OriNetworks
Can't Ping Across ISA 2006 Site-To-Site VPN
I have set up a site-to-site VPN using 2 ISA 2006 servers. I have set up rules on both servers to allow all outbound traffic from Local Host, Internal, VPN Clients, and each other's ISA network. I can ping from each ISA server to the other successfully.
From ISA1 I can ping any IP address on ISA2's network including ISA2
From ISA2 I can ping any IP address on ISA1's network including ISA1
The problem is that clients on each network can't ping anything on the other network. If I am on client1 on ISA1's network, I try to ping client2 on ISA2's network and get no reply. After looking at logging entries on ISA1 it says initiated connection and closed connection for the pings but I never get replies.
Any idea what I'm missing?
ASKER
I am familiar with adding routes to computers and I did try adding a route with that command but no luck! I'm stumped.
ASKER
When I try to ping from a client to anything on the other network, I found that I get 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED
I have searched through multiple articles that suggest disabling spoof detection which is certainly not an option for me. I also tried a suggestion from Microsoft to add a registry key to extend the IPSec timeout period. They said this relates to 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED but I don't see how since the ISA servers both establish a connection correctly.
I did make sure that all IP addresses are included when defining the networks. So the traffic is getting across to the other server, but it is just identifying it incorrectly. Does anyone have the solution to this?
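As an added illustration (not from the thread or from Microsoft), here is a small Python model of the check behind FWX_E_FWE_SPOOFING_PACKET_DROPPED: ISA accepts a packet only when its source address falls inside the network definition associated with the adapter or tunnel it arrived on, and anything outside every defined range counts as External. The site layout, address ranges, adapter names and client addresses below are constructed for the example.

```python
import ipaddress

# Constructed two-site layout (all addresses, network and adapter names are assumed).
# ISA defines networks as address ranges, so they are modelled as (first, last) pairs.
NETWORKS = {
    "Internal": [("192.168.1.1", "192.168.1.254")],
    "Site2VPN": [("192.168.2.1", "192.168.2.254")],  # the remote site's clients
}
# Adapter (or site-to-site tunnel) -> the ISA network it is associated with.
INTERFACES = {"LAN": "Internal", "EXT": "External", "VPN-Site2": "Site2VPN"}


def networks_containing(addr, networks=NETWORKS):
    """Names of every defined network whose ranges include addr.
    ISA treats an address that is in no defined range as the External network."""
    ip = ipaddress.ip_address(addr)
    hits = [name for name, ranges in networks.items()
            if any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
                   for lo, hi in ranges)]
    return hits or ["External"]


def spoof_check(src, iface, networks=NETWORKS, interfaces=INTERFACES):
    """Model of the spoof-detection decision: a packet is accepted only if its
    source address belongs to the network associated with the arriving adapter."""
    expected = interfaces[iface]
    owners = networks_containing(src, networks)
    if len(owners) > 1:
        return "dropped", f"{src} is in overlapping network definitions {owners}"
    if owners[0] != expected:
        return "dropped", f"{src} belongs to {owners[0]} but arrived on {iface} ({expected})"
    return "accepted", f"{src} is in {expected}, as expected for {iface}"


def audit_remote_range(clients, remote_net="Site2VPN", networks=NETWORKS):
    """Remote client addresses the local definition does not cover; their echo
    replies arriving through the tunnel would be classified External and dropped."""
    return [c for c in clients if remote_net not in networks_containing(c, networks)]


if __name__ == "__main__":
    # Echo reply from a remote client arriving through the tunnel: accepted.
    print(spoof_check("192.168.2.50", "VPN-Site2"))
    # The same source address on the LAN adapter is dropped as spoofed.
    print(spoof_check("192.168.2.50", "LAN"))
    # A too-narrow remote range definition is one common cause of the drop.
    narrow = {**NETWORKS, "Site2VPN": [("192.168.2.1", "192.168.2.10")]}
    print(audit_remote_range(["192.168.2.5", "192.168.2.50"], networks=narrow))
```

Running the audit against the real range definitions on each ISA server, with every remote client address that fails to ping, shows whether the drop is a definition gap or a packet genuinely arriving on the wrong adapter.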
ASKER
I tried that and lost connection between the servers. Maybe I have to take a look at firewall rules or network setup which should actually be at default.
ASKER
On the first network, ISA1 is not the gateway for the network, it is simply a standalone server that controls VPN for the network. On the second network, ISA2 is the gateway for the entire network. Would this have anything to do with the problem?