Yiogi

asked on

Outgoing VPN not working with ISA 2006

Hi!
I recently installed a new ISA 2006 server.
The installation was successful and configuration also.
Everything works OK, clients can access the internet and all relevant policy rules are defined and seem to work.
Outgoing VPN is not working.
I mean, I created the policies allowing the internal network to connect through VPN with external servers but the connections still get rejected by the firewall.
When I monitor the logs on the firewall, it says that the connection is rejected using the rule that was supposed to allow the connection and gives an error 0x0 Error_Success.
I tried all combinations I could think of. I even tried to allow my computer an any to any rule, but still cannot connect outside through VPN.
I also tried various solutions I found on the internet, with no success.
I have no idea of what to do next. The policies are verified and are correct but still everything works except VPN.
Any help would be appreciated.
Thanks in advance
Keith Alabaster

What client are you using and what transport?
Have you fully patched ISA with the ISA2006 updates?
If the rule you have put in is causing the block then ISA recognises the traffic as meeting the condition you have set, i.e. type and direction of flow, but another criterion is failing - have you put authentication on that outbound rule or have you used the All Users authenticator?
Are you using the ISA firewall client?
Yiogi

ASKER

Hi
I am using PPTP and the Windows client.
ISA is not patched, no.
I am using the All Users authenticator and also using the ISA firewall client.
Any ideas?
Thanks for the reply.

ASKER

ISA is fully patched now.
Still it doesn't work.
Any ideas furthermore?
Thanks!!
Please post the detail of the rule you are using IN FULL
Open the ISA GUI, select Monitoring - Logging - click Start Query - what is seen in the real-time monitor when a connection attempt is made?
Please post the full result of the couple of lines involved.

ASKER

All right.
The rule I am using is the following (by column name):

Order:1
Policy:Array
Name:VPN Connection
Action:Allow
Protocols:IKE Client,IPSec ESP,IPSec NAT-T Client,L2TP Client,PPTP
From:Internal
To:External
Condition:All Users

Attached you can find a spreadsheet containing the log of ISA server when trying to connect through VPN.
Thanks again!!

serverlog.xls
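The symptom in the thread is a connection logged as denied while the matched rule is the Allow rule that was meant to permit it. The script below is an added example (not from the thread or from ISA itself) that pulls exactly those entries out of a log export and summarises them by protocol and destination, which is the view Keith is asking for. The tab-separated layout, the sample lines and the rule-to-action table are constructed assumptions, not ISA's real W3C log schema.

```python
"""Find log entries that were Denied although the matched rule is an Allow rule.
Format is an assumed, simplified tab-separated layout (constructed for this example)."""
from collections import Counter

# Constructed sample lines: client-ip, dest-ip, protocol, action, rule, result-code
SAMPLE_LOG = """\
10.0.0.15\t203.0.113.7\tPPTP\tDenied Connection\tVPN Connection\t0x0 ERROR_SUCCESS
10.0.0.15\t203.0.113.7\tPPTP\tDenied Connection\tVPN Connection\t0x0 ERROR_SUCCESS
10.0.0.15\t198.51.100.4\tL2TP Client\tInitiated Connection\tVPN Connection\t0x0 ERROR_SUCCESS
10.0.0.22\t203.0.113.9\tHTTP\tInitiated Connection\tWeb Access\t0x0 ERROR_SUCCESS
10.0.0.30\t203.0.113.9\tSMTP\tDenied Connection\tDefault rule\t0x0 ERROR_SUCCESS
"""

# Rule name -> configured action, mirroring the rule the asker listed (assumed table)
RULE_ACTIONS = {"VPN Connection": "Allow", "Web Access": "Allow", "Default rule": "Deny"}

FIELDS = ("client", "dest", "proto", "action", "rule", "result")


def parse_log(text):
    """Parse the assumed format into dicts; malformed lines are skipped, not fatal."""
    rows = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, fields)))
    return rows


def denied_by_allow_rule(rows, rule_actions):
    """Entries that say Denied but whose matched rule is configured as Allow.
    These are the ones worth raising with the vendor or re-checking the rule's
    other conditions (users, schedule, content types) for."""
    return [r for r in rows
            if r["action"].startswith("Denied")
            and rule_actions.get(r["rule"]) == "Allow"]


def summarize(rows):
    """Count suspicious entries per (protocol, destination) pair."""
    return Counter((r["proto"], r["dest"]) for r in rows)


if __name__ == "__main__":
    hits = denied_by_allow_rule(parse_log(SAMPLE_LOG), RULE_ACTIONS)
    for (proto, dest), n in summarize(hits).items():
        print(f"{n}x {proto} to {dest} denied by an Allow rule")
```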

ASKER

Keith any ideas? Or any other experts? I need to get this resolved.

ASKER

Another thing I just found out. If I connect to a VPN network with a pre-shared IPSec key VPN works. All other networks that do not use a pre-shared key do not function.

I have also reformatted the machine and reinstalled windows and ISA from scratch. It still does NOT work no matter what rule I enable.
Sorry, been really busy at work and end of financial year so working on reports when I get home. I will look at this again tomorrow - promise - but my own work has to come first.

Keith
Interesting about the key. I assume this is an ipsec vpn based on your protocols yet the log shows a pptp vpn?

ASKER

Hi Keith and thanks for sticking by with this for so long.

The log is from a non ipsec vpn. However we do use ipsec ones as well. We have plenty of clients that give us VPN access so that we can work remotely on their systems. Only one of them is IPSec based (L2TP) and that one works.

Unfortunately if I cannot get this to work I simply cannot use ISA 2006. All users in the company, including me are still using the old ISA 2002 server where VPN works perfectly with the same rules.

I really do not know what else I can try. I have pretty much searched all the internet for any information that could help. I have found plenty of people with the same issue but no solutions yet.
Come on then, 'bring it on' LOL, let's see what we can do.

You say it works with pre-shared keys?
What are you changing?
What is providing the authentication when not using pre-shared?
How are you making the changes?
How is the other end set up?
Are you sure it's ISA that is the issue?
Does this work OK from your clients when outside ISA?
As a test, if you allow ALL protocols rather than just the security specifics on your rule, does it work then?

ASKER

Ok here are your answers:


You say it works with pre-shared keys?
We only have one client with a pre-shared key and that one works.
What are you changing?
I'm not changing anything it's just the default windows VPN. I tried changing pretty much all options there but none worked.
What is providing the authentication when not using pre-shared?
Just a username and password.
How are you making the changes?
Not sure what you mean here.
How is the other end set up?
Most clients have UNIX machines that act as firewalls but others have hardware firewalls as well.
Are you sure it's ISA that is the issue?
Yup. It works when the same clients connect using the good old ISA 2002 or when not using any ISA and going out directly.
Does this work OK from your clients when outside ISA?
Yup as above it does.
As a test, if you allow ALL protocols rather than just the security specifics on your rule, does it work then?
Nope it doesn't. I tried it still no luck.
Not sure if we are moving forward here.

Let's try it from a different tack. What if I create a VPN server here? It's lunchtime here so I have a few hours to spare. Check out my profile - this will give you an email address to give me your contact address etc. as I do not want to publish those details. When we sort it.... we can update this question with the results and method.
ASKER CERTIFIED SOLUTION
Yiogi

That's kind of you but the whole point of EE is to provide solutions - that's a solution for you and a solution for other askers in the future who may have a similar issue and need help and might be able to use this answer. We don't reward for effort - just completed results.

Just to explain that a little, the points are simply for fun and self-importance amongst my peers lol - nothing else. Besides, I already got my 1,000,000-point Genius ticket for ISA. So, as we did not come up with a solution, let's delete the question, refund your points and you can then use them for a different question later. - but thank you for the thought :)   The Mods will come and deal with it shortly for you.

Regards
Keith
Avatar of Yiogi

ASKER

I just believed, and still do to be honest, that after all that effort you went through you deserved the points. I acknowledge the fact that we didn't find a solution yes and that is why I didn't accept a solution by you but simply awarded points.

Anyway I won't argue about giving you the points or not, although I really don't need them for another question as I have the nice unlimited question points feature.

I suppose I'll accept my solution above and award no points this time.
Works for me :)

Catch you another time. I work practically all of the networking zones so I'll get 500 from you another time, I'm sure. Later :-)