Welcome to ISAserver.org
Site to Site VPN with ISA 2004
Site to Site VPN with ISA 2004 - 1.Sep.2004 12:55:00 PM
Walzing
Posts: 20
Joined: 1.Sep.2004
Status: offline
Hi,
I have a little problem with ISA 2004 and Site to Site VPN. I get an error 14147 if the remote site connects to the ISA Server. Here is my configuration.
Remote Site: Dial-up Bintec router, no VPN. Windows 2000/2003 Server with 2 NICs and a DOD
Interface to the router: 10.0.0.2/24
Interface for the network: 192.168.40.1/24
DOD interface: DHCP
Main Site: The ISA Server:
External interface: xxx.yyy.zzz.www/24
Internal interface: 192.168.39.1
The ISA VPN is configured to get IPs from the internal DHCP. The internal network uses 192.168.39.1-192.168.39.100. The DHCP server has a scope for 192.168.39.101-192.168.39.200.
All works fine. But if the remote site connects I get this event: 14147, telling me that there is a wrong router.
Can someone explain to me why this happens?
thx in advance
Bjoern
[ September 01, 2004, 12:56 PM: Message edited by: Bjoern Wolfgardt ]

RE: Site to Site VPN with ISA 2004 - 3.Sep.2004 10:47:00 AM
Walzing
Posts: 20
Joined: 1.Sep.2004
Status: offline
I think I found the Solution. Now it is error free.
But what I don't understand is why sometimes the ISA Server doesn't accept new VPN connections and the RRAS MMC hangs sometimes. I have to restart the server then. Maybe I will also find the solution for this.
Bjoern

RE: Site to Site VPN with ISA 2004 - 3.Sep.2004 1:28:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bjoern,
None of the management takes place in the RRAS MMC, so it shouldn't even be exposed.
HTH, Tom

RE: Site to Site VPN with ISA 2004 - 3.Sep.2004 2:44:00 PM
Walzing
Posts: 20
Joined: 1.Sep.2004
Status: offline
Hi,
okay, that's right. I just take it to monitor which VPN connections are active and which are still disconnected. What I found out right now is that the MMC hangs. Today the ISA MMC hangs. I also found a resource error (German, sorry):
Ereignistyp: Fehler
Ereignisquelle: Microsoft-Firewall
Ereigniskategorie: Keine
Ereigniskennung: 14007
Datum: 03.09.2004
Zeit: 11:24:39
Benutzer: Nicht zutreffend
Computer: FW-1
Beschreibung: Der Firewalldienst kann wegen Speichermangels nicht fehlerfrei ausgeführt werden. Das Datenfenster der Ereignisanzeige zeigt die Anzahl der aktiven Verbindungen an.
Weitere Informationen über die Hilfe- und Supportdienste erhalten Sie unter http://go.microsoft.com/fwlink/events.asp.
Daten: 0000: de 00 00 00 ¦...