Solved

Unable to hit web server from VPN

Posted on 2009-03-29
Medium Priority
795 Views
Last Modified: 2013-12-23
We have a web server running accounting software which suddenly is unable to be reached by VPN users. We have recently moved over to Active Directory from NT 4.0. I am able to ping the server through the VPN, and nslookup works fine. For some reason when I try to pull up the server in IE, I just get "page not displayed". I can access it without issue on site.

VPN Concentrator is a 3000 series Cisco.
Question by:zreisman
8 Comments
 
LVL 2

Expert Comment

by:icsi_wiz
ID: 24013778
What OS are your clients? Have you tried a win 2000 client?

From NT to  AD is the only change?

What OS is the webserver?

LVL 1

Author Comment

by:zreisman
ID: 24013804
Clients are XP. I believe one of the few 2000 clients did complain that she couldn't get on.
NT to AD, there have been a lot of changes. In the middle of a major migration.
Web Server is 2003 R2.

I checked the Directory Security tab on the IIS server to see if it was only accepting from the local subnet or something, but it seems fine.
LVL 1

Author Comment

by:zreisman
ID: 24014068
The following errors show up in the Event log on the client when connected to VPN.
NT5B is the webserver.


Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            3/29/2009
Time:            4:04:07 PM
User:            N/A
Computer:      DB1595
Description:
The Security System could not establish a secured connection with the server DNS/tempex.domain.local.  No authentication protocol was available.
Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            3/29/2009
Time:            4:04:07 PM
User:            N/A
Computer:      DB1595
Description:
The Security System detected an attempted downgrade attack for server DNS/tempex.domain.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".
Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            3/29/2009
Time:            3:57:26 PM
User:            N/A
Computer:      DB1595
Description:
The Security System could not establish a secured connection with the server HTTP/nt5b.  No authentication protocol was available.
Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            3/29/2009
Time:            3:57:26 PM
User:            N/A
Computer:      DB1595
Description:
The Security System detected an attempted downgrade attack for server HTTP/nt5b.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".
Event Type:      Warning
Event Source:      DnsApi
Event Category:      None
Event ID:      11194
Date:            3/29/2009
Time:            3:54:53 PM
User:            N/A
Computer:      DB1595
Description:
The system failed to update and remove host (A) resource records (RRs) for network adapter
with settings:

   Adapter Name : {B0CFC05B-07AF-4F67-9C4A-82FB1E0EEBCA}
   Host Name : db1595
   Primary Domain Suffix : DOMAIN.local
   DNS server list :
           192.168.3.1
   Sent update to server : 192.1.1.1
   IP Address(es) :
     192.168.5.10

 The reason for this failure is because the DNS server sent the update either (a) does not support the DNS dynamic update protocol, or (b) the authoritative zone for the DNS domain name specified in these A RRs does not currently accept DNS dynamic updates.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: b4 05 00 00               ´...    
LVL 1

Author Comment

by:zreisman
ID: 24014742
Apparently it is not just the web services. I cannot connect to network shares via VPN either.
LVL 1

Author Comment

by:zreisman
ID: 24014747
Comes up with the same Kerberos / No logon server available errors when trying to hit a share.
LVL 2

Assisted Solution

by:icsi_wiz
icsi_wiz earned 400 total points
ID: 24014761
That error message is pretty specific. You're having an issue communicating with your authentication servers; however, that's a pretty vague answer...

I would look at the following discussion, it reads like it could be relevant, and an easy thing to check:
http://x220.win2ktest.com/forum/post.asp?method=TopicQuote&TOPIC_ID=4417&FORUM_ID=8
LVL 1

Accepted Solution

by:
zreisman earned 0 total points
ID: 24014952
Resolved on own. Remote sites could not authenticate properly due to fragmentation of Kerberos UDP packets. Tested the registry setting to force Kerberos over TCP on a laptop.

You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:

   1. Start Registry Editor.
   2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
      Note: If the Parameters key does not exist, create it now.
   3. On the Edit menu, point to New, and then click DWORD Value.
   4. Type MaxPacketSize, and then press ENTER.
   5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
   6. Quit Registry Editor.
   7. Restart your computer.

That worked out, so I imported the ADM and added a group policy for remote computers.

http://support.microsoft.com/default.aspx?scid=kb;en-us;244474
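As an added example (written here for this page, not code from the thread, from Microsoft's KB article, or from the VPN vendor), the following PowerShell script does on one client what the accepted answer describes by hand: it first looks for the LSASRV 40960/40961 SPNEGO warnings that were pasted above, so you can confirm the symptom is the Kerberos "no logon servers" failure rather than an IIS or DNS problem, then reports the current MaxPacketSize value under the Lsa\Kerberos\Parameters key, and only with -Apply sets it to 1 as in the KB procedure. It assumes an elevated PowerShell prompt on a Vista-or-later client (Get-WinEvent does not exist on the XP clients in the thread, where Event Viewer serves the same purpose); the -Apply switch and the 24-hour lookback window are choices made for this example. Note that Windows Vista and later already use TCP for Kerberos by default, so the registry change mainly matters for XP/2003-era clients like the ones discussed here; a reboot is still required after the change.

```powershell
# Added example, not from the thread or from KB 244474.
# Usage:  .\Check-KerberosTcp.ps1            (report only)
#         .\Check-KerberosTcp.ps1 -Apply     (set MaxPacketSize = 1, then reboot)
#         .\Check-KerberosTcp.ps1 -Apply -WhatIf   (preview the registry change)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply   # without -Apply the script changes nothing
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$valueName = 'MaxPacketSize'

# 1. Evidence: the SPNEGO warnings quoted in the thread. Event 40960 carries the
#    Kerberos failure code, e.g. 0xc000005e ("no logon servers available");
#    40961 is the matching "could not establish a secured connection".
$since  = (Get-Date).AddDays(-1)          # lookback window chosen for this example
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 40960, 40961
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*LsaSrv*' }   # source shows as LSASRV/LsaSrv

if ($events) {
    Write-Host ("Found {0} SPNEGO warning(s) since {1}:" -f @($events).Count, $since)
    foreach ($e in $events) {
        # first line of the message names the target SPN, e.g. HTTP/nt5b
        "{0}  ID={1}  {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0]
    }
} else {
    Write-Host "No LsaSrv 40960/40961 warnings found since $since."
}

# 2. Current setting. A missing key or value means the OS default applies
#    (UDP for tickets up to 2000 bytes on XP/2003; TCP by default on Vista and later).
$current = $null
if (Test-Path $keyPath) {
    $current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
}
if ($null -eq $current) {
    Write-Host "Current ${valueName}: <not set> (OS default)"
} else {
    Write-Host "Current ${valueName}: $current"
}

# 3. Remediation from the accepted answer: MaxPacketSize = 1 forces Kerberos over TCP,
#    which avoids the UDP fragmentation that the VPN path was dropping.
if ($Apply) {
    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", 'Set DWORD value to 1')) {
        if (-not (Test-Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null      # KB note: create Parameters if absent
        }
        New-ItemProperty -Path $keyPath -Name $valueName -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Host "Set $valueName = 1. Restart the computer for the change to take effect."
    }
}
```

Running the report-only form on a healthy client and on an affected one side by side is the quickest way to tie the "page not displayed" symptom to the Kerberos failure before touching the registry; once the per-machine test succeeds, the same value is what the thread's author pushed out by Group Policy to the remote computers.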
LVL 2

Expert Comment

by:icsi_wiz
ID: 24062374
Sweet answer. I can't wait till I need to use it!