
Joining XP to W2K3 AD Domain over IPSec VPN

Posted on 2009-04-07
Last Modified: 2012-05-06
I'm trying to join a Windows XP computer to an AD domain. The PDC is a W2K3 server.
I've added the PDC's IP Address to my DNS list and so I'm able to ping the PDC from the remote location.

The problem is that when joining the domain, AFTER inputting username and password I was given a warning box titled "COMPUTER NAME CHANGE", and the message in it says: "Can't join domain. Remote Procedure Call failed".
I'm not sure if it's the PDC's fault, because we can join many computers on the local network into the domain without a problem. I've only encountered this problem when joining via VPN.

We're using site-to-site IPSec VPN, with a Juniper SSG20 on the PDC side, and Linksys RV042 on the remote side.
I'm able to ping the remote router (juniper), the PDC's IP Address, and the PDC's fqdn.

Thank You


47 Comments
 
LVL 31

Expert Comment

by:DrUltima
ID: 24090809
What is the threshold on your slow link connection settings on your default domain GPO?
0
 

Author Comment

by:SW111
ID: 24093583
Hi, DrUltima,
Sorry, I don't understand. What is this and how would I go about setting up this slow link connection? I'm using a fiber optic connection at about 1mb download and 200kb upload from the remote location. (The PDC is at about the same speed.)
0
 
LVL 31

Expert Comment

by:DrUltima
ID: 24098110
Well, Slow Link is defined in GPO to tell AD how to treat fast versus slow connections. Generally it only affects items like pushing a particular GPO to a user or computer once already joined to the domain, but I was traveling down a rabbit trail for a little bit. What is the throughput of your VPN connection to your main office, which houses the DC?
0
 

Author Comment

by:SW111
ID: 24099084
The connection at the main office is about 1mb download and 200 kb upload. I don't know how to find out what the throughput of the VPN tunnel is. But I get the feeling that it's not the connection speed, because I have no problem sending pings (average ping is 45ms) to the DC.

Does the "Remote Procedure Call Failed" message mean I'm missing something on the DC side though?
0
 
LVL 31

Expert Comment

by:DrUltima
ID: 24099422
I was operating under the assumption that you had no problems adding computers to the domain when at your local office and not using the VPN.
0
 

Author Comment

by:SW111
ID: 24106940
yes DrUltima. Your assumption would be correct.
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24106988
What are your DNS IP addresses set to on the workstation? Can you make a UNC connection to the remote office? I have multiple Junipers (and also talking to a SonicWall) and I know they will pass the traffic correctly; it could be an issue with the Linksys. Do you have an Exchange server at the corporate office? If so, telnet to the IP address using port 25 and see if you get a response back.
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24106996
One other thing: is the DC the ONLY IP address in the DNS? If not, make it the only one.
0
 

Author Comment

by:SW111
ID: 24125614
We don't have an Exchange server at the office. But I am able to ping the server and the router.

I'm not quite sure what you wanted me to do with "it the DC the ONLY IP address in the DNS. If not make it the only one". Did you mean I should make the DC the only IP in the DNS by changing its IP address so it won't match the other computers (clients)? Wouldn't that mess up my network?
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24126585
I have seen some people set a secondary DNS server in the remote office that is not part of the current Active Directory schema. What I was asking is: at your remote office, is that PC's only DNS server your domain controller, or do you have any secondary DNS defined?
0
 

Author Comment

by:SW111
ID: 24127584
Woodall01, we currently only have 1 DC in the corporate office. I saw in books also that I'm supposed to be able to set up another "tree" (?) with a different subnet/IP to join to the current domain. So, as you say, it should have worked. I don't mind setting up a secondary DC at the remote site.
But I would have thought that without a secondary DC it should also work (an example scenario would be a laptop connecting back to the office)
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24127621
It should work with one DC. It could be that the Linksys device is not passing information correctly back to the DC; you might have the same problem with a remote DC. What happens if you use //servername/path? Once you enter the password and username, does it connect? Are you able to open a file from the remote office to the local office? BTW, what are your IP settings on the remote side (i.e. ipconfig)? Could you cut and paste them in?
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24127627
Just so you know, I am remote to my office with an SSG5 at the office and a NS-5GT at the house with VPN. I can join workstations from here and do any domain functions without a secondary controller.
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24127634
One last thing, what I was talking about is the DNS server at the remote office. I am assuming you have just set the workstation with one controller (the DC) and no secondary (the ISP), correct?
0
 
LVL 1

Accepted Solution

by:
harnamsc earned 250 total points
ID: 24127681
Greetings SW111,
Could you try running netdiag from one of the workstations? See if DsBind is able to complete an RPC call to the domain controller. It could be that your VPN is rejecting the RPC packets, thus causing the problem.
Also can I ask, is the workstation configured to access one LAN or multiple LANs?
0
 
LVL 1

Expert Comment

by:harnamsc
ID: 24127687
Also, is your DC installed with SP1 or SP2?
0
 

Author Comment

by:SW111
ID: 24144724
Actually, I think the DC is not even SP1. we've been using it for quite a while without doing much to it. This vpn project is quite recent.
On a separate note, I've just learned that we needed to activate RRAS server (hence the late reply) in order to allow VPN connection to the DC. I had thought a site-to-site vpn is just like a switch whereby all I needed was to join the domain.

However, I'm stuck at the same place, but different warning box. This time, after clicking join domain and inputting password, I'm getting the following error: "Network path could not be found". But I still can ping the DC and the firewall at the HQ. My network guy told me that it was a routing problem in W2k3.

To answer Harnamsc, the workstation is currently configured for a single LAN, but it would be great if we could allow it to join multiple domains.
0
 
LVL 1

Expert Comment

by:harnamsc
ID: 24145040
Greetings SW111, did you run DsBind? I'm trying to determine if your problem is due to port blocking by your VPN firewall or if the RDP packets being sent are incompatible with your DC.
0
 
LVL 1

Expert Comment

by:harnamsc
ID: 24145090
RPC port is TCP 135, please check if this port is being blocked by your VPN firewall.
Also check following hotfix:
http://support.microsoft.com/?kbid=899148

See if installing the hotfix and changing the mentioned registry setting helps. Some non-SP2 versions of Windows Server use a different RPC packet (dunno why though?) which can be rejected by VPNs and firewalls because they don't recognize them as RPC packets. If this is the cause you'll need to install the hotfix, reboot, and then set the registry key and reboot again.
0
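A quick way to test harnamsc's port-blocking suggestion from the remote workstation, as an added example that is not part of this thread or any poster's code: the script below attempts a TCP handshake to each port a Windows Server 2003 domain join needs on the DC and reports which ones never answer. The DC address 50.0.0.1 is the one SW111 gives later in the thread; the port list and timeouts are this example's own assumptions. It probes TCP only, because a UDP port (53, 88, 389) gives no reliable answer to a bare connect, and it cannot follow the RPC endpoint mapper on 135 to the dynamic high port (1024-5000 by default on Windows Server 2003, unless pinned with the NTDS "TCP/IP Port" registry value) that the join RPCs actually use, so 135 being open is necessary but not sufficient.

```python
"""TCP reachability check for the ports a Windows domain join needs.

Added example, not code from the thread or from any poster.  Only TCP is
probed: a UDP port (53, 88, 389) gives no reliable answer to a bare
connect and must be tested with a real query instead.
"""
import socket
import sys

# Ports a Windows Server 2003 domain join opens towards the DC.  The RPC
# endpoint mapper (TCP 135) only hands back a dynamic port; on Windows
# Server 2003 that range is 1024-5000 unless the NTDS "TCP/IP Port"
# registry value pins it (assumed unpinned here), so 135 reachable is
# necessary but not sufficient.
DOMAIN_JOIN_TCP_PORTS = {
    53: "DNS (TCP fallback for large answers)",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    139: "NetBIOS session",
    389: "LDAP",
    445: "SMB / Netlogon",
    464: "Kerberos password change",
}


def check_tcp_port(host, port, timeout=3.0):
    """Return True when a TCP handshake to host:port completes in time."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all "blocked" for our purposes
        return False


def check_domain_join_ports(dc_host, ports=None, timeout=3.0):
    """Probe each TCP port and return {port: reachable}."""
    if ports is None:
        ports = DOMAIN_JOIN_TCP_PORTS
    return {port: check_tcp_port(dc_host, port, timeout) for port in ports}


def report(results, names=DOMAIN_JOIN_TCP_PORTS):
    """Format results as report lines, blocked ports first."""
    lines = []
    for port, ok in sorted(results.items(), key=lambda kv: (kv[1], kv[0])):
        state = "open   " if ok else "BLOCKED"
        lines.append(f"TCP {port:>5}  {state}  {names.get(port, '')}")
    return lines


if __name__ == "__main__":
    # 50.0.0.1 is the HQ DC address given later in the thread.
    dc = sys.argv[1] if len(sys.argv) > 1 else "50.0.0.1"
    print("\n".join(report(check_domain_join_ports(dc))))
```

Run it from a host on the remote subnet (`python check_dc_ports.py 50.0.0.1`). A port reported open here while the join still fails points at the dynamic RPC range, or at reply-direction problems such as fragmentation or asymmetric routing that a bare SYN probe never exercises.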
 
LVL 1

Expert Comment

by:woodall01
ID: 24148399
I can tell you that your network guy might be wrong. It sounds to me like the RV042 might be blocking traffic from the Juniper. Do you know whether on the Juniper they are using a route-based or a policy-based VPN? If you have access to the firewall I can walk you through what to look for. I have seen this more than once, and usually the firewall on one side (or both) is not configured correctly. One other thing to look at: if you can ping your W2K3 box from the remote location, then your network guy does not know what he is talking about when he blames it on routing. If it was routing, then you could not ping it at all. One last thing: if you have a site-to-site VPN there is no reason to use RRAS unless you are going to have a workstation outside of the network (the local and remote offices) connect remotely. Sounds like someone is leading you up the wrong tree.
0
 

Author Comment

by:SW111
ID: 24148699
Woodall01, you're right. Just an hour ago my network guy is telling me that he's thinking that RRAS might not be the right tree to bark at  :)

I do have access to both the Juniper and the RV042 though. Although, I'm normally too afraid to do the changes myself, so I will discuss any necessary changes with him.

A point  that might be of interest: my network guy is also having problem joining into the domain from another remote location using l2tp connection. A recent "discovery?" was that after we allow remote access to admin, he was able to join the domain but lose the connection immediately after restarting the remote computer. On my side though, I'm using site-to-site IPSEC route based VPN.
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24149226
My guess is it's the RV042 that is not correctly set up. With Juniper, the out-of-the-box policy will pass all VPN traffic. Have your network guy look at his settings on the RV042, and could you find out what kind of VPN policy is on the Juniper (policy-based or route-based)? He should know the answer to the question.
0
 

Author Comment

by:SW111
ID: 24158464
The Juniper is route-based. It's not exactly out of the box, actually. We've made some changes to it (because we were having problems connecting the VPN from the Linksys to the SSG20 in the first place. Couldn't even ping.) Anyhow, can you tell me what settings in the RV042 to check?
0

Author Comment

by:SW111
ID: 24158504
Btw, how would one go about doing a DsBind? I've been trying Harnamsc's suggestion above, but couldn't figure out how to do DsBind. I've tried DOS and the Run box; both don't work.
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24158763
What I meant about out of the box is that that is the default setting for the Juniper and is totally normal. Do you know if the tunnel is coming up (layer 1 and layer 2)? Can you ping the other side yet? If so, you will want to check the rules on the RV042 to see if all traffic is allowed and its policy for the VPN is first. It's been a while since I messed with a Linksys RV042 and I will have to look into it a little bit.

0
 

Author Comment

by:SW111
ID: 24159144
Oh, I meant we've changed the settings on the ssg. So it's not really out of the box setting anymore. So maybe some changes would actually have caused some of the difficulties (although I doubt it).

I can ping from remote location (RV042 side) to the HQ (SSG side). I've never thought of trying the other direction...

on the rv042:
ipsec, pptp and l2tp pass through are all enabled.
pptp server is disabled
firewall setting is to enable everything, except the remote management and multicast pass through
Access Rules is not defined yet. <--is this what you meant with the policy for rv042?
0
 
LVL 1

Expert Comment

by:harnamsc
ID: 24164386
Greetings SW111, DsBind is a command run from your DOS prompt from the directory in which you've installed your Windows Support Tools. These tools have to be manually installed from the Windows Server installation CD.
0
 
LVL 1

Assisted Solution

by:woodall01
woodall01 earned 250 total points
ID: 24164432
In the RV042, you need to add access rules. By default the Linksys blocks incoming traffic unless told otherwise. Add a rule for the remote network. BTW, what are the IP addresses of your local and remote networks (not the outside address, just the internal LAN address of both networks)?
0
 

Author Comment

by:SW111
ID: 24168417
Woodall01, the hq side is 50.0.0.0 and the remote site is 50.0.1.0
Updates so far: if I try finding the network domain from Windows Explorer > My Network Places > Explore, I won't be able to find the domain. BUT: if I search for a computer, say 50.0.0.x, from the remote location, I can actually access shared files on that computer (after inputting my domain password).

What does this mean? I'm starting to think not to bother joining the domain if I can access the files anyway. But my preference is still to join the domain, and have W2K3 enforce the folders' access privileges. (I'm not too happy with the fact that I can VPN to the HQ and access files without joining the domain... even though I have a password.)

I've also added the access rules on the RV042. And because I'm not sure, I created 2 rules:
1. source: 50.0.0.1-50.0.0.254 to destination: 50.0.1.1-50.0.1.254
2. source: 50.0.1.1-50.0.1.254 to destination: 50.0.0.1-50.0.0.254
But it doesn't really help.

Btw, a Juniper tech support person actually contacted my network guy today... very impressive... didn't actually help us solve anything yet, but impressive nevertheless. Never had a tech support guy actually call us back.

Also, I've actually installed adminpak.msi but I don't think this is what harnamsc is looking for? I haven't had the chance to install the Windows Support Tools on the DC yet. Will update you as soon as I have.

0
 
LVL 1

Expert Comment

by:woodall01
ID: 24172217
It's passing NetBIOS traffic. What happens when you ping the remote server by name? Do you get a response back? I am assuming the RV042 is doing DHCP? If it is, then under the DHCP setting on that unit, what is the DNS set to (I am assuming you are running DNS on that server, correct)? I have found Juniper support good.
0
 

Author Comment

by:SW111
ID: 24175237
How can you tell it's passing Netbios traffic?
To answer your question, when I ping servername, I don't get a response, but when I ping ServerName.DomainName I do get the replies. And yes, we are using a DNS server.

I'm not quite sure what you meant by "under the DHCP setting on that unit, what is the DNS set to"? I know we have dhcp and dns and active directory. If you mean which computer is the dns server, it is the same computer as the dhcp and ad.
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24175701
I was talking about the remote location. Are the machines set to a static IP address or DHCP? I have had issues with SonicWall before on their DHCP server and DNS forwarding. Have you tried setting a workstation on the remote network to a static IP address with the DNS set to your local DC? Then try joining the domain?
0
 

Author Comment

by:SW111
ID: 24176071
Ah, I see. On the remote location, there is no server. Just the RV042 acting as DHCP. It has no static Public IP. And now that you mention it, on the RV042, under DHCP>Setup, There's a DNS section where it says: DNS Server (required): with 2 sets of boxes to input DNS Server addresses. Both boxes are empty.

IPCONFIG from a workstation gives me the DNS IP address provided by the ISP.
On the workstation though, I've previously added the HQ DNS Server on TCP/IP>Advanced>DNS

There's also a DIAGNOSTICS section on the RV042. It has ping and DNS Lookup.
From here, if I ping the HQ DNS server using its IP address, the test is successful.
But if I input the ServerName.DomainName in the DNS Lookup tool, it will fail.

We've previously tried setting the remote workstation with a static IP address too, but it doesn't work.

On a separate note, I've noticed that if I use REMOTE DESKTOP CONNECTION to the HQ, using the RV042 on the remote location, it won't work. But using a different ISP, and not using the RV042, it does work. Perhaps this is connected?
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24177603
That is your problem: if the ISP is your DNS server then it will not work. Set the RV042 DNS server on the DHCP server to your DC IP address. That should fix the issue.

The problem before could have been problems with the VPN. If you are able to make a UNC connection then usually you are able to auth to the server, but the workstation can't find the DC because it needs to look it up via DNS.


Answer to the "on a separate note": BTW, it sounds like you might be having issues with the RV042 passing correct traffic. Can you connect to the DC using the internal IP address? If this does not work you might consider replacing the Linksys. You can pick up a Juniper off of eBay for 50 to 200. I would look for a NS-5XT to NS-5GT (possibly a 101; this means unlimited users).
0
 

Author Comment

by:SW111
ID: 24178881
I've tried that also:

On RV042, under:
- DHCP>Setup>DNS Server 1 = IP of DC at the HQ (Originally this was at Linksys default = 0.0.0.0)
- Setup> Wan Connection Type> WAN1>DNS Server 1 = IP of DC at the HQ (Originally this was at Linksys default = 0.0.0.0)
- for both pages, I left DNS Server 2 at the default 0.0.0.0
- from the rv042, I was able to ping the IP address of the DC at the HQ, but I'm not able to ping the fqdn of the DC.

On the remote workstation (i.e., ones that are connected to the RV042):
- IP Address automatic (Obtained from RV042)
- DNS: Manually add the IP of DC at the HQ.
- from here I was able to ping both the IP address AND the fqdn.

So based on these conditions, your recommendation is to change the RV042?

This option was actually on the table also and we've actually bought a Cisco ASA 5500 to replace the RV042. Just that my network guy is currently studying the cisco and how to install it. Too bad. I was hoping rv042 would work. I kinda liked it. Anyhow, a second juniper is not an option now because I'm not in the states and it'll take me months to get another juniper. No one here stocks it.

Anyhow, please tell me if I understood you correctly and the above is your final recommendation.

0
 
LVL 1

Expert Comment

by:woodall01
ID: 24179773
Try these two things first; this will tell us if it's the Linksys. Put the DC IP address in both the primary and secondary. That might do the trick. If that does not work, could you try one other thing: on a workstation, can you just change the DNS from automatic and put the DC in as the primary? Then try ping and/or joining it. I want to make sure that the RV042 is not proxying the DNS. One other thing, what is the version of the OS on the unit? Do you know if your network guy has done any logging on the RV042 or the Juniper? If not, he might want to. I don't know if I would give up that soon. If you think your network guy needs help with this, have him drop me a post and I will see if I can help (or if he wishes me to look at it for him). I do have something close to what you are trying to do and it works fine.

BTW, Cisco ASA can be a pain if you don't understand how Cisco works. Your statement that your network guy is studying the unit worries me a little bit.
0
 

Author Comment

by:SW111
ID: 24184108
to answer your questions:

1. Put DC IP address on both primary & secondary field on the RV042:
then ping DC name using RV042: Failed

2. Put DC IP Address on the preferred DNS Server of a workstation (have done this since a while ago):
ping DC Name from workstation: success.
ping DC IP from workstation: success

3. O/S of the RV042? it's firmware 1.3.12.6-tm. I'm not quite sure how to find out what OS it uses.
O/S on DC server: windows 2003
O/S on workstation: windows XP

4. We've done some logging on the Juniper, but not on the RV042. Although, I've occasionally tried looking for clues in the logs.

Some entries from the RV042 VPN log (the date keeps changing to 2003... I don't know why):

Jan 1 07:00:32 2003           VPN Log          [Tunnel Negotiation Info] >>> Initiator Send Aggressive Mode 1st packet
Jan 1 07:00:32 2003          VPN Log         initiating Aggressive Mode #1, connection "ips0"
Jan 1 07:00:32 2003          VPN Log         STATE_AGGR_I1: initiate
Jan 1 07:00:32 2003          VPN Log         Ignoring Vendor ID payload [8be3a4749a88111f...]
Jan 1 07:00:32 2003          VPN Log         Received Vendor ID payload Type = [Dead Peer Detection]
Jan 1 07:00:32 2003          VPN Log         Ignoring Vendor ID payload Type = [HeartBeat Notify 386b0100]
Jan 1 07:00:32 2003          VPN Log         [Tunnel Negotiation Info] <<< Initiator Received Aggressive Mode 2nd packet
Jan 1 07:00:32 2003          VPN Log         Aggressive mode peer ID is ID_IPV4_ADDR: '123.123.132.12'
Jan 1 07:00:33 2003          VPN Log         [Tunnel Negotiation Info] >>> Initiator send Aggressive Mode 3rd packet
Jan 1 07:00:33 2003          VPN Log         [Tunnel Negotiation Info] Aggressive Mode Phase 1 SA Established
Jan 1 07:00:33 2003          VPN Log         [Tunnel Negotiation Info] Initiator Cookies = d0b7 f62d 6289 88bc
Jan 1 07:00:33 2003          VPN Log         [Tunnel Negotiation Info] Responder Cookies = 244f fd92 e8e2 8d3a
Jan 1 07:00:33 2003          VPN Log         initiating Quick Mode PSK+TUNNEL+PFS+AGGRESSIVE
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24184327
On number 2, did you try joining the workstation at that point? If that works, then the firewall is proxying the DNS information. You might need to set up a different DHCP server.

Usually on the time issue you might need to set it to an SNTP server (time server).

The OS is through Cisco; you might need to register the unit to get the code.
0
 

Author Comment

by:SW111
ID: 24184533
Ok. So I've deleted all the logs, just so that I can make some sense of the entries. Here is the new entries. Most of these are from a single action of trying to join the domain from the remote workstation.
(Except the 2 bottom-most lines. These were already there when I deleted the logs.)
I'm also especially interested on the 3rd line from the bottom: Something seems to have failed.

Anyhow, here's the log entries:

Apr 20 20:31:53 2009          Connection Accepted          UDP 50.0.1.106:137->50.0.0.1:137 on ixp0
Apr 20 20:31:25 2009         Connection Accepted         TCP 50.0.1.106:2375->50.0.0.1:445 on ixp0
Apr 20 20:31:25 2009         Connection Accepted         TCP 50.0.1.106:2375->50.0.0.1:445 on ixp0
Apr 20 20:31:25 2009         Connection Accepted         TCP 50.0.1.106:2375->50.0.0.1:445 on ixp0
Apr 20 20:31:25 2009         Connection Accepted         TCP 50.0.1.106:2375->50.0.0.1:445 on ixp0
Apr 20 20:31:10 2009         Connection Accepted         UDP 50.0.1.106:2385->50.0.0.1:88 on ixp0
Apr 20 20:30:55 2009         Connection Accepted         UDP 50.0.1.106:2384->50.0.0.1:389 on ixp0
Apr 20 20:30:55 2009         Connection Accepted         UDP 50.0.1.106:2384->50.0.0.1:389 on ixp0
Apr 20 20:30:45 2009         Connection Accepted         UDP 50.0.1.106:2382->50.0.0.1:88 on ixp0
Apr 20 20:30:34 2009         Connection Accepted         UDP 50.0.1.106:2381->50.0.0.1:389 on ixp0
Apr 20 20:30:34 2009         Connection Accepted         UDP 50.0.1.106:2381->50.0.0.1:389 on ixp0
Apr 20 20:30:29 2009         Connection Accepted         UDP 50.0.1.106:2379->50.0.0.1:88 on ixp0
Apr 20 20:30:24 2009         Connection Accepted         ICMP type 8 code 0 50.0.1.106->50.0.0.1 on ixp0
Apr 20 20:30:24 2009         Connection Accepted         ICMP type 8 code 0 50.0.1.106->50.0.0.1 on ixp0
Apr 20 20:30:06 2009         Connection Accepted         TCP 50.0.1.106:2364->50.0.0.1:445 on ixp0
Apr 20 20:30:05 2009         Connection Accepted         TCP 50.0.1.106:2364->50.0.0.1:445 on ixp0
Apr 20 20:30:05 2009         Connection Accepted         TCP 50.0.1.106:2364->50.0.0.1:445 on ixp0
Apr 20 20:30:05 2009         Connection Accepted         TCP 50.0.1.106:2364->50.0.0.1:445 on ixp0
Apr 20 20:30:05 2009         Connection Accepted         TCP 50.0.1.106:2364->50.0.0.1:445 on ixp0
Apr 20 20:29:53 2009         Connection Accepted         UDP 50.0.1.106:137->50.0.0.1:137 on ixp0
Apr 20 20:29:50 2009         Connection Accepted         UDP 50.0.1.106:2374->50.0.0.1:88 on ixp0
Apr 20 20:29:35 2009         Connection Accepted         UDP 50.0.1.106:2373->50.0.0.1:389 on ixp0
Apr 20 20:29:35 2009         Connection Accepted         UDP 50.0.1.106:2373->50.0.0.1:389 on ixp0
Apr 20 20:29:25 2009         Connection Accepted         UDP 50.0.1.106:2371->50.0.0.1:88 on ixp0
Apr 20 20:29:14 2009         Connection Accepted         UDP 50.0.1.106:2370->50.0.0.1:389 on ixp0
Apr 20 20:29:14 2009         Connection Accepted         UDP 50.0.1.106:2370->50.0.0.1:389 on ixp0
Apr 20 20:29:09 2009         Connection Accepted         UDP 50.0.1.106:2368->50.0.0.1:88 on ixp0
Apr 20 20:29:06 2009         Connection Accepted         UDP 50.0.1.106:137->50.0.0.1:137 on ixp0
Apr 20 20:29:04 2009         Connection Accepted         TCP 50.0.1.106:2349->50.0.0.1:445 on ixp0
Apr 20 20:29:04 2009         Connection Accepted         TCP 50.0.1.106:2349->50.0.0.1:445 on ixp0
Apr 20 20:29:03 2009         Connection Accepted         TCP 50.0.1.106:2349->50.0.0.1:445 on ixp0
Apr 20 20:29:03 2009         Connection Accepted         TCP 50.0.1.106:2349->50.0.0.1:445 on ixp0
Apr 20 20:28:48 2009         Connection Accepted         UDP 50.0.1.106:2359->50.0.0.1:88 on ixp0
Apr 20 20:28:33 2009         Connection Accepted         UDP 50.0.1.106:2358->50.0.0.1:389 on ixp0
Apr 20 20:28:33 2009         Connection Accepted         UDP 50.0.1.106:2358->50.0.0.1:389 on ixp0
Apr 20 20:28:23 2009         Connection Accepted         UDP 50.0.1.106:2356->50.0.0.1:88 on ixp0
Apr 20 20:28:13 2009         Connection Accepted         UDP 50.0.1.106:2355->50.0.0.1:389 on ixp0
Apr 20 20:28:13 2009         Connection Accepted         UDP 50.0.1.106:2355->50.0.0.1:389 on ixp0
Apr 20 20:28:08 2009         Connection Accepted         UDP 50.0.1.106:2353->50.0.0.1:88 on ixp0
Apr 20 20:28:03 2009         Connection Accepted         TCP 50.0.1.106:2349->50.0.0.1:445 on ixp0
Apr 20 20:28:03 2009         Connection Accepted         ICMP type 8 code 0 50.0.1.106->50.0.0.1 on ixp0
Apr 20 20:28:03 2009         Connection Accepted         ICMP type 8 code 0 50.0.1.106->50.0.0.1 on ixp0
Apr 20 20:27:55 2009         Connection Accepted         UDP 50.0.1.106:137->50.0.0.1:137 on ixp0
Apr 20 20:27:46 2009         Connection Accepted         TCP 50.0.1.106:2336->50.0.0.1:445 on ixp0
Apr 20 20:27:46 2009         Connection Accepted         TCP 50.0.1.106:2336->50.0.0.1:445 on ixp0
Apr 20 20:27:44 2009         Connection Accepted         TCP 50.0.1.106:2336->50.0.0.1:445 on ixp0
Apr 20 20:27:44 2009         Connection Accepted         TCP 50.0.1.106:2336->50.0.0.1:445 on ixp0
Apr 20 20:27:43 2009         Connection Accepted         TCP 50.0.1.106:2336->50.0.0.1:445 on ixp0
Apr 20 20:27:43 2009         Connection Accepted         TCP 50.0.1.106:2336->50.0.0.1:445 on ixp0
Apr 20 20:27:28 2009         Connection Accepted         UDP 50.0.1.106:2348->50.0.0.1:88 on ixp0
Apr 20 20:27:13 2009         Connection Accepted         UDP 50.0.1.106:2347->50.0.0.1:389 on ixp0
Apr 20 20:27:13 2009         Connection Accepted         UDP 50.0.1.106:2347->50.0.0.1:389 on ixp0
Apr 20 20:27:03 2009         Connection Accepted         UDP 50.0.1.106:2345->50.0.0.1:88 on ixp0
Apr 20 20:26:53 2009         Connection Accepted         UDP 50.0.1.106:2344->50.0.0.1:389 on ixp0
Apr 20 20:26:53 2009         Connection Accepted         UDP 50.0.1.106:2344->50.0.0.1:389 on ixp0
Apr 20 20:26:48 2009         Connection Accepted         UDP 50.0.1.106:2342->50.0.0.1:88 on ixp0
Apr 20 20:26:43 2009         Connection Accepted         UDP 50.0.1.106:2340->50.0.0.1:88 on ixp0
Apr 20 20:26:43 2009         Connection Accepted         UDP 50.0.1.106:2340->50.0.0.1:88 on ixp0
Apr 20 20:26:43 2009         Connection Accepted         UDP 50.0.1.106:2334->50.0.0.1:389 on ixp0
Apr 20 20:26:43 2009         Connection Accepted         UDP 50.0.1.106:2334->50.0.0.1:389 on ixp0
Apr 20 20:26:37 2009         Connection Accepted         UDP 50.0.1.106:2332->50.0.0.1:389 on ixp0
Apr 20 20:26:18 2009         Connection Accepted         ICMP type 8 code 0 50.0.1.106->50.0.0.1 on ixp0
Apr 20 20:25:54 2009         Connection Accepted         UDP 50.0.1.106:137->50.0.0.1:137 on ixp0
Apr 20 20:25:36 2009          VPN Log         ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Apr 20 20:25:07 2009          System Log         50.0.1.104 access
Apr 20 20:17:53 2009         Connection Accepted         UDP 50.0.1.106:137->50.0.0.1:137 on ixp0
0
 

Author Comment

by:SW111
ID: 24184579
On no. 2, I did try joining the domain, but it also failed.
I've fixed the time for now, but not using NTP. I tried inputting time.windows.com, but it won't update the current time, so I did it manually. I have found sometimes that different dates caused an issue when joining the domain, but trying to join the domain after fixing the time still fails.
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24186519
If you find newer firmware for it, I would say put the Cisco in production and see what happens.
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24205167
Any luck?
0
 

Author Comment

by:SW111
ID: 24211441
Sorry for the late reply. Not yet. We were being guided by Juniper support staff, but so far they're also not finding anything wrong with the Juniper or the RV042. She says the problem is that the server seems not to be replying to requests from the remote site to join the domain.

So I'm going to check on the server today and see if anything is wrong with it. It's a bit strange because I can still join local computers to the domain. But I'll check it anyways. I'll get back to you on the issue.

On the Cisco though (You mean the ASA5500 and not the Cisco Linksys RV042, correct?) my network guy is not confident enough to add more factors into the problem. He wanted to go into Cisco after we're 100% sure its not the RV042.
0
 
LVL 1

Expert Comment

by:woodall01
ID: 24211448
Understood about the network guy. The strange part is that you can pass NetBIOS auth traffic when making a UNC connection, but are not able to join the domain. I ran into something like this and it ended up being the firewall not passing traffic correctly (a WatchGuard FB); changed it to Juniper and the problem went away, and I was sold from that point on with Juniper.

0
 

Author Comment

by:SW111
ID: 24213838
Hello Woodall, Harnamsc, we found the problem. You're almost spot on, but the problem is actually not on the RV042 side, but on the Juniper side. The screen for fragmented traffic on the Juniper is preventing us from joining the domain. Once we remove this screen from the internet zone, we can join the domain immediately.

I'm looking up what security issues might disabling screening for fragmented traffic cause. But otherwise, we're good to go. Thanks all.
0
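Reading the RV042 log SW111 posted above against this resolution, as an added example that is not part of the thread or any poster's code: the script below parses the "Connection Accepted" entries, maps each accepted flow to the domain-join service it belongs to, and reports which services the log shows the workstation reaching, which never appear (no TCP 135 endpoint-mapper traffic at all, no TCP LDAP), and which were reached only over UDP (Kerberos 88 and LDAP 389). SAMPLE_LOG is a constructed subset of the posted lines; the service table is the example's own assumption. The key caveat the log cannot show is the reply direction: the RV042 only records the workstation's outbound packets, so a DC reply that the SSG20's fragment screen drops (a near-MTU UDP datagram that the ESP overhead pushes into IP fragments) leaves no trace in an accept log.

```python
"""Triage of an RV042 'Connection Accepted' log around a failed domain join.

Added example, not code from the thread or from any poster.  It classifies
each accepted flow by destination port and reports which domain-join
services the log shows being reached, which it never shows, and which were
reached only over UDP.  SAMPLE_LOG is a constructed subset of the entries
SW111 posted; a full export can be fed in unchanged.
"""
import re
import sys
from collections import Counter

SAMPLE_LOG = """\
Apr 20 20:31:53 2009   Connection Accepted   UDP 50.0.1.106:137->50.0.0.1:137 on ixp0
Apr 20 20:31:25 2009   Connection Accepted   TCP 50.0.1.106:2375->50.0.0.1:445 on ixp0
Apr 20 20:31:10 2009   Connection Accepted   UDP 50.0.1.106:2385->50.0.0.1:88 on ixp0
Apr 20 20:30:55 2009   Connection Accepted   UDP 50.0.1.106:2384->50.0.0.1:389 on ixp0
Apr 20 20:30:24 2009   Connection Accepted   ICMP type 8 code 0 50.0.1.106->50.0.0.1 on ixp0
Apr 20 20:25:36 2009   VPN Log   ignoring Delete SA payload: IPSEC SA not found (maybe expired)
Apr 20 20:25:07 2009   System Log   50.0.1.104 access
"""

FLOW_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}\s+Connection Accepted\s+"
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):(?P<dport>\d+) on \w+\s*$"
)
ICMP_RE = re.compile(
    r"Connection Accepted\s+ICMP type (?P<type>\d+) code \d+ (?P<src>[\d.]+)->(?P<dst>[\d.]+)"
)

# (proto, dst port) -> service, for what an XP client needs on the DC to join.
AD_SERVICES = {
    ("UDP", 53): "DNS", ("TCP", 53): "DNS",
    ("UDP", 88): "Kerberos", ("TCP", 88): "Kerberos",
    ("TCP", 135): "RPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service",
    ("TCP", 139): "NetBIOS session",
    ("UDP", 389): "LDAP (CLDAP ping)", ("TCP", 389): "LDAP",
    ("TCP", 445): "SMB / Netlogon",
}


def parse_flows(text):
    """Return (proto, src, dst, dport) per accepted TCP/UDP flow; ICMP uses its type as 'port'."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append((m["proto"], m["src"], m["dst"], int(m["dport"])))
            continue
        m = ICMP_RE.search(line)
        if m:
            flows.append(("ICMP", m["src"], m["dst"], int(m["type"])))
    return flows


def triage(text):
    """Summarize which AD services the accept log shows reached and which it never shows.

    The RV042 only logs the workstation's outbound packets, so a DC reply
    dropped elsewhere (e.g. IP fragments eaten by a fragment screen) never
    appears here: 'reached' means the request left, not that an answer came back.
    """
    seen = Counter((p, d) for p, _s, _d, d in parse_flows(text) if p != "ICMP")
    reached = {AD_SERVICES[k] for k in seen if k in AD_SERVICES}
    missing = sorted({v for v in AD_SERVICES.values() if v not in reached})
    udp_only = sorted(
        AD_SERVICES[("UDP", port)]
        for proto, port in seen
        if proto == "UDP" and ("TCP", port) in AD_SERVICES and ("TCP", port) not in seen
    )
    return {"seen": dict(seen), "reached": sorted(reached),
            "missing": missing, "udp_only": udp_only}


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    result = triage(text)
    for (proto, port), n in sorted(result["seen"].items()):
        print(f"{proto} {port:>5}  x{n:<3} {AD_SERVICES.get((proto, port), 'other')}")
    print("never seen :", ", ".join(result["missing"]))
    print("UDP only   :", ", ".join(result["udp_only"]))
```

Before leaving the fragment screen off for the whole zone, note what it is for: it exists to stop fragment-based evasion of the firewall's inspection, so the narrower fix is to keep it and stop the join traffic from fragmenting. Microsoft KB 244474 documents the `MaxPacketSize` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters`; a value of 1 makes the XP client carry every Kerberos exchange over TCP, which the tunnel's MSS handling keeps below the path MTU. Checking the tunnel MTU on both gateways covers the remaining UDP traffic. That the fragmented packets in this case were Kerberos is an inference from the UDP-only port mix in the log, not something the thread confirms.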
 
LVL 1

Expert Comment

by:woodall01
ID: 24214371
Sorry, I should have had you send me the config. I had run into that before; I usually just turn it off by default. Don't worry about the security risk. It's usually not a real big deal.
0
 

Author Comment

by:SW111
ID: 24214523
No worries. we've solved it and getting a good night sleep tonight!!! :)
0
