Solved

Unable to hit web server from VPN

Posted on 2009-03-29
Last Modified: 2013-12-23
We have a web server running accounting software which suddenly cannot be reached by VPN users. We have recently moved over to Active Directory from NT 4.0. I am able to ping the server through the VPN, and nslookup works fine. For some reason, when I try to pull up the server in IE, I just get "page not displayed". I can access it without issue on site.

VPN Concentrator is a 3000 series Cisco.
Question by:zreisman
8 Comments
 
LVL 2

Expert Comment

by:icsi_wiz
ID: 24013778
What OS are your clients? Have you tried a Windows 2000 client?

Is NT to AD the only change?

What OS is the web server?

 
LVL 1

Author Comment

by:zreisman
ID: 24013804
Clients are XP. I believe one of the few 2000 clients did complain that she couldn't get on.
NT to AD: there have been a lot of changes. We are in the middle of a major migration.
The web server is 2003 R2.

I checked the Directory Security tab on the IIS server to see if it was only accepting connections from the local subnet or something, but it seems fine.
 
LVL 1

Author Comment

by:zreisman
ID: 24014068
The following errors show up in the Event log on the client when connected to VPN.
NT5B is the webserver.


Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            3/29/2009
Time:            4:04:07 PM
User:            N/A
Computer:      DB1595
Description:
The Security System could not establish a secured connection with the server DNS/tempex.domain.local.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            3/29/2009
Time:            4:04:07 PM
User:            N/A
Computer:      DB1595
Description:
The Security System detected an attempted downgrade attack for server DNS/tempex.domain.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            3/29/2009
Time:            3:57:26 PM
User:            N/A
Computer:      DB1595
Description:
The Security System could not establish a secured connection with the server HTTP/nt5b.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            3/29/2009
Time:            3:57:26 PM
User:            N/A
Computer:      DB1595
Description:
The Security System detected an attempted downgrade attack for server HTTP/nt5b.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      DnsApi
Event Category:      None
Event ID:      11194
Date:            3/29/2009
Time:            3:54:53 PM
User:            N/A
Computer:      DB1595
Description:
The system failed to update and remove host (A) resource records (RRs) for network adapter
with settings:

   Adapter Name : {B0CFC05B-07AF-4F67-9C4A-82FB1E0EEBCA}
   Host Name : db1595
   Primary Domain Suffix : DOMAIN.local
   DNS server list :
           192.168.3.1
   Sent update to server : 192.1.1.1
   IP Address(es) :
     192.168.5.10

 The reason for this failure is because the DNS server sent the update either (a) does not support the DNS dynamic update protocol, or (b) the authoritative zone for the DNS domain name specified in these A RRs does not currently accept DNS dynamic updates.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: b4 05 00 00               ´...    
 
LVL 1

Author Comment

by:zreisman
ID: 24014742
Apparently it is not just the web services.   I cannot connect to network shares via VPN either.
 
LVL 1

Author Comment

by:zreisman
ID: 24014747
Comes up with the same Kerberos / No logon server available errors when trying to hit a share.
 
LVL 2

Assisted Solution

by:icsi_wiz
icsi_wiz earned 100 total points
ID: 24014761
That error message is pretty specific. You're having an issue communicating with your authentication servers; however, that's a pretty vague answer...

I would look at the following discussion, it reads like it could be relevant, and an easy thing to check:
http://x220.win2ktest.com/forum/post.asp?method=TopicQuote&TOPIC_ID=4417&FORUM_ID=8
 
LVL 1

Accepted Solution

by:zreisman
zreisman earned 0 total points
ID: 24014952
Resolved this on my own. Remote sites could not authenticate properly due to fragmentation of Kerberos UDP packets. I tested the registry setting that forces Kerberos over TCP on a laptop.

You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:

   1. Start Registry Editor.
   2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
      Note If the Parameters key does not exist, create it now.
   3. On the Edit menu, point to New, and then click DWORD Value.
   4. Type MaxPacketSize, and then press ENTER.
   5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
   6. Quit Registry Editor.
   7. Restart your computer.


That worked, so I imported the ADM and added a group policy for the remote computers.

http://support.microsoft.com/default.aspx?scid=kb;en-us;244474
 
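The following script is an added example, not code from the original thread or from KB244474. It checks a client for the two LSASRV warnings pasted above and applies the MaxPacketSize=1 change from the accepted solution only when those warnings are present, so the registry edit is tied to the symptom rather than pushed blindly. Two caveats worth stating: the "attempted downgrade attack" wording of event 40960 is SPNEGO falling back from Kerberos to NTLM, and with failure code 0xc000005e over a VPN it almost always means the UDP Kerberos reply (which grows with the user's group membership in the PAC) was fragmented and dropped, not that anyone was tampering; and Windows Vista and later already use TCP for Kerberos by default, so the change only matters on the XP/2003-era clients discussed in this thread. Assumptions: an elevated PowerShell 2.0 or later session on the client, Get-EventLog (which works on XP, unlike Get-WinEvent), and the registry path from KB244474; the SPN regex relies on Microsoft's event text as shown above.

```powershell
# Added example (not from the original thread or KB244474). Audits the local
# client for LSASRV 40960/40961 warnings and applies MaxPacketSize=1 only if
# they are present. Assumes an elevated PowerShell 2.0+ session on the client.

$KerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosSpnegoWarnings {
    param([int]$Days = 1)
    # 40960: Kerberos failed and SPNEGO fell back ("attempted downgrade attack")
    # 40961: no authentication protocol was available for the target SPN
    Get-EventLog -LogName System -Source LSASRV -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
        Where-Object { @(40960, 40961) -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, @{ n = 'TargetSpn'; e = {
            # Pull the SPN (e.g. HTTP/nt5b or DNS/tempex.domain.local) out of the message text.
            if ($_.Message -match 'server (\S+?)\.?\s') { $Matches[1] } else { '' } } }
}

function Get-KerberosMaxPacketSize {
    # $null means the value is absent, i.e. the XP/2003 default (UDP for small requests).
    if (Test-Path $KerbKey) {
        (Get-ItemProperty -Path $KerbKey -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
    }
}

function Set-KerberosUseTcp {
    # MaxPacketSize = 1 makes every request exceed the UDP size threshold, so the client uses TCP.
    if (-not (Test-Path $KerbKey)) { New-Item -Path $KerbKey -Force | Out-Null }
    New-ItemProperty -Path $KerbKey -Name MaxPacketSize -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Warning 'MaxPacketSize set to 1; the change takes effect after a reboot, as in KB244474.'
}

$warnings = @(Get-KerberosSpnegoWarnings -Days 1)
$current  = Get-KerberosMaxPacketSize

"SPNEGO warnings (40960/40961) in the last 24h: $($warnings.Count)"
$warnings | Format-Table -AutoSize
"Current MaxPacketSize: $(if ($null -eq $current) { '<not set>' } else { $current })"

if ($warnings.Count -gt 0 -and $current -ne 1) {
    Set-KerberosUseTcp
}
```

For a fleet, the value belongs in the Group Policy the author describes rather than in a per-machine script; the script is useful for confirming, on one affected laptop, that the symptom and the fix line up before the policy is rolled out. Note that the DWORD is written as decimal 1, matching step 5 of the KB procedure.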
LVL 2

Expert Comment

by:icsi_wiz
ID: 24062374
Sweet answer. I can't wait until I need to use it!
