Welcome to ISAserver.org


2006 VPN v/ 2000 VPN issue

2006 VPN v/ 2000 VPN issue - 5.Oct.2006 7:45:25 PM   
DanFletcher

 

Posts: 19
Joined: 22.Aug.2006
Status: offline
Switched over to 2006 from 2000.
VPN works great on 2006 but with one issue. I VPN in and try to run Avocent's SwitchView IP. This is a Web based viewer that lets me connect to my servers and it lets me see at the BIOS level. (great for remote work) On 2006 VPN I can get to the main viewer but when I try to launch the server connection it dies.
On 2000 VPN I can launch the server connection and all is fine.
It must be something with the viewer that the 2006 VPN filter does not like?
In the protocols section I have "All outbound traffic", Content types "All content types"
I will be the only one using this resource. So I could set up a different rule for me if needed.
Any Ideas.....

Thanks
Dan
Post #: 1
RE: 2006 VPN v/ 2000 VPN issue - 5.Oct.2006 10:29:15 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dan,

With ISA 2000, VPN client traffic was not susceptible to any filtering. With ISA 2004 that changed completely. So, check out in the ISA logs if some traffic is denied; probably some traffic initiated from the internal network to the VPN client.

HTH,
Stefaan

(in reply to DanFletcher)
Post #: 2
RE: 2006 VPN v/ 2000 VPN issue - 5.Oct.2006 10:42:37 PM   
DanFletcher

 

Posts: 19
Joined: 22.Aug.2006
Status: offline
Ok the log shows this.
10.0.0.240 destination Port 5900 Unidentified IP Traffic action Initiate Connection.

How would I create a rule to allow this....
Thanks
Dan

(in reply to spouseele)
Post #: 3
RE: 2006 VPN v/ 2000 VPN issue - 5.Oct.2006 10:53:48 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dan,

'Unidentified IP traffic' means just that there is no defined protocol definition but that doesn't prevent the communication because the action is 'Initiate Connection'.

A quick test could be to make sure you have also a rule allowing "All outbound traffic", Content types "All content types" from Internal to the VPN Clients network, at least if you have a Route relationship between both networks.  

HTH,
Stefaan

(in reply to DanFletcher)
Post #: 4
RE: 2006 VPN v/ 2000 VPN issue - 5.Oct.2006 11:12:45 PM   
DanFletcher

 

Posts: 19
Joined: 22.Aug.2006
Status: offline
I believe I already have that set.


Not sure if the image will come thru....
I have All outbound protocols from VPN Clients to Internal.
Is there a different rule I should make to test?
The log shows initiate connection to 5900 and that is when I try to connect to the viewer part. Before that it is all HTTP 80 traffic.
After I click the error then it goes back to 80 traffic. No other info between the two. Does it not like the header info or something else?

Dan

< Message edited by DanFletcher -- 5.Oct.2006 11:27:55 PM >

(in reply to spouseele)
Post #: 5
RE: 2006 VPN v/ 2000 VPN issue - 5.Oct.2006 11:27:54 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dan,

quote:

I have All outbound protocols from VPN Clients to Internal.

Yes, I've asked for the reverse too: from Internal to VPN Clients!

HTH,
Stefaan

(in reply to DanFletcher)
Post #: 6
RE: 2006 VPN v/ 2000 VPN issue - 5.Oct.2006 11:38:06 PM   
DanFletcher

 

Posts: 19
Joined: 22.Aug.2006
Status: offline
Created new rule in the reverse.
Still same issue.
Query shows destination 5900 initiated with rule VPN Clients to Internal.
Then gets a Denied Connection not showing what rule. (I think this is new)
Then no more traffic till I click OK on the error, then it goes back to 80 traffic.

(in reply to spouseele)
Post #: 7
RE: 2006 VPN v/ 2000 VPN issue - 6.Oct.2006 8:40:41 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dan,

can you be a little bit more specific about the log entries you see for such an Avocent SwitchView IP session?

If you can't determine out of the logs which traffic is blocked, you'll have to take a NetMon trace at the ISA internal interface to find out how that Avocent SwitchView IP stuff is really working.

BTW --- what network relationship have you defined between the VPN clients and the Internal network: Route or NAT?

HTH,
Stefaan

< Message edited by spouseele -- 6.Oct.2006 8:41:49 AM >

(in reply to DanFletcher)
Post #: 8
RE: 2006 VPN v/ 2000 VPN issue - 6.Oct.2006 11:32:39 AM   
DanFletcher

 

Posts: 19
Joined: 22.Aug.2006
Status: offline
Here is a partial copy of the log

Original Client IP | Source Port | Result Code                                   | Destination Port | Protocol | Action               | Rule
10.0.0.249         | 10305       | 0x0 ERROR_SUCCESS                             | 80               | HTTP     | Initiated Connection |
10.0.0.79          | 1112        | 0x0 ERROR_SUCCESS                             | 80               | HTTP     | Initiated Connection | VPN Clients to Internal Network
10.0.0.249         | 10303       | 0x0 ERROR_SUCCESS                             | 80               | HTTP     | Initiated Connection |
0.0.0.0            | 5859        |                                               | 80               | http     | Allowed Connection   | VPN Clients to Internal Network
10.0.0.249         | 10303       | 0x80074e20 FWX_E_GRACEFUL_SHUTDOWN            | 80               | HTTP     | Closed Connection    |
10.0.0.79          | 1113        | 0x0 ERROR_SUCCESS                             | 5900             | Avocent  | Initiated Connection | VPN Clients to Internal Network   (bold in original post)
10.0.0.79          | 1112        | 0x80074e24 FWX_E_CONNECTION_KILLED            | 104105           | HTTP     | Closed Connection    | VPN Clients to Internal Network
10.0.0.79          | 1113        | 0x80074e21 FWX_E_ABORTIVE_SHUTDOWN            | 5900             | Avocent  | Closed Connection    | VPN Clients to Internal Network
10.0.0.79          | 1113        | 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED   | 5900             | Avocent  | Denied Connection    |
10.0.0.79          | 1115        | 0x0 ERROR_SUCCESS                             | 146147           | HTTP     | Initiated Connection | VPN Clients to Internal Network
The bold is where I start the viewer part (1113, 0x0 error...). Then I get an error in the browser and I click OK, then the next logs show up.

Also I have it set for Routing in the Network Rules (VPN clients to internal Network, quarantined and vpn clients to internal) Also I am set as an Edge Firewall. Should I create another rule here also going the other way?

(in reply to spouseele)
Post #: 9
RE: 2006 VPN v/ 2000 VPN issue - 6.Oct.2006 4:25:34 PM   
DanFletcher

 

Posts: 19
Joined: 22.Aug.2006
Status: offline
OK got it to work.
I changed it to NAT instead of Routing. Thanks for the help. That tip did it.
Should have seen that since my VPN instructions mention NAT.

Turned off "Allow all" the other way and it still works.
Should I leave it off....?

Dan

(in reply to DanFletcher)
Post #: 10
RE: 2006 VPN v/ 2000 VPN issue - 7.Oct.2006 5:49:25 AM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Dan,

hmm... that's weird!

By default the network relationship between the VPN clients and the Internal network is Route because NAT might break some protocol features typically used by domain members. So, the Route relationship is highly recommended for VPN clients.

Now, if it works with a NAT relationship and not with a Route relationship then that means to me that:
  1. No connections are initiated from the Internal network to the VPN clients by the Avocent SwitchView IP stuff. Therefore, an access rule allowing all outbound protocols from the Internal network to the VPN Clients is not needed for this application.
  2. You probably have a routing issue on your internal network. If NAT is used then the internal hosts will see as source IP address the primary IP address assigned to the ISA internal interface. With a Route relationship they will see the IP address assigned to the VPN client.

Conclusion: if it works with a NAT relationship it should definitely work with a Route relationship too. However, the reverse is not necessarily true!

HTH,
Stefaan

< Message edited by spouseele -- 7.Oct.2006 5:51:40 AM >

(in reply to DanFletcher)
Post #: 11
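As an added example (not code from the thread, from ISA, or from Avocent), a small Python script that parses rows in the column layout Dan posted and flags flows that were allowed by a rule, torn down abortively, and then had a non-SYN packet dropped: the pattern the log shows for the port 5900 session, and the signature a defender would look for when a Route relationship lacks a return path on the internal network. The sample rows are constructed to mirror the thread's log; the pipe-separated layout is an assumption for the example.

```python
from collections import defaultdict

# Constructed sample, same column order as the log in the thread:
# Original Client IP | Source Port | Result Code | Destination Port | Protocol | Action | Rule
SAMPLE_LOG = """\
10.0.0.79|1112|0x0 ERROR_SUCCESS|80|HTTP|Initiated Connection|VPN Clients to Internal Network
10.0.0.79|1113|0x0 ERROR_SUCCESS|5900|Avocent|Initiated Connection|VPN Clients to Internal Network
10.0.0.79|1112|0x80074e24 FWX_E_CONNECTION_KILLED|80|HTTP|Closed Connection|VPN Clients to Internal Network
10.0.0.79|1113|0x80074e21 FWX_E_ABORTIVE_SHUTDOWN|5900|Avocent|Closed Connection|VPN Clients to Internal Network
10.0.0.79|1113|0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED|5900|Avocent|Denied Connection|
10.0.0.79|1115|0x0 ERROR_SUCCESS|80|HTTP|Initiated Connection|VPN Clients to Internal Network
"""

FIELDS = ("client_ip", "src_port", "result", "dst_port", "protocol", "action", "rule")


def parse_log(text):
    """Parse pipe-separated rows into dicts keyed by FIELDS; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def suspect_flows(rows):
    """Return (client_ip, src_port, dst_port) flows that were initiated, then later had a
    non-SYN packet dropped. A stateful firewall drops a non-SYN packet it cannot match to a
    live connection, so this sequence points at return traffic arriving after the
    connection state is gone (e.g. no route back to the VPN client) rather than at a rule."""
    by_flow = defaultdict(list)
    for r in rows:
        by_flow[(r["client_ip"], r["src_port"], r["dst_port"])].append(r)
    found = []
    for flow, events in by_flow.items():
        actions = [e["action"] for e in events]
        results = " ".join(e["result"] for e in events)
        if ("Initiated Connection" in actions and "Denied Connection" in actions
                and "FWX_E_TCP_NOT_SYN_PACKET_DROPPED" in results):
            found.append(flow)
    return found


if __name__ == "__main__":
    for flow in suspect_flows(parse_log(SAMPLE_LOG)):
        print("check return path for flow:", flow)
```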
