Re: VPN not working when i connect through SBS 2003 server running ISA 2004
- From: "Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 10 Nov 2006 11:46:55 -0500
Do me a favor and post back your results when you get it figured out. It's
going to bug me not knowing what caused this.
"Roger Cook" <roger-nospam-or-junk-at-redpuma.co.uk> wrote in message
news:OUCJpmFBHHA.4592@xxxxxxxxxxxxxxxxxxxxxxx
I've raised a support incident with Microsoft to try and get this sorted.
Thanks for the help though.
Roger Cook
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:%233asmOCBHHA.1012@xxxxxxxxxxxxxxxxxxxxxxx
Any help here?
Client computers cannot access external resources, and event ID 14147
appears in the Application log in ISA Server 2006 or in ISA Server 2004
http://support.microsoft.com/default.aspx?scid=kb;en-us;884496
"Roger Cook" <roger-nospam-or-junk-at-redpuma.co.uk> wrote in message
news:%23Gnz5s%23AHHA.4864@xxxxxxxxxxxxxxxxxxxxxxx
Have just noticed this entry (Event ID: 14147; Source:Microsoft
Firewall) in the system log on the local server -
ISA Server detected routes through adapter External Area Connection that
do not correlate with the network element to which this adapter belongs.
For best practice, the address range of an ISA Server network should
match the address ranges routable through the associated network adapter
as defined in the routing table. Otherwise valid packets may be dropped
as spoofed. (This alert may occur momentarily when you create a remote
site network. You may safely ignore this message if it does not
reoccur.) The address ranges in conflict are:
192.168.26.12-192.168.26.12;192.168.26.255-192.168.26.255;.
The local ISA is set up with an internal subnet of 192.168.16.xx and an
external of 192.168.20.xx. The external NIC connects to a router which
is in turn connected to the internet. The remote network uses the
192.168.26.xx subnet.
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:uOxZ6R5AHHA.4844@xxxxxxxxxxxxxxxxxxxxxxx
A frustrating problem for sure. Anything helpful in the ISA logs at
either end, or the Security logs? I wonder if this is because you're
authenticated to your ISA as yourdomain\you, and you're trying to
connect to theirdomain\you. Absent that IP issue, it seems like
authentication is the only thing left, but I'm having a tough time
coming up with something specific to look at or change.
"Roger Cook" <roger-nospam-or-junk-at-redpuma.co.uk> wrote in message
news:%23WPWxI3AHHA.3540@xxxxxxxxxxxxxxxxxxxxxxx
I've tried playing around with the security settings to no avail. The
problem PCs (we have tested several within the network behind ISA)
will VPN (through ISA) to another network where there is a Draytek
router as the PPTP VPN endpoint.
The references to CHAP are presumably because it is the RASCHAP log!
I have looked in the other logs but I thought this one might be
particularly relevant as it was noticeably different between the two
connections. I too am starting to wonder if it is an authentication
problem - yet "vpning" from XP PCs elsewhere with the same credentials
and no fiddling with settings works OK.
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:u4RvDm2AHHA.4472@xxxxxxxxxxxxxxxxxxxxxxx
Is there any way you can try two connections from the same client PC?
It would be interesting to verify if the client PC that fails to
connect to the remote SBS through ISA can then connect when bypassing
ISA or not.
I'm not familiar with that log enough to make sense out of it, but it
appears that the remote SBS is not responding to the authentication
request. That would be consistent with the 619 error
http://www.chicagotech.net/vpnerrors.htm. I wonder if you could have
an issue with settings, which is why I'd like to see if the same PC
can connect directly but not through ISA. But, it seems like the
default settings on an XP desktop would work. I'm just thinking
security settings because of all the references to CHAP.
"Roger Cook" <roger-nospam-or-junk-at-redpuma.co.uk> wrote in message
news:OQk4wL2AHHA.4428@xxxxxxxxxxxxxxxxxxxxxxx
No - they are on different subnets - I was looking at the log files
in the tracing directory on the remote server and noticed that there
seems to be communication but that RASCHAP.log for instance shows
quite different entries
==================
RASCHAP.LOG on remote SBS VPN server
when connecting from problem PC on local network through ISA - VPN
gives error 619
[4280] 11-08 16:30:23:336: ChapBegin(fS=1,bA=0x81)
[4280] 11-08 16:30:23:336: ChapBegin done.
