waweiwi asked:

CISCO VPN client 4.0.2A with novell client 4.83 SP2 problem "Tree or server Not found"

Hi,
I have Novell 4.11 with NetWare/IP, and an Internet connection with a Cisco PIX firewall (I installed a VPN to access our servers remotely via the Internet).

The nwip worked fine without the VPN connection (firewall).

The VPN connection is working fine with Microsoft and Linux servers, but when I tried to connect to Novell I couldn't browse the tree or server and I got "Tree or server not found".

I used an Internet dialup connection without VPN, and after that I can log in to the Novell server, but with VPN I couldn't access the Novell server only, while the entire network is accessible.

Any suggestions?

Thanks
 
waweiwi (ASKER)

I want to add that I can ping the Novell server through the VPN connection but I can't log in.
PsiCop

NetWare/IP (NWIP) on v4.11 is garbage. Sorry, I love most of Novell's products, but NWIP was moronic. It is NOT a pure IP transport (that is, it's not NCP over IP). What it does is take NCP over IPX and encapsulate it in IP. Tons of overhead and a nightmare to troubleshoot.

Have you considered moving to NetWare v5? The advantage is that v5 uses IP natively - no more NWIP (which isn't even a Novell-supported product any more - neither is NetWare v4.11 for that matter). It would make your life a lot easier and, in general, the same hardware that handles NetWare v4 can handle v5 (i.e. this would probably not be a "forklift" upgrade).

If you're determined to stick with v4.11/NWIP, can you be more specific about your environment? Support Packs? Client versions? Client configurations? My guess is that the NWIP client is not routing through the VPN tunnel.
Ooops. Wait, you said you can ping but can't login.

Does your VPN setup do any port filtering? I can't remember what they are, but NWIP does use ports between 1024 and 2048. Make sure they're not blocked.
A true VPN shouldn't block any ports within the tunnel, IMO.

Anyway, since NWIP isn't pure IP, I'm wondering if you're using the Novell client on the client side of the tunnel, and if so does the client have NWIP installed and configured?
You could also consider NetWare 6, which gives you nifty standards-based web-enabled things like iFolder, or 6.5, which has even more web-enabled accessibility.  In addition, you should, conceivably, be able to access your server through the VPN with NFAP, which allows you to connect without using the Novell client, just native Windows protocols.
ASKER CERTIFIED SOLUTION
DSPoole
This solution is only available to members.
oh, when you do move to a newer version of NetWare (I suggest 6) then you will need this:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10071836.htm

TCP/UDP Ports used by NetWare
waweiwi (ASKER)

Hi,

First I used nwip in the pure IP network (private IP network), and it's working fine. I used a dialup connection to the ISP (PPP connection) and it's working fine. Just when I install PIX and the VPN connection, I couldn't get in to a server.

You know if I want to upgrade I will need a license, which means an extra fee.

Regarding my installation :
Novell 4.11 spack 7
novell client ver 4.83 SP2
windows 2000 SP4
cisco VPN client 4.0.2(A) (No filters, Group Auth, Transport IpSec/UDP)
PIX ver 6.2

I can ping the Novell server, access Linux services, and access the Windows domain, but can't log in to the Novell server.

waweiwi (ASKER)

I forgot to add info for nwip. It's ver nwip4 2.2C
"cisco VPN client 4.0.2(A) (No filters, Group Auth, Transport IpSec/UDP)"

Have you tried adding TCP to the transport?
Reread the comment from DSPoole about NWIP over VPN compatibility, then plan for the upgrade.

If you can afford Win2K you should be able to afford NW6.  NW6 licensing structure has changed; it's no longer tied to a server.

Once you upgrade your licenses to NW6/eDirectory, you can set up as many servers as you want without paying a cent more.  All you pay for is the initial server license upgrade and the initial eDirectory user-object license upgrade, and any additional eDirectory seats as your environment grows.

Then, think about using BorderManager VPN instead of PIX - Novell has solved the NAT-ted client problem that IPSec VPNs can't handle.
waweiwi,

Again, Novell doesn't support NetWare/IP for use over a VPN -

NW/IP encapsulates the IPX information for TRANSPORT across TCP/IP - then breaks it out to achieve IPX-based authentication.

VPNs typically encapsulate or encrypt the TCP/UDP packets across IP networks, thus breaking NW/IP.

As such, and according to Novell, you *CANNOT* use NetWare/IP for use over a VPN.

