Welcome to ISAserver.org


Cisco VPN still

Cisco VPN still - 20.Sep.2002 8:28:00 PM   
nowimnothing

 

Posts: 15
Joined: 22.Aug.2002
Status: offline
I have made some progress in the Cisco VPN issue i've been having, but still not totally sure what's wrong.
Here's a recap of what i've done:
-Clients configured as SecureNAT clients, able to ping the VPN server we are trying to connect to, and have the firewall client disabled.
-Server has protocol definitions set up for UDP 500 and 10000 send receive on both (though we've tried other combinations)
-Server has protocol rules set up to allow everyone to use the above mentioned protocol definitions at any time.
-Server has IP Routing enabled, as well as allow PPTP enabled.

Here is my setup:
-Fractional T1 comes into Cisco router.
-Server is connected to router, using 192.168.0.2 IP address (router has 192.168.0.1)
-Server is then connected to patch panel, and has IP address on that interface of 192.168.16.2
-All clients that use server are on the 192.168.16.* subnet.

If i take a computer and plug it straight into the router (or, more precisely through a hub, so i don't have to take the server off the connection) then i can connect to the VPN server with no problems, so the router is configured properly.
Is there anything i'm missing? Anything i can do? Y'all have been a great help so far, i think i'm almost there and just missing some one or two things.
Post #: 1
RE: Cisco VPN still - 20.Sep.2002 11:42:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tim,

you seem to have all the proper configuration in place for a connection to a Cisco VPN3000 concentrator that uses the default Cisco NAT Traversal UDP port 10000. That's very good!

But... are you sure it is a VPN3000, that it is configured to use that UDP port 10000 for the UDP encapsulated ESP traffic and that the NAT Traversal feature is enabled for your profile?

Check out the ISA firewall and IP packet filter log for denied or blocked packets.

HTH,
Stefaan

(in reply to nowimnothing)
Post #: 2
RE: Cisco VPN still - 21.Sep.2002 2:43:00 AM   
nowimnothing

 

Posts: 15
Joined: 22.Aug.2002
Status: offline
quote:
Originally posted by spouseele:
Hi Tim,

you seem to have all the proper configuration in place for a connection to a Cisco VPN3000 concentrator that uses the default Cisco NAT Traversal UDP port 10000. That's very good!

But... are you sure it is a VPN3000, that it is configured to use that UDP port 10000 for the UDP encapsulated ESP traffic and that the NAT Traversal feature is enabled for your profile?

Check out the ISA firewall and IP packet filter log for denied or blocked packets.

HTH,
Stefaan

Am i sure? no.. definitely not. The guy on the server end is a bit less than helpful. He said the only port he knew about was 500, didn't know anything about 10000, but he did tell me that i had to (his words) "enable the server so it'll work with ESP" - quite clear huh?
So i was working under the presumption that it was on the default port and all that. He hasn't responded to the last few questions i've asked him, so i'm still trying to get a reply on that - i just wanted to make sure i was doing the right thing for what i thought i had...

(in reply to nowimnothing)
Post #: 3
RE: Cisco VPN still - 21.Sep.2002 12:28:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tim,

take a look in the ISA packet filter log. If the Cisco device is not properly configured you will probably see some blocked packets with the field protocol set to 50 (ESP) or 51 (AH). This would indicate that the Cisco device is *not* properly configured.

Another method is to take a Network Monitor trace. You can try the W2K built-in NetMon feature or use another one such as Ethereal (my favorite). Check out http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=14;t=000062 for more info about Ethereal.

HTH,
Stefaan

(in reply to nowimnothing)
Post #: 4
RE: Cisco VPN still - 22.Sep.2002 6:35:00 PM   
nowimnothing

 

Posts: 15
Joined: 22.Aug.2002
Status: offline
quote:
Originally posted by spouseele:
Hi Tim,

take a look in the ISA packet filter log. If the Cisco device is not properly configured you will probably see some blocked packets with the field protocol set to 50 (ESP) or 51 (AH). This would indicate that the Cisco device is *not* properly configured.

I checked the packet filter logs and saw no blocked packets with the protocol set to 50 or 51. So, i went into the other sections and tried to find items referencing the application, or anything, and i found the following (some info changed, but this is mostly the original stuff)

192.168.16.102 SYSTEM cvpnd.exe:3:5.0 2002-09-20 18:07:15 HEATHER cisco.server.address XXX.XXX.XXX.XXX - 32 - - - - GHBN 0 2 0
192.168.16.102 SYSTEM cvpnd.exe:3:5.0 2002-09-20 18:07:15 HEATHER - - - - - - 0 UDP Bind 0 2 1
192.168.16.102 SYSTEM cvpnd.exe:3:5.0 2002-09-20 18:07:15 HEATHER - XXX.XXX.XXX.XXX 62514 - - - 62514 UDP UdpMap 0 2 1
192.168.16.102 SYSTEM cvpnd.exe:3:5.0 2002-09-20 18:07:16 HEATHER - XXX.XXX.XXX.XXX 62514 1000 - - 62514 UDP UdpMap 20000 2 1
192.168.16.102 SYSTEM cvpnd.exe:3:5.0 2002-09-20 18:07:16 HEATHER - - - 1000 - - 0 UDP Bind 20000 2 1
192.168.16.102 SYSTEM cvpnd.exe:3:5.0 2002-09-20 18:07:16 HEATHER - - - - - - 0 UDP Bind 0 2 2
192.168.16.102 SYSTEM cvpnd.exe:3:5.0 2002-09-20 18:07:16 HEATHER - XXX.XXX.XXX.XXX 62514 - - - 62514 UDP UdpMap 0 2 2
192.168.16.102 SYSTEM cvpnd.exe:3:5.0 2002-09-20 18:07:17 HEATHER - XXX.XXX.XXX.XXX 62514 1000 - - 62514 UDP UdpMap 20000 2 2
192.168.16.102 SYSTEM cvpnd.exe:3:5.0 2002-09-20 18:07:17 HEATHER - - - 1000 - - 0 UDP Bind 20000 2 2
192.168.16.102 SYSTEM cvpnd.exe:3:5.0 2002-09-20 18:07:17 HEATHER - - - - - - 0 UDP Bind 0 2 3
192.168.16.102 SYSTEM cvpnd.exe:3:5.0 2002-09-20 18:07:17 HEATHER - XXX.XXX.XXX.XXX 500 - - - 500 UDP UdpMap 0 2 3

I know it's hard to read and all, but does this tell me anything? (it was in one of the FWSEXTD*.log files)
Thanks,

Tim

(in reply to nowimnothing)
Post #: 5
RE: Cisco VPN still - 22.Sep.2002 10:50:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tim,

first of all, if you post excerpts from any log file, it is much easier if you enable ISA to log *all* fields. Otherwise it becomes very hard to read them without the header line. [Big Grin]

Now, from what I can see in the posted excerpt from the firewall log, the requests are coming from a firewall client (fields cs-username and c-agent are filled in). This means that the Firewall client was active at that moment. However, in order to pass the Cisco VPN connection through ISA, the client *must* be a SecureNAT client and if the Firewall client is also installed, it *must* be disabled!

So, disable the Firewall client and test it again. Please, don't forget to enable on ISA the logging of *all* fields.

HTH,
Stefaan

(in reply to nowimnothing)
Post #: 6
RE: Cisco VPN still - 22.Sep.2002 11:01:00 PM   
nowimnothing

 

Posts: 15
Joined: 22.Aug.2002
Status: offline
sorry, i knew there had to be a better way to get all that displayed, but i wasn't sure.
I haven't actually been _in_ the office where this problem is occurring in a while - i _thought_ i made sure to tell them that they shouldn't be using it with the firewall client enabled, but maybe they forgot and that's part of the problem. who knows.
I'll get them to make changes and try again in the morning and re-post the results from the logs.
Thanks for all your help so far,

Tim

(in reply to nowimnothing)
Post #: 7
RE: Cisco VPN still - 23.Sep.2002 7:05:00 PM   
nowimnothing

 

Posts: 15
Joined: 22.Aug.2002
Status: offline
quote:
Originally posted by spouseele:
Hi Tim,

first of all, if you post excerpts from any log file, it is much easier if you enable ISA to log *all* fields. Otherwise it becomes very hard to read them without the header line. [Big Grin]

Now, from what I can see in the posted excerpt from the firewall log, the requests are coming from a firewall client (fields cs-username and c-agent are filled in). This means that the Firewall client was active at that moment. However, in order to pass the Cisco VPN connection through ISA, the client *must* be a SecureNAT client and if the Firewall client is also installed, it *must* be disabled!

So, disable the Firewall client and test it again. Please, don't forget to enable on ISA the logging of *all* fields.

HTH,
Stefaan

OK, hopefully this will help, this is from the firewall log from when they tried to connect, without the firewall client enabled, after choosing to log all files:
192.168.16.102 - - N 2002-09-23 12:01:00 fwsrv HEATHER - - - - - - - 0 UDP Bind - - - 0 - - - 1624 3394
192.168.16.102 - - N 2002-09-23 12:01:00 fwsrv HEATHER - - XXX.XXX.XXX.XXX 500 - - - 500 UDP UdpMap - - - 0 - JTS Rule Allow rule 1624 3394
192.168.16.102 - - N 2002-09-23 12:02:28 fwsrv HEATHER - - XXX.XXX.XXX.XXX 500 87125 2810 - 500 UDP UdpMap - - - 20000 - JTS Rule Allow rule 1624 3394
192.168.16.102 - - N 2002-09-23 12:02:28 fwsrv HEATHER - - - - 87125 2810 - 0 UDP Bind - - - 20001 - - - 1624 3394
Does this show anything is wrong?

(in reply to nowimnothing)
Post #: 8
RE: Cisco VPN still - 23.Sep.2002 10:46:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tim,

if you look into the excerpt of the firewall, you will see that the internal station '192.168.16.102' tries to communicate with the VPN server on UDP port 500 and this is allowed by the ISA server (s-operation=UdpMap and sc-status=0). About 90 seconds later, you can see that the UdpMap is closed (s-operation=UdpMap and sc-status=20000) and that the amount of data transferred is cs-bytes=2810 (bytes sent) and sc-bytes=0 (bytes received). In other words, no response seems to be received! Because UDP 500 is used for the IKE negotiation, that doesn't sound good. [Frown]

I don't know if you can work with a Network Monitor, but I would check with the free Network Monitor Ethereal what exactly is happening. First I would take a trace on the external segment and verify that the packets are indeed leaving ISA and if there are some packets returned by the VPN gateway.

Are you sure there are no blocked packets possibly related to this issue in the IP packet filter log?

HTH,
Stefaan

(in reply to nowimnothing)
Post #: 9
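Added example, not part of the original posts: the reading of the firewall log described in the reply above (a UdpMap opened with sc-status=0, later closed with sc-status=20000, bytes sent but none received) turned into a check that can be run over a whole log. The positional field order is an assumption inferred from the posted lines; the last two sample lines are constructed for contrast.

```python
from datetime import datetime

# Positional layout inferred from the posted lines (assumption); the reply itself
# names only cs-username, c-agent, s-operation, sc-status, cs-bytes and sc-bytes.
FIELDS = ["c-ip", "cs-username", "c-agent", "sc-authenticated", "date", "time",
          "s-svcname", "s-computername", "cs-referred", "r-host", "r-ip",
          "r-port", "time-taken", "cs-bytes", "sc-bytes", "cs-protocol",
          "cs-transport", "s-operation", "cs-uri", "cs-mime-type",
          "s-object-source", "sc-status", "s-cache-info"]

# The first four lines are the excerpt from post #8. The last two are constructed
# (documentation address 203.0.113.10) to show a mapping that did get replies.
SAMPLE = """\
192.168.16.102 - - N 2002-09-23 12:01:00 fwsrv HEATHER - - - - - - - 0 UDP Bind - - - 0 - - - 1624 3394
192.168.16.102 - - N 2002-09-23 12:01:00 fwsrv HEATHER - - XXX.XXX.XXX.XXX 500 - - - 500 UDP UdpMap - - - 0 - JTS Rule Allow rule 1624 3394
192.168.16.102 - - N 2002-09-23 12:02:28 fwsrv HEATHER - - XXX.XXX.XXX.XXX 500 87125 2810 - 500 UDP UdpMap - - - 20000 - JTS Rule Allow rule 1624 3394
192.168.16.102 - - N 2002-09-23 12:02:28 fwsrv HEATHER - - - - 87125 2810 - 0 UDP Bind - - - 20001 - - - 1624 3394
192.168.16.103 - - N 2002-09-23 12:05:00 fwsrv HEATHER - - 203.0.113.10 500 - - - 500 UDP UdpMap - - - 0 - JTS Rule Allow rule 1630 3401
192.168.16.103 - - N 2002-09-23 12:05:40 fwsrv HEATHER - - 203.0.113.10 500 40210 1844 1536 500 UDP UdpMap - - - 20000 - JTS Rule Allow rule 1630 3401
"""

def parse_line(line):
    """Split one whitespace-collapsed firewall log line into named fields."""
    tok = line.split()
    if len(tok) < len(FIELDS) + 2:
        raise ValueError("too few fields: " + line)
    rec = dict(zip(FIELDS, tok))
    # Rule names may contain spaces, so the two trailing ids are taken from the end.
    rec["rule"] = " ".join(tok[len(FIELDS):-2])
    rec["session-id"], rec["connection-id"] = tok[-2], tok[-1]
    rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                    "%Y-%m-%d %H:%M:%S")
    return rec

def count(value):
    """Byte counters are logged as '-' when nothing was counted."""
    return 0 if value == "-" else int(value)

def one_way_udp_maps(lines):
    """Return UDP mappings that closed after sending data but receiving none."""
    opened, findings = {}, []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["s-operation"] != "UdpMap":
            continue
        key = (rec["c-ip"], rec["r-ip"], rec["r-port"], rec["connection-id"])
        if rec["sc-status"] == "0":          # mapping created and allowed
            opened[key] = rec["when"]
        elif rec["sc-status"] == "20000":    # mapping closed
            sent, received = count(rec["cs-bytes"]), count(rec["sc-bytes"])
            start = opened.pop(key, None)
            if sent > 0 and received == 0:
                age = int((rec["when"] - start).total_seconds()) if start else None
                findings.append({"client": rec["c-ip"], "remote": rec["r-ip"],
                                 "port": rec["r-port"], "sent": sent,
                                 "seconds_open": age})
    return findings

if __name__ == "__main__":
    for f in one_way_udp_maps(SAMPLE.splitlines()):
        print("no reply: {client} -> {remote}:{port}, {sent} bytes sent, "
              "open {seconds_open}s".format(**f))
```
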
RE: Cisco VPN still - 24.Sep.2002 12:57:00 AM   
nowimnothing

 

Posts: 15
Joined: 22.Aug.2002
Status: offline
quote:
Originally posted by spouseele:
Hi Tim,

if you look into the excerpt of the firewall, you will see that the internal station '192.168.16.102' tries to communicate with the VPN server on UDP port 500 and this is allowed by the ISA server (s-operation=UdpMap and sc-status=0). About 90 seconds later, you can see that the UdpMap is closed (s-operation=UdpMap and sc-status=20000) and that the amount of data transferred is cs-bytes=2810 (bytes sent) and sc-bytes=0 (bytes received). In other words, no response seems to be received! Because UDP 500 is used for the IKE negotiation, that doesn't sound good. [Frown]

I don't know if you can work with a Network Monitor, but I would check with the free Network Monitor Ethereal what exactly is happening. First I would take a trace on the external segment and verify that the packets are indeed leaving ISA and if there are some packets returned by the VPN gateway.

Are you sure there are no blocked packets possibly related to this issue in the IP packet filter log?

HTH,
Stefaan

Upon further inspection, i did see something in the packet filter log that i initially missed. And it is in the same time frame as the items in the firewall log. It is for ports 68 and 67. Here is the info from the packet filter logs:
2002-09-23 12:01:59 192.168.16.2 255.255.255.255 Udp 68 67 - BLOCKED 192.168.0.146 45 00 01 10 31 2c 00 00 80 11 38 07 c0 a8 10 02 ff ff ff ff 00 44 00 43 00 fc b5 d1 01 01 06 00 ce 78 68 58 0a 00 80 00 c0 a8 00 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2002-09-23 12:02:07 192.168.16.2 255.255.255.255 Udp 68 67 - BLOCKED 192.168.0.146 45 00 01 10 31 a0 00 00 80 11 37 93 c0 a8 10 02 ff ff ff ff 00 44 00 43 00 fc ec a2 01 01 06 00 00 00 00 00 0a 00 80 00 c0 a8 00 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2002-09-23 12:02:16 192.168.16.2 255.255.255.255 Udp 68 67 - BLOCKED 192.168.0.146 45 00 01 10 31 de 00 00 80 11 37 55 c0 a8 10 02 ff ff ff ff 00 44 00 43 00 fc ec a2 01 01 06 00 00 00 00 00 0a 00 80 00 c0 a8 00 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
2002-09-23 12:02:24 192.168.16.2 255.255.255.255 Udp 68 67 - BLOCKED 192.168.0.146 45 00 01 10 33 09 00 00 80 11 36 2a c0 a8 10 02 ff ff ff ff 00 44 00 43 00 fc ec a2 01 01 06 00 00 00 00 00 0a 00 80 00 c0 a8 00 92 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
If i'm reading this correctly, it means these were sent out as broadcast packets, right? cuz the destination address is 255.255.255.255? Does that help at all?
I can try to use a network monitor, though my time in that office is very slim, so i don't know when i'll get to it. Hopefully that stuff from the packet filter log makes a difference.
Thanks for all your help so far Stefaan, you've been a great help.

Tim

(in reply to nowimnothing)
Post #: 10
RE: Cisco VPN still - 24.Sep.2002 1:24:00 AM   
nowimnothing

 

Posts: 15
Joined: 22.Aug.2002
Status: offline
I figured this might work better if you saw ALL blocked packets in the packet filter log during the time frame that the connection establishment was attempted -


(in reply to nowimnothing)
Post #: 11
RE: Cisco VPN still - 24.Sep.2002 11:17:00 PM   
nowimnothing

 

Posts: 15
Joined: 22.Aug.2002
Status: offline
I was able to get Ethereal on the server and test to see what was going on... here is the ONLY thing that happened when someone tried to connect:

myserver.mydomain.local XXX.XXX.XXX.XXX ISAKMP Aggressive

(source, destination, protocol, [can't remember last field name])

Nothing came back in when those went out.
XXX.XXX.XXX.XXX was the correct address.

Since nothing is coming back, what does that say?

Tim

(in reply to nowimnothing)
Post #: 12
RE: Cisco VPN still - 25.Sep.2002 1:04:00 AM   
skipster

 

Posts: 550
Joined: 12.Oct.2001
From: newport beach
Status: offline
Try this. Disable filtering of IP fragments on the ISA server. Also what is the status of your default allow all rule, is it enabled? Do you have any restricted rules denying any sites?

(in reply to nowimnothing)
Post #: 13
RE: Cisco VPN still - 27.Sep.2002 9:32:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Tim,

sorry for the late reply, but I was too busy to solve some nasty network problems. [Big Grin]

According to the packet log, the blocked packets are indeed broadcasts and have nothing to do with your Cisco VPN problem.

I would have used Ethereal on a workstation outside of ISA and captured the packets in promiscuous mode. Only then can you be 100% sure if ISA is sending them out. So, I suggest you redo the VPN test and see what happens. If nothing is getting back, then I don't think it is ISA's fault! [Big Grin]

HTH,
Stefaan

(in reply to nowimnothing)
Post #: 14
RE: Cisco VPN still - 27.Sep.2002 10:00:00 PM   
nowimnothing

 

Posts: 15
Joined: 22.Aug.2002
Status: offline
Looks like a job for a monday [Smile]
When i was in there i didn't have access to a computer that wasn't on a switched network, so i couldn't have tried that right?
I can get a computer into that setup next time i'm in there and try again though, i just figured running it on the server would have been good enough, guess not [Frown]
I'll try on monday and repost the results.
Hope your network problems get solved [Big Grin]

Tim

(in reply to nowimnothing)
Post #: 15
RE: Cisco VPN still - 7.Oct.2002 7:41:00 PM   
nowimnothing

 

Posts: 15
Joined: 22.Aug.2002
Status: offline
OK, i was able to get a computer plugged into a hub, using promiscuous mode to view all the packets going into and out of the server.
The same thing still applies as when i did the network monitor tool on the server itself.
I get packets going outbound
source = 192.168.0.146 (this is the server, it's behind a Cisco router)
destination = XXX.XXX.XXX.XXX (this is the server we are trying to connect to)
Protocol = ISAKMP
Info = Aggressive

I get a couple of those while the VPN client is trying to connect, but that is it, nothing else at all.

On a different note, i have tried the VPN client on a computer that connects directly to the Cisco Router, bypassing the server. It can connect fine to the VPN server. When i monitor the network during those connection sessions, i see the same outbound packets as i described above, but i see inbound ones with the same information also (just the source/destination addresses reversed).
What does this mean? Why am i not seeing responses when i'm going through the server, but i am seeing responses when i'm bypassing the server, even though the same packets are going out? Shouldn't i still see the responses coming back in, even if ISA Server were misconfigured and were blocking them?
Any help would be appreciated.

Tim

(in reply to nowimnothing)
Post #: 16
