Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Cannot VPN from internal clients to outside VPN servers

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> VPN >> Cannot VPN from internal clients to outside VPN servers Page: [1]
Login
Message << Older Topic   Newer Topic >>
Cannot VPN from internal clients to outside VPN servers - 16.Feb.2005 6:54:00 AM   
rjodwyer

 

Posts: 13
Joined: 16.Feb.2005
From: Melbourne, Australia
Status: offline 		Hi,

I have a problem where i cant create a VPN connection to any external VPN sites from any client pc's situated behind a ISA server.

I have followed the ISA servers pages regarding setting an outbound access rule to allow PPTP traffic to a VPN, but this does not work for me.

Also i have allowed unrestricted access rule to internet.

I get an error 619: a connection to the remote computer could not be established.

I can attach the output of the monitoring query i also ran, which shows that a connection is made via PPTP then closed.

Many thanks in advance, this has been bugging me for ages as i cant make any outbound vpn.
Post #: 1
RE: Cannot VPN from internal clients to outside VPN ser... - 18.Feb.2005 1:24:00 AM   
tshinder

 

Posts: 47663
Joined: 10.Jan.2001
From: Texas
Status: online 		Hi Ryan,

Could be a problem at the destination, as the only thing required is that you create a PPTP Access Rule and make the client a SecureNAT client.

HTH,
Tom

(in reply to rjodwyer)
Post #: 2
RE: Cannot VPN from internal clients to outside VPN ser... - 26.Feb.2005 10:07:00 AM   
rjodwyer

 

Posts: 13
Joined: 16.Feb.2005
From: Melbourne, Australia
Status: offline 		to create the rules, does this mean if i had 1000 vpn remote sites i would have to create 1000 outbound pptp rules?

I have setup another ISA2004 box totally new hardware, modem, different ISP. and I have the exact same problem.

The ISA is running its own PPPOE dialup connection from windows.

I have had an IPCOP in front of ISA, and exact same thing. Remove ISA and leave IPCOP and I can VPN through just fine.

This is driving me nuts, especially as its happenening in a different location with all different hardware and different modems.

Can anyone shed any light on this?

Regards,
Ryan O'Dwyer

[ March 06, 2005, 06:33 AM: Message edited by: Ryan O'Dwyer ]

(in reply to rjodwyer)
Post #: 3
RE: Cannot VPN from internal clients to outside VPN ser... - 26.Feb.2005 1:16:00 PM   
rjodwyer

 

Posts: 13
Joined: 16.Feb.2005
From: Melbourne, Australia
Status: offline 		i have removed all internet access via the unrestricted outbound. leaving only the connection that allows the outbound PPTP connection, and it still doesnt work [Frown]

Regards,
Ryan

(in reply to rjodwyer)
Post #: 4
RE: Cannot VPN from internal clients to outside VPN ser... - 28.Feb.2005 1:32:00 PM   
smokeskull

 

Posts: 25
Joined: 28.Sep.2003
Status: offline 		I am having this same problem. The PPTP connection starts to authenticate, then dies with the listed error. I did a clean install of server 2003 and ISA 2004. I set up allow all internet access rules. I also tried adding specific PPTP rules.

Here are a couple of other wrinkles:

1. I have one extra internal NIC blocked off so that it only allows PPTP traffic. This NIC has a WEP wireless access point on it. The idea is that even if WEP is cracked, a hacker would need a VPN account to get into the network or do any surfing at all. This works great. No issues VPNing from the wireless to the external ISA NIC or the internal NIC being used. All internal and external access rules work.

2. I started having issues initially when I was using ISA 2000 and upgraded from a standard cable modem to an Ambit router provided by my ISP. At that point my connections would always die out after 2 minutes. This happened even when I removed the ISA server from the mix entirely and tried to go directly through the Ambit.

My conclusion is that there are some hardware vendors out there that need to get their acts together. I think the problem may be related to bridging or NAT settings within certian routers/modems. If someone has a work around, or a better conclusion, let me know.

(in reply to rjodwyer)
Post #: 5
RE: Cannot VPN from internal clients to outside VPN ser... - 6.Mar.2005 6:31:00 AM   
rjodwyer

 

Posts: 13
Joined: 16.Feb.2005
From: Melbourne, Australia
Status: offline 		Hey smokeskull,

I have tried with Netcomm NB1300, Netgear DG814, Dlink DSL-300G, all running in bridge mode, connected to an IPCOP firewall( which all VPN works through when no ISA Server) which in turn is connected to the ISA2k4 server.

Running on Realtek NIC's, Dell NIC's in a DELL Server, and Nvidia nForce NIC's. All of which return this same error.

even when running PPPOE dialup from the ISA Server box, this still does not work.

I am at the point where the only people that might have an answer is Microsoft and I have to pay to find out why they arent helping, as I am not the only one having this trouble. So it defninately reproduceable.

If i cannot get this to work in a test environment, I wont be selling this to clients.

Regards,
Ryan O'Dwyer

(in reply to rjodwyer)
Post #: 6
RE: Cannot VPN from internal clients to outside VPN ser... - 20.Apr.2006 3:49:26 AM   
teknique

 

Posts: 1
Joined: 20.Apr.2006
Status: offline 		I'm having the exact same issue,

I have an ISA 2004 server here with a demand dial net connection and a number of sites (all running ISA 2004 servers) that i need to VPN into from my desktop. I have created an "all outbound access rule" for testing and have a preceeding PPTP outbound allow rule. The connection seams to verify then drops and gives me a 619 error, when i check the ISA FWS logs this is what i get:

PLATINUM 4/20/2006 1:13:08 GRE 192.168.16.50 X.X.X.X
192.168.16.50 Internal External Establish 0x0 PPTP Outbound PPTP 0 0 0 0 - - - - 274 38628 PLATINUM 4/20/2006 1:13:08 TCP 192.168.16.50:2411 X.X.X.X:1723 192.168.16.50 Internal External Terminate 0x80074e24 PPTP Outbound PPTP 516 516 356 356 282 235 - - 274 38626
I have searched Technet for the error code and got no results, I googled it and the error code means FWX_E_CONNECTION_KILLED.

From previous searches i remember seeing an article from technet describing a similar issue and saying the issue was because ISA (by default) will only pass TCP/UDP traffic, and suggested that adding an outbound rule for the GRE protocol would work...... From the looks of the log above the GRE outbound rule has worked and it is now the TCP packet that gets killed using the same rule.

Because i am using my laptop to connect to multiple sites I can absolutly say its my isa server that is the problem, I can take my laptop to a net cafe and connect to all of them.

Thanks,
Roo Smith


(in reply to rjodwyer)
Post #: 7
RE: Cannot VPN from internal clients to outside VPN ser... - 27.Apr.2006 9:04:05 PM   
Wim Pouseele

 

Posts: 14
Joined: 6.Nov.2003
Status: offline 		Guys,

try these one:
http://support.microsoft.com/kb/916106/en-us

Be sure to reboot the server after patching.
Fixed all my outgoing pptp problems!

(in reply to teknique)
Post #: 8

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> VPN >> Cannot VPN from internal clients to outside VPN servers Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts