Avatar of nsourceit
nsourceit
Flag for Afghanistan asked on

ISA Server 2006 VPN/RDP problems

Hi,

The ISA server went down unexpectedly over the weekend and after a clean shutdown/restart RDP is failing to connect as well as VPN connections are being blocked.  The remote access services are running as well as everything else associated.  Does anyone have a good idea as to where to start troubleshooting this?

Thank you,

Brian
Software FirewallsVPNWindows Server 2003

Avatar of undefined
Last Comment
footech

8/22/2022 - Mon
Kash

have you double checked the rules ?
nsourceit

ASKER
Everything looks correct.  We did have an internet provider change a while ago but have since rebooted.  What gets me is that the internal RDP is not working either.
footech

Check your event logs, and also check Monitoring in ISA (either Live or otherwise) so you can see how the connection was processed, whether it was blocked by a rule, allowed, etc., no you know whether to look at ISA as the problem or another Windows component.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
nsourceit

ASKER
first with the RPD I get an initiated connection followed by

Closed Connection XXX10 5/22/2012 2:02:25 PM
Log type: Firewall service
Status:  
Rule: Allow access between XXXL2TP and Internal
Source: Internal (192.168.2.139:61237)
Destination: Local Host (192.168.2.10:3389)
Protocol: RDP (Terminal Services)
User:  
 Additional information
Number of bytes sent: 48 Number of bytes received: 40
Processing time: 0 ms Original Client IP: 192.168.2.139
Client agent:

Here is the VPN Errors

Failed Connection Attempt XXX10 5/22/2012 2:06:03 PM
Log type: Firewall service
Status:  
Rule: [System] Allow VPN client traffic to ISA Server
Source: External (XXX.XXX.XXX.250:1195)
Destination: Local Host (XXX.XXX.XXX.154:1723)
Protocol: PPTP
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 906 ms Original Client IP: XXX.XXX.XXX.250
Client agent:

Then immediately

Denied Connection XXX10 5/22/2012 2:06:08 PM
Log type: Firewall service
Status:  
Rule: [Enterprise] Default rule
Source: External (XXX.XXX.XXX.250:2263)
Destination: Local Host (XXX.XXX.XXX.154:500)
Protocol: IKE Client
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0 ms Original Client IP: XXX.XXX.XXX.250
Client agent:
footech

First thought is I don't see a problem.  "Closed connection" is normal if it didn't succeed.  And for VPN, PPTP was allowed, but then it looks like it tried using IKE.

What type of VPN connection are you trying to use?  I would try setting the client to use the specific method that you want.  Are you getting an error message on the client when trying to connect?

For RDP, same question RE: errors.    Double-checked that Remote Desktop is enabled?

Have you checked your Windows Event Logs?  Is ISA a member of the domain?  If authenticating via IAS (RADIUS) I would also check your IAS logs in C:\Windows\system32\LogFiles (default location).  IASParse is a good tool for this, which is included in the Windows support tools if you don't have them installed already.
nsourceit

ASKER
ISA is setup for IPsec Nat Client and PPTP and it is all set to allow traffic.  When I set the connection to specifically PPTP instead of automatic it returns an error 807.  I checked the certificates and everything looks correct.  There is nobody connected to the VPN so it is not at capacity.  A few errors but nothing out of the ordinary:

The number of HTTP requests per minute from the source IP address 192.168.2.200 exceeded the configured limit. ISA Server will block new HTTP requests sent from this IP address.  This event indicates that this IP address probably belongs to an infected host.  See the product documentation for more information about ISA Server flood resiliency.

The number of concurrent TCP connections from the source IP address 192.168.2.150 exceeded the configured limit. As a result, ISA Server will not allow the creation of new TCP connections from this source IP. This IP address probably belongs to an attacker or an infected host.  See product documentation for more info about ISA flood resiliency.

Remote desktop is enabled on the server.

I also checked the windows event logs and did not see anything out of the ordinary.  The only thing that stuck out was:

Terminal Server session creation failed. The relevant status code was 0x2740.

I went through and checked everything listed here http://support.microsoft.com/kb/555382
and still didn't come up with anything useful.  Everything is configured correctly, registry and all from what I can tell.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER CERTIFIED SOLUTION
footech

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
nsourceit

ASKER
Well after not being able to find anything regarding this we went ahead and put a Cisco ASA 5505 in.  The ISA server still is not accepting VPN or RDP connections for no apparent reason, could be related to the update but I am not going to spend any more time trying to troubleshoot.  That ISA box is going to get reformatted and re-purposed for something else.  Thank you for all your help footech.
footech

Thanks.  Sorry we weren't able to find the root cause for you.