OK, hang in there with me for this one......
Environment:
- Internal network of servers and hosts, all addressed in the 10.1.20.x block on a mask of 255.255.0.0.
- One server is a Microsoft ISA 2004 server, SP1, with two NICs - one internal, one external to DSL modem
- Clients are all student laptops running XP Pro, SP2 with the Microsoft VPN client configured via CMAK utility
- All client laptops are identical (imaged via Ghost, SID has been changed)
- All laptops work fine wirelessly on campus
- All laptops are joined to the domain (Active Directory)
- Group Policy forces all students to use ISA as the proxy server for content filtering/logging
Problem:
- Some (not all) of the clients can not connect the VPN client when they go home, can not connect at all
- Some (again, not all) of the students can connect the VPN client, but can not access any internal servers (thus browsers can not connect with the web proxy engine)
- Some work just fine
I have looked at this for 3 weeks, and can see no rhyme nor reason why some work, and some can't. I have created a "public" wireless router internal here for testing (connected to a separate internet circuit), and they all work fine from the test network.
I think I have it narrowed down to a DNS issue, but can't seem to pinpoint the
So, the million point question is thus: What could possibly be missing here?
Thank you in advance for your help!
Scott Sandstrom
IT Director
Guerin Catholic High School
Need some more information, budd...:).
1. Cannot connect at all.
What error do they get? "Access Denied" or maybe "Remote computer did not respond in a time fashion" etc. I think they are getting the second one....
2. The clients which are not working. Can they connect to the RRAS Server when they are inside the campus? (As a test).
For the clients which CAN connect: make sure that their internal network at home is not the same as your campus's internal networks, i.e. your campus network is 10.0.x.x/16. Their internal network at home must be different than your internal network. Although, this fact does not apply if they are using a public IP directly on the machine when they are at home.
Also, once they are connected... are they able to Telnet to ISA Server's internal IP, port 8080 (Web Proxy)?
And last but not least. You are using ISA 2004, then why don't you use the amazing feature of Monitoring...:) Something which we really missed in ISA 2000.
1. Most get timeout errors (you were correct).
2. Yes, all of them can connect from on-network. I am assuming that most of these students' wireless networks at home are left at defaulted LAN addressing of 192.168.x.x. I have assigned via ISA Manager, the addr range of 10.9.100.1-10.9.101.199 for VPN clients just in case someone is using a 10. network at home.
3. Telnet to proxy port! Hadn't thought of that one! I'll have some kids try it tonight.
4. Monitoring - Yes, it's a great feature of ISA 2004! That's how I knew some of them were working fine!
Here's some more interesting news: Last night, there were 47 alerts generated on the ISA manager. Without exception, every one of them had the same error: "The VPN connection attempt by user DOMAIN\userid from VPN client IP address xx.xx.xx.xx could not be established. The failure is due to error: 0xc0040021". Of course, MS has no help on the error!
For those students who can successfully connect, but can not browse, get Exchange to connect, etc. I think I had it narrowed down to a DNS issue.... they do not appear to have the internal DNS server when you do an IPCONFIG /ALL, thus why they can't connect by name to internal resources.
But one thing is sure interesting for the clients which can connect, it cannot be DNS on the client 'cause they don't need no DNS for Web. They are using WEB PROXY...:)...so are you saying it is DNS on ISA?? How is DNS configured on ISA itself? External NIC to ISP and internal to Internal DNS
OK, let me clarify the DNS situation.... I know for a fact that on the clients that can connect but can not browse, if they ping an internal site by name (i.e. they can not ping server1.guerincatholic.org
To answer your question, here's the config on the NICs:
INTERNAL INTERFACE
Physical Address: 00-04-23-BA-1D-1A
IP Address: 10.1.20.241
Subnet Mask: 255.255.0.0
Default Gateway:
DNS Server: 10.1.20.242
WINS Server:
EXTERNAL INTERFACE
Physical Address: 00-04-23-BA-1D-1B
IP Address: 64.132.94.123
Subnet Mask: 255.255.255.240
Default Gateway: 64.132.94.113
DNS Server:
WINS Server:
I know you accepted the answer but did it work..I mean is it what I thought It is...? :)
Amit.

Yes, you found the root cause... DNS resolution issues combined with the same A record names with different addresses inside vs. outside caused the problems.
I re-ran CMAK and created a new VPN client installer. I changed the vpn server host to a completely different name. I also set the CMAK options to restore original proxy server settings on disconnect. Finally, I had all the students install the new one, and... voilà! Works like it should! I normally have 200+ students connected every evening.... pretty cool stuff.... check out our website at http://www.guerincatholic.org.
Thanks again!
Scott
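
The checks discussed in this thread, as an added example that is not part of the original posts: it flags a home LAN that overlaps the campus or VPN-pool ranges, a connected client that was not handed the internal DNS server, and a VPN host name whose A record differs between the inside and outside DNS views. The address ranges and interface IPs are taken from the thread; the host names, client records and the name-to-address mapping are constructed assumptions.

```python
import ipaddress

# From the thread: campus LAN 10.1.20.x / 255.255.0.0, internal DNS, VPN client pool.
CAMPUS = ipaddress.ip_network("10.1.0.0/16")
INTERNAL_DNS = "10.1.20.242"
VPN_POOL = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("10.9.100.1"), ipaddress.ip_address("10.9.101.199")))

def overlaps(home_lan):
    """Return which campus-side ranges a client's home LAN collides with."""
    home = ipaddress.ip_network(home_lan, strict=False)
    hits = []
    if home.overlaps(CAMPUS):
        hits.append("campus")
    if any(home.overlaps(net) for net in VPN_POOL):
        hits.append("vpn-pool")
    return hits

def split_dns_conflicts(internal_view, external_view):
    """Names published in both DNS views whose A records differ."""
    shared = internal_view.keys() & external_view.keys()
    return sorted(n for n in shared
                  if set(internal_view[n]) != set(external_view[n]))

def triage(client, vpn_host, internal_view, external_view):
    """Collect findings for one client record (dict with constructed fields)."""
    findings = [f"home LAN overlaps {rng}" for rng in overlaps(client["home_lan"])]
    if client["vpn_connected"] and INTERNAL_DNS not in client["dns_servers"]:
        findings.append("internal DNS server not assigned over VPN")
    if vpn_host in split_dns_conflicts(internal_view, external_view):
        findings.append(f"{vpn_host} resolves differently inside and outside")
    return findings

# Constructed sample data: host names, the name-to-IP mapping and the
# client records are hypothetical; only the ISA interface IPs are from the thread.
INTERNAL_VIEW = {"vpn.school.example": ["10.1.20.241"],
                 "www.school.example": ["203.0.113.10"]}
EXTERNAL_VIEW = {"vpn.school.example": ["64.132.94.123"],
                 "www.school.example": ["203.0.113.10"]}
CLIENTS = [
    {"name": "laptop-a", "home_lan": "192.168.1.0/24",
     "vpn_connected": True, "dns_servers": ["192.168.1.1"]},
    {"name": "laptop-b", "home_lan": "10.0.0.0/8",
     "vpn_connected": False, "dns_servers": ["10.0.0.1"]},
]

if __name__ == "__main__":
    for c in CLIENTS:
        print(c["name"], triage(c, "vpn.school.example", INTERNAL_VIEW, EXTERNAL_VIEW))
```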