Solved

netbios-dgm/udp 138 138 PPTP Firebox denied 265 128 (Unhandled External Packet-00)

Posted on 2009-03-31
18
2,209 Views
Last Modified: 2013-11-16
I have a user that is able to connect to our network through a VPN without any problem, but as he is logged in I see the following denied messages in the traffic on our Watchguard x1250e firewall.

2009-03-31 04:59:15 Deny 192.168.6.91 255.255.255.255 netbios-dgm/udp 138 138 PPTP Firebox denied 265 128 (Unhandled External Packet-00)  src_user="rarmstrong@Firebox-DB" rc="101"       Traffic

The user is not able to connect to our Exchange server to open Outlook, although he was doing this before we had some Firewall problems. He is using Vista, Office 2007 and is able to see the Network, including our Exchange server. He can see shared folders, but Outlook cannot connect. The client error message is "Exchange server is unavailable".
0
Question by:Rgoodlett
18 Comments
 
LVL 1

Expert Comment

by:quinnjudge
ID: 24030781
It sounds like the PPTP rule is blocking some traffic.  What version of Fireware are you using?  What are the rules of the PPTP policy?  For us, we allow the policy type "Any", from a group called "PPTP-Users" to "Trusted".  Depending on how secure you need this connection, that may be the easiest thing to change.  Otherwise, you will need to figure out which ports to open up and to where, and go from there.
0
 

Author Comment

by:Rgoodlett
ID: 24031745
We are using Watchguard Service Manager 10.2.7 and Fireware 10.2.7.
Is the PPTP rule that you are referring to, called "Watchguard PPTP"?
In it we are allowing: From - Any =  To - Firebox.
0
 
LVL 1

Expert Comment

by:quinnjudge
ID: 24031844
That is the rule to allow the authentication to function.  There should be another rule that allows traffic from the PPTP users to the rest of the network.  On ours, we have a rule called "Allow PPTP VPN Users" from "PPTP-Users (Firebox-DB)" to "Any-Trusted".  It uses the "Any" policy type, so once you are authenticated, any and all traffic is allowed from the authenticated user to anywhere on the trusted network.

See if you have a policy like that, and let me know its specifics.
0
 

Author Comment

by:Rgoodlett
ID: 24032005
I have a rule called: Watchguard Authentication that uses WG-auth that is Any-Trusted to Firebox.
Another called: HTTPS that uses HTTPS that is From PPTP-Users to Any-External.

Is it one of these? I believe that the HTTPS is for the iPhone users.
0
 
LVL 1

Expert Comment

by:quinnjudge
ID: 24032067
Nope.

If you're willing, you can take a screen shot of Policy Manager and paste it here.  Make sure to go to View > Details, and then shrink down the From and To tabs for security reasons; I shouldn't need any of that info.

There should be some rule in there that is allowing traffic from the PPTP users to the Trusted network, so...
0
 

Author Comment

by:Rgoodlett
ID: 24032139
Here you are. This was working for everyone before we upgraded to WSM 10.2.7 & Fireware 10.2.7.
A Windows XP user logging in with the same credentials as the Vista user was able to connect to the Exchange server.
Policy-Manager.jpg
0
 
LVL 1

Expert Comment

by:quinnjudge
ID: 24032240
The "ANY-Incoming" policy should be the one allowing traffic.  I am assuming you are using the Firebox itself for authentication?  Or are you using Active Directory or RADIUS?  Let me know the specifics of that policy.
0
 

Author Comment

by:Rgoodlett
ID: 24032368
The Any-Incoming policy is: From - PPTP Users to Any-Trusted, Any-External

As far as authentication is concerned, Active Directory nor Radius is enabled. Just Firebox Authentication. Here is another group of snapshots.
Policy-Manager3.jpg
Policy-Manager1.jpg
Policy-Manager2.jpg
0
 
LVL 1

Expert Comment

by:quinnjudge
ID: 24032818
Try removing Any-External as a destination in the Any-Incoming policy, and see if that clears it up.  Unless there are reasons I don't know about, you shouldn't need it in there.  Just have Any-Incoming go from PPTP-Users to Any-Trusted, or just remove all of the entries, which will force it to say Any in the "To" field.
0
 

Author Comment

by:Rgoodlett
ID: 24032968
That did not help. The Vista user still cannot get Outlook to connect from within the VPN.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24033060
Deny message only indicates that NetBIOS traffic was denied by WG; normally for exchange you would not use NetBIOS unless specifically configured.
Also, machines these days do not have NetBIOS enabled by default.

There should be another reason/log for exchange connection problem.

To confirm you said if someone else logs in with same username from different machine no problem is seen; if this is the case the problem is at client level not with firewall configuration.

Thank you.
0
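The deny line in the question is the kind of entry dpk_wal is describing: a NetBIOS datagram (udp/138) sent to the limited broadcast address 255.255.255.255 from the PPTP client, which the Firebox has no policy for and drops. To set such lines aside from denies that actually deserve a look, here is an added example (not code from the thread or from WatchGuard) that parses Fireware traffic-monitor lines in the layout shown above and labels each one. The only real line is the one from the question; the other two are constructed in the same layout, and the broadcast test on directed-broadcast addresses (".255") is a heuristic assumption.

```python
"""Classify WatchGuard Fireware traffic-monitor lines as NetBIOS broadcast
noise versus denies worth investigating.  Added example; only REAL_LINE is
from the thread, the CONSTRUCTED lines are made up for illustration."""
import re
import ipaddress
from collections import Counter

# Head of a Fireware 10.x traffic-monitor line, as seen in the question:
#   <date> <time> <action> <src> <dst> <service>/<proto> <sport> <dport>
#   <src_iface> <dst_iface> <disposition> <length> <ttl> (<reason>) <tail>
HEAD = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) "
    r"(?P<service>[^/\s]+)/(?P<proto>\S+) (?P<sport>\d+) (?P<dport>\d+) "
    r"(?P<src_if>\S+) (?P<dst_if>\S+) (?P<disposition>\S+) "
    r"(?P<length>\d+) (?P<ttl>\d+) \((?P<reason>[^)]*)\)(?P<tail>.*)$"
)
# key="value" pairs in the tail, e.g. src_user="rarmstrong@Firebox-DB" rc="101"
KV = re.compile(r'(\w+)="([^"]*)"')

NETBIOS_UDP_PORTS = {137, 138}   # name service and datagram service
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

REAL_LINE = (
    '2009-03-31 04:59:15 Deny 192.168.6.91 255.255.255.255 netbios-dgm/udp 138 138 '
    'PPTP Firebox denied 265 128 (Unhandled External Packet-00)  '
    'src_user="rarmstrong@Firebox-DB" rc="101"       Traffic'
)
# Constructed lines (not from the page): one allowed flow and one deny to a
# unicast host on the trusted side, which a reviewer would want to look at.
CONSTRUCTED = [
    '2009-03-31 04:59:20 Allow 192.168.6.91 192.168.1.10 https/tcp 51000 443 '
    'PPTP Trusted Allowed 60 128 (HTTPS-00)  src_user="rarmstrong@Firebox-DB" Traffic',
    '2009-03-31 04:59:25 Deny 192.168.6.91 192.168.1.20 rpc/tcp 51001 135 '
    'PPTP Trusted denied 60 128 (Unhandled Internal Packet-00)  '
    'src_user="rarmstrong@Firebox-DB" rc="101" Traffic',
]


def parse_line(line):
    """Return a dict of fields for one traffic-monitor line, or None if it
    does not match the expected layout."""
    m = HEAD.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key])
    rec.update(KV.findall(rec.pop("tail")))   # src_user, rc, ...
    return rec


def classify(rec):
    """'allowed', 'netbios-broadcast-noise', or 'deny-investigate'."""
    if rec["action"] == "Allow":
        return "allowed"
    dst = ipaddress.ip_address(rec["dst"])
    # Heuristic: limited broadcast, or a directed broadcast ending in .255.
    is_broadcast = dst == LIMITED_BROADCAST or rec["dst"].endswith(".255")
    if rec["proto"] == "udp" and rec["dport"] in NETBIOS_UDP_PORTS and is_broadcast:
        return "netbios-broadcast-noise"
    return "deny-investigate"


def summarize(lines):
    """Count (src_user, label) pairs so the noise can be set aside per user."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[(rec.get("src_user", "?"), classify(rec))] += 1
    return counts


if __name__ == "__main__":
    for (user, label), n in sorted(summarize([REAL_LINE] + CONSTRUCTED).items()):
        print(f"{user:30} {label:25} {n}")
```

Run over a saved traffic-monitor export, the summary separates the NetBIOS broadcast denies (which a VPN client emits whether or not Outlook works) from denies to unicast trusted hosts, which are the lines to compare against the PPTP policies discussed above.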
 

Author Comment

by:Rgoodlett
ID: 24033105
You are correct. If I go to my house and VPN as rarmstrong and configure Outlook for his mailbox, it connects when I put in his password.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24033323
Is there any local firewall on the system; try turning it off. Also, keep an eye on traffic monitor when the user actually connects to see any unusual log; this would help identify the problem.

Upload the policy on the client again.

If nothing, try uninstalling and reinstalling the client once.

Thank you.
0
 

Author Comment

by:Rgoodlett
ID: 24033474
The client does have a firewall from Microsoft Live One-Care, but I turned it off and the same result.
However, I did get on his Vista machine, using his VPN, and configured my own Exchange mailbox. It is his mailbox. Something is in Exchange or his mailbox that is not allowing connection. Within the office (within the firewall) all is well. Outside the firewall, only his iPhone and Outlook Web Access work for his mailbox.
At least the firewall is off the hook.
Now I need Exchange help. I am going to run cleanup agent and repair on his mailbox.
0
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24036492
At least we are able to narrow the problem; please update about the results.

Thank you.
0
 

Author Comment

by:Rgoodlett
ID: 24039452
I have added the internal DNS server IP Address to the configuration of the TCP/IP ver4 protocol in the VPN. Once I did this, the user's Outlook was able to find the Exchange server and connect. I have done this for the two users that use VPN and have Vista. The Windows XP users do not appear to be having this problem.

All is well and this incident can be closed. This was the first time I have used this service and it was positive and helped in solving the problem.

Thank you very much.
Richard C. Goodlett - I.T. Director
Urban Design Group, Inc. - Dallas, Texas
0
 
LVL 32

Accepted Solution

by:
dpk_wal earned 500 total points
ID: 24040812
Thank you for the update; this would help the community.
0
 

Author Closing Comment

by:Rgoodlett
ID: 31567699
We have a workaround to the original issue of the Vista user, while in a VPN, being unable to connect to Exchange; but not why he is the only one. Adding the DNS I.P. address to the TCP/IP settings within the VNC properties solves this issue. The user is still asking why this happened after upgrading the firewall and I believe that authentication to Exchange has nothing to do with this. His inability to reach the DNS while in VPN without help is curious, but there are too many variables involved to track. Thank you for your help.
0
