Solved

Unable to hit web server from VPN

Posted on 2009-03-29
8
776 Views
Last Modified: 2013-12-23
We have a web server running accounting software which suddenly is unable to be reached by VPN users.   We have recently moved over to Active Directory from NT4.0.   I am able to ping the server through the VPN, and nslookup works fine.    For some reason when I try to pull up the server in IE, I just get page not displayed.  I can access it without issue on site.  

VPN Concentrator is a 3000 series Cisco.
0
Comment
Question by:zreisman
  • 5
  • 3
8 Comments
 
LVL 2

Expert Comment

by:icsi_wiz
ID: 24013778
What OS are your clients? Have you tried a win 2000 client?

From NT to  AD is the only change?

What OS is the webserver?

0
 
LVL 1

Author Comment

by:zreisman
ID: 24013804
Clients are XP.    I believe one of the few 2000 clients did complain that she couldnt get on.
NT to AD, there have been a lot of changes.  In the middle of major migration.
Web Server is 2003 R2.

I check the directory security tab on the IIS server to see if it was only accepting from the local subnet or something but it seems fine.  
0
 
LVL 1

Author Comment

by:zreisman
ID: 24014068
The following errors show up in the Event log on the client when connected to VPN.
NT5B is the webserver.


Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            3/29/2009
Time:            4:04:07 PM
User:            N/A
Computer:      DB1595
Description:
The Security System could not establish a secured connection with the server DNS/tempex.domain.local.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            3/29/2009
Time:            4:04:07 PM
User:            N/A
Computer:      DB1595
Description:
The Security System detected an attempted downgrade attack for server DNS/tempex.domain.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            3/29/2009
Time:            3:57:26 PM
User:            N/A
Computer:      DB1595
Description:
The Security System could not establish a secured connection with the server HTTP/nt5b.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            3/29/2009
Time:            3:57:26 PM
User:            N/A
Computer:      DB1595
Description:
The Security System detected an attempted downgrade attack for server HTTP/nt5b.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Warning
Event Source:      DnsApi
Event Category:      None
Event ID:      11194
Date:            3/29/2009
Time:            3:54:53 PM
User:            N/A
Computer:      DB1595
Description:
The system failed to update and remove host (A) resource records (RRs) for network adapter
with settings:

   Adapter Name : {B0CFC05B-07AF-4F67-9C4A-82FB1E0EEBCA}
   Host Name : db1595
   Primary Domain Suffix : DOMAIN.local
   DNS server list :
           192.168.3.1
   Sent update to server : 192.1.1.1
   IP Address(es) :
     192.168.5.10

 The reason for this failure is because the DNS server sent the update either (a) does not support the DNS dynamic update protocol, or (b) the authoritative zone for the DNS domain name specified in these A RRs does not currently accept DNS dynamic updates.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Data:
0000: b4 05 00 00               ´...    
0
 
LVL 1

Author Comment

by:zreisman
ID: 24014742
Apparently it is not just the web services.   I cannot connect to network shares via VPN either.
0
Free Trending Threat Insights Every Day

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 1

Author Comment

by:zreisman
ID: 24014747
Comes up with the same Kerberos / No logon server available errors when trying to hit a share.
0
 
LVL 2

Assisted Solution

by:icsi_wiz
icsi_wiz earned 100 total points
ID: 24014761
That error message is pretty specific. You're having an issue communicating with your authentication servers, however that's a pretty vague answer.....

I would look at the following discussion, it reads like it could be relevant, and an easy thing to check:
http://x220.win2ktest.com/forum/post.asp?method=TopicQuote&TOPIC_ID=4417&FORUM_ID=8
0
 
LVL 1

Accepted Solution

by:
zreisman earned 0 total points
ID: 24014952
Resolved on own.    Remote sites could not authenticate properly due to fragmentation of Kerberos UDP packets.   Tested registry setting to force Kerberos over TCP on laptop.  

You can change MaxPacketSize to 1 to force the clients to use Kerberos traffic over TCP. To do this, follow these steps:

   1. Start Registry Editor.
   2. Locate and then click the following registry subkey:
      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ Kerberos\Parameters
      Note If the Parameters key does not exist, create it now.
   3. On the Edit menu, point to New, and then click DWORD Value.
   4. Type MaxPacketSize, and then press ENTER.
   5. Double-click MaxPacketSize, type 1 in the Value data box, click to select the Decimal option, and then click OK.
   6. Quit Registry Editor.
   7. Restart your computer.


 That worked out so I imported the ADM and added a group policy for remote computers.  

http://support.microsoft.com/default.aspx?scid=kb;en-us;244474
0
 
LVL 2

Expert Comment

by:icsi_wiz
ID: 24062374
sweet answer. I can't wait till I need to use it!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Trying to figure out group policy inheritance and which settings apply where can be a chore.  Here's a very simple summary I've written which might help.  Keep in mind, this is just a high-level conceptual overview where I try to avoid getting bogge…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now