Welcome to ISAserver.org


Bizarre VPN troubles...

All Forums >> [ISA Server 2004 Firewall] >> VPN >> Bizarre VPN troubles...
Bizarre VPN troubles... - 15.Apr.2004 9:42:00 PM
ZD
Posts: 15
Joined: 15.Apr.2004
Status: offline
Hello,

OK. This is a very strange problem.

The setup:
============
3 servers:
1) ISA server connected to the internet and internal LAN (LAN IP range=10.2.1.x)
2) WWW server on the internal LAN
3) VPN (RRAS, PPTP) server on the internal LAN (static pool of IP addresses assigned=10.2.3.x)

-All servers have ISA set as the DG.

-ISA has a static route entry so that servers on the LAN can talk to VPN clients on the 10.2.3.x network (the static route forwards everything to the VPN server for that network).

-ISA publishes both the WWW and VPN servers to the external world. This works perfectly. All servers are Windows Server 2003.

-I can VPN into the network, obtain an IP on the 10.2.3.x network, and PING all internal servers on the 10.2.1.x network.

THE PROBLEM:
============
If I try to HTTP or RDP or make any form of connection from the VPN client onto the WWW server then it just times out, nothing happens. EVEN THOUGH I CAN PING THE SERVER!

From the VPN server (and all other servers) I can HTTP, RDP, etc. with no problems to the www server.

-From the external world I can HTTP to the www server with no problem.

-ONLY from the VPN clients is where I can't HTTP, RDP, etc. to the www server EVEN THOUGH I can ping it!

THE BIZARRE PART:
==================
Now the bizarre part: If I manually go to the www box and then ping the vpn client address, a "connection" is then open between the two machines. While this "connection" is open I can use HTTP, RDP, etc. from the VPN client to the www server. However, if I wait for a while and the "connection" closes then the VPN client again cannot access the www server.

Is that strange or what??

PLEASE some advice/suggestions/explanation because I'm going crazy here!

Questions:
-Why can I ping the www server from the vpn client but not http/rdp/etc onto it?
-Why does it only work when the www server pings the vpn client in order to open a connection, and then everything works fine... temporarily?

Also: Once the VPN client is connected, it does NOT go through ISA in order to talk to the www server because it goes direct to the VPN server to the www server... ISA is not involved and thus nothing shows up in the ISA realtime monitor.
However, when the www server tries to talk to the vpn client then it goes through ISA because ISA is the DG and the VPN client is on a different subnet. Thus the www-->vpn client ping shows up in ISA logs.

Anyways, sorry for the long post. Many apologies. PLEASE HELP!

thanks

-ZD
Post #: 1
RE: Bizarre VPN troubles... - 15.Apr.2004 9:45:00 PM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi ZD,

Do you have access rules to support VPN client's access to the networks you're trying to reach?

Thanks!
Tom

(in reply to ZD)
Post #: 2
RE: Bizarre VPN troubles... - 15.Apr.2004 10:19:00 PM
ZD
Posts: 15
Joined: 15.Apr.2004
Status: offline
Hi Tom,

thanks for the response.

I thought I don't need access rules from the VPN client because it's on a different server than ISA. So, when a vpn client tries to contact a local network then the RRAS/VPN server just routes it direct to the server and ISA is not involved.

But either way, during the debug process I set ALL protocols FROM all networks TO all networks and this still made no difference.

any suggestions? this is driving me nuts!
-ZD

(in reply to ZD)
Post #: 3
RE: Bizarre VPN troubles... - 15.Apr.2004 10:40:00 PM
ZD
Posts: 15
Joined: 15.Apr.2004
Status: offline
Tom:

I've kind of fixed the problem but I TOTALLY don't understand why this works.

On the VPN server I added a static route that basically routes all traffic for the 10.2.1.x network (internal LAN) up to the ISA server.

But I DON'T UNDERSTAND!?!?!?!

Why can't the VPN server just route the traffic directly to the WWW server? It has an IP address on that same subnet!

Here are the IPs to make it more clear:
ISA: 10.2.1.1
WWW: 10.2.1.2
VPN: 10.2.1.3 (LAN) & 10.2.3.1(VPN Client's static pool)

So now a VPN client connects and gets an IP of: 10.2.3.99. In order for it to contact the www server it has to follow this route:
10.2.3.1 (VPN server)
10.2.1.1 (ISA server)
10.2.1.2 (www server)

BUT WHY can't it just do this:
10.2.3.1 (VPN server)
10.2.1.2 (www server)

It shouldn't HAVE to go through the ISA server because the VPN server has an IP address on the same subnet as the www server!

I'm SOOOOO confused...
*******Does ISA server have some magical powers that intercept / firewall on-subnet communication?? I don't get it, and I don't want to leave this workaround in place because it's inefficient!

please help! thanks [Big Grin]

-ZD

(in reply to ZD)
Post #: 4
RE: Bizarre VPN troubles... - 16.Apr.2004 6:25:00 PM
ZD
Posts: 15
Joined: 15.Apr.2004
Status: offline
TOM:

I started doing more analysis and I think I may know what is causing the problem. Here is what I think:

- When the vpn client initiates a connection to the www01 server, it gets routed directly to www01 from the vpn server (sbs01). When this happens, the ISA server (fw01) doesn't know about this communication.

- Now, when the www01 wishes to respond, it goes through ISA server (its default gateway) because it is trying to contact the vpn client which is on a different subnet (10.2.3.x).

- Since ISA doesn't know about the initial communication from vpn client to the www server, it may think that www01 is responding to a request that was never asked and thus blocks/denies the connection.

-When I look at the ISA logs, right after the vpn client makes an http request to the www01 server, I see the following in the log:

Destination: 10.2.3.5 (vpn client IP address)
Destination port: 3426
Protocol: Unidentified Network Traffic
Action: Denied Connection
Rule: (BLANK!)
Client: 10.2.1.2 (www01 server IP address)
Source network: Internal
Destination Network: internal


- SO, ISA seems to be blocking the response from www01. To test this out, I changed the DG on www01 from the ISA server to the VPN server. When I do this, everything works fine!

-Also, I guess PING works fine because ISA only cares about TCP protocols?

-Also: As mentioned in my previous email, when I set the route on the VPN server to go through the ISA server then it works fine because then ISA knows about the initial request and thus it allows the response.


Anyways - this is just my thoughts on what the problem is. Does this mean it's a bug in ISA?

Why doesn't it show the specific rule that it used to deny the request? Under the rule heading in the log, it is just blank! It does not specify a rule that was used to block the communication!

How do I go about telling ISA to enable this communication? I even tried an ALLOW ALL protocols / all networks access rule but that doesn't help, it still denies the connection and doesn't tell me what rule it used to deny it!


Regards,
-ZD

(in reply to ZD)
Post #: 5
RE: Bizarre VPN troubles... - 20.Apr.2004 12:23:00 AM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi ZD,

OK, you got it!

To simplify things, the return path has to be the same as the entry path. If not, then the firewall doesn't know about the connection and drops the response.

HTH,
Tom

(in reply to ZD)
Post #: 6
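The diagnosis ZD lays out in post #5 and Tom confirms in post #6 (a stateful firewall drops a reply for which it never saw the request) is easy to model. The following is an added Python example, not code from this thread or from ISA Server: a toy packet filter that keeps a connection table keyed on the TCP 4-tuple, plus two hop lists that stand in for the VPN server's routing table and the web server's default gateway. The addresses 10.2.1.1/2/3, the client pool 10.2.3.x with the example client 10.2.3.99, and the ephemeral port 3426 come from the thread; the hop lists, the connection table and the log action strings other than "Denied Connection" are assumptions of the model and say nothing about how ISA is implemented internally.

```python
# Toy model of asymmetric routing through a stateful firewall (added example).
from dataclasses import dataclass

ISA = "10.2.1.1"          # ISA server, default gateway for the LAN (from thread)
WWW = "10.2.1.2"          # web server on the LAN (from thread)
VPN_SERVER = "10.2.1.3"   # RRAS/PPTP server, LAN-side address (from thread)
VPN_CLIENT = "10.2.3.99"  # client address from the static pool (thread's example)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False  # True only for the first packet of a TCP connection


class StatefulFirewall:
    """Minimal stateful filter. New connections are allowed (ZD had an
    allow-all rule in place), but a non-SYN packet is forwarded only when the
    firewall already saw the SYN for that connection. This is an assumption of
    the model, not ISA's actual rule engine."""

    def __init__(self):
        self.connections = set()
        self.log = []  # (action, packet); only "Denied Connection" is the thread's wording

    def forward(self, pkt):
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.syn:
            self.connections.add(flow)
            self.log.append(("Initiated", pkt))
            return True
        if flow in self.connections or reverse in self.connections:
            self.log.append(("Allowed", pkt))
            return True
        # No matching state: this is the row ZD saw, a reply from 10.2.1.2
        # to the client's port 3426 with no rule named.
        self.log.append(("Denied Connection", pkt))
        return False


def request_path(vpn_routes_via_isa):
    """Hops a VPN-client packet crosses to reach WWW. The VPN server normally
    delivers it on-subnet; ZD's static route sends it through ISA instead."""
    return [VPN_SERVER, ISA, WWW] if vpn_routes_via_isa else [VPN_SERVER, WWW]


def reply_path(www_gateway):
    """Hops the reply crosses. The client is off-subnet, so WWW hands it to
    its default gateway: ISA originally, the VPN server in ZD's test."""
    return [ISA, VPN_SERVER] if www_gateway == ISA else [VPN_SERVER]


def simulate(vpn_routes_via_isa=False, www_gateway=ISA):
    """One HTTP connection attempt; returns (outcome, ISA's log)."""
    isa = StatefulFirewall()
    syn = Packet(VPN_CLIENT, WWW, 3426, 80, syn=True)
    for hop in request_path(vpn_routes_via_isa):
        if hop == ISA and not isa.forward(syn):
            return "request denied", isa.log
    syn_ack = Packet(WWW, VPN_CLIENT, 80, 3426)
    for hop in reply_path(www_gateway):
        if hop == ISA and not isa.forward(syn_ack):
            return "reply denied", isa.log
    return "established", isa.log


if __name__ == "__main__":
    # Original setup: request bypasses ISA, reply goes through it -> dropped.
    print(simulate()[0])                          # reply denied
    # Workaround 1: static route on the VPN server sends requests via ISA.
    print(simulate(vpn_routes_via_isa=True)[0])   # established
    # Workaround 2 (ZD's test): WWW's default gateway is the VPN server.
    print(simulate(www_gateway=VPN_SERVER)[0])    # established
```

Both fixes work for the same reason: they make the request and the reply cross ISA either both or neither, which is exactly Tom's "return path has to be the same as the entry path". The model deliberately does not try to explain why ICMP echo from the client succeeded, since the thread leaves that question open.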
RE: Bizarre VPN troubles... - 20.Apr.2004 12:42:00 AM
ZD
Posts: 15
Joined: 15.Apr.2004
Status: offline
Hi Tom,

Whoa! Finally! Someone has confirmed my suspicions! Thank you! [Smile]

Now my question is WHY? I understand that being the case when going to the outside world, however, if ISA knows that this is internal/internal communication then why would it act like this? I just want it to be a regular router in this case when processing internal/internal communication!
(don't forget it still has RRAS and is a default gateway for internal cross-subnet communication).

So now the only options I have to fix the problem are:
1) use an inefficient route that forces the VPN server to route everything to the ISA server EVEN THOUGH the vpn server has an interface on the local LAN (10.2.1.x).
This way, ISA server knows about the request from the vpn client and will allow the subsequent response from the lan www server.

2) set up an 'internal' RRAS router that is the DG for all the servers on the network (except ISA). This internal router will not block the responses like ISA does. It will then get the static route that's currently in ISA (forward all communications for 10.2.3.x to the VPN server).

Either way, I'm having to do more work because of ISA. Is this a bug or a real feature?

AND why doesn't it show which rule was used to block the communication? That cell in the realtime log is just blank!

any suggestions? or am I nuts?

thanks [Smile]
-ZD

(in reply to ZD)
Post #: 7
RE: Bizarre VPN troubles... - 21.Apr.2004 1:41:00 PM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi ZD,

It shows the rule that disallowed the request because there is no explicit rule to allow it or deny it, so it shows the default deny rule.

HTH,
Tom

(in reply to ZD)
Post #: 8
RE: Bizarre VPN troubles... - 21.Apr.2004 10:40:00 PM
ZD
Posts: 15
Joined: 15.Apr.2004
Status: offline
Tom,

It doesn't! Look again:

Destination: 10.2.3.5 (vpn client IP address)
Destination port: 3426
Protocol: Unidentified Network Traffic
Action: Denied Connection
Rule: (BLANK!)
Client: 10.2.1.2 (www01 server IP address)
Source network: Internal
Destination Network: internal

The rule cell for that row in the realtime monitor log is BLANK! (i.e. nothing is there). It does not say "Default Rule" or anything like that... it is just blank! empty! null! nothing!

[Smile]

That's why I thought that either it was a bug in the monitor log or ISA was nuts and denying it for no reason...

any thoughts? I can send you a screenshot if you wish

-ZD

(in reply to ZD)
Post #: 9
RE: Bizarre VPN troubles... - 22.Apr.2004 3:10:00 PM
tshinder
Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi ZD,

Hmmm. Let me check my own boxes and see if it shows up that way in subsequent builds.

Thanks!
Tom

(in reply to ZD)
Post #: 10