01. To test this out, I
changed the DG on www01 from the ISA server to the VPN server. When I do
this, everything works fine!!!

- Also, I guess PING works fine because ISA only cares about TCP protocols?

- Also: As mentioned in my previous email, when I set the route on the VPN
server to go through the ISA server then it works fine because then ISA
knows about the initial request and thus it allows the response.

Anyways - this is just my thoughts on what the problem is. Does this mean
it's a bug in ISA?

Why doesn't it show the specific rule that it used to deny the request?
Under the rule heading in the log, it is just blank!! It does not specify a
rule that was used to block the communication!!

How do I go about telling ISA to enable this communication? I even tried an
ALLOW ALL protocols / all networks access rule but that doesn't help, it
still denies the connection and doesn't tell me what rule it used to deny
it!!

PS: Note: ISA2004 beta2 is used.

Regards,
-ZD

"Z D" <NOSPAM@NOSPAM.com> wrote in message
news:eZcz%23iyIEHA.3224@TK2MSFTNGP09.phx.gbl...
> Hello,
>
> OK. This is a very strange problem.
>
> The setup:
> ============
> 3 servers:
> 1) multihomed ISA server connected to the internet and internal LAN (LAN
> IP range=10.2.1.x)
> 2) WWW server on the internal LAN
> 3) VPN (RRAS, PPTP) server on the internal LAN (static pool of IP
> addresses assigned=10.2.3.x)
>
> -All servers have ISA set as the DG.
>
> -ISA has a static route entry so that servers on the LAN can reach the VPN
> clients on the 10.2.3.x network (the static route forwards everything to
> the VPN server for the 10.2.3.x range).
>
> -ISA publishes both the WWW and VPN servers to the external world. This
> works perfectly. All servers are windows server 2003.
>
> -I can VPN into the network, obtain an IP on the 10.2.3.x network, and
> PING all internal servers on the 10.2.1.x network.
>
>
> THE PROBLEM:
> ============
> If I try to HTTP or RDP or make any form of connection from the VPN client
> onto the WWW server then it just times out, nothing happens. EVEN THOUGH
> I CAN PING THE SERVER!!!!
>
> From the VPN server (and all other servers) I can HTTP,RDP,etc with no
> problems to the www server.
>
> -From the external world I can HTTP to the www server with no problem.
>
> -ONLY from the VPN clients is where I can't HTTP,RDP,etc to the www server
> EVEN THOUGH I can ping it!!
>
>
>
> THE BIZARRE PART:
> ==================
> Now the bizarre part: If I physically go to the www box and then ping the
> connected vpn client address, a "connection" is then open between the two
> machines. While this "connection" is open I can use HTTP,RDP, etc from
> the VPN client to the www server. However, if I wait for a while and the
> "connection" closes between the two machines then the VPN client again
> cannot access the www server.
>
> Is that strange or what??
>
> It's almost as though the VPN client is somehow blocked from initiating
> connections to the 10.2.1.x network!?!?!? Is there some sort of setting in
> RRAS on the VPN server to fix this?
>
>
> PLEASE some advice/suggestions/explanation because I'm going crazy here!
>
>
> Questions:
> -Why can I ping the www server from the vpn client but not http/rdp/etc
> onto it?
> -Why does it only work when the www server pings the vpn client in order
> to open a connection and then everything works fine.. temporarily until the
> connection is closed.
>
>
> Also: Once the VPN client is connected, it does NOT go through ISA in
> order to talk to the www server because it goes direct to the VPN server to
> the www server... ISA is not involved and thus nothing shows up in the ISA
> realtime monitor.
> However, when the www server tries to talk to the vpn client then it goes
> through ISA because ISA is the DG and the VPN client is on a different
> subnet. Thus the www-->vpn client ping shows up in ISA logs.
>
>
> Anyways -sorry for the long post. Many apologies. PLEASE HELP!
>
> thanks
>
> -ZD
>
>
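The failure ZD describes is a textbook asymmetric-routing problem with a stateful filter: the client's SYN reaches www01 via the VPN server without ever crossing ISA, so when www01's SYN-ACK is sent to its default gateway (ISA) there is no state entry to match it, and the filter drops it as mid-stream traffic before any access rule is consulted (hence the blank rule field). The Python below is an added example written for this page, not code from the thread and not ISA Server code. It models each host's routing table to compute the request and reply paths, runs only the packets that cross the firewall through a simplified connection tracker, and shows the three situations in the thread: the broken topology, the "change www01's gateway to the VPN server" fix, and the "route the VPN server's LAN traffic through ISA" fix. The LAN addresses of the ISA server (10.2.1.1) and the VPN server (10.2.1.10) are constructed; the client, www01 and port values come from the post. The ICMP handling (evaluated against policy with no state requirement) is an assumption made to reproduce the observation that ping works, not a statement about ISA's internals.

```python
import ipaddress
from dataclasses import dataclass

# Addresses from the thread (client, www01, client port 3426) plus two
# constructed LAN addresses for the ISA server and the RRAS VPN server.
VPN_CLIENT = "10.2.3.5"   # PPTP client, static pool 10.2.3.x
WWW01 = "10.2.1.2"        # web server on the 10.2.1.x LAN
SBS01 = "10.2.1.10"       # VPN (RRAS) server LAN address: constructed
FW01 = "10.2.1.1"         # ISA server LAN address: constructed


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN flag
    ack: bool = False     # TCP ACK flag (SYN without ACK = new connection)


def routing_tables(www01_gateway: str, vpn_lan_via_isa: bool = False) -> dict:
    """Per-host routing tables: prefix -> next hop, 'direct' meaning on-link."""
    return {
        VPN_CLIENT: {"0.0.0.0/0": SBS01},                      # tunnel: all to RRAS
        SBS01: {"10.2.1.0/24": FW01 if vpn_lan_via_isa else "direct",
                "10.2.3.0/24": "direct", "0.0.0.0/0": FW01},
        WWW01: {"10.2.1.0/24": "direct", "0.0.0.0/0": www01_gateway},
        FW01: {"10.2.1.0/24": "direct", "10.2.3.0/24": SBS01},  # static route from the post
    }


def path(tables: dict, src: str, dst: str, max_hops: int = 8) -> list:
    """Longest-prefix-match forwarding from src to dst; returns the hop list."""
    dst_ip = ipaddress.ip_address(dst)
    hops, cur = [src], src
    for _ in range(max_hops):
        table = tables[cur]
        matches = [ipaddress.ip_network(p) for p in table if dst_ip in ipaddress.ip_network(p)]
        next_hop = table[str(max(matches, key=lambda n: n.prefixlen))]
        if next_hop == "direct":
            return hops + [dst]
        hops.append(next_hop)
        cur = next_hop
    raise RuntimeError("routing loop")


class StatefulFilter:
    """Simplified connection tracker with a single allow-all access rule."""

    def __init__(self):
        self.flows = set()
        self.log = []

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Direction-independent key so a reply matches the request's entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)

    def process(self, p: Packet) -> str:
        key = self._key(p)
        new_tcp = p.proto == "tcp" and p.syn and not p.ack
        if p.proto == "tcp" and not new_tcp and key not in self.flows:
            # Mid-stream segment for a connection the filter never saw start:
            # dropped before any rule is evaluated, so the rule field is empty.
            self.log.append({"client": p.src, "destination": p.dst, "port": p.dport,
                             "protocol": "Unidentified Network Traffic",
                             "action": "Denied Connection", "rule": ""})
            return "denied"
        if new_tcp:
            self.flows.add(key)   # state is created on the initiating SYN only
        # Assumed simplification: ICMP is checked against policy per packet.
        self.log.append({"client": p.src, "destination": p.dst, "port": p.dport,
                         "protocol": p.proto, "action": "Allowed", "rule": "Allow all"})
        return "allowed"


def simulate(proto: str, www01_gateway: str, vpn_lan_via_isa: bool = False) -> tuple:
    """Replay a request/reply pair; FW01 inspects only packets whose path crosses it.

    Returns (request_verdict, reply_verdict, asymmetric, firewall_log).
    """
    tables = routing_tables(www01_gateway, vpn_lan_via_isa)
    fw = StatefulFilter()
    if proto == "tcp":
        req = Packet(VPN_CLIENT, WWW01, "tcp", 3426, 80, syn=True, ack=False)
        rep = Packet(WWW01, VPN_CLIENT, "tcp", 80, 3426, syn=True, ack=True)
    else:
        req = Packet(VPN_CLIENT, WWW01, "icmp")   # echo request
        rep = Packet(WWW01, VPN_CLIENT, "icmp")   # echo reply
    crossings = [FW01 in path(tables, p.src, p.dst) for p in (req, rep)]
    verdicts = [fw.process(p) if seen else "not inspected"
                for p, seen in zip((req, rep), crossings)]
    return verdicts[0], verdicts[1], crossings[0] != crossings[1], fw.log


if __name__ == "__main__":
    print("HTTP, www01 gateway = ISA:     ", simulate("tcp", FW01)[:3])
    print("HTTP, www01 gateway = VPN srv: ", simulate("tcp", SBS01)[:3])
    print("HTTP, VPN server routes via ISA:", simulate("tcp", FW01, True)[:3])
    print("Ping, www01 gateway = ISA:     ", simulate("icmp", FW01)[:3])
```

Running it reproduces the thread: with www01's gateway on ISA the SYN is never inspected, the SYN-ACK is denied with an empty rule field, and the `asymmetric` flag is set; pointing www01's gateway at the VPN server takes ISA out of both paths, and routing the VPN server's LAN traffic through ISA makes both halves of the flow visible so the SYN creates state and the SYN-ACK is allowed. The `asymmetric` flag is the check worth automating: whenever a stateful firewall sits on only one direction of a flow, this class of "allow-all rule still denies" symptom is expected rather than a bug.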


