ISA Server 2006 VPN/RDP problems

nsourceit
nsourceit used Ask the Experts™
on
Hi,

The ISA server went down unexpectedly over the weekend and after a clean shutdown/restart RDP is failing to connect as well as VPN connections are being blocked.  The remote access services are running as well as everything else associated.  Does anyone have a good idea as to where to start troubleshooting this?

Thank you,

Brian
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Kash2nd Line Engineer

Commented:
have you double checked the rules ?

Author

Commented:
Everything looks correct.  We did have an internet provider change a while ago but have since rebooted.  What gets me is that the internal RDP is not working either.
Top Expert 2014

Commented:
Check your event logs, and also check Monitoring in ISA (either Live or otherwise) so you can see how the connection was processed, whether it was blocked by a rule, allowed, etc., no you know whether to look at ISA as the problem or another Windows component.
Success in ‘20 With a Profitable Pricing Strategy

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
first with the RPD I get an initiated connection followed by

Closed Connection XXX10 5/22/2012 2:02:25 PM
Log type: Firewall service
Status:  
Rule: Allow access between XXXL2TP and Internal
Source: Internal (192.168.2.139:61237)
Destination: Local Host (192.168.2.10:3389)
Protocol: RDP (Terminal Services)
User:  
 Additional information
Number of bytes sent: 48 Number of bytes received: 40
Processing time: 0 ms Original Client IP: 192.168.2.139
Client agent:

Here is the VPN Errors

Failed Connection Attempt XXX10 5/22/2012 2:06:03 PM
Log type: Firewall service
Status:  
Rule: [System] Allow VPN client traffic to ISA Server
Source: External (XXX.XXX.XXX.250:1195)
Destination: Local Host (XXX.XXX.XXX.154:1723)
Protocol: PPTP
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 906 ms Original Client IP: XXX.XXX.XXX.250
Client agent:

Then immediately

Denied Connection XXX10 5/22/2012 2:06:08 PM
Log type: Firewall service
Status:  
Rule: [Enterprise] Default rule
Source: External (XXX.XXX.XXX.250:2263)
Destination: Local Host (XXX.XXX.XXX.154:500)
Protocol: IKE Client
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0 ms Original Client IP: XXX.XXX.XXX.250
Client agent:
Top Expert 2014

Commented:
First thought is I don't see a problem.  "Closed connection" is normal if it didn't succeed.  And for VPN, PPTP was allowed, but then it looks like it tried using IKE.

What type of VPN connection are you trying to use?  I would try setting the client to use the specific method that you want.  Are you getting an error message on the client when trying to connect?

For RDP, same question RE: errors.    Double-checked that Remote Desktop is enabled?

Have you checked your Windows Event Logs?  Is ISA a member of the domain?  If authenticating via IAS (RADIUS) I would also check your IAS logs in C:\Windows\system32\LogFiles (default location).  IASParse is a good tool for this, which is included in the Windows support tools if you don't have them installed already.

Author

Commented:
ISA is setup for IPsec Nat Client and PPTP and it is all set to allow traffic.  When I set the connection to specifically PPTP instead of automatic it returns an error 807.  I checked the certificates and everything looks correct.  There is nobody connected to the VPN so it is not at capacity.  A few errors but nothing out of the ordinary:

The number of HTTP requests per minute from the source IP address 192.168.2.200 exceeded the configured limit. ISA Server will block new HTTP requests sent from this IP address.  This event indicates that this IP address probably belongs to an infected host.  See the product documentation for more information about ISA Server flood resiliency.

The number of concurrent TCP connections from the source IP address 192.168.2.150 exceeded the configured limit. As a result, ISA Server will not allow the creation of new TCP connections from this source IP. This IP address probably belongs to an attacker or an infected host.  See product documentation for more info about ISA flood resiliency.

Remote desktop is enabled on the server.

I also checked the windows event logs and did not see anything out of the ordinary.  The only thing that stuck out was:

Terminal Server session creation failed. The relevant status code was 0x2740.

I went through and checked everything listed here http://support.microsoft.com/kb/555382
and still didn't come up with anything useful.  Everything is configured correctly, registry and all from what I can tell.
Top Expert 2014
Commented:
So the RDP connection is bound only to the internal NIC?

Unfortunately, I don't have any further suggestions for you.  Searching "isa Terminal Server session creation failed. The relevant status code was 0x2740" on Google brings up quite a few links that mention both RDP and VPN problems tied to some update, but the update was from 2009...any chance you just applied the update?

Author

Commented:
Well after not being able to find anything regarding this we went ahead and put a Cisco ASA 5505 in.  The ISA server still is not accepting VPN or RDP connections for no apparent reason, could be related to the update but I am not going to spend any more time trying to troubleshoot.  That ISA box is going to get reformatted and re-purposed for something else.  Thank you for all your help footech.
Top Expert 2014

Commented:
Thanks.  Sorry we weren't able to find the root cause for you.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial