Solved

PPTP won't pass through ISA2004 + Firebox X Edge

Posted on 2007-03-29
2
1,203 Views
Last Modified: 2013-11-16
I'm having trouble getting PPTP traffic to pass through a Watchguard Firebox X Edge (on the remote side) and ISA 2004 (on my side) to a Windows 2003 RRAS box.

I can connect fine if I bypass the ISA server on my side, and similarly I can connect successfully through the ISA to many other PPTP VPN servers (including ones that are behind other Watchguards...).

It seems this particular combination of Watchguard and ISA 2004 doesn't pass PPTP through. I get error 691 on the VPN client and the Watchguard logs "deny in eth0 40 tcp 20 237 <ISA 2004 IP> <VPN internal IP> 40392 1723 ack rst (Non-est TCP)"

An extensive search of the web has shown a number of people with this issue on various combinations of firewalls...only changing the firewall at one end appears to help but I'd rather avoid that.

Any ideas?
0
Comment
Question by:nigelmh
2 Comments
 
LVL 22

Accepted Solution

by:
rickhobbs earned 250 total points
ID: 18827331
Your only option is to see if there is updated software for the Watchguard.  Some combinations just do not work and if you work out the number of hours you spend trying to fix it by your hourly rate you will probably find it is a lot cheaper to replace it than continue to fight it.   I would still check the software update first.  Sometimes it is a known problem that is addressed in an update.  You could also call Watchguard as they may know about the problem and have a non-public fix for it.
0
 

Author Comment

by:nigelmh
ID: 18828062
You're right Rick. It wouldn't be so bad if the Watchguard didn't insist on using Watchguard's own VPN client to connect to it, but 'no client software deployment' is an absolute requirement in this case, so I can't go to the Watchguard and now I can't go through it!

I'm thinking of replacing it with a Checkpoint Safe@Office. I'm just hoping that won't break the two s2s vpn tunnels connecting it to their other offices...
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Suggested Solutions

On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

759 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now