Forefront TMG - Outbound IPSec Connection gets blocked

Hey guys,

I've just installed the new TMG. Well, so far everything works fine,
except that some outbound VPN connections don't work.

I've checked the TMG event logs and they show me that the following connection is dropped:
Client IP - Destination IP - Port - Protocol - Result Code
192.x.x.x(local) - 212.x.x.x(extern) - 4500 - Ipsec NAT-T Client - FWX_E_FW_IPSEC_DROPPED

The status message says:
Status: A packet was dropped due to periodic inconsistency between the IPSec policy and the Forefront TMG snapshot of the IPSec policy.

I already added a rule which allows all outbound traffic from internal network.
So why does it drop this connection?

Thanks in advance!
Regards Dave
Keith Alabaster
Are you also seeing IKE client errors?
What version of TMG are you using - the RC or the RTM version?
Is the 2008 R2 box fully patched up?

ASKER

It's RTM and the server is fully patched.
I only receive the error message I've already posted above.
Error Code: 0xc004003e FWX_E_FW_IPSEC_DROPPED

The client IP is the WAN IP of the TMG server and the destination IP is the VPN gateway on the internet. The client we're having trouble with is a 'Cisco IPsec over UDP' client.
It all worked fine with our ISA 2006 (and it still does if I change the gateway back to the old ISA).

Regards Dave
In the GUI: Logs & Reports - Logging - click Start Query. You may need to edit the query to pick up the IPsec protocols only if there is a lot of output.
Please post exactly what is being seen and, if necessary, any lines prior to that particular error message that you feel may be relevant.
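When the log query returns a lot of rows it is often easier to export them and filter offline. The script below is an added example for this thread, not TMG's own tooling, and it makes two assumptions: that the export uses the simplified column order quoted in the question (Client IP - Destination IP - Port - Protocol - Result Code), and that IKE is UDP 500 and NAT-T is UDP 4500 (RFC 3947/3948). The sample rows, IP addresses (documentation ranges) and the "Initiated Connection" result text are constructed for illustration; only the NAT-T protocol name and the FWX_E_FW_IPSEC_DROPPED result code come from the thread. It groups IPsec rows per client/gateway pair and separates the pattern described here (IKE on 500 is seen, then NAT-T on 4500 is dropped with the IPsec-policy error) from flows where no IKE exchange was logged at all, which would point at a rule or routing problem instead.

```python
"""Triage exported Forefront TMG log rows for the IPsec NAT-T drop pattern.

Added example for illustration; not part of TMG or of the original post.
Assumptions (constructed):
  - rows use the column order quoted in the question:
    Client IP - Destination IP - Port - Protocol - Result Code
  - IKE runs over UDP 500 and NAT-T over UDP 4500 (RFC 3947/3948)
  - the "Initiated Connection" result text and all addresses are invented
"""
from collections import defaultdict

IKE_PORT = 500
NAT_T_PORT = 4500
IPSEC_DROP = "FWX_E_FW_IPSEC_DROPPED"  # 0xc004003e, as quoted in the thread

# Constructed sample export; addresses are from documentation ranges.
SAMPLE_LOG = """\
Client IP - Destination IP - Port - Protocol - Result Code
192.0.2.10 - 203.0.113.5 - 500 - IKE Client - Initiated Connection
192.0.2.10 - 203.0.113.5 - 4500 - IPsec NAT-T Client - FWX_E_FW_IPSEC_DROPPED
192.0.2.10 - 203.0.113.5 - 4500 - IPsec NAT-T Client - FWX_E_FW_IPSEC_DROPPED
192.0.2.10 - 198.51.100.7 - 443 - HTTPS - Initiated Connection
192.0.2.11 - 203.0.113.9 - 4500 - IPsec NAT-T Client - FWX_E_FW_IPSEC_DROPPED
"""


def parse_rows(text):
    """Parse the simplified 'a - b - c - d - e' rows into dicts; skip the header."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("Client IP"):
            continue
        parts = [p.strip() for p in line.split(" - ")]
        if len(parts) != 5:
            raise ValueError(f"unexpected row: {line!r}")
        client, dest, port, proto, result = parts
        rows.append({"client": client, "dest": dest, "port": int(port),
                     "proto": proto, "result": result})
    return rows


def ipsec_rows(rows):
    """Keep only IKE (500) and NAT-T (4500) rows, the same filter the
    'IPsec protocols only' log query would apply."""
    return [r for r in rows if r["port"] in (IKE_PORT, NAT_T_PORT)]


def find_nat_t_drops(rows):
    """Group IPsec rows by (client, gateway) and report every pair whose
    NAT-T packets were dropped with the IPsec-policy error.  'ike_seen'
    tells whether an IKE row that was not itself dropped was logged for
    the same pair, i.e. whether phase 1 got through before the drop."""
    flows = defaultdict(lambda: {"ike_seen": False, "nat_t_drops": 0})
    for r in ipsec_rows(rows):
        key = (r["client"], r["dest"])
        if r["port"] == IKE_PORT and r["result"] != IPSEC_DROP:
            flows[key]["ike_seen"] = True
        elif r["port"] == NAT_T_PORT and r["result"] == IPSEC_DROP:
            flows[key]["nat_t_drops"] += 1
    return {k: v for k, v in flows.items() if v["nat_t_drops"]}


def describe(drops):
    """Human-readable verdict per flow, for pasting into a thread."""
    lines = []
    for (client, dest), info in sorted(drops.items()):
        if info["ike_seen"]:
            why = "IKE passed, NAT-T dropped by IPsec policy (not an access rule)"
        else:
            why = "no IKE logged at all; check the rule/route before the IPsec policy"
        lines.append(f"{client} -> {dest}: {info['nat_t_drops']} NAT-T drop(s); {why}")
    return lines


if __name__ == "__main__":
    for line in describe(find_nat_t_drops(parse_rows(SAMPLE_LOG))):
        print(line)
```

The distinction the script draws is the one Keith asks about: if IKE on UDP 500 is logged as allowed and only the UDP 4500 packets carry FWX_E_FW_IPSEC_DROPPED, the access rule is not what is blocking the flow, since the rule already let phase 1 through.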
ASKER

Hello,
I've attached an Excel document with the detailed log.
Please note that I've translated it to English, but it should be understandable.

Regards Dave
TMG-IPSec-error-log.xls
Life would be so much simpler if Cisco/Microsoft just kissed and made up. Nearly all the bigger issues I troubleshoot these days seem to be Cisco and MS talking to or through each other.

Whilst I see if i can reproduce it, is this of any use to you?
http://social.technet.microsoft.com/Forums/en/ForefrontedgeIA/thread/cd0433e4-e15c-44e0-abe2-d90ae2375305 
ASKER

I found this thread via Google, too.
But setting the registry key mentioned in the thread doesn't work for me.

Regards Dave
lol - no problem - just downloading the Cisco VPN client. As a matter of interest, do you have anything between the FTMG and the internet that is providing NAT functionality?
Also, the version of the vpn client - is it v4 or v5?
ASKER

Yeah, there is a router (NAT) which forwards all ports to our TMG.
I'm not sure about the version; I'm going to need to check this.

Regards Dave
Thanks - just to be clear then on the scenario before I start hacking my system about: this is for certain internal clients who are attempting to make IPsec VPNs to an external VPN server/concentrator, which requires a passthrough of the FTMG to the Internet. The initial phase 1 connection appears to establish, but then we get the error you have logged.

I have downloaded v4 of the Cisco VPN client but can get v5 if needed.
ASKER

Yeah, that's right! It's an outgoing client IPsec connection.
I have to talk to our customer to check which Cisco client version he has, but he's out of the office and will be back in about an hour.

Big Thanks & Best Regards
Dave
No problem :)  Snowed in here at home so it will keep me occupied for a while.
ASKER

Hey,
How was your weekend - snowy? ;)

Just for information, I've just spoken to our customer: it's a v4 client!!!
But I made some tests with v5 ... it doesn't work in our network either.

Regards Dave
lol - nor did mine, but that is because I am running 64-bit across the board, so I can't even install the damn thing.

Snowy? Doesn't even come close but the actual weekend was clear bizarrely enough :(
I am not good at working from home as I don't have the will power to remain focussed on work - I ended up playing Call of Duty for an hour or two on one of the days...

OK - to work :)

I am just installing the Cisco Connect client which supports 64-bit client OSes.
Are you using the FTMG firewall client on the workstations?

I know this sounds silly, but the file attachment you posted is failing between Local Host and External, whereas your rule is for Internal to External - have you tried including Local Host to External? Sure, you shouldn't have to, but......

I have also fired off an email to the development team. (Besides being an MVP, I am a moderator on the TechNet ISA/FTMG/UAG forums and an article writer on TechNet, so sometimes I can sneak questions in through the back door, so to speak. They may give me short shrift as they are REALLY busy with the new releases of FTMG/UAG, but it is worth the effort of trying.)

I don't want a username or password, but a contact point would be useful for me to test against. If you review my profile you will see a contact point, as obviously nothing should be openly published.

keith - ISA Forefront MVP
ASKER

Hey,
thanks for your help so far! Great work :)

About your questions: there is no FTMG firewall client installed on the PC, since we are not allowed to do so :/ And yes, I can give you the IPsec contact point, but if possible I would like to send it by email or private message. I don't want to post it publicly.

Regards Dave
ASKER CERTIFIED SOLUTION
Keith Alabaster
[solution text available to members only]
ASKER

Yeah, sure! I'm going to check this.
But since everything else works fine (web access, Exchange publishing, VPN incoming and outgoing over PPTP), I don't believe it's about the basic configuration.

Regards Dave
ASKER

Well, I've set up a second gateway with ISA 2006 for IPsec clients now. Still no idea why it doesn't work with TMG. Never mind, thanks for your time :)
Hi there, not sure if you will get this, but I use TMG and have an IPsec VPN set up, which I struggled for a while to get going but eventually figured out. It would have been easier if I could have seen the logs to work out what was going on. In my TMG setup, though, it seems IPsec logging is off by default, so even if I start a query in the logging section and choose all the IPsec protocols, I see no results except "connection denied", even though I have a good connection and have sent data across; that does not appear to be logged.

For future use I would like to see real-time logging, or, when I start the query, some info; that would be great. How do you turn on IPsec logging?

Logging of what exactly? Once a VPN tunnel has been created from an internal client to an external VPN header, what do you think FTMG could log, seeing as the traffic would be encrypted?