GRE port 47
GRE port 47 - 18.Jun.2007 3:50:12 PM
douglas_paz
Posts: 4
Joined: 18.Jun.2007
Status: offline
I installed ISA 2004 about 6 months ago on a Windows Server 2003 SP1 computer. Initially, it worked perfectly except for 1 problem: I was unable to add users/groups from the domain (I joined it to the domain). Recently, I managed to fix it (it was a problem with the RPC protocol from Win2003 SP1) by applying ISA Server 2004 SP3. It was not easy, because the SP3 damaged the firewall service and I had to do the export -> uninstall -> re-install -> SP3 -> import procedure.

All seemed right in place. I did not notice until now (not sure if it's related), but the VPN access stopped working. I have a server publishing rule for the Windows 2003 VPN server (RRAS). On the client I get the following error from the Windows 2003 VPN server:

A connection between the VPN server and the VPN client aaa.bbb.ccc.ddd has been established, but the VPN connection cannot be completed. The most common cause for this is that a firewall or router between the VPN server and the VPN client is not configured to allow Generic Routing Encapsulation (GRE) packets (protocol 47). Verify that the firewalls and routers between your VPN server and the Internet allow GRE packets. Make sure the firewalls and routers on the user's network are also configured to allow GRE packets. If the problem persists, have the user contact the Internet service provider (ISP) to determine whether the ISP might be blocking GRE packets.

Just to make sure that the router is not the problem, I connected a laptop with a crossed cable to the external interface of the ISA 2004 and I get the same error. I also eliminated the VPN rule, disabled the VPN access (on ISA) and redid it all. In the LAN I can connect.

I have been searching in forums, but usually people have problems with routers and 3rd-party firewalls, which is not my case. Any suggestions?
< Message edited by douglas_paz -- 18.Jun.2007 3:52:15 PM >
RE: GRE port 47 - 19.Jun.2007 4:12:11 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi Douglas,

So you have a Windows 2003 Server acting as a VPN server located behind ISA? You have a server publishing rule for the PPTP server. You have tracked this down and say that GRE is not allowed through ISA. GRE is allowed through the PPTP filter. Make sure in your server publishing rule that the PPTP filter is bound to the PPTP protocol.

By the way, it is not GRE port 47, it is GRE IP protocol 47!

Best regards!
< Message edited by justmee -- 19.Jun.2007 4:17:42 AM >
RE: GRE port 47 - 19.Jun.2007 7:44:58 AM
douglas_paz
Posts: 4
Joined: 18.Jun.2007
Status: offline
Yes, it's protocol 47, thanks. And yes, the 2003 VPN is behind the ISA; therefore, I created a server publishing rule using 'PPTP server'. I do not know what to do. I tried to fix it by upgrading to ISA 2006 but I get the same problem. It was working for about 7 months.
RE: GRE port 47 - 19.Jun.2007 9:01:29 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
I see. As I said before, make sure that the PPTP filter is enabled and bound to the PPTP protocol. Right-click on the rule, go to the Traffic tab, and there click Properties. In the new window go to the Parameters tab and make sure that the PPTP filter is checked.

A step-by-step approach must be followed. From where are you connecting? The "first" test should be with a computer connected directly to ISA's external interface (if ISA is configured to listen for PPTP connections on this interface).

If you have done the above and it is still not working, then we need to know if the packets are actually reaching the VPN server and, if not, who is blocking them and why. What do you see in ISA's logs? What would definitely tell us the story would be some Wireshark traces.
RE: GRE port 47 - 19.Jun.2007 9:55:30 AM
douglas_paz
Posts: 4
Joined: 18.Jun.2007
Status: offline
I checked the rule, all fine.

Tested locations:
1 home --> internet --> cisco router --> isa 2004
2 pc --> router --> isa 2004
3 pc --> cross cable --> isa 2004

From the monitor I can see the protocol PPTP initiating and after some seconds it closes. No errors.
RE: GRE port 47 - 19.Jun.2007 3:49:18 PM
douglas_paz
Posts: 4
Joined: 18.Jun.2007
Status: offline
I found the problem. I do not know why it took so much time for this problem to surface, but I have some IP aliases on the external NIC, and in the rule the 'requests for the published server' was set to 'appear to come from the original client'. I presume that at some point it was listening on the IP I specified on the network tab, but the reply was done thru another of the aliases. I switched it to 'appear to come from ISA'. This will ensure that it will listen and talk thru the same IP. Thanks
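
The diagnosis in the last post (PPTP control channel dialed on one external address, GRE answered from another alias) is the kind of thing the Wireshark traces suggested earlier would show. The following is an added example, not part of the thread or any poster's code: it parses constructed IPv4 packets, separates TCP port 1723 from GRE (IP protocol 47, which carries no port numbers), and reports clients that receive GRE from an address other than the one they dialed. All addresses are documentation-range placeholders, and capturing on the client side of ISA is an assumption.

```python
import socket
import struct
from collections import defaultdict

PROTO_TCP, PROTO_GRE, PPTP_PORT = 6, 47, 1723

def ipv4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def tcp(sport, dport):
    """Minimal 20-byte TCP header; only the ports matter for this check."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)

def parse(pkt):
    """Return (src, dst, proto, sport, dport); ports are None unless TCP."""
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]                     # the "protocol 47" field lives here
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport = dport = None
    if proto == PROTO_TCP and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, proto, sport, dport

def gre_address_mismatches(packets):
    """Map client -> GRE source IPs that differ from the IP it dialed on 1723."""
    dialed = {}                        # client -> server IP used for TCP/1723
    gre_from = defaultdict(set)        # receiver -> source IPs of GRE sent to it
    for pkt in packets:
        src, dst, proto, _sport, dport = parse(pkt)
        if proto == PROTO_TCP and dport == PPTP_PORT:
            dialed.setdefault(src, dst)
        elif proto == PROTO_GRE:
            gre_from[dst].add(src)
    return {c: sorted(ips - {dialed[c]}) for c, ips in gre_from.items()
            if c in dialed and ips - {dialed[c]}}

# Constructed sample capture; the GRE payload is a 4-byte stub, not real data.
CLIENT, LISTEN_IP, ALIAS_IP = "198.51.100.20", "203.0.113.10", "203.0.113.11"
GRE_STUB = b"\x30\x81\x88\x0b"
BROKEN = [ipv4(CLIENT, LISTEN_IP, PROTO_TCP, tcp(1055, PPTP_PORT)),
          ipv4(LISTEN_IP, CLIENT, PROTO_TCP, tcp(PPTP_PORT, 1055)),
          ipv4(CLIENT, LISTEN_IP, PROTO_GRE, GRE_STUB),
          ipv4(ALIAS_IP, CLIENT, PROTO_GRE, GRE_STUB)]    # reply leaves via an alias
FIXED = BROKEN[:3] + [ipv4(LISTEN_IP, CLIENT, PROTO_GRE, GRE_STUB)]

if __name__ == "__main__":
    print("broken:", gre_address_mismatches(BROKEN))
    print("fixed: ", gre_address_mismatches(FIXED))
```
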