Why do some XP VPN clients connect to an IAS server, while others can not?

Greetings, experts!

OK, hang in there with me for this one......

Environment:
- Internal network of servers and hosts, all addressed in the 10.1.20.x block on a mask of 255.255.0.0.
- One server is a Microsoft ISA 2004 server, SP1, with two NIC's - one internal, one external to DSL modem
- Clients are all student laptops running XP Pro, SP2 with the Microsoft VPN client configured via CMAK utility
- All client laptops are identical (imaged via Ghost, SID has been changed)
- All laptops work fine wirelessly on campus
- All laptops are joined to the domain (Active Directory)
- Group Policy forces all students to use ISA as the proxy server for content filtering/logging

Problem:
- Some (not all) of the clients can not connect the VPN client when they go home, can not connect at all
- Some (again, not all) of the students can connect the VPN client, but can not access any internal servers (thus browsers can not connect with the web proxy engine)
- Some work just fine

I have looked at this for 3 weeks, and can see no rhyme nor reason why some work, and some can't.  I have created a "public" wireless router internal here for testing (connected to a seperate internet circuit), and they all work fine from the test network.

I think I have it narrowed down to a DNS issue, but can't seem to pinpoint the

So, the million point question is thus:  What could possibly be missing here?

Thank you in advance for your help!

Scott Sandstrom
IT Director
Guerin Catholic High School
scsandstromAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

rseitzzCommented:
My guess is that some of the users have cable/dsl routers that do not support VPN passthru (or misconfigured).

0
Amit BhatnagarSystems Development Principal - Security and InfrastructureCommented:
Hey Scott,

Need some more information, budd...:).
1. Cannot connect at all.
What error do they get? "Access Denied" or may be "Remote computer did not respond in a time fashion" etc. I think they are getting the second one....
2. The clients which are not working. Can they connect to the RRAS Server when they are inside the campus? (As a test).

For the clients which CAN connect. Make sure that their internal Network at home is not same as your Campus's internal Networks i.e. your Campus Network is 10.0.x.x/16. Their internal Network at home must be different that ur Internal Network. Although, this fact does not apply if they are using a public IP directly on the machine when they are at home.

Also, once they are connected...are they able to Telnet to ISA Server's internal IP Port. 8080 (Web Proxy).

And last but not least. You are using ISA 2004, then why don't you use the amazing feature of Monitoring...:) Something which we really missed in ISA 2000.
0
scsandstromAuthor Commented:
Thanks for the reply.... here is some additional info:

1.  Most get timeout errors (you were correct).  

2.  Yes, all of them can connect from on-network.  I am assuming that most of these students' wireless networks at home are left at defaulted LAN addressing of 192.168.x.x.  I have assigned via ISA Manager, the addr range of 10.9.100.1-10.9.101.199 for VPN clients just in case someone is using a 10. network at home.

3.  Telnet to proxy port!  Hadn't thought of that one!  I'll have some kids try it tonight.  

4.  Monitoring - Yes, it's a great feature of ISA 2004!  That's how I knew some of them were working fine!

Here's some more interesting news:  Last night, there were 47 alerts generated on the ISA manager.  Without exception, every one of them had the same error:  "The VPN connection attempt by user DOMAIN\userid from VPN client IP address xx.xx.xx.xx could not be established.  The failure is due to error:  0xc0040021".  Of course, MS has no help on the error!

For those students who can successfully connect, but can not browse, get Exchange to connect, etc.  I think I had it narrowed down to a DNS issue.... they do not appear to have the internal DNS server when you do a IPCONFIG /ALL, thus why they can't connect by name to internal resources.
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Amit BhatnagarSystems Development Principal - Security and InfrastructureCommented:
Time out probably means that GRE is blocked on their site. LCP negotiation is not taking place. In plain words, TCP 1723 is open but IP 47 is not

But one thing is sure interesting for the clients which can connect, it cannot be DNS on the client cause they don;t need no DNS for Web. They are using WEB PROXY...:)...so are you saying it is DNS on ISA?? How is DNS configured on ISA itself? External NIC to ISP and internal to Internal DNS
0
scsandstromAuthor Commented:
Hmmmm... GRE.... GRE has to be open on the ISA server, or none of the clients would work......  Now, home routers allowing GRE outbound.... that's a good point.... not sure how to check that one out.... perhaps query their parents as to the brand/model/firmware version on their home equipment.???

OK, let me clarify the DNS situation.... I know for a fact the on the clients that can connect but can not browse, if them ping an internal site by name (i.e. they can not ping server1.guerincatholic.org).  Here's another interesting thing that MAY be hosing things up... the web proxy is set to ghssrv006.guerincatholic.org.  I have defined an A record for that host with one address on the internal DNS server (10.1.20.x) and a different one on the internet (64.132.94.123).  For the clients that can connect but can not browse, if they ping ghssrv006.guerincatholic.org once connected, the external address is returned.

To answer your question, here's the config on the NIC's:
INTERNAL INTERFACE
Physical Address: 00-04-23-BA-1D-1A
IP Address: 10.1.20.241
Subnet Mask: 255.255.0.0
Default Gateway:
DNS Server: 10.1.20.242
WINS Server:



EXTERNAL INTERFACE
Physical Address: 00-04-23-BA-1D-1B
IP Address: 64.132.94.123
Subnet Mask: 255.255.255.240
Default Gateway: 64.132.94.113
DNS Server:
WINS Server:
0
Amit BhatnagarSystems Development Principal - Security and InfrastructureCommented:
I think you just gave me the answer...:) For those clients who resolve ghssrv006.guerincatholic.org. to the private IP can go to the Internet. The clients which are resolving ghssrv006.guerincatholic.org. to the external IP of ISA2004 CANNOT go to the Internet obviously because ISA is listening on the internal interface for Web Proxy Requests.

Have you tried changing the Group Policy so that it provides 10.1.20.241 port 8080 as Web Proxy rather than Host Name. Also, clients ping your external NIC from their place cause when they connect to the VPN they get two DNS Servers, one is your which is internal and the second which is Default's NIC DNS which is probably their Router. Router will forward that request directly to ISP and wallah...U get Public IP just like I did...:) from INDIA....:-D
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Amit BhatnagarSystems Development Principal - Security and InfrastructureCommented:
Hello Scott,
I know you accepted the answer but did it work..I mean is it what I thought It is...? :)

Amit.
0
scsandstromAuthor Commented:
Hey, Amit!  

Yes, you found the root cause... DNS resolution issues combined with the same A record names with different addresses inside vs. outside caused the problems.

I re-ran CMAK and created a new VPN client installer.  I changed the vpn server host to a completely different name.  I also set the CMAK options to restore original proxy server settings on disconnect.  Finally, I  had all the students install the new one, and... walla!  Works like it should!  I normally have 200+ students connected every evening.... pretty cool stuff.... check out our website at http://www.guerincatholic.org.

Thanks again!
Scott
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.