Re: VPN/ISA 2004 issue after SP1 install on sbs2003



That's right. The Draytek is the device that is making the connection
and the SBS is accepting the connection. The router itself is the
source of the VPN tunnel therefore no ports need to be opened on it.

There is GRE communication between the router and the SBS; you can see
it at (for example) 29/12/2005 15:23:58 in the logs.

We have contacted Draytek and they are not aware of any specific
problems connecting to ISA2004. This is what they said:

"If you check the call logs from the telnet command (log -ct) it
appears that ISA 2004 is not set to allocate the DNS for VPN and that
is a very likely reason why the routing does not work. Regarding the
encryption please set the server to accept the connection with MPPE
-128 key length connection so that it can accept the proposal it
receives from the Vigor 2900VG."

I am not sure what that means! I am fairly sure ISA will accept MPPE
128bit already as ISA2000 certainly did. I think the DNS for VPN is
not the right thing as the connection is not even able to maintain a
connection at all and we can't even ping using an IP address.

Did you get the NetMon trace I sent? Does it help?

If you are not able to help can you suggest another Microsoft
supported group that might be able to offer more in depth support of
ISA 2004?

Thanks
Ian


On Fri, 30 Dec 2005 10:05:21 GMT, v-crinal@xxxxxxxxxxxxxxxxxxxx
("Crina Li") wrote:

>Hi Ian,
>
>Thanks for your reply.
>
>From the ISA log, I find no GRE communication between SBS and the branch
>office. As far as I know, TCP 1723 (PPTP VPN connection) and the GRE port
>(protocol number 47; this port is used for incoming PPTP VPN connections) need
>to be open when you create a VPN. Please make sure that you have opened port
>1723 on the router and also make sure IP protocol 47 is allowed on the router.
>
>You may also need to consult the Draytek router vendor to see if there are
>any limitations or specific configuration when creating a site-to-site VPN to
>ISA 2004.
>
>Thanks for your time and I look forward to hearing from you.
>
>Best regards,
>
>Crina Li (MSFT)
>
>Microsoft CSS Online Newsgroup Support
>
>Get Secure! - www.microsoft.com/security
>
>=====================================================
>This newsgroup only focuses on SBS technical issues. If you have issues
>regarding other Microsoft products, you'd better post in the corresponding
>newsgroups so that they can be resolved in an efficient and timely manner.
>You can locate the newsgroup here:
>http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
>
>When opening a new thread via the web interface, we recommend you check the
>"Notify me of replies" box to receive e-mail notifications when there are
>any updates in your thread. When responding to posts via your newsreader,
>please "Reply to Group" so that others may learn and benefit from your
>issue.
>
>Microsoft engineers can only focus on one issue per thread. Although we
>provide other information for your reference, we recommend you post
>different incidents in different threads to keep the thread clean. In doing
>so, it will ensure your issues are resolved in a timely manner.
>
>For urgent issues, you may want to contact Microsoft CSS directly. Please
>check http://support.microsoft.com for regional support phone numbers.
>
>Any input or comments in this thread are highly appreciated.
>
>=====================================================
>
>This posting is provided "AS IS" with no warranties, and confers no rights.
>--------------------
>| From: Ian <nospam@xxxxxxxxxx>
>| Newsgroups: microsoft.public.windows.server.sbs
>| Subject: Re: VPN/ISA 2004 issue after SP1 install on sbs2003
>| Date: Thu, 29 Dec 2005 15:16:43 +0000
>|
>| Hi Crina
>|
>| It is Ian, a colleague of Colin's; he is on holiday now and I am back
>| from holiday to try and fix this VPN problem!
>|
>| To aid troubleshooting I have replicated the client's network with our
>| own SBS server which is the same as theirs (SBS 2003 Premium SP1 with
>| ISA 2004) and another Draytek router.
>|
>| I have set up the Draytek and ISA 2004 from scratch following the same
>| procedure as used on the client's network with the addition that I
>| have used your method in steps 1-3 to set up the network, network
>| rules and access rules in ISA. I have read the two articles on
>| ISAserver.org and they helped me see how this worked. Unfortunately
>| they both seem to be the other way around from our situation where we
>| have the Draytek dialling in to the SBS and the articles seem to have
>| the ISA 2004 dialling *out*.
>|
>| Anyway, it is set up and still does not work. I cannot ping from
>| either end. The Draytek sometimes shows the VPN connection as 'up' but
>| only for a few seconds at most. No packets are transferred.
>|
>| So I will send you the details you ask for to your own email and hope
>| you can help!
>|
>| Many thanks
>| Ian
>|
>| On Mon, 26 Dec 2005 10:22:15 GMT, v-crinal@xxxxxxxxxxxxxxxxxxxx
>| ("Crina Li") wrote:
>|
>| >Hi Colin,
>| >
>| >Thanks for your reply.
>| >
>| >I am sorry for the delayed response due to the weekend. Please understand
>| >that the newsgroups are staffed weekdays by Microsoft Support professionals
>| >to answer your systems and applications questions. Your understanding is
>| >greatly appreciated!
>| >
>| >To narrow down the problem, would you please help me confirm if you have
>| >followed the steps to create the VPN from router to ISA 2004?
>| >
>| >1. Create a new Remote Site Network.
>| >2. Create a Network Rule that Defines the Route Relationship Between the
>| >Main and Branch Office.
>| >3. Create Access Rules Allowing Traffic from the Main Office to the Branch
>| >Office and from the Branch Office to the Main Office.
>| >
>| >You can also refer to the steps from the "Run the remote site wizard on the
>| >ISA firewall" section to the end section listed in the following document:
>| >
>| >Configuring a Site to Site VPN between an ISA 2004 firewall and ISA Server
>| >2000 (v1.2)
>| >http://www.isaserver.org/articles/2004s2s2000.html
>| >
>| >More information:
>| >
>| >Establishing an IPSec site-to-site tunnel between an ISA 2004 Firewall and
>| >a D-Link DI-804HV IPSec VPN Router
>| >http://www.isaserver.org/articles/2004isadlink.html
>| >
>| >If you have done so, would you please help me collect the following
>| >information?
>| >
>| >1. Collect the ISA info:
>| >
>| >1) Download the file from the following URL:
>| >
>| > http://www.isatools.org/isainfo/ISAInfo.zip
>| >
>| >2) Extract all files to a folder on ISA server
>| >3) Double click Isainfo.js. This will generate 2 files,
>| >ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml, in
>| >the current folder.
>| >4) Please send these files to me at v-crinal@xxxxxxxxxxxxxx
>| >
>| >2. Please also help to gather the ISA logs:
>| >
>| >1) Schedule a down time.
>| >2) Open ISA 2004 management console.
>| >3) Expand the server node and highlight 'Monitoring'.
>| >4) In the right pane, switch to the 'Logging' tab, and make sure the 'Task
>| >Pane' is shown there.
>| >5) In the 'Task Pane', click 'Configure Firewall Logging' under 'Logging
>| >Tasks', and then switch the 'log storage format' from 'MSDE database'
>| >(default) to 'File'.
>| >6) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>| >7) In the 'Task Pane', click 'Configure Web Proxy Logging' under 'Logging
>| >Tasks', and then switch the 'log storage format' from 'MSDE database'
>| >(default) to 'File'.
>| >8) Switch to the 'Fields' tab, click 'Select All', and then click OK.
>| >9) Click 'Apply' to save changes and update the configuration.
>| >10) Temporarily disable the Firewall service. To do that, please click
>| >Monitoring | Services tab, and then right click 'Microsoft Firewall' to
>| >choose 'Stop'.
>| >11) Clear the currently existing W3C logs. To do that, go to the log
>| >saving directory and clean out any existing .W3C logs. By default, the
>| >logs will be saved to 'C:\Program Files\Microsoft ISA Server\ISALogs'.
>| >(Some MDF files may not be deletable; that's normal.) You may back them up
>| >first and then delete them.
>| >12) Go back to the ISA 2004 management console, and then start the
>| >stopped 'Microsoft Firewall' service.
>| >13) Reproduce the problem (initiate an SQL access), stop the service, and
>| >then send the resulting W3C files to me for analysis.
>| >
>| >I appreciate your time and look forward to hearing from you.
>| >
>| >Best regards,
>| >
>| >Crina Li (MSFT)
>| >
>| >Microsoft CSS Online Newsgroup Support
>| >
>| >Get Secure! - www.microsoft.com/security
>| >
>| >--------------------
>| >| From: "cdlaurie" <CLAURIE@xxxxxxxxxxxxxxxx>
>| >| Newsgroups: microsoft.public.windows.server.sbs
>| >| Subject: VPN/ISA 2004 issue after SP1 install on sbs2003
>| >| Date: 22 Dec 2005 04:33:38 -0800
>| >| Organization: http://groups.google.com
>| >|
>| >|
>| >| I am having issues with 2 remote sites connecting to SBS 2003 Premium
>| >| after installing SP1, which as you know has upgraded ISA.
>| >|
>| >| The sites are connected to the head office external NIC using Draytek 2600
>| >| routers, using PPTP VPN. The head office has SBS 2003 with ISA 2004.
>| >| The client PCs in the branch offices seem to have an intermittent
>| >| connection and, upon looking in the event logs on SBS, there are numerous
>| >| events which are appearing every 30 seconds (see below).
>| >|
>| >| The 2 branch offices use the 192.168.1.x & 192.168.2.x subnets and
>| >| these are mentioned in the event logs.
>| >| I have also noticed on the Draytek that the packets transferred between
>| >| branch office and head office are no longer encrypted (as they are
>| >| normally shown in green). Furthermore the branch office routers are
>| >| transmitting packets but are not receiving any from SBS at the head
>| >| office.
>| >|
>| >| I have performed various searches for the specific events and have
>| >| found some info but not all appears relevant; the info that has been
>| >| relevant I have tried but have had no success.
>| >|
>| >| Have any of you encountered such a scenario, or can you point me in the
>| >| direction of some resources?
>| >|
>| >| Any help greatly appreciated!
>| >|
>| >| Colin
>| >|
>| >|
>| >| The event logs are:
>| >|
>| >| Event Type: Warning
>| >| Event Source: Microsoft Firewall
>| >| Event Category: Packet filter
>| >| Event ID: 15108
>| >| Date: 22/12/2005
>| >| Time: 11:06:13
>| >| User: N/A
>| >| Computer: SBS2003
>| >| Description:
>| >| ISA Server detected a spoof attack from Internet Protocol (IP) address
>| >| 192.168.1.13. A spoof attack occurs when an IP address that is not
>| >| reachable via the interface on which the packet was received. If
>| >| logging for dropped packets is set, you can view details in the packet
>| >| filter log.
>| >|
>| >| For more information, see Help and Support Center at
>| >| http://go.microsoft.com/fwlink/events.asp.
>| >|
>| >| ---------------------------------
>| >|
>| >| Event Type: Error
>| >| Event Source: Microsoft Firewall
>| >| Event Category: None
>| >| Event ID: 14147
>| >| Date: 22/12/2005
>| >| Time: 11:04:33
>| >| User: N/A
>| >| Computer: SBS2003
>| >| Description:
>| >| ISA Server detected routes through adapter Network Connection that do
>| >| not correlate with the network element to which this adapter belongs.
>| >| For best practice, the address range of an ISA Server network should
>| >| match the address ranges routable through the associated network
>| >| adapter as defined in the routing table. Otherwise valid packets may be
>| >| dropped as spoofed. (This alert may occur momentarily when you create a
>| >| remote site network. You may safely ignore this message if it does not
>| >| reoccur.) The address ranges in conflict are:
>| >| 192.168.1.0-192.168.2.255;.
>| >|
>| >| For more information, see Help and Support Center at
>| >| http://go.microsoft.com/fwlink/events.asp.
>| >|
>| >|
>|

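The two events quoted in Colin's original post describe one mechanism from two sides: event 15108 drops a packet as "spoofed" when its source address is not reachable through the interface it arrived on, and event 14147 warns when the Windows routing table sends a range that belongs to one ISA network element (here the 192.168.1.0-192.168.2.255 branch ranges) out through an adapter bound to a different network element. The following is an added example, not code from the thread or from ISA Server, that models both checks so the relationship is visible: with a static route that pushes the branch subnets out of the LAN adapter, every packet the PPTP tunnel delivers from 192.168.1.13 fails the reachability test and is dropped, which matches the "valid packets may be dropped as spoofed" wording of 14147. The head-office subnet (192.168.0.0/24), the interface names LAN/WAN/VPN, and the simplified matching rules are assumptions made for the illustration.

```python
"""Added example (not code from the thread or from ISA Server 2004): a small
model of the checks behind events 15108 and 14147. The head-office subnet,
the interface names and the matching rules are assumptions."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str            # adapter or demand-dial VPN interface used to reach prefix


@dataclass
class IsaNetwork:
    name: str
    interface: str            # interface the ISA network element is bound to
    ranges: list = field(default_factory=list)   # (low, high) inclusive address pairs

    def contains(self, addr: ipaddress.IPv4Address) -> bool:
        return any(lo <= addr <= hi for lo, hi in self.ranges)


def network_for(networks, addr):
    """First network whose ranges include addr; list the catch-all External last."""
    for net in networks:
        if net.contains(addr):
            return net
    return None


def lookup_route(routes, addr):
    """Longest-prefix match, as the Windows routing table does."""
    addr = ipaddress.IPv4Address(addr)
    hits = [r for r in routes if addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def is_spoofed(routes, src, arrival_interface):
    """Event 15108: the source address must be reachable via the interface the
    packet arrived on, i.e. the routing table must point back out that way."""
    route = lookup_route(routes, src)
    return route is None or route.interface != arrival_interface


def route_conflicts(networks, routes):
    """Event 14147: a route through an interface must lead into the network
    element bound to that interface. Returns (prefix, interface, owner) tuples.
    Simplification: only the prefix's first address is classified."""
    conflicts = []
    for r in routes:
        owner = network_for(networks, r.prefix.network_address)
        if owner is None or owner.interface != r.interface:
            conflicts.append((str(r.prefix), r.interface, owner.name if owner else None))
    return conflicts


def rng(low, high):
    return (ipaddress.IPv4Address(low), ipaddress.IPv4Address(high))


# Constructed configuration modelled on the thread: head-office Internal
# network (subnet assumed), one remote-site network covering both branches,
# and the External network as the catch-all for everything else.
NETWORKS = [
    IsaNetwork("Internal", "LAN", [rng("192.168.0.0", "192.168.0.255")]),
    IsaNetwork("Branches", "VPN", [rng("192.168.1.0", "192.168.2.255")]),
    IsaNetwork("External", "WAN", [rng("0.0.0.0", "255.255.255.255")]),
]

# Routing table with static routes that send branch traffic out of the LAN
# adapter instead of the VPN interface: the shape that triggers 14147.
BROKEN_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "WAN"),
    Route(ipaddress.ip_network("192.168.0.0/24"), "LAN"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "LAN"),
    Route(ipaddress.ip_network("192.168.2.0/24"), "LAN"),
]

# Same table with the branch routes pointing at the VPN interface.
FIXED_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "WAN"),
    Route(ipaddress.ip_network("192.168.0.0/24"), "LAN"),
    Route(ipaddress.ip_network("192.168.1.0/24"), "VPN"),
    Route(ipaddress.ip_network("192.168.2.0/24"), "VPN"),
]

if __name__ == "__main__":
    for label, routes in (("broken", BROKEN_ROUTES), ("fixed", FIXED_ROUTES)):
        print(label, "14147 conflicts:", route_conflicts(NETWORKS, routes))
        # A branch packet arriving over the tunnel, as in the 15108 event.
        print(label, "15108 for 192.168.1.13 via VPN:",
              is_spoofed(routes, "192.168.1.13", "VPN"))
```

The practical check this suggests on the SBS box is to compare `route print` against the address ranges of each ISA network: any range that the remote-site network claims but the routing table reaches through the internal adapter will produce both events, and the tunnel will look "up" while every packet through it is discarded.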

