Re: Site to Site IPSec VPN unstable (long post)
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx ("Crina Li")
- Date: Mon, 11 Sep 2006 04:33:28 GMT
Hi Buddy,
Thanks for your update.
I will look forward to your test result.
Thanks for your time.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Reply-To: "Buddy Greenshield" <gcsbend-at-bendcable-dot-com>
| From: "Buddy Greenshield" <gcsbend-at-bendcable-dot-com>
| References: <Of5Mpiq0GHA.4956@xxxxxxxxxxxxxxxxxxxx>
<edYMfpx0GHA.4220@xxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Site to Site IPSec VPN unstable (long post)
| Date: Sat, 9 Sep 2006 21:12:02 -0700
| Message-ID: <uNaxG9I1GHA.5048@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
|
| Crina, Thank you for your help.
|
| The situation exists no matter which machine you RDP into. If it's across
| the vpn, you will experience delays and soon be bumped off. The remote
| office users can connect in using RWW which skates around the VPN and they
| have a stable connection. The RWW option is not where we want to go,
| because typically they are in a certain line of business application based
| on FoxPro all day. The RWW option times out on them even though the option
| of using a public or shared computer is not checked.
|
| From my network, I have VPNs to nearly all of my clients' networks. I can
| get on an RDP session to a remote site and leave it up for days at a time
| with no problems. But this network is the first I have done where ISA2004
| is the VPN endpoint (other than my VMWare test environment). Even my own
| network is still running SBS2000 single NIC with a Linksys BEFVP41 router.
| (I've been meaning to swing it to SBS2003 for almost two years now.... my
| bad!)
|
| Anyway, back to the problem. I created a new REG_DWORD value SAIdleTime in
| the IPSec key. You didn't mention, but I set the value 3600 decimal (not
| Hex). I rebooted the entire server after making that registry tweak. As far
| as I can tell, the Security Log is still chock full of 547, 543, 541, 542
| events every few seconds.
| Closer inspection:
| The VPN to my network (without errors) has changed from renegotiating about
| every 6 min to every hour. So the Registry tweak did work.
| Every hour I get the following events:
| 541 - Main mode Established
| 543 - Main mode Ended
| 541 - Quick mode Established
| 542 - Quick mode Ended
|
| On the VPN to the remote site, still getting the 547 error, it is generating
| events every 20 seconds or so, but I have seen that 542 events are only
| happening every hour, following the registry policy.
|
| I wiped the remote vpn network, rules, etc from ISA and from the SonicWall
| and then rebuilt them. Still had same problem. The settings I used are
| essentially the defaults - and when I had this system in my office before
| deployment, with the exact settings, the VPN was not generating these
| errors.
|
| UPDATE!!!
|
| After playing with the Settings, I found that using 3DES / MD5 for phase 1 &
| 2, rather than 3DES / SHA1 for both has stopped the errors. Now I will have
| to wait until Monday to see if the stability has improved for the users.
|
| Buddy G.
|
|
| "Crina Li" <v-crinal@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:edYMfpx0GHA.4220@xxxxxxxxxxxxxxxxxxxxxxxx
| > Hi Buddy,
| >
| > Thank you for posting in SBS newsgroup.
| >
| > From the description, I understand that you have set up an IPSec
| > site-to-site VPN tunnel between an ISA 2004 server and a SonicWall device.
| > Now the VPN tunnel is unstable. If I'm off base, please do let me know.
| >
| > To narrow down the problem, would you please help me confirm if the
| > situation only occurs when you access the Windows 2000 terminal server from
| > a remote office client, or if it also occurs when you access other
| > resources in the main office?
| >
| > Here, I suggest you change the registry SAIdleTime. Please open regedit
| > program, navigate to the following registry:
| >
| > HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
| >
| > Modify the settings of SAIdleTime. If there is no such value, please create
| > a REG_DWORD value with this name and input 3600 as the value data. Restart
| > the ISA server to see if the problem will be resolved.
| >
| > Since the Security Association lifetime was 3600 seconds on ISA, please
| > also change the SonicWall SA Life to 3600.
| >
| > Please also refer to the following information:
| >
| > 888711 Site-to-site VPN in ISA Server 2004
| > http://support.microsoft.com/?id=888711
| >
| > Configuring IPSec Site-to-Site Connections Between ISA Server 2004 and
| > Third-Party Gateways
| >
| > http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/sitetositeipsec.mspx
| >
| > Establishing an IPSec site-to-site tunnel between an ISA 2004 Firewall and
| > a D-Link DI-804HV IPSec VPN Router
| > http://www.isaserver.org/articles/2004isadlink.html
| >
| > KB 257225 IPSec troubleshooting in Microsoft Windows 2000 Server
| > http://support.microsoft.com/default.aspx?scid=kb;EN-US;257225
| >
| > I appreciate your time and look forward to hearing from you.
| >
| > Best regards,
| >
| > Crina Li (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > --------------------
| > | Reply-To: "Buddy Greenshield" <gcsbend-at-bendcable-dot-com>
| > | From: "Buddy Greenshield" <gcsbend-at-bendcable-dot-com>
| > | Subject: Site to Site IPSec VPN unstable (long post)
| > | Date: Thu, 7 Sep 2006 11:08:43 -0700
| > | Message-ID: <Of5Mpiq0GHA.4956@xxxxxxxxxxxxxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.sbs
| > |
| > | Hello All,
| > | Does anyone have any experience with unstable VPNs using ISA2004 Sp2?
| > |
| > | Setup:
| > |
| > | Main Office LAN
| > | ||
| > | SBS2003 SP1 with ISA2004 Sp2
| > | ||
| > | Internet
| > | ||
| > | SonicWall ProVX
| > | ||
| > | Remote Office LAN
| > |
| > | Both sides have static WAN IP
| > | VPN tunnel comes up right away.
| > | Computers on both LAN segments can ping one another, RDP, etc.
| > | Problem: Remote computers connect to a Win2000 server configured as App
| > | Sharing Terminal server in the main office. The vpn is unstable and they
| > | get kicked off of their TS session several times a day. Often the
| > | applications tend to freeze when the TS sessions remain connected. I can
| > | start a continuous ping between two devices across the vpn and the ping
| > | times are erratic and I see frequent lost packets.
| > |
| > | On the ISA server (SBS) the events in the security log are:
| > | 12:04:23 547 Failure Quick Mode
| > | 12:04:23 543 Main Mode Ended
| > | 12:04:23 541 Main Mode Established
| > | 12:04:52 542 Quick Mode Ended
| > | 12:05:00 541 Quick Mode Established
| > | 12:05:26 547 Failure Quick Mode
| > | 12:05:26 543 Main Mode Ended
| > | 12:05:26 541 Main Mode Established
| > | 12:06:29 547 Failure Quick Mode
| > | 12:08:23 547 Failure Quick Mode
| > | 12:08:23 543 Main Mode Ended
| > | 12:08:23 541 Main Mode Established
| > | 12:09:26 547 Failure Quick Mode
| > |
| > | And on and on.. re negotiating the SA every few seconds rather than hours.
| > | The actual error is:
| > |
| > | Event Type: Failure Audit
| > | Event Source: Security
| > | Event Category: Logon/Logoff
| > | Event ID: 547
| > | Date: 9/7/2006
| > | Time: 12:04:23 AM
| > | User: NT AUTHORITY\NETWORK SERVICE
| > | Computer: SGT-SBS
| > | Description:
| > | IKE security association negotiation failed.
| > | Mode:
| > | Data Protection Mode (Quick Mode)
| > |
| > | Filter:
| > | Source IP Address xxx.xxx.xxx.40
| > | Source IP Address Mask 255.255.255.255
| > | Destination IP Address 192.168.17.0
| > | Destination IP Address Mask 255.255.255.0
| > | Protocol 0
| > | Source Port 0
| > | Destination Port 0
| > | IKE Local Addr xxx.xxx.xxx.40
| > | IKE Peer Addr xx.x.xx.130
| > | IKE Source Port 500
| > | IKE Destination Port 500
| > | Peer Private Addr
| > |
| > | Peer Identity:
| > | Preshared key ID.
| > | Peer IP Address: xx.x.xx.130
| > |
| > | Failure Point:
| > | Me
| > |
| > | Failure Reason:
| > | IKE SA deleted before establishment completed
| > |
| > | Extra Status:
| > | Processed third (ID) payload
| > | Initiator. Delta Time 63
| > | 0x0 0x0
| > | For more information, see Help and Support Center at
| > | http://go.microsoft.com/fwlink/events.asp.
| > |
| > | The SonicWall error:
| > | 09/07/2006 10:53:31.528 IKE Responder: IPSec proposal does not match
| > | (Phase 2) xxx.xxx.xxx.40 xx.x.xx.130 xxx.xxx.xxx.40/32 -> 192.168.17.0/24
| > | 09/07/2006 10:53:31.528 IKE Responder: No match for proposed remote
| > | network address xxx.xxx.xxx.40 xx.x.xx.130 xxx.xxx.xxx.40/32
| > |
| > |
| > | The thing is, I know the proposal settings are correct. And I had this exact
| > | same firewall and Server setup in my test environment before live deployment
| > | and I did not get any such errors (though I also did not extensively test
| > | the stability of the VPN)
| > |
| > | To make sure that it was not caused by some ISP issue, I moved them from
| > | their T1 provider (same provider at both locations) to business cable ISP
| > | (same provider). While the cable access is faster, the stability problem
| > | remains unchanged.
| > |
| > | Please, does anyone have any experience with unstable VPNs using ISA
| > | server?
| > |
| > | Thanks,
| > | Buddy G
| > |
| > |
| > |
| > |
| >
| >
|
|
|
|
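The churn described in this thread (541/543/547 events every few seconds instead of hourly) can be detected from the security-log excerpt above. This is an added example, not code from either poster; the sample lines are constructed to mirror the excerpt, and 3600 s is the SAIdleTime / SonicWall "SA Life" value the thread settles on.

```python
# Added example: flag IKE SA churn from ISA security-log lines. The sample
# lines are constructed to mirror the excerpt in the thread; 3600 s is the
# SAIdleTime / SonicWall "SA Life" value discussed there.
import re
import statistics
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """\
12:04:23 547 Failure Quick Mode
12:04:23 543 Main Mode Ended
12:04:23 541 Main Mode Established
12:04:52 542 Quick Mode Ended
12:05:00 541 Quick Mode Established
12:05:26 547 Failure Quick Mode
12:05:26 543 Main Mode Ended
12:05:26 541 Main Mode Established
12:06:29 547 Failure Quick Mode
12:08:23 547 Failure Quick Mode
12:08:23 543 Main Mode Ended
12:08:23 541 Main Mode Established
12:09:26 547 Failure Quick Mode
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})\s+(\d{3})\s+(.+)$")


def parse_events(text):
    """Return [(time, event_id, description)] for each well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t = datetime.strptime(m.group(1), "%H:%M:%S")
            events.append((t, int(m.group(2)), m.group(3)))
    return events


def ike_churn_report(events, sa_lifetime_s=3600, min_failures=3):
    """With a 3600 s SA lifetime, Main Mode Established (541) should appear
    about hourly. A median gap far below the lifetime plus repeated Quick Mode
    failures (547) means the peers keep tearing the SA down and renegotiating,
    which is what a phase 2 proposal mismatch looks like in this log."""
    counts = Counter(eid for _, eid, _ in events)
    mm = [t for t, eid, d in events if eid == 541 and d.startswith("Main Mode")]
    gaps = [(b - a).total_seconds() for a, b in zip(mm, mm[1:])]
    median_gap = statistics.median(gaps) if gaps else None
    churn = (counts[547] >= min_failures and median_gap is not None
             and median_gap < sa_lifetime_s / 10)
    return {"counts": dict(counts), "median_mm_gap_s": median_gap, "churn": churn}
```

Run against the sample it reports five 547 failures and a median of 120 s between Main Mode establishments, so the tunnel is flagged; after the fix in the thread the gaps should sit near 3600 s and the flag clears.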