Solved

netbios-dgm/udp 138 138 PPTP Firebox denied 265 128 (Unhandled External Packet-00)

Posted on 2009-03-31
Last Modified: 2013-11-16
I have a user that is able to connect to our network through a VPN without any problem, but while he is logged in I see the following denied messages in the traffic on our Watchguard x1250e firewall.

2009-03-31 04:59:15 Deny 192.168.6.91 255.255.255.255 netbios-dgm/udp 138 138 PPTP Firebox denied 265 128 (Unhandled External Packet-00)  src_user="rarmstrong@Firebox-DB" rc="101"       Traffic

The user is not able to connect to our Exchange server to open Outlook, although he was doing this before we had some Firewall problems. He is using Vista, Office 2007 and is able to see the Network, including our Exchange server. He can see shared folders, but Outlook cannot connect. The client error message is "Exchange server is unavailable".
Question by:Rgoodlett
18 Comments
 
LVL 1

Expert Comment

by:quinnjudge
ID: 24030781
It sounds like the PPTP rule is blocking some traffic.  What version of Fireware are you using?  What are the rules of the PPTP policy?  For us, we allow the policy type "Any", from a group called "PPTP-Users" to "Trusted".  Depending on how secure you need this connection, that may be the easiest thing to change.  Otherwise, you will need to figure out which ports to open up and to where, and go from there.
 

Author Comment

by:Rgoodlett
ID: 24031745
We are using Watchguard Service Manager 10.2.7 and Fireware 10.2.7.
Is the PPTP rule that you are referring to called "Watchguard PPTP"?
In it we are allowing: From - Any =  To - Firebox.
 
LVL 1

Expert Comment

by:quinnjudge
ID: 24031844
That is the rule to allow the authentication to function.  There should be another rule that allows traffic from the PPTP users to the rest of the network.  On ours, we have a rule called "Allow PPTP VPN Users" from "PPTP-Users (Firebox-DB)" to "Any-Trusted".  It uses the "Any" policy type, so once you are authenticated, any and all traffic is allowed from the authenticated user to anywhere on the trusted network.

See if you have a policy like that, and let me know its specifics.
 

Author Comment

by:Rgoodlett
ID: 24032005
I have a rule called: Watchguard Authentication that uses WG-auth that is Any-Trusted to Firebox.
Another called: HTTPS that uses HTTPS that is From PPTP-Users to Any-External.

Is it one of these? I believe that the HTTPS is for the iPhone users.
 
LVL 1

Expert Comment

by:quinnjudge
ID: 24032067
Nope.

If you're willing, you can take a screen shot of Policy Manager and paste it here.  Make sure to go to View > Details, and then shrink down the From and To tabs for security reasons; I shouldn't need any of that info.

There should be some rule in there that is allowing traffic from the PPTP users to the Trusted network, so...
 

Author Comment

by:Rgoodlett
ID: 24032139
Here you are. This was working for everyone before we upgraded to WSM 10.2.7 & Fireware 10.2.7.
A Windows XP user logging in with the same credentials as the Vista user was able to connect to the Exchange server.
Policy-Manager.jpg
 
LVL 1

Expert Comment

by:quinnjudge
ID: 24032240
The "ANY-Incoming" policy should be the one allowing traffic.  I am assuming you are using the Firebox itself for authentication?  Or are you using Active Directory or RADIUS?  Let me know the specifics of that policy.
 

Author Comment

by:Rgoodlett
ID: 24032368
The Any-Incoming policy is: From - PPTP Users to Any-Trusted, Any-External

As far as authentication is concerned, neither Active Directory nor RADIUS is enabled. Just Firebox Authentication. Here is another group of snapshots.
Policy-Manager3.jpg
Policy-Manager1.jpg
Policy-Manager2.jpg
 
LVL 1

Expert Comment

by:quinnjudge
ID: 24032818
Try removing Any-External as a destination in the Any-Incoming policy, and see if that clears it up.  Unless there are reasons I don't know about, you shouldn't need it in there.  Just have Any-Incoming go from PPTP-Users to Any-Trusted, or just remove all of the entries, which will force it to say Any in the "To" field.
 

Author Comment

by:Rgoodlett
ID: 24032968
That did not help. The Vista user still cannot get Outlook to connect from within the VPN.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24033060
Deny message only indicates that NetBIOS traffic was denied by WG; normally for exchange you would not use NetBIOS unless specifically configured.
Also, machines these days do not have NetBIOS enabled by default.

There should be another reason/log for exchange connection problem.

To confirm you said if someone else logs in with same username from different machine no problem is seen; if this is the case the problem is at client level not with firewall configuration.

Thank you.
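To make the point above concrete, here is an added example (not part of the thread) that parses Fireware 10.x traffic-log lines in the layout quoted in the question and labels NetBIOS broadcast denies from VPN clients as expected noise, so only other denies get investigated. The meaning of the two trailing numbers (taken as packet length and TTL) and the second sample line are assumptions.

```python
import re
from collections import Counter
from typing import Optional

# Field layout read from the log line quoted in the question; the two numbers
# after "denied" are assumed to be packet length and TTL.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>Allow|Deny) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<service>[^/ ]+)/(?P<proto>\S+) "
    r"(?P<sport>\d+) (?P<dport>\d+) (?P<src_if>\S+) (?P<dst_if>\S+) "
    r"(?P<verb>\S+) (?P<length>\d+) (?P<ttl>\d+) \((?P<reason>[^)]*)\)\s*(?P<rest>.*)$"
)
KV_RE = re.compile(r'(\w+)="([^"]*)"')  # trailing key="value" pairs (src_user, rc)


def parse_line(line: str) -> Optional[dict]:
    """Parse one traffic-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "length", "ttl"):
        rec[key] = int(rec[key])
    rec.update(KV_RE.findall(rec.pop("rest")))
    return rec


def is_broadcast(ip: str) -> bool:
    # Limited broadcast, plus the usual /24 directed-broadcast form; the mask is
    # not in the log, so the ".255" check is a heuristic.
    return ip == "255.255.255.255" or ip.endswith(".255")


def classify_deny(rec: dict) -> str:
    """NetBIOS name/datagram broadcasts (udp/137, udp/138) from a VPN client are
    expected noise and unrelated to an Exchange connection; anything else is worth a look."""
    if rec["action"] != "Deny":
        return "allowed"
    if rec["proto"] == "udp" and rec["dport"] in (137, 138) and is_broadcast(rec["dst"]):
        return "netbios-broadcast-noise"
    return "investigate"


SAMPLE_LINES = [
    # The line quoted in the question.
    '2009-03-31 04:59:15 Deny 192.168.6.91 255.255.255.255 netbios-dgm/udp 138 138 PPTP Firebox denied 265 128 (Unhandled External Packet-00)  src_user="rarmstrong@Firebox-DB" rc="101"       Traffic',
    # Constructed for illustration: a unicast deny toward an internal host.
    '2009-03-31 05:01:02 Deny 192.168.6.91 192.168.1.20 https/tcp 51234 443 PPTP Trusted denied 60 128 (Unhandled External Packet-00)  src_user="rarmstrong@Firebox-DB" rc="101"       Traffic',
]


def summarize(lines) -> dict:
    """Count the classification of every parseable line."""
    return dict(Counter(classify_deny(r) for r in map(parse_line, lines) if r))
```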
 

Author Comment

by:Rgoodlett
ID: 24033105
You are correct. If I go to my house and VPN as rarmstrong and configure Outlook for his mailbox, it connects when I put in his password.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24033323
Is there any local firewall on the system? Try turning it off. Also, keep an eye on the traffic monitor when the user actually connects to see any unusual log; this would help identify the problem.

Upload the policy on the client again.

If nothing, try uninstalling and reinstalling the client once.

Thank you.
 

Author Comment

by:Rgoodlett
ID: 24033474
The client does have a firewall from Microsoft Live OneCare, but I turned it off and got the same result.
However, I did get on his Vista machine, using his VPN, and configured my own Exchange mailbox. It is his mailbox. Something in Exchange or his mailbox is not allowing the connection. Within the office (within the firewall) all is well. Outside the firewall, only his iPhone and Outlook Web Access work for his mailbox.
At least the firewall is off the hook.
Now I need Exchange help. I am going to run the cleanup agent and repair on his mailbox.
 
LVL 32

Expert Comment

by:dpk_wal
ID: 24036492
At least we are able to narrow the problem; please update about the results.

Thank you.
 

Author Comment

by:Rgoodlett
ID: 24039452
I have added the internal DNS server IP address to the configuration of the TCP/IP v4 protocol in the VPN. Once I did this, the user's Outlook was able to find the Exchange server and connect. I have done this for the two users that use VPN and have Vista. The Windows XP users do not appear to be having this problem.

All is well and this incident can be closed. This was the first time I have used this service and it was positive and helped in solving the problem.

Thank you very much.
Richard C. Goodlett - I.T. Director
Urban Design Group, Inc. - Dallas, Texas
 
LVL 32

Accepted Solution

by:dpk_wal (earned 500 total points)
ID: 24040812
Thank you for the update; this would help the community.
 

Author Closing Comment

by:Rgoodlett
ID: 31567699
We have a workaround to the original issue of the Vista user, while in a VPN, being unable to connect to Exchange; but not why he is the only one. Adding the DNS I.P. address to the TCP/IP settings within the VNC properties solves this issue. The user is still asking why this happened after upgrading the firewall, and I believe that authentication to Exchange has nothing to do with this. His inability to reach the DNS while in VPN without help is curious, but there are too many variables involved to track. Thank you for your help.