The only solution is to upgrade your NetWare 4.x server to a NetWare 5.x/6.x environment, which uses Pure IP for authentication/NCP - at that point, you can VPN into your NetWare environment to your heart's content.

However, I once had a Bay Networks VPN box and a mixed NetWare 4.x/5.x environment running on IPX.  I believe (it's been awhile) that I was able to use the BorderManager box for RADIUS authentication via a dialup from my house and connect to the Bay Networks VPN box, and then authenticate via IPX to the servers.  I may be wrong (again, it's been awhile) but why don't you try to encapsulate your IPX protocols via the VPN client on your workstation and see if you can authenticate that way from home.  Might work, might not.  Won't cost you anything but time to try.
waweiwi (ASKER)

Hi,

I believe it's time to upgrade.

My plan is to install Novell 5.x/6.x in my NDS tree, but my questions are:

I can access 4.x and SFT (I have 4.x, SFT servers) from the VPN connection when I will connect to Novell 5.x/6.x?

I can add a Novell 6 server to the existing NDS? I tried but I got a login error (I installed nw4sp9 in my master NDS replica).

Thanks
SOLUTION
This solution is only available to members.
PsiCop -

Is it possible that access to the 4.x system would be enabled by use of SCMD on the 5x/6x box?
PsiCop/Waweiwi,

You CAN have NetWare 4.11/4.2 and NetWare 6 in the same tree, I do it.

However, DS on the NetWare 4.11/4.2 boxes must be at the latest level and ONLY the NetWare 6 box can have replicas on it - do NOT put any replicas on the NetWare 4.11/4.2 boxes.

Also, if you deploy NetWare 6, you can install NetStorage and NetWare WebAccess - you can get to your files on your servers (or NetWare 5.1 servers) with a web browser.  Install iPrint and you can print to your printers in the office from home as well.

who needs a VPN?

Also, NetWare 6 comes with a "SFT" replacement called clustering - free.  You get a two-node cluster out of the box.

DSPoole - re: 4.x & 6 in same tree:

Yep, that's how I can have an AXIS CDROM server running an old version of NDS as part of my NetWare 6 tree - 'cause it doesn't have a replica...
DSPoole,

I'm sure YOU can. Should every Tom, Dick and Harry managing a network try to do it? Probably not. Unless there's a specific reason for waweiwi to run v4 and v6 together, it's a configuration best avoided.

I'm approaching this from the perspective of giving advice on what's BEST to do. Just because something CAN be done doesn't mean it ought to be done in a given environment.
What about every Tom, Dick and Waweiwi? ;-}
Bad, ShineOn, Bad bad.
PsiCop - there are no issues with a mixed NetWare 4.11/4.2 and NetWare 5.1 and NetWare 6.0 environment - as long as you are running the latest DS.NLM on 4.11/4.2...

for NetWare 4.11/4.2 - you want to be running DS.NLM 6.17 (Aug 21, 2002)

Do not attempt to put a NetWare 4.10 or 4.0x server into the tree.

Also, as long as the NetWare 4.11/4.2 server has NO replicas of ANY sort - it's fine to run.

I got my info from Novell before I did it to my network.

Also, the Master Replicas should be running on the NetWare 6.0 box and Read/Writes on the NetWare 6.0 or NetWare 5.1 boxes.

I'm also running NDS 6 (NetWare 4.2), NDS 7 (NetWare 5.1) and eDirectory 8.6 (NetWare 6) in my environment in the same tree.  I figure if *I* can do it, anyone can, including Tom, Dick, Harry and Waweiwi... ;)
Meesa sorreee.
I'm sure the Experts Exchange rules permit execution of people imitating Jar-Jar. :-)
If youssa put dee master replica on daa nw6/5 box. and youssa keep aneee new stuffs off da NW4 box, is it not hokay to get files offa da nw4 box for long time still?
EE no like Gungan?
<Ahem.>

Sorry about that.  Psychotic break.  Oh, the humanity!
ShineOn,

In ENGLISH, please...
OK.  Sorry.

If you keep your DS master and RW replicas off of the NW4.x platform, you should continue to be able to access the data residing on the NW4.x platform within the tree, as long as you do not attempt to add any services to the NW4.x server.

