Can't Ping Across ISA 2006 Site-To-Site VPN

I have set up a site-to-site VPN using 2 ISA 2006 servers. I have set up rules on both servers to allow all outbound traffic from local host, internal, VPN clients, and each other's ISA network. I can ping from each ISA server to the other successfully.

From ISA1 I can ping any IP address on ISA2's network, including ISA2.
From ISA2 I can ping any IP address on ISA1's network, including ISA1.

The problem is that clients on each network can't ping anything on the other network. If I am on client1 on ISA1's network and try to ping client2 on ISA2's network, I get no reply. After looking at logging entries on ISA1, it says "initiated connection" and "closed connection" for the pings, but I never get replies.

Any idea what I'm missing?
Asked by OriNetworks

OriNetworks (Author) commented:
Thanks Raj-GT, I already had that configured but it was unsuccessful. I simply installed another network card into the server to connect the networks locally.

OriNetworks (Author) commented:
The 2 isa servers can ping all computers on both networks. But no clients can ping anything on the other network.

On the first network, ISA1 is not the gateway for the network, it is simply a standalone server that controls VPN for the network. On the second network, ISA2 is the gateway for the entire network. Would this have anything to do with the problem?

Raj-GT (Systems Engineer) commented:
If you don't have ISA as the default gateway, you have to add a manual route entry to tell the clients how to get to the other side. Enter the following command on a client PC on the ISA1 side, where x.x.x.x is the subnet ID of the remote network, y.y.y.y is the subnet mask and z.z.z.z is the IP of the local ISA Server.

route add -p x.x.x.x mask y.y.y.y z.z.z.z

OriNetworks (Author) commented:
I am familiar with adding routes to computers and I did try adding a route with that command but no luck! I'm stumped.

Raj-GT (Systems Engineer) commented:
1. Check the firewall and network rules on both sides.
2. Confirm the VPN policies have the correct remote subnets defined (including the network and broadcast addresses for each site).
3. Monitor the remote ISA logs when you are sending a ping, as it might give you more clues.

OriNetworks (Author) commented:
When I try to ping from a client to anything on the other network, I found that I get 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED.

I have searched through multiple articles that suggest disabling spoof detection, which is certainly not an option for me. I also tried a suggestion from Microsoft to add a registry key to extend the IPSec timeout period. They said this relates to 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED, but I don't see how, since the ISA servers both establish a connection correctly.

I did make sure that all IP addresses are included when defining the networks. So the traffic is getting across to the other server, but it is just identifying it incorrectly. Does anyone have the solution to this?

Raj-GT (Systems Engineer) commented:
Add each remote ISA's public IP to the VPN definition as part of the remote subnet. E.g. ISA1's VPN definition should have ISA2's local subnet as well as ISA2's public IP, and vice versa.

The error message you are getting "FWX_E_FWE_SPOOFING_PACKET_DROPPED" can also be triggered by routing issues. Double-check that there are no multiple routes available between sites.

OriNetworks (Author) commented:
I tried that and lost connection between the servers. Maybe I have to take a look at firewall rules or network setup which should actually be at default.

Raj-GT (Systems Engineer) commented:
Your network rule should be set to route between the subnets. And the firewall rule should allow all outbound protocols > from: internal, remote > to: internal, remote for all users. I am surprised adding the public IPs to the VPN definition killed the VPN! Can you export and copy the vpn configuration here?
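The two failure modes this thread walks through (a client whose default gateway is not ISA1 has no route to the remote site, and ISA spoof detection dropping a packet whose source address is not part of a network defined for the adapter it arrived on) can be modelled in a few lines. This is an added illustration, not code from the thread or from ISA; all addresses and adapter names are constructed, and the spoof check is a simplified model of the behaviour behind the FWX_E_FWE_SPOOFING_PACKET_DROPPED log entry.

```python
from ipaddress import ip_address, ip_network

# Constructed sample topology (not the asker's addresses).
SITE1 = ip_network("192.168.1.0/24")      # behind ISA1; ISA1 is NOT the gateway
SITE2 = ip_network("192.168.2.0/24")      # behind ISA2; ISA2 IS the gateway
ISA1_LAN = ip_address("192.168.1.5")      # ISA1's internal address
CLIENT1_DEFAULT_GW = ip_address("192.168.1.1")   # the router client1 normally uses


def next_hop(dst, routes, default_gw):
    """Longest-prefix match over (network, gateway) pairs, as the client's
    routing table does. 'routes' holds what 'route add -p' would install."""
    dst = ip_address(dst)
    best = None
    for net, gw in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else default_gw


def spoof_check(adapter_networks, arrival_adapter, src):
    """Simplified model of ISA spoof detection: a packet is accepted only if its
    source lies in a network defined for the adapter it arrived on; otherwise
    it is logged as 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED."""
    src = ip_address(src)
    if any(src in net for net in adapter_networks.get(arrival_adapter, [])):
        return "ok"
    return "FWX_E_FWE_SPOOFING_PACKET_DROPPED"


def client_route_demo():
    """Where client1's ping to 192.168.2.10 goes without and with the manual route."""
    without = next_hop("192.168.2.10", [], CLIENT1_DEFAULT_GW)
    # equivalent of: route add -p 192.168.2.0 mask 255.255.255.0 192.168.1.5
    with_route = next_hop("192.168.2.10", [(SITE2, ISA1_LAN)], CLIENT1_DEFAULT_GW)
    return str(without), str(with_route)


def spoof_demo():
    """ISA2's view of a packet from client1 arriving on the site-to-site adapter:
    first with the remote network defined too narrowly (only ISA1's own address),
    then with the whole remote subnet defined."""
    narrow = {"Site1-VPN": [ip_network("192.168.1.5/32")], "Internal": [SITE2]}
    full = {"Site1-VPN": [SITE1], "Internal": [SITE2]}
    return (spoof_check(narrow, "Site1-VPN", "192.168.1.20"),
            spoof_check(full, "Site1-VPN", "192.168.1.20"))
```

The narrow definition is exactly why server-to-server pings succeed while client pings are dropped: ISA1's own address is in the definition, the clients behind it are not.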