[4280] 11-08 16:30:23:336: ChapMakeMessage,RBuf=00000000
[4280] 11-08 16:30:23:336: CS_Initial...
[4280] 11-08 16:30:23:336: MakeChallengeMessage...
01 00 00 1E 10 05 0E 2D D3 64 EF 97 E4 4B 9D F7 |.......-.d...K..|
21 C3 D5 0D 7D 53 42 53 53 45 52 56 45 52 00 00 |!...}SBSSERVER..|
[4280] 11-08 16:30:23:398: ChapEnd
when connecting from PC connected outside ISA direct to router - VPN
works
[4280] 11-08 16:36:48:552: ChapBegin(fS=1,bA=0x81)
[4280] 11-08 16:36:48:552: ChapBegin done.
[4280] 11-08 16:36:48:552: ChapMakeMessage,RBuf=00000000
[4280] 11-08 16:36:48:552: CS_Initial...
[4280] 11-08 16:36:48:552: MakeChallengeMessage...
01 00 00 1E 10 BA DB 17 70 EB 95 CB 3A AB E3 BA |........p...:...|
B6 C9 15 D6 A5 53 42 53 53 45 52 56 45 52 00 00 |.....SBSSERVER..|
[4280] 11-08 16:36:48:614: ChapMakeMessage,RBuf=00FD1ECA
[4280] 11-08 16:36:48:614: CS_ChallengeSent...
[4280] 11-08 16:36:48:630: ChapMakeMessage,RBuf=00000000
[4280] 11-08 16:36:48:630: Result=0,Tries=2
[4280] 11-08 16:36:48:630: CS_Done...
03 00 00 2E 53 3D 37 45 33 30 36 39 33 35 41 35 |....S=7E306935A5|
41 42 38 30 44 37 42 34 36 34 44 30 42 41 39 32 |AB80D7B464D0BA92|
31 42 39 31 35 33 38 46 45 43 43 33 32 44 00 00 |1B91538FECC32D..|
====================
"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:euxxR31AHHA.1196@xxxxxxxxxxxxxxxxxxxxxxx
Are both SBS networks using 192.168.16.x addressing? If so,
changing one of them to a different subnet should resolve this.
And thanks to SBS MVP Steven Teiger for this info.
"Roger Cook" <roger-nospam-or-junk-at-redpuma.co.uk> wrote in
message news:evBfCuyAHHA.3380@xxxxxxxxxxxxxxxxxxxxxxx
Right
All this relates to PPTP VPNs and the XP PC is using the SecureNAT
client, which I believe is the appropriate client for VPN usage.
I can VPN to the desired network (call it network 1) from another
machine (XP) that is connected directly to the router, i.e. bypassing
ISA 2004.
I can also VPN to another (not the desired) network (call it
network 2 - a test network) through ISA where the VPN endpoint is
a Draytek router. This would seem to confirm that there is no
problem with communication on 1723 and with GRE.
Telnetting to port 1723 on network 1 seems to elicit a connection.
HOWEVER PPTP Ping does NOT confirm a GRE connection as the test
data is not passed.
So - I cannot VPN through ISA to the desired network 1 where the
endpoint is another SBS 2003 server (behind its own ISA 2004
firewall). I can however VPN to this network 1 from another
external PC and indeed by bypassing ISA as mentioned above.
The errors I get are 619 except when testing from the server
itself which results in a 628 error.
I am assuming that the PPTP Ping failure is key to this but cannot
understand why GRE would be a problem if I can make a PPTP
connection to the other test network. You might conclude from this
that there is a problem with GRE at the remote end but as I can
connect to it when bypassing ISA at this end that does not seem
logical either.
Does anyone have any ideas?
(There is an active outbound rule for PPTP in ISA)