Better?
Granted, that's not the ideal situation, but if Waweiwi is planning to migrate over time to NW6, there shouldn't be a long-term issue having nw4.x in the mix, as long as the DS is as current as possible and there is no replica stored on the 4.x.
Correct - you can still access any data from the NetWare 4.x server (although not from NetWare WebAccess/NetStorage).  Also, you can still add services to that server.  It's like any other NetWare server in your tree without a replica (you don't put replicas on ALL your servers, do you?)

However, without a replica you will lose Bindery Emulation (and access to the server from any service that requires Bindery - including the Microsoft-supplied Client for NetWare Networks).
That should, as I alluded to, allow Waweiwi to use SCMD in the short term to access the data on the 4.x server(s) over the 'web.

I still advocate looking into BorderManager VPN as a better alternative to PIX VPN.   It's also a better overall firewall/proxy/nat...
The reference to adding services is in light of differences in schema.  You don't want to add services that extend the 4.x RECMAN schema if your master is an 8x eDirectory on NW6x...
Aaack aack aaack -

that was me choking on the idea of anyone using the Microsquish-supplied "client for NetWare networks."

You also don't want to add services to NW4.x that extend or rely on DS 8.x FLAIM extensions... (of course...)
At this juncture, I would strongly recommend migration to NetWare 6.  If any NetWare 4.x is to remain, it must be relegated to file services only.  All other processes should be upgraded to current NW and DS support levels, or you're just asking for trouble.  Probably what PsiCop was alluding to...
ShineOn - any service that extends the schema is going to contact the Master Replica to do so.
To Waweiwi:

Anyway, although the original question *was* essentially answered,  (see PsiCop's comment 7/17 6:48am pdt)  here is the upshot on the subsequent questions and answers, IMO (opposing or clarifying opinions are welcome):

>> My plan to install novell 5.x/6.x in my NDS tree but my questions are.
>> I can access 4.x and SFT (I have 4.x,SFT servers) from the VPN connection when i will connect to novell 5.x/6.x ?

Yes, via SCMD, but you should migrate to NW6x ASAP regardless.

>> I can add novell 6 server to existing NDS, I tried but i got login error (I installed nw4sp9 in my master NDS replica) ?

You need to prep NW4.x DS prior to installing NW6.  The DS versions are radically different in engine and schema and need to be migrated properly. You must have missed something when you tried to install a NW6 server in your tree.  The biggest thing I can think of is that NW6 cannot use RECMAN and you MUST migrate your DS to FLAIM as part of adding NW6.  The first NW6 server then has to become the holder of your Master DS replica, because the new DS schema must be in control.

How to do that M*U*S*T be another question!!!!!
DSPoole -

Yes, but the DS Engine and local schema may still be unable to handle the extension(s) that weren't designed for that version.  Even though you don't have a local replica, you still have a local DS Schema based on the DS version your server is running, in order to manage local resources.

If I am wrong in that assessment, I'd like to know where I erred.
Now I don't feel so invisible.
Meesa know how to spek. ;D
somebody beam "Jar-Jar" into a bulkhead...
How woode.
energize, Mr. Scott.
I was thinking of using him for reaction-mass in a matter/anti-matter drive - oops, wait, wrong SF universe.....
I'll just have to use some Bene-Gesserit Prahna-Bindu on you...  Oops, not that universe either...
we could drop Jar-Jar into a quantum singularity and be done with it!  (That's Star Trek for 'blackhole')
That's not just Star Trek for black hole...  That's what a quantum singularity is.  Period.  Ask any quantum physicist.
Which has nothing whatever to do with Waweiwi's questionS.
Nor does how close we can get to the event horizon before time appears to stand still...
touuuuuuuuchy!
Is that Touch-Eee or Tooo-Shay?
touch-eeeeeeeeeeeeeeeeeeee

tooo-shay would have been:

touche'!

;)
Touche'
This question has been classified as abandoned.  I will make a recommendation to the moderators on its resolution in approximately one week.  I would appreciate any comments by the experts that would help me in making a recommendation.

It is assumed that any participant not responding to this request is no longer interested in its final disposition.

If the asker does not know how to close the question, the options are here:
https://www.experts-exchange.com/help.jsp#hs5

ShineOn
EE Cleanup Volunteer
I will leave the following recommendation for this question in the Cleanup topic area:

Split: DSPoole {http:#8929744} & PsiCop {http:#8942582}

Please leave any comments here within the next four days.
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

ShineOn
EE Cleanup Volunteer