Windows 2003 AD + Exchange 2003 over Cisco VPN Concentrator - Email doesn't work


We have recently migrated some remote users to our 2003 AD domain however we are now experiencing problems where the users cannot connect to Outlook 2003 via VPN.

We are using Cisco VPN client 3.6 and 4.05 - It's probably a 50-50 mixture.

Users used to be able to connect fine when we were using our Windows NT domain, Exchange 5.5 and Outlook 2003.

Users dial in via the Cisco VPN client and go into our Cisco VPN Concentrator, then they are authenticated against the concentrator and routed through our Cisco PIX depending on their user permissions. At this point they are inside our network. When they try and load up Outlook 2003 and do a send/receive it tries for ages and just sits at 50%. Never goes further.

When we route the users via the German VPN they can connect to email fine. The only difference is the Germany network is not yet on AD and they are using BIND DNS servers not Microsoft ones.

Any ideas, has anyone experienced this before is there a change we need to make to the PIX or to the Exchange server?

I did some packet sniffing via Ethereal and it seems that our clients are trying to access our domain controller via Kerberos using port 88, however the SYNs are sent but no ACKs are received. Could this be a problem?

Look forward to solutions ;-)

Jandakel2 Commented:
I think a good place to start would be to check the Checkpoint firewall settings vs. the PIX settings.  Then I would turn ethereal on and isolate a conversation for an attempted VPN session, and do the same for one of the successful VPN connections and compare the two.  The DNS ports and maybe LDAP may be something to look at also (I believe they are listed in that link)

Hmmmm this is quite a weird problem.....  The DNS definitely sounds like it could be an issue, as DNS and AD go hand in hand.  Are you using Exchange Client on the machines, or are they POP'ing mail?


Firewall wise, these are the ports that Exchange uses.  Do the clients going through the German VPN filter through the PIX also?


Sorry for the multiple posts....I keep thinking of things.....Something else you can do is to turn on all the logging for dropped and received packets on the 2003 server, as this will give you a pretty good indication of the traffic being dropped, what port etc.  Windows Firewall settings > Advanced > Security Logging
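The asker's Ethereal observation (SYNs to the domain controller on Kerberos port 88 with no reply) and Jandakel2's suggestion to isolate conversations from a failed and a successful session both come down to the same check: which TCP connections from the VPN client never get a SYN/ACK back. The script below is an added example, not code from the thread; it parses a constructed, tshark-style packet summary (hypothetical sample addresses, not from the original capture) and lists the unanswered connection attempts by destination port, labelled with the AD service that port normally carries.

```python
import re
from collections import defaultdict

# AD ports the thread mentions (Kerberos 88, DNS, LDAP) plus RPC/SMB; used only to label findings.
AD_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 389: "LDAP", 445: "SMB"}

# Constructed sample in a "src > dst proto sport dport flags" shape (hypothetical, not from the thread).
SAMPLE_CAPTURE = """\
10.8.0.15 > 10.1.1.5 TCP 1045 88 S
10.8.0.15 > 10.1.1.5 TCP 1045 88 S
10.8.0.15 > 10.1.1.5 TCP 1045 88 S
10.8.0.15 > 10.1.1.5 TCP 1047 389 S
10.1.1.5 > 10.8.0.15 TCP 389 1047 SA
10.8.0.15 > 10.1.1.5 TCP 1047 389 A
10.8.0.15 > 10.1.1.5 TCP 1050 135 S
"""

LINE_RE = re.compile(r"^(\S+) > (\S+) (TCP|UDP) (\d+) (\d+) (\S+)$")

def parse_capture(text):
    """Parse summary lines into (src, dst, proto, sport, dport, flags) tuples."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            src, dst, proto, sport, dport, flags = m.groups()
            rows.append((src, dst, proto, int(sport), int(dport), flags))
    return rows

def unanswered_syns(rows):
    """Map (client, server, dport, service) -> number of SYNs that never saw a SYN/ACK."""
    syns = defaultdict(int)   # per-connection SYN counts, keyed by the client-side 4-tuple
    answered = set()          # client-side 4-tuples for which a SYN/ACK came back
    for src, dst, proto, sport, dport, flags in rows:
        if proto != "TCP":
            continue
        if flags == "S":
            syns[(src, dst, sport, dport)] += 1
        elif flags == "SA":   # reply comes from the server, so flip it to the client's view
            answered.add((dst, src, dport, sport))
    result = defaultdict(int)
    for (client, server, sport, dport), n in syns.items():
        if (client, server, sport, dport) not in answered:
            result[(client, server, dport, AD_PORTS.get(dport, "unknown"))] += n
    return dict(result)

if __name__ == "__main__":
    for (client, server, dport, svc), n in sorted(unanswered_syns(parse_capture(SAMPLE_CAPTURE)).items()):
        print(f"{client} -> {server}:{dport} ({svc}): {n} SYN(s), no SYN/ACK - check the firewall path")
```

Run it once against a capture from the PIX path and once from the Checkpoint path; ports that show up only in the first run are the rules to compare.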
georgecooldude (Author) Commented:
Hi Jandakel2,

We're using Exchange client on the machines with Outlook 2003. Have checked all the ports on the link and they all look good. Most are added.

The German VPN is the same Cisco VPN Concentrator (slightly older IOS), however they are routed through a Checkpoint firewall. The servers don't have Windows Firewall turned on so we can't enable logging that way.
georgecooldude (Author) Commented:
Solved the problem using Ethereal. Looks like AD DNS is going to the wrong places. Changed some things on the firewall and all working OK.