Solved

Forefront TMG - Outbound IPSec Connection gets blocked

Posted on 2010-01-07
Last Modified: 2013-11-16
Hey guys,

I've just installed the new TMG. Well, so far everything works fine.
Except some outbound VPN connections don't work.

I've checked the TMG event logs and they show me that the following connection is dropped:
Client IP - Destination IP - Port - Protocol - Result Code
192.x.x.x(local) - 212.x.x.x(extern) - 4500 - Ipsec NAT-T Client - FWX_E_FW_IPSEC_DROPPED

The status message says:
Status: A packet was dropped due to periodic inconsistency between the IPSec policy and the Forefront TMG snapshot of the IPSec policy.

I already added a rule which allows all outbound traffic from internal network.
So why does it drop this connection?

Thanks in advance!
Regards Dave
Question by:jPDave
21 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26207910
Are you also seeing ike client errors?
What version of tmg are you using - the RC or the RTM version?
Is the 2008 R2 box fully patched up?

0
 
LVL 3

Author Comment

by:jPDave
ID: 26208461
It's RTM and the server is fully patched.
I only receive the error message I've already posted above.
Error Code: 0xc004003e FWX_E_FW_IPSEC_DROPPED

The Client-IP is the WAN-IP of the TMG server and the Destination-IP is the VPN gateway on the internet. The client we're having trouble with is a 'Cisco IPsec over UDP' client.
It all worked fine with our ISA2006 (and it still does if I change the gateway back to the old ISA).

Regards Dave
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26208843
In the GUI - Logs & Reports - Logging - click Start Query. You may need to edit the query to pick up the IPsec protocols only if there is a lot of output.
Please post exactly what is being seen and, if necessary, any lines prior to that particular error message that you feel may be relevant.
0
 
LVL 3

Author Comment

by:jPDave
ID: 26209141
Hello,
I've added an Excel document with the detailed log.
Please note that I've translated it to English - but it should be understandable.

Regards Dave
TMG-IPSec-error-log.xls
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26209262
Life would be so much simpler if Cisco/Microsoft just kissed and made up. Nearly all the bigger issues I troubleshoot these days seem to be Cisco and MS talking to or through each other.

Whilst I see if I can reproduce it, is this of any use to you?
http://social.technet.microsoft.com/Forums/en/ForefrontedgeIA/thread/cd0433e4-e15c-44e0-abe2-d90ae2375305 
0
 
LVL 3

Author Comment

by:jPDave
ID: 26209385
I've found this thread via Google, too.
But setting the registry key mentioned in the thread doesn't work for me.

Regards Dave
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26209510
lol - no problem - just downloading the Cisco VPN client. As a matter of interest, do you have anything between the FTMG and the internet that is providing NAT functionality?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26209555
Also, the version of the vpn client - is it v4 or v5?
0
 
LVL 3

Author Comment

by:jPDave
ID: 26209886
Yeah, there is a router (NAT) which forwards all ports to our TMG.
I'm not sure about the version, gonna need to check this.

Regards Dave
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26210303
Thanks - just to be clear then on the scenario before I start hacking my system about: this is for certain internal clients who are attempting to make IPsec VPNs to an external VPN server/concentrator, which requires a passthrough of the FTMG to the Internet. The initial phase 1 connection appears to establish but then we get the error you have logged.

I have downloaded v4 of the Cisco VPN client but can get v5 if needed.
0
 
LVL 3

Author Comment

by:jPDave
ID: 26210483
Yeah, that's right! It's an outgoing client IPsec connection.
I have to talk to our customer to check which Cisco client version he has, but he's out of office and will be back in about an hour.

Big Thanks & Best Regards
Dave
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26210502
No problem :)  Snowed in here at home so it will keep me occupied for a while.
0
 
LVL 3

Author Comment

by:jPDave
ID: 26284968
Hey,
how was your weekend - snowy? ;)

Just for information, I've just spoken to our customer: it's a v4 client!!!
But I made some tests with v5 ... it doesn't work in our network either.

Regards Dave
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26285911
lol - nor mine, but that is because I am running 64-bit across the board so I can't even install the damn thing.

Snowy? Doesn't even come close, but the actual weekend was clear, bizarrely enough :(
I am not good at working from home as I don't have the will power to remain focussed on work - ended up playing Call of Duty for an hour or two on one of the days...

OK - to work :)

Am just installing the Cisco Connect client which supports 64-bit client OS's.
Are you using the FTMG firewall client on the work stations?

I know this sounds silly, but the file attachment you posted is failing between Local Host and External, whereas your rule is for Internal to External - have you tried including Local Host to External? Sure, you shouldn't have to, but......

I have also fired off an email to the development team (besides being an MVP I am a Moderator on the TechNet ISA/FTMG/UAG forums and an article writer on TechNet, so sometimes I can sneak questions in through the back door, so to speak). They may give me short shrift as they are REALLY busy with the new releases of FTMG/UAG, but it is worth the effort of trying.

I don't want a username or password but a contact point would be useful for me to test against. If you review my profile you will see a contact point as obviously nothing should be openly published.

keith - ISA Forefront MVP

0
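The question quotes the TMG log columns (Client IP - Destination IP - Port - Protocol - Result Code), and Keith's point above is that the dropped flow originates from the firewall's own WAN address, so the Local Host network, not Internal, is the relevant rule source. As an added example that is not part of this thread, the following script parses constructed lines in that column layout and reports FWX_E_FW_IPSEC_DROPPED flows, flagging those whose source is the firewall itself; the addresses, the HTTPS/IKE lines and the `0x0 (Success)` result text are assumptions made up for the sample.

```python
# Added example (not from the thread): parse the five TMG log columns quoted
# in the question and summarise IPsec policy drops per flow, noting when the
# source is the firewall's own WAN address (i.e. the Local Host network).
from collections import Counter
import re

IPSEC_DROP = "FWX_E_FW_IPSEC_DROPPED"           # 0xc004003e, as posted in the thread
IPSEC_PROTOCOLS = {"Ipsec NAT-T Client", "IKE Client"}

# Constructed sample log in the layout of the question post. Addresses are
# RFC 5737 documentation ranges; the success lines are invented filler.
SAMPLE_LOG = """\
192.0.2.10(local) - 203.0.113.5(extern) - 4500 - Ipsec NAT-T Client - FWX_E_FW_IPSEC_DROPPED
192.0.2.10(local) - 203.0.113.5(extern) - 500 - IKE Client - 0x0 (Success)
10.0.0.25(local) - 198.51.100.7(extern) - 443 - HTTPS - 0x0 (Success)
192.0.2.10(local) - 203.0.113.5(extern) - 4500 - Ipsec NAT-T Client - FWX_E_FW_IPSEC_DROPPED
"""

# Protocol names may contain hyphens ("NAT-T"), so split on " - " lazily.
LINE_RE = re.compile(
    r"^(?P<src>[\d.]+)\((?P<src_net>\w+)\) - (?P<dst>[\d.]+)\((?P<dst_net>\w+)\)"
    r" - (?P<port>\d+) - (?P<proto>.+?) - (?P<result>.+)$"
)


def parse_line(line):
    """Return the five columns as a dict, or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def ipsec_drop_report(log_text, firewall_wan_ip):
    """Count IPsec policy drops per (src, dst, port, protocol) flow and mark
    flows whose source is the firewall's own WAN IP (hypothetical parameter)."""
    flows = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["proto"] not in IPSEC_PROTOCOLS or IPSEC_DROP not in rec["result"]:
            continue
        flows[(rec["src"], rec["dst"], int(rec["port"]), rec["proto"])] += 1
    return [
        {"src": s, "dst": d, "port": p, "proto": pr, "drops": n,
         "source_is_firewall": s == firewall_wan_ip}
        for (s, d, p, pr), n in sorted(flows.items())
    ]


if __name__ == "__main__":
    for f in ipsec_drop_report(SAMPLE_LOG, firewall_wan_ip="192.0.2.10"):
        net = "Local Host" if f["source_is_firewall"] else "Internal"
        print(f"{f['src']} -> {f['dst']}:{f['port']} {f['proto']}: "
              f"{f['drops']} drop(s); access rule must cover source network {net}")
```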
 
LVL 3

Author Comment

by:jPDave
ID: 26307220
Hey,
thanks for your help so far! Great work :)

About your questions: there is no FTMG firewall client installed on the PC, since we are not allowed to do so :/ And yes, I can give you the IPsec contact point - but if possible, I would like to send it by email or private message. I don't want to post it publicly.

Regards Dave
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 2000 total points
ID: 26307254
<<< If you review my profile you will see a contact point  >>>
Understood :)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 26307307
0
 
LVL 3

Author Comment

by:jPDave
ID: 26307473
Yeah, sure! I'm gonna check this.
But since everything else works fine (web access, Exchange publishing, VPN incoming and outgoing over PPTP), I don't believe it's about the basic configuration.

Regards Dave
0
 
LVL 3

Author Closing Comment

by:jPDave
ID: 31674085
Well, I've set up a second gateway with ISA2006 for IPsec clients now. Still no idea why it doesn't work with TMG. Never mind, thanks for your time :)
0
 

Expert Comment

by:basilthompson
ID: 34830416
Hi there, not sure if you will get this, but I use TMG and have an IPsec VPN set up, which I struggled for a while to get going, but eventually figured it out. It would have been easier if I could have seen the logs to work out what was going on. In my TMG setup, though, it seems IPsec logging is off by default, so even if I start a query in the logging section and choose all the IPsec protocols, I see no results except connection denied, even though I have a good connection and have sent data across; that does not appear to be logged.

For future use I would like to see real-time logging, or, when I start the query, if I could see some info that would be great. How do you turn on IPsec logging?

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34833825
Logging of what exactly? Once a VPN tunnel has been created from an internal client to an external VPN headend, what do you think FTMG could log, seeing as the traffic would be encrypted?
0