angryjoe1426

asked on

Remote network cannot communicate with Microsoft ISA Server 2004 in a Site-to-Site VPN using 2 Linksys RV082s.

Hey all,

This is my first post, so please, be kind if I do something wrong.

I have very little experience with ISA 2004.  I have setup a site to site VPN using two Linksys RV082s. ( It is fully functional, because I can communicate back and forth from both networks )

My problem is that the remote network cannot communicate with my ISA Server.  I installed a packet sniffer that shows the packets going to the server, but nothing happens.  I reviewed the ISA monitoring log ( to the best of my ability ) and I'm not seeing anything regarding denied connections or the client IP.

In the ISA Server, I have setup the remote network as an internal network (10.149.86.0-255 as well as the external IP which I won't show for obvious reasons). I then created a Network Access rule from that Network to the Internal network as a Route.  Lastly I created a Firewall Policy to allow all outbound traffic from the remote network to Local Host.

I'm not quite sure what I could be doing wrong.  Any help is greatly appreciated.  Also, if this seems sloppy, I apologize.

Thanks!

Joe
Murat Raymond

Is the ISA server also your gateway?

Please post the routing table from the ISA server and one machine from the remote network.
example:
C:\> route print > RT.txt

Vico1
angryjoe1426 (ASKER)

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10002 ...00 53 45 00 00 00 ...... WAN (PPP/SLIP) Interface
0x10003 ...00 30 48 76 0a fd ...... Intel(R) PRO/1000 MT Dual Port Server Adapter #2
0x10004 ...00 30 48 76 0a fc ...... Intel(R) PRO/1000 MT Dual Port Server Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination          Netmask          Gateway        Interface  Metric
          0.0.0.0          0.0.0.0    <external ip>   <external ip>       1
      10.149.86.0    255.255.255.0     192.168.11.1    192.168.11.9       1
    <external ip>    255.255.255.0    <external ip>   <external ip>      10
    <external ip>  255.255.255.255        127.0.0.1       127.0.0.1      10
   69.255.255.255  255.255.255.255    <external ip>   <external ip>      10
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.11.0    255.255.255.0     192.168.11.9    192.168.11.9      10
     192.168.11.9  255.255.255.255        127.0.0.1       127.0.0.1      10
   192.168.11.146  255.255.255.255        127.0.0.1       127.0.0.1      50
   192.168.11.162  255.255.255.255   192.168.11.146  192.168.11.146       1
   192.168.11.255  255.255.255.255     192.168.11.9    192.168.11.9      10
        224.0.0.0        240.0.0.0    <external ip>   <external ip>      10
        224.0.0.0        240.0.0.0     192.168.11.9    192.168.11.9      10
  255.255.255.255  255.255.255.255    <external ip>   <external ip>       1
  255.255.255.255  255.255.255.255     192.168.11.9   <external ip>       1
Default Gateway:        69.95.44.1
===========================================================================
Persistent Routes:
  None

I inherited the network.  My company has a couple of external IPs.  All of our network, minus the ISA server, uses the RV082 ( 192.168.11.1 ) as the Gateway.  The ISA server's internal IP is 192.168.11.9.  

After adding the 10.149.86.0 rule to the routing table, I started seeing entries in the ISA server log stating that destination was unreachable.

Log type: Web Proxy (Forward)
Status: 10065 A socket operation was attempted to an unreachable host.  
Rule: Allow HTTP/HTTPS requests from ISA Server to selected servers for connectivity verifiers
Source: Local Host ( 192.168.11.9:0)
Destination: CSquaredNY ( 10.149.86.1:80)
Request: GET http://10.149.86.1/ 
Filter information: Req ID: 22f7cfbe  
Protocol: http
User: anonymous

Windows IP Configuration

   Host Name . . . . . . . . . . . . : lotus
   Primary Dns Suffix  . . . . . . . : CSquared.local
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : Yes
   DNS Suffix Search List. . . . . . : CSquared.local

PPP adapter RAS Server (Dial In) Interface:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
   Physical Address. . . . . . . . . : 00-53-45-00-00-00
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.11.146
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Network Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Server Adapter #2
   Physical Address. . . . . . . . . : 00-30-48-76-0A-FD
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : <external IP>
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 69.xx.xx.1
   DNS Servers . . . . . . . . . . . : 192.168.11.9
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Server Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Dual Port Server Adapter
   Physical Address. . . . . . . . . : 00-30-48-76-0A-FC
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.11.9
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.11.9
   Primary WINS Server . . . . . . . : 192.168.11.9


Could it be that there is no Default Gateway set?

What are the IP addresses of the Local  and the remote router that is connecting the networks?
IP Address of Local RV082: 192.168.11.1
IP Address of Remote RV082: 10.149.86.1
The local side looks good.
Except there is no way to tell if router RV082: 192.168.11.1 knows the route to the other network.
What about the remote side.
Can you get a routing table of a machine on the remote network and an ipconfig?

If possible, the routing table of the 2 routers also.

Sorry for all the questions but you know how the routing business is :)

Vico1
First off, thanks for your help.

RV082: 192.168.11.1 passes the information over the established IP Sec tunnel to RV082: 10.148.86.1 and then the RV082 on the remote network knows how to route it to the correct destination.

For some reason I think it's not getting from the ISA Server(192.168.11.9) to the router.  I feel that the ISA Server is where my problem lies, but I'm not sure and can't prove it.

Unfortunately, I cannot obtain the routing tables that routers/gateways are using.  If you want I can post the settings for my VPN tunnel if you think that will help.
No, I am trying to rule out the routers.
What you can do is:
If in fact the problem is coming from the ISA server you should be able to communicate with 2 workstations. Have you tried that?
If we can rule out routing problems then we can solve the ISA part.

Vico1
Yes, I have tried that.

Using my personal computer on the network ( 192.168.11.172 ) I was able to communicate to an FTP server running on the other network ( 10.149.86.150 ).
Ok then do the following:
1.- Open ISA Management.
2.- On the left pane, Expand your server
3.- Then Click on Firewall Policy.
4.- On the Right Pane, Click On "Toolbox" Tab  Then Click on "Network Objects"
5.- Expand "Networks" The Double Click on Internal
6.- Click on "Addresses" TAB
7.- Click on "Add Range" Then ADD The following Range: 10.0.0.0 - 10.255.255.255

As you stated earlier that you have added the external IP also, you should remove that if it's there.
Then click OK, then apply the changes in ISA.

Let me know if that works
Vico1


Sadly it didn't work.

I added the following ranges to the Internal Network:
1) 10.149.86.0 - 10.149.86.255
2) 10.0.0.0 - 10.255.255.255

I wasn't sure if I was reading your last post correctly, because the ranges overlapped. I tried it both with and without and achieved the same results - it didn't work.

To experiment, I tried to FTP from the ISA Server (192.168.11.9) to a machine on the remote network (10.149.86.150).  I saw the 'failed connection' record in ISA log, but didn't see any packets in the packet sniffer ( wireshark ).

As far as added proof goes that the Tunnel is setup properly, here is a tracert log from a computer on the remote network:

Tracing route to 192.168.11.172 over a maximum of 30 hops

1      <1ms      <1ms      <1ms      10.149.86.1
2      *      *      *      Request timed out.
3      66ms      67ms      67ms      192.168.11.172

Trace complete
Judging from Tracert the problem seems to be in the Router.
It enters the router and does not reach the next hop which is the router at the other end.

Is there a way to print the route on the routers?
vico1
The tracert was just to show that it was working.

If I ping from the home network over I get the following:

Tracing route to 10.149.86.150 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.11.1
  2     *        *        *     Request timed out.
  3    69 ms    79 ms    86 ms  10.149.86.150

Trace complete.

So the information is getting where it is supposed to go.

The problem still has to lie with the ISA server or the routing in the ISA server.
Then again, something positive.

I just tried to FTP from 10.149.86.150 to the ISA Server and got this:

C:\Documents and Settings\Administrator>ftp 192.168.11.9
Connected to 192.168.11.9.
Connection closed by remote host.

It connected instead of saying it couldn't be found.

After I attempted the FTP, I looked at the packet sniffer on the server, it showed the packets from 10.149.86.150 coming in, but nothing going back, and no logs in the ISA Server.
I just found this in the 'Alerts Section' of the ISA Server:

Description: ISA Server detected routes through the network adapter Server Local Area Connection that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 10.149.86.0-10.149.86.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

ISA Server detected routes through the network adapter Network Connection that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 10.149.86.0-10.149.86.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
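The correlation check that alert describes, written out as an added example (not ISA Server code and not from this thread): it parses a constructed route table modelled on the one posted above and reports any range declared in the Internal network whose next hop leaves through an adapter that is not part of that network, which is the condition under which ISA drops the traffic as spoofed. 203.0.113.0/24 is a documentation placeholder for the redacted external range, and the Internal network definition is assumed.

```python
import ipaddress

# Constructed "route print" excerpt modelled on the one posted in this thread.
# 203.0.113.0/24 is a placeholder for the redacted external range.
ROUTE_PRINT = """\
0.0.0.0       0.0.0.0          203.0.113.1   203.0.113.9   1
10.149.86.0   255.255.255.0    192.168.11.1  192.168.11.9  1
203.0.113.0   255.255.255.0    203.0.113.9   203.0.113.9   10
127.0.0.0     255.0.0.0        127.0.0.1     127.0.0.1     1
192.168.11.0  255.255.255.0    192.168.11.9  192.168.11.9  10
"""

# Assumed ISA-style network definition: the adapter IPs that belong to the
# network and the address ranges the network is declared to contain.
NETWORKS = {
    "Internal": {"adapters": {"192.168.11.9"},
                 "ranges": [("192.168.11.0", "192.168.11.255"),
                            ("10.149.86.0", "10.149.86.255")]},
}

def parse_routes(text):
    """Turn 'destination mask gateway interface metric' rows into networks."""
    routes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        dest, mask, gateway, iface, metric = line.split()
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def egress_interface(routes, addr):
    """Longest-prefix match, lowest metric on ties: the interface IP used."""
    ip = ipaddress.IPv4Address(addr)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: (r[0].prefixlen, -r[3]))
    return best[2]

def uncorrelated_ranges(routes, networks):
    """Declared ranges reached through an adapter outside their network."""
    bad = []
    for name, cfg in networks.items():
        for first, last in cfg["ranges"]:
            for subnet in ipaddress.summarize_address_range(
                    ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)):
                via = egress_interface(routes, str(subnet.network_address))
                if via not in cfg["adapters"]:
                    bad.append((name, first, last, via))
                    break
    return bad

if __name__ == "__main__":
    routes = parse_routes(ROUTE_PRINT)
    print(uncorrelated_ranges(routes, NETWORKS))   # [] once the 10.149.86.0 route exists
    without = [r for r in routes if str(r[0]) != "10.149.86.0/24"]
    print(uncorrelated_ranges(without, NETWORKS))  # the 10.149.86.0 range, via 203.0.113.9
```

Without the static route, 10.149.86.0/24 falls to the default route out the external adapter, which is exactly the mismatch the alert reports; adding the route via 192.168.11.1 on the internal adapter clears it.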
Angryjoe1426,
You will not be able to connect to the SBS FTP site since you have to set it up before you can use it.
By default FTP is not accessible in SBS until you set it up.

You need to try something else, like an HTTP connection http://sbsserver or a UNC path \\sbsserver\

The remote network must also have 192.168.11.9 as DNS server.

I know that I wouldn't be able to actually FTP, I just wanted to see if it would connect or give me a 'Could not reach destination' message.  As an alternative, I did try to reach the server via http://192.168.11.9 and it timed out.

Sadly, again, no logs in the ISA Server Manager but I did see the packets using Wireshark.

I'm holding off on setting the DNS of my remote network to 192.168.11.9 until I can successfully communicate with it.
Do a tracert from to the sbs, what are the results?
Tracert from 192.168.11.1 (SBS 2003/ISA 2004):

Tracing route to 10.149.86.1 over a maximum of 30 hops

  1     *     Negotiating IP Security.

Trace complete.
ASKER CERTIFIED SOLUTION
Murat Raymond
Thanks, I'll try that in the morning.  I really do appreciate your help.
Just an FYI, we couldn't restart our server this morning.  We will be doing the restart later this afternoon around 5:30.
Vico1, thanks a ton.  The big thing was editing the Routing Table for the computer and adding the addresses to my internal network. I really do appreciate all of the help.  You're a life saver.
Cool!
Glad to help.