ISAserver.org Forums
Cisco VPN Client Behind ISA 2006 Ent NLB

Cisco VPN Client Behind ISA 2006 Ent NLB - 18.Apr.2009 6:14:16 PM   
mahmovic

 

Posts: 11
Joined: 6.May2008
Status: offline
Hi,

I have about 15 WinXP clients in the internal network which use the Cisco VPN Client to connect to a public server. They worked perfectly before I implemented ISA 2006 NLB. Now, when they try to connect using the Cisco VPN client, they get the message "Reason 412: The remote peer is no longer responding." When I stop ISA NLB they are able to connect. There is a rule for them (Cisco VPN clients) on ISA with the IPSec IKE and IPSec NAT-T client outbound protocols allowed... The ISA Server array is between Cisco ASA devices, on the internal and external network of the ISA array. I am using NLB unicast mode.

Any ideas?

Thank you in advance and best regards

Muhamed Ahmovic
Post #: 1
RE: Cisco VPN Client Behind ISA 2006 Ent NLB - 20.Apr.2009 12:31:02 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Key things to check:

1. There is no NAT between the VPN client and ISA Array
2. Client machines have ISA client installed OR they should point to ASA and in turn ASA should point to ISA as DG
3. Client should use ISA NLB IP and not ISA nodes IP

A network trace on the client machine and on the ISA server nodes at the same time will give you a lot more information. If you want I can help you read the traces. Let me know.

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to mahmovic)
Post #: 2
RE: Cisco VPN Client Behind ISA 2006 Ent NLB - 21.Apr.2009 4:21:18 AM   
mahmovic

 

Posts: 11
Joined: 6.May2008
Status: offline
Hi,

1. You are right about it, but how come they are able to connect without NLB enabled???
2. They do not have the FW client installed, they are not members of the domain, the ASA is their DG and the ASA points to the ISA Array NLB IP
3. The ASA uses the ISA NLB IP.

One more thing to add: clients are in the 172.20.0.1/24 network, and the ISA Array is in the 192.168.210.1/24 network. Clients are ROUTED to the ISA Array. That is how our Cisco admin has configured the network relationship.

Thank You and best regards

(in reply to inderjeet)
Post #: 3
RE: Cisco VPN Client Behind ISA 2006 Ent NLB - 21.Apr.2009 12:58:11 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
You should have 172.20.0.1/24 mentioned in the Internal network in ISA Array. I am sure that will be in place.

What do you see in the ISA logs? Did you try taking Netmon traces on the client and ISA machine?

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to mahmovic)
Post #: 4
RE: Cisco VPN Client Behind ISA 2006 Ent NLB - 22.Apr.2009 3:34:33 AM   
mahmovic

 

Posts: 11
Joined: 6.May2008
Status: offline
Every VLAN in the internal network of the ISA Array is defined as ISA Array internal network.
One thing is unusual: without NLB enabled I can capture traffic from the client on ports UDP 500 and UDP 4500. But when I enable NLB, all I capture from clients is traffic using port UDP 4500???

Here is our network topology, maybe this will help:

INTERNET
|
Outside router
|
Cisco ASA (192.168.0.1/24)
|
ISA Array (192.168.100.0/24)
|
Cisco ASA (192.168.100.1/24)
|
LAN router* ( 26 VLANs using 172.16.x.x to 172.50.x.x )

*LAN router is in routing mode.

Best Regards

(in reply to inderjeet)
Post #: 5
RE: Cisco VPN Client Behind ISA 2006 Ent NLB - 22.Apr.2009 6:45:20 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi,

Been mulling this question over for a few days as it has intrigued me.

This looks similar:

http://forums.isaserver.org/m_2002028686/mpage_1/key_/tm.htm#2002028686

If you leave NLB enabled, but shut down one node, does the problem go away?

Can you check the ARP and CAM tables on the ASAs to make sure that they are not getting confused with MAC addresses at Layer 2?

How is the back ASA physically connected to the ISA Servers - via a hub or switch (please be exact)?

When you disable NLB I assume you update the DGs on the ASAs to point to one of the ISA Server dedicated IP addresses, rather than the VIP?

I assume you have enabled NLB on both ISA internal and external interfaces?

Have you considered going to NLB multicast mode? This will probably require the addition of static ARP entries on the ASAs to manually map the VIPs to the NLB virtual MAC, but may be a potential way forward if you want to keep NLB...

Cheers

JJ

< Message edited by Jason Jones -- 22.Apr.2009 6:49:12 AM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to mahmovic)
Post #: 6
RE: Cisco VPN Client Behind ISA 2006 Ent NLB - 22.Apr.2009 7:23:46 AM   
mahmovic

 

Posts: 11
Joined: 6.May2008
Status: offline
Hi Jason,

If I stop NLB (only on one member, any member), or stop the MS Firewall service (only on one member, any member), or shut down one member of the array, the problem goes away.... The Cisco VPN client is the only problem with NLB enabled, everything else works perfectly!

The ASAs have "learned" the MACs well, they have the ISA VIP MAC address in their tables...
I have balanced both networks, int and ext, both of them are connected to the ASAs using a HUB, each network has its own HUB, and nothing else is connected to the HUB.

Why do you think multicast mode will help? Please explain....

How come ISA, with NLB disabled (on one member, any member), captures UDP 500 port and UDP 4500 port traffic, and when NLB is enabled it captures only UDP 4500 port traffic from the Cisco VPN clients (when they try to connect)?

Thank you and Best Regards

(in reply to Jason Jones)
Post #: 7
RE: Cisco VPN Client Behind ISA 2006 Ent NLB - 22.Apr.2009 7:32:52 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
If it is a hub and not a switch, have a look at this:

http://support.microsoft.com/kb/193602/EN-US/

Unicast and multicast work very differently, so I thought it may be worth considering a different NLB mode to try and move forward if you have limited other options...

It somehow looks like IKE traffic never reaches ISA when NLB is enabled; hence the different logs... bit weird though, I agree.

The symptom of "only works when a single node is available" is a classic example of NLB problems at layer 2 in my experience...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to mahmovic)
Post #: 8
RE: Cisco VPN Client Behind ISA 2006 Ent NLB - 23.Apr.2009 4:21:35 AM   
mahmovic

 

Posts: 11
Joined: 6.May2008
Status: offline
I will try multicast mode, the only thing left....

I will let you know if there is any result....

Thank you and best regards

(in reply to Jason Jones)
Post #: 9
RE: Cisco VPN Client Behind ISA 2006 Ent NLB - 23.Apr.2009 4:24:58 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hope it works out...

Don't forget to consider the static ARPs

These may help:

http://blog.msfirewall.org.uk/2008/08/enabling-nlb-multicast-mode-on-isa.html

http://blog.msfirewall.org.uk/2008/10/resource-guide-for-using-microsoft-nlb.html

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to mahmovic)
Post #: 10
RE: Cisco VPN Client Behind ISA 2006 Ent NLB - 26.Apr.2009 12:58:27 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
I'm not sure if you got it working, but, technically speaking, you cannot see UDP 4500 traffic without UDP 500 traffic for your new VPN connections.
How did you take the capture?
The VPN client connects to the VPN server on UDP port 500 to begin IKE negotiations. During these, the presence of the NAT device(s) will be detected, and the client will connect (switch) to UDP port 4500 on the VPN server, and the IKE negotiations and Cisco's non-RFC-compliant extensions will continue. If completed successfully, the IPsec ESP traffic will also be encapsulated within UDP and sent to UDP port 4500 of the VPN server.

To get a better view of the traffic flow, you can try to get the captures like this, on the two ASAs (exiting the first ASA, and entering the second ASA) and on the client itself.
http://blogs.techrepublic.com.com/networking/?p=1317
http://www.cisco.com/en/US/docs/security/asdm/6_1/user/guide/tools.html#wp1556018

So you can see the original packets from the client, how the packets leave the first ASA and go to the ISA cluster, and then how they reach the last ASA after they have passed through an ISA member, and vice versa.
And you may be able to pay attention to the MAC addresses too.
I'm not saying this is your case (just an example), but sometimes taking captures can be tricky, because some packets (say, maybe some low-level packets) will not be supplied to the mechanism used to capture the packets (pcap), so you will not see them in your packet sniffer; or some packets, like TCP ones sent by the host, may be displayed with TCP checksum offloading errors if the TCP checksum is done in hardware (NIC) when the packet is sent out by the NIC, after the capture mechanism intercepted the packet.

Thanks,
Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Jason Jones)
Post #: 11
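The diagnostic Adrian describes (a new Cisco VPN connection must show IKE on UDP/500 before any NAT-T on UDP/4500, and the destination MACs are worth a look) can be checked mechanically over a capture taken on the ASA-to-ISA segment. The script below is an added example, not code from this thread or from any of the posters; the capture summary lines, the IPs, the client MACs, the 02:bf NLB cluster MAC and the per-node MAC are all constructed, and it assumes frames were captured on the segment where the next-hop MAC is the ISA VIP.

```python
from collections import defaultdict

# Constructed capture summary, one frame per line (not from the thread):
# <seq> <src_mac> <dst_mac> <src_ip>:<sport> <dst_ip>:<dport> <proto>
# 203.0.113.10 stands in for the public VPN server. 02:bf:... is a constructed
# NLB unicast cluster MAC, 00:1c:... a constructed real MAC of one ISA node.
SAMPLE_CAPTURE = """\
1 00:50:56:aa:00:01 02:bf:c0:a8:64:0a 172.20.0.15:500 203.0.113.10:500 udp
2 00:50:56:aa:00:01 02:bf:c0:a8:64:0a 172.20.0.15:500 203.0.113.10:500 udp
3 00:50:56:aa:00:01 02:bf:c0:a8:64:0a 172.20.0.15:4500 203.0.113.10:4500 udp
4 00:50:56:aa:00:02 02:bf:c0:a8:64:0a 172.20.0.16:4500 203.0.113.10:4500 udp
5 00:50:56:aa:00:02 00:1c:23:11:22:33 172.20.0.16:4500 203.0.113.10:4500 udp
"""

def parse_capture(text):
    """Turn the summary lines into a list of frame dicts, in capture order."""
    frames = []
    for line in text.strip().splitlines():
        seq, smac, dmac, src, dst, proto = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        frames.append({"seq": int(seq), "smac": smac, "dmac": dmac, "sip": sip,
                       "sport": int(sport), "dip": dip, "dport": int(dport),
                       "proto": proto})
    return frames

def first_ike_ports(frames):
    """Per client IP: seq of the first UDP/500 (ISAKMP) and first UDP/4500 (NAT-T) frame."""
    seen = defaultdict(dict)
    for f in frames:
        if f["proto"] == "udp" and f["dport"] in (500, 4500):
            seen[f["sip"]].setdefault(f["dport"], f["seq"])
    return dict(seen)

def clients_missing_isakmp(frames):
    """Clients with NAT-T (4500) traffic that was not preceded by IKE on UDP/500.
    A fresh connection always starts on 500, so this points to a capture gap or
    to the 500 packets not reaching this segment."""
    return sorted(c for c, p in first_ike_ports(frames).items()
                  if 4500 in p and (500 not in p or p[500] > p[4500]))

def inconsistent_dst_macs(frames):
    """Destination IPs whose frames went to more than one next-hop MAC: with NLB
    unicast on a hub, every frame for the VIP should carry the cluster MAC."""
    macs = defaultdict(set)
    for f in frames:
        macs[f["dip"]].add(f["dmac"])
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}

if __name__ == "__main__":
    fr = parse_capture(SAMPLE_CAPTURE)
    print("no ISAKMP before NAT-T:", clients_missing_isakmp(fr))
    print("mixed next-hop MACs:", inconsistent_dst_macs(fr))
```

On the constructed sample, 172.20.0.16 reproduces the symptom from post #5 (4500 with no 500), and the VPN server's frames show two different next-hop MACs, which is the layer-2 confusion Jason asks about.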
RE: Cisco VPN Client Behind ISA 2006 Ent NLB - 27.Apr.2009 1:56:36 AM   
mahmovic

 

Posts: 11
Joined: 6.May2008
Status: offline
Thank you for the reply Adrian,

I did not try multicast mode yet....

I used ISA monitoring for capturing traffic from the XP clients.....

I will try to monitor traffic on ASAs and see what is happening there...

Best regards

(in reply to adimcev)
Post #: 12