• Status: Solved
• Priority: Medium
• Security: Public
• Views: 1379

Can't Ping Across ISA 2006 Site-To-Site VPN

I have set up a site-to-site VPN using 2 ISA 2006 servers. I have set up rules on both servers to allow all outbound traffic from Local Host, Internal, VPN Clients, and each other's ISA network. I can ping from each ISA server to the other successfully.

From ISA1 I can ping any IP address on ISA2's network, including ISA2.
From ISA2 I can ping any IP address on ISA1's network, including ISA1.

The problem is that clients on each network can't ping anything on the other network. If I am on client1 on ISA1's network and try to ping client2 on ISA2's network, I get no reply. Looking at the logging entries on ISA1, it says "initiated connection" and "closed connection" for the pings, but I never get replies.

Any idea what I'm missing?
Asked by: OriNetworks

5 Solutions
OriNetworks (Author) commented:
The 2 ISA servers can ping all computers on both networks. But no clients can ping anything on the other network.

On the first network, ISA1 is not the gateway for the network, it is simply a standalone server that controls VPN for the network. On the second network, ISA2 is the gateway for the entire network. Would this have anything to do with the problem?
Raj-GT (Systems Engineer) commented:
If you don't have ISA as the default gateway, you have to add a manual route entry to tell the clients how to get to the other side. Enter the following command on a client PC on the ISA1 side, where x.x.x.x is the subnet ID of the remote network, y.y.y.y is the subnet mask and z.z.z.z is the IP of the local ISA Server.

route add -p x.x.x.x mask y.y.y.y z.z.z.z

OriNetworks (Author) commented:
I am familiar with adding routes to computers, and I did try adding a route with that command, but no luck! I'm stumped.
Raj-GT (Systems Engineer) commented:
1. Check the firewall and network rules on both sides.
2. Confirm the VPN policies have the correct remote subnets defined (including the network and broadcast addresses for each site)
3. Monitor the remote ISA logs when you are sending a ping, as it might give you more clues.
OriNetworks (Author) commented:
When I try to ping from a client to anything on the other network, I found that I get 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED.

I have searched through multiple articles that suggest disabling spoof detection, which is certainly not an option for me. I also tried a suggestion from Microsoft to add a registry key to extend the IPsec timeout period. They said this relates to 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED, but I don't see how, since the ISA servers both establish a connection correctly.

I did make sure that all ip addresses are included when defining the networks. So the traffic is getting across to the other server, but it is just identifying it incorrectly. Does anyone have the solution to this?
Raj-GT (Systems Engineer) commented:
Add each remote ISA's public IP to the VPN definition as part of the remote subnet. E.g., ISA1's VPN definition should have ISA2's local subnet as well as ISA2's public IP, and vice versa.

The error message you are getting "FWX_E_FWE_SPOOFING_PACKET_DROPPED" can also be triggered by routing issues. Double-check that there are no multiple routes available between sites.
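As an added illustration (not from the thread and not ISA Server's own code): a small Python model of the check behind FWX_E_FWE_SPOOFING_PACKET_DROPPED. ISA accepts a packet only when its source address falls inside the address ranges of the network that owns the receiving adapter. The subnets, the public address and the network names are constructed for the example, and the model deliberately ignores ISA's routing-table side of the check. It shows the three situations the advice in this thread turns on: a packet sourced from the remote ISA's public address is dropped until that address is part of the remote-site definition, a site-1 packet arriving on the VPN adapter (a routing fault) is dropped whatever the definition says, and overlapping network definitions are flagged before either question is asked.

```python
"""Toy model of ISA Server's per-network spoof check (added example, not ISA code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed, hypothetical addressing; the thread gives no real addresses.
SITE1_LAN = "192.168.1.0/24"      # behind ISA1 (ISA1 is not the default gateway)
SITE2_LAN = "192.168.2.0/24"      # behind ISA2 (ISA2 is the default gateway)
ISA2_PUBLIC = "198.51.100.20"     # ISA2's external address (documentation range)

# An ISA address range is stored as an inclusive first/last pair.
Range = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


def subnet_range(cidr: str) -> Range:
    """Whole subnet, network and broadcast addresses included."""
    net = ipaddress.ip_network(cidr)
    return (net.network_address, net.broadcast_address)


def host_range(ip: str) -> Range:
    addr = ipaddress.ip_address(ip)
    return (addr, addr)


def isa1_networks(site2_ranges: List[Range]) -> Dict[str, List[Range]]:
    """ISA1's view: its Internal network plus the remote-site network for ISA2."""
    return {"Internal": [subnet_range(SITE1_LAN)], "Site2-VPN": list(site2_ranges)}


def owner_of(networks: Dict[str, List[Range]], ip: str) -> Optional[str]:
    """The ISA network whose ranges contain ip (None if no network does)."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in networks.items():
        if any(lo <= addr <= hi for lo, hi in ranges):
            return name
    return None


def check_packet(networks: Dict[str, List[Range]], arriving_on: str,
                 src_ip: str) -> Tuple[str, Optional[str]]:
    """Spoof check: accept only if the source lies in the ranges of the network
    that owns the receiving adapter. Returns (verdict, network owning the source)."""
    owner = owner_of(networks, src_ip)
    if owner == arriving_on:
        return ("accepted", owner)
    return ("FWX_E_FWE_SPOOFING_PACKET_DROPPED", owner)


def overlapping_ranges(networks: Dict[str, List[Range]]) -> List[Tuple[str, str]]:
    """Pairs of networks whose ranges overlap. The same address defined in two
    networks makes the spoof decision ambiguous, so fix this before anything else."""
    names = list(networks)
    found = set()
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for alo, ahi in networks[a]:
                for blo, bhi in networks[b]:
                    if alo <= bhi and blo <= ahi:
                        found.add((a, b))
    return sorted(found)


# Candidate definitions of the Site2-VPN network on ISA1.
SITE2_HOSTS_ONLY = [(ipaddress.ip_address("192.168.2.1"),
                     ipaddress.ip_address("192.168.2.254"))]   # misses .0 and .255
SITE2_FULL = [subnet_range(SITE2_LAN)]
SITE2_FULL_PLUS_PUBLIC = SITE2_FULL + [host_range(ISA2_PUBLIC)]
SITE2_MISTYPED = [subnet_range("192.168.0.0/16")]               # swallows Site 1 as well


if __name__ == "__main__":
    cases = [
        ("client2 -> client1 over the tunnel", SITE2_FULL, "192.168.2.50"),
        ("ISA2's own public address over the tunnel", SITE2_FULL, ISA2_PUBLIC),
        ("same, public IP added to the definition", SITE2_FULL_PLUS_PUBLIC, ISA2_PUBLIC),
        ("site-1 client entering on the VPN adapter (bad route)", SITE2_FULL, "192.168.1.20"),
    ]
    for label, ranges, src in cases:
        verdict, owner = check_packet(isa1_networks(ranges), "Site2-VPN", src)
        print(f"{label}: src={src} -> {verdict} (owner={owner})")
    print("overlaps with mistyped definition:",
          overlapping_ranges(isa1_networks(SITE2_MISTYPED)))
```

Run it as a script to see the four verdicts; the last case is the one to keep in mind when ISA1 is not the default gateway, because any client whose return path enters ISA1 on the wrong adapter will produce the spoofing drop even though the remote subnet is defined correctly.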
OriNetworks (Author) commented:
I tried that and lost the connection between the servers. Maybe I have to take a look at the firewall rules or network setup, which should actually be at default.
Raj-GT (Systems Engineer) commented:
Your network rule should be set to Route between the subnets. And the firewall rule should allow all outbound protocols, from: Internal, Remote, to: Internal, Remote, for all users. I am surprised adding the public IPs to the VPN definition killed the VPN! Can you export and copy the VPN configuration here?
OriNetworks (Author) commented:
Thanks, Raj-GT. I already had that configured, but it was unsuccessful. I simply installed another network card into the server to connect the networks locally.