Solved

Unable to hit web server from VPN

Posted on 2009-03-29
Last Modified: 2013-12-23
We have a web server running accounting software which suddenly cannot be reached by VPN users. We have recently moved over to Active Directory from NT 4.0. I am able to ping the server through the VPN, and nslookup works fine. For some reason, when I try to pull up the server in IE, I just get "page not displayed". I can access it without issue on site.

VPN Concentrator is a 3000 series Cisco.
Question by:zreisman
8 Comments
 
LVL 2

Expert Comment

by:icsi_wiz
ID: 24013778
What OS are your clients? Have you tried a win 2000 client?

From NT to  AD is the only change?

What OS is the webserver?

 
LVL 1

Author Comment

by:zreisman
ID: 24013804
Clients are XP. I believe one of the few 2000 clients did complain that she couldn't get on.
NT to AD, there have been a lot of changes. In the middle of a major migration.
Web Server is 2003 R2.

I checked the directory security tab on the IIS server to see if it was only accepting from the local subnet or something, but it seems fine.
 
LVL 1

Author Comment

by:zreisman
ID: 24014068
The following errors show up in the Event log on the client when connected to VPN.
NT5B is the webserver.


Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            3/29/2009
Time:            4:04:07 PM
User:            N/A
Computer:      DB1595
Description:
The Security System could not establish a secured connection with the server DNS/tempex.domain.local.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            3/29/2009
Time:            4:04:07 PM
User:            N/A
Computer:      DB1595
Description:
The Security System detected an attempted downgrade attack for server DNS/tempex.domain.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            3/29/2009
Time:            3:57:26 PM
User:            N/A
Computer:      DB1595
Description:
The Security System could not establish a secured connection with the server HTTP/nt5b.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            3/29/2009
Time:            3:57:26 PM
User:            N/A
Computer:      DB1595
Description:
The Security System detected an attempted downgrade attack for server HTTP/nt5b.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      DnsApi
Event Category:      None
Event ID:      11194
Date:            3/29/2009
Time:            3:54:53 PM
User:            N/A
Computer:      DB1595
Description:
The system failed to update and remove host (A) resource records (RRs) for network adapter
with settings:

   Adapter Name : {B0CFC05B-07AF-4F67-9C4A-82FB1E0EEBCA}
   Host Name : db1595
   Primary Domain Suffix : DOMAIN.local
   DNS server list :
           192.168.3.1
   Sent update to server : 192.1.1.1
   IP Address(es) :
     192.168.5.10

 The reason for this failure is because the DNS server sent the update either (a) does not support the DNS dynamic update protocol, or (b) the authoritative zone for the DNS domain name specified in these A RRs does not currently accept DNS dynamic updates.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: b4 05 00 00               ´...    
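The 40960/40961 pairs above are the SPNEGO negotiator reporting that Kerberos failed for a given SPN and that no other package could be negotiated; the "downgrade attack" wording is the generic text for any Kerberos-to-fallback transition, not evidence of an attacker. When several remote clients show the same pattern, it helps to pull the events out of the System log and group them by SPN and Kerberos failure code before touching anything. The following triage script is an added example, not part of the original thread; it assumes a current Windows client (Get-WinEvent, Windows Vista or later), that the events still live in the System log under provider LSASRV, and that the message text uses the same "for server <SPN>" and "(0x...)" wording shown above.

```powershell
<#
  Added example, not from the original thread.
  Pulls SPNEGO warnings 40960/40961 from the System log and summarises
  which SPNs failed with which Kerberos status code, so a fleet-wide
  VPN/MTU problem (same 0xc000005e against every SPN) can be told apart
  from a single broken service account or SPN.
  Assumption: provider name 'LSASRV', System log, message text as on the page.
#>
param(
    [int]$Hours = 24   # how far back to look; assumed default
)

$since = (Get-Date).AddHours(-$Hours)

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'LSASRV'
    Id           = 40960, 40961
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No SPNEGO 40960/40961 warnings in the last $Hours hours."
    return
}

$rows = foreach ($e in $events) {
    $msg = $e.Message -replace "`r?`n", ' '
    # "for server HTTP/nt5b." / "with the server DNS/tempex.domain.local."
    $spn  = if ($msg -match 'server\s+(\S+?)\.\s') { $Matches[1] } else { '(unparsed)' }
    # Kerberos NTSTATUS quoted in 40960, e.g. (0xc000005e); 40961 carries none.
    $code = if ($msg -match '\((0x[0-9A-Fa-f]{8})\)') { $Matches[1] } else { '-' }
    [pscustomobject]@{
        Time = $e.TimeCreated
        Id   = $e.Id
        SPN  = $spn
        Code = $code
    }
}

# One line per (SPN, status) with a count: many SPNs sharing 0xc000005e
# ("no logon servers available") points at the path to the KDC, not the SPN.
$rows |
    Group-Object SPN, Code |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='SPN';  e={ $_.Group[0].SPN }},
        @{n='Code'; e={ $_.Group[0].Code }},
        @{n='First'; e={ ($_.Group | Sort-Object Time)[0].Time }},
        @{n='Last';  e={ ($_.Group | Sort-Object Time)[-1].Time }} |
    Format-Table -AutoSize
```

Run it on an affected client while connected to the VPN, then again on a LAN-connected client; if the codes only appear over the VPN and every SPN shows the same status, the transport to the KDC is the suspect rather than any one service.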
 
LVL 1

Author Comment

by:zreisman
ID: 24014742
Apparently it is not just the web services.   I cannot connect to network shares via VPN either.
 
LVL 1

Author Comment

by:zreisman
ID: 24014747
Comes up with the same Kerberos / No logon server available errors when trying to hit a share.
 
LVL 2

Assisted Solution

by:icsi_wiz
icsi_wiz earned 400 total points
ID: 24014761
That error message is pretty specific. You're having an issue communicating with your authentication servers, however that's a pretty vague answer.....

I would look at the following discussion, it reads like it could be relevant, and an easy thing to check:
http://x220.win2ktest.com/forum/post.asp?method=TopicQuote&TOPIC_ID=4417&FORUM_ID=8
 
LVL 1

Accepted Solution

by:zreisman
zreisman earned 0 total points
ID: 24014952
Resolved on own.    Remote sites could not authenticate properly due to fragmentation of Kerberos UDP packets.   Tested registry setting to force Kerberos over TCP on laptop.  

You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:

   1. Start Registry Editor.
   2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
      Note If the Parameters key does not exist, create it now.
   3. On the Edit menu, point to New, and then click DWORD Value.
   4. Type MaxPacketSize, and then press ENTER.
   5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
   6. Quit Registry Editor.
   7. Restart your computer.


 That worked out so I imported the ADM and added a group policy for remote computers.  

http://support.microsoft.com/default.aspx?scid=kb;en-us;244474
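The accepted answer's registry steps are easy to apply blindly, so here is the same procedure as an added PowerShell example (not from the thread or from KB 244474) that first checks the two things that make the fix meaningful: that TCP/88 to a domain controller is actually reachable through the tunnel, and that full-size datagrams really are being fragmented on the VPN path. It then sets MaxPacketSize=1 under the Kerberos Parameters key and purges cached tickets. Assumptions: it runs elevated on the client; $Kdc is a placeholder for a real domain controller; Test-NetConnection and Get-NetIPInterface need Windows 8 / Server 2012 or later (the XP-era clients in the thread would use the manual steps above instead). One caveat worth knowing: Windows Vista and later already use TCP for Kerberos by default, so this value mostly matters for XP/2003 clients or for hosts where it was explicitly set.

```powershell
<#
  Added example, not from the original thread or KB 244474.
  Diagnose Kerberos UDP fragmentation across a VPN and, if confirmed,
  force Kerberos over TCP with MaxPacketSize=1.
  Assumptions (placeholders, not from the page): $Kdc is a reachable DC,
  the script runs as Administrator, Windows 8 / Server 2012 or later.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$Kdc = 'dc1.domain.local',   # assumed KDC hostname; use your own DC
    [int]$ProbeBytes = 1472              # ICMP payload that fills a 1500-byte MTU
)

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# 1. Forcing TCP only helps if TCP/88 to the KDC is open through the VPN.
$tcp = Test-NetConnection -ComputerName $Kdc -Port 88 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP/88 to $Kdc is not reachable; fix the VPN/firewall path before changing MaxPacketSize."
}

# 2. Show the MTU of each connected interface: a tunnel adapter with a small
#    NlMtu is why a large AS-REP/TGS-REP (big PAC) no longer fits one UDP datagram.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Select-Object InterfaceAlias, NlMtu |
    Format-Table -AutoSize

# 3. Probe the path with the DF bit set. "needs to be fragmented" means
#    full-size datagrams cannot cross the tunnel without fragmentation.
$pingOut    = & ping.exe -n 2 -f -l $ProbeBytes $Kdc 2>&1
$fragmented = [bool]($pingOut -match 'needs to be fragmented')

# 4. Current value: missing or 0 means the OS default (UDP first on XP/2003).
$current = (Get-ItemProperty -Path $KerbParams -Name MaxPacketSize `
            -ErrorAction SilentlyContinue).MaxPacketSize
Write-Host "Fragmentation on path to ${Kdc}: $fragmented; current MaxPacketSize: $current"

if ($fragmented -and $current -ne 1) {
    if ($PSCmdlet.ShouldProcess($KerbParams, 'Set MaxPacketSize=1 (Kerberos over TCP)')) {
        if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
        Set-ItemProperty -Path $KerbParams -Name MaxPacketSize -Value 1 -Type DWord
        # Drop cached tickets so the next AS/TGS request uses the new transport.
        # Older clients (the XP boxes in the thread) still need a reboot.
        & klist.exe purge | Out-Null
        Write-Host 'MaxPacketSize set to 1. Purge done; reboot older clients, then retest the share and the IIS site.'
    }
}
elseif (-not $fragmented) {
    Write-Host 'No fragmentation seen on the VPN path; look elsewhere (KDC reachability, DNS, time skew) before forcing TCP.'
}
```

Run with -WhatIf first to see the decision without writing the registry. The same value can be pushed to remote-only machines with Group Policy Preferences (a Registry item pointing at the key above) rather than the ADM template the answer mentions, which avoids hand-editing each laptop.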
 
LVL 2

Expert Comment

by:icsi_wiz
ID: 24062374
sweet answer. I can't wait till I need to use it!