Forefront TMG/ISA ISPEC help needed

Not sure how that would work so watching with interest :)

I'm having to make assumptions about the setup of course.

If the Back-to-Back DMZ has to stay for a reason then the Tunnel will terminate at the DLink boxes on each end,..which dumps the VPN users into the DMZ instead of the LAN.  Then the routing relationship between Internal and External needs to be changed to "routed" so the user dumped into the DMZ can access the LAN.

But I'm hoping that the Back-to-Back DMZ can be eliminated,...hence eliminating the DLink boxes,...and no one will have to worry about why they keep droping the connection.  I'd rather eliminate the DLink boxes instead of troubleshooting them which I can not really do anyway.

Now maybe the DLinks can do VPN Passthrough and let the tunnel terminate at the ISA (maybe he's doing that, maybe he isn't,...it isn't clear),..but the DLinks would still be involved and I don't trust them.

Argh, i knew i would fail to explain correctly. I have attached a speedily crafted network diagram from an online diagram thingy, don't have visio loaded.

As you can see, i should have explained better!

On One end, forefront has a public IP address via a half-bridged modem. On the other end(2 remote offices), are Dlink modems connected via full bridged modems. Each Dlink, and Forefront has a Public IP.

The VPN's do terminate correctly, and stay online rock solid - UNTIL someone puts load on the connection.

As for the Dlinks, they maintained rock solid VPN connections to our office while we had a Cisco 857W at the helm, only since swapping to Forefront have we had this problem. If you could advise how i can configure a logging filter so as to actually see the errors/flow when the vpn is going down, that would be great. Based on a bunch of testing it appears to me that the connection fails on the forefront, and this is NOT communicated to the remote end - the remote end seems to just  attempt to re-initiate an existing tunnel, whereas forefront is waiting for Phase 1 IKE to be initiated again - rebooting the DLinks fixes this immediately as they start the VPN process from Phase 1 agian.

In the URL's i linked, they talked about Forefront not transmitting data about packets larger than the MTU being split, or something - i honestly have no understanding at all, i've implemented a firewall policy that is supposed to allow PMTU data packets to flow, it seems to have had no effect. The one thing of note is that i can ping from computers behind the Dlinks (remote ends) with packets of any size, and data flow completes successfuly, i cannot ping with a packet any larger than the functional MTU of the Forefront end, if trying from The local end, to a pc in the remote end.

I understand my usage of terminology is potentailly way off the mark, just doing the best i can to progress on this.

Based on the fact that the vpn comes online, allows bi-directional data flow, and will maintain this until placed under heavy load, i'd say the actual vpn configurations on both ends are fine. It seems that forefront is doing something nasty under heavy load.... Thats what i figure anyway, and i have no solution - which is why i'm here:)

Many thanks, Charles

Thanks for the clarification. And I think you did a fine job of explaining that.  I'd like to know what the online drawing program was :-)

Anyway, Keith,..this sound like a job just for you :-)

Download and install Wireshark please on the ISA box. Run two captures - (one against each nic) and lets see exactly what is going on when the connection craps out. Don't put any filters on the capture. yes, it is going to be horribly big but you can select AFTER the capture the relevant info to post up.

I have not used FTMG on EBS but assume it is a somewhat cut-down version of the proper FTMG product.
If you are uncomfortable about installing Wireshark then use the ISA repro function to capture a trace directly.

have you been using the FTMG monitors (start - programs - ftmg - performance etc to view the actions and identify at what level the drop-out takes place at? is it consistent? variable?

Hi Guys,

The program was called... lovelycharts.com, signup is inline during loading the flash interface - quite cool.

Keith, I'll download and install wireshark and start it running now. Hopefully the logs dont get too large before there is a dropout, but i'll try to cause heavy load and dropouts. I am not sure how cut down the EBS forefront is, it is NOT enterprise version, but may well be the standard version.

I'll be totally honest, i have no idea how to interpret the performance monitor. I was atempting to configure the live logging in the FTMG manager to report on ipsec and IKE data flow, but it never showed a single thing...

I'll get wireshark running and try to remove anything too far before the dropout to keep sizes down, thanks for the tips - back soon!

Charles

Hi,

I ran the logs on both NiC's, one file is drastically bigger than the other, and i wasn't game to crop them incase i took out things you need. I dont know which card is which! both showed up with the same name in wireshark, different MAC's though which i guess i could have used to trace them.

Keith, can you give me an email where i can provide you with the important IP's, and links to donwload the log files? Might be best not to put that up on here?

Charles

Look in my profile Charles.

www.lovelycharts.com

Thanks you sir...

This is flagged as abandoned, so update:

Keith is helping via email, once conclusion is reached, it will be posted here:)