Solved

ISA 2006 PPTP VPN - PPTP Miniports gone

Posted on 2009-07-07
Last Modified: 2012-05-07
I have an ISA 2006 standard edition with PPTP VPN access configured. It was working fine until the last reboot. Ever since then PPTP is no longer working.
There is no process listening on port 1723. Checking the RRAS configuration reveals that there are no PPTP miniports configured anymore.
- They are not configurable via the RRAS console.
- Removing and reinstalling the PPTP miniport using devcon.exe did not help.
- Reconfiguring the NICs did not help.

Restoring the server from a backup made at a point of time where the PPTP was still working shows up the same problem now.
0
Question by:Yossarian-22
11 Comments
 
LVL 29

Expert Comment

by:pwindell
ID: 24798622
RRAS was screwed up by the KB956570 Windows Update patch.  Either remove the update or fix it with the script indicated in this article.
KB956570 stops PPTP in ISA VPN
DNS queries that are passed through the ISA Server 2006 NAT do not use random source ports
http://support.microsoft.com/kb/956570
 
0
 
LVL 3

Author Comment

by:Yossarian-22
ID: 24801192
I had removed that update already, but the miniports are still gone.
Also the possible RSS issue has been fixed by turning it off in the registry.

Windows 2003 runs on SP2, ISA on SP1.
0
 
LVL 3

Accepted Solution

by:Yossarian-22
ID: 24812670
One protocol definition contained a port range which covered port 1723. A rule bound to the main external IP contained that protocol definition. Even though there was no active listening on that port going on according to netstat, the port was blocked and the miniports could not be created.
0
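The check the accepted solution implies, as an added example that is not part of the original thread and not ISA Server code: it lists rules bound to an external IP whose protocol definition covers TCP 1723. The `ProtocolDef` and `Rule` records are hypothetical, meant to be transcribed by hand from the ISA console, and the sample data and documentation IP addresses are constructed.

```python
from dataclasses import dataclass

PPTP_TRANSPORT, PPTP_PORT = "TCP", 1723   # PPTP control channel from the thread


@dataclass(frozen=True)
class ProtocolDef:      # hypothetical record: one connection of a protocol definition
    name: str
    transport: str      # "TCP" or "UDP"
    port_low: int
    port_high: int


@dataclass(frozen=True)
class Rule:             # hypothetical record: a rule and the IP it is bound to
    name: str
    listen_ip: str
    protocols: tuple    # names of the protocol definitions the rule uses


def covers_pptp(p):
    """True if the definition's TCP port range includes 1723."""
    return p.transport.upper() == PPTP_TRANSPORT and p.port_low <= PPTP_PORT <= p.port_high


def find_conflicts(rules, protocols, external_ips):
    """Return (rule, definition, low, high) for rules on an external IP covering 1723."""
    by_name = {p.name: p for p in protocols}
    hits = []
    for r in rules:
        if r.listen_ip not in external_ips:
            continue
        for pname in r.protocols:
            p = by_name.get(pname)
            if p is not None and covers_pptp(p):
                hits.append((r.name, p.name, p.port_low, p.port_high))
    return hits


# Constructed sample data (not taken from the thread).
SAMPLE_PROTOCOLS = [
    ProtocolDef("Custom App Range", "TCP", 1700, 1800),   # swallows 1723
    ProtocolDef("HTTPS Server", "TCP", 443, 443),
    ProtocolDef("UDP Range", "UDP", 1000, 2000),          # UDP, not a conflict
]
SAMPLE_RULES = [
    Rule("Publish custom app", "203.0.113.10", ("Custom App Range",)),
    Rule("Publish web", "203.0.113.10", ("HTTPS Server",)),
    Rule("Internal app", "10.0.0.1", ("Custom App Range",)),
    Rule("Publish UDP range", "203.0.113.10", ("UDP Range",)),
]
```

Calling `find_conflicts(SAMPLE_RULES, SAMPLE_PROTOCOLS, {"203.0.113.10"})` reports only the rule that uses the 1700-1800 TCP range on the external address.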
 

Expert Comment

by:dchorobski
ID: 34853574
OK.  This is exactly the problem I'm having and I found the same description of the problem and the solution somewhere else (no details though).  How exactly do I solve this?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34853782
It is not likely that you have the same problem as Yossarian-22,....what you most likely have is the same symptoms,...not the same problem.  His Protocol issue is unusual, unlikely, and unique to him only.  

What I described in my previous post is the very common and well established and verified problem with PPTP Ports and Windows Updates.   Here it is again:

RRAS was screwed up by the KB956570 Windows Update patch.  Either remove the update or fix it with the script indicated in this article.

KB956570 stops PPTP in ISA VPN
DNS queries that are passed through the ISA Server 2006 NAT do not use random source ports
http://support.microsoft.com/kb/956570



0
 

Expert Comment

by:dchorobski
ID: 34854442
Thanks a lot.
This was exactly what I needed.
Why would Microsoft push-out a screwed-up update and fail to push a fix with next round of updates?
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34854599
I've annoyed an MS employee a time or two,  with that same question  :-)

Well the script from that article that fixes it was the "update" that fixed it, and the response before the script came out was to just remove the patch which also worked.  MS did respond pretty quickly with that.  This problem is probably almost a year old by now,...but you probably just recently allowed that one patch to apply and ended up with the problem.

When you consider the 100's of OS Patches that come out over time,...this is the only one that I know of that has caused a problem like this,...so in the big picture they haven't done that bad.  But I have to admit that knocking out the PPTP Ports was kind of a big one to trip and fall into  :-)
0
 

Expert Comment

by:dchorobski
ID: 34854719
Actually, I had the problem with that patch just about a year ago - maybe a little longer.  So, at that time, I uninstalled all patches one-by-one, until there was none and VPN still didn't work.  Somewhere I found that restarting RRAS solves the problem, and it did.  Then, I reinstalled patches until that infamous KB956570 killed VPN again.  After removal I marked it to never appear in my update list.
Every time I run ISA updates I get chills up my spine and this time it happened again.  I think what happened is that some remnant settings must have been left in the registry and one of the new updates either used them or enabled it.  As far as I know no KB956570 is on my ISA but the issue was solved by the fix.

Thanks again,
Daniel
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34854772
Even when you remove the patch (even if you hit the right one the first time) it still requires a reboot to take effect,...which you restarting RRAS probably accomplished the same thing.

I just applied the patch then adjusted it with the script,...so now I don't have to worry about the patch applying again or accidentally being re-enabled to apply because it is already there.  I'm not sure that the script disabled everything the patch did but rather adjusted it to correct the problem,...the patch was to correct DNS issues and may have fixed other things not including the PPTP thing,...so I wanted it applied.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34854845
I did leave a copy of the Script right on the ISA's Desktop in case I ever had to repeat it  :-)
0
 

Expert Comment

by:dchorobski
ID: 34854866
I think it's a good idea.  It will stay there as a reminder.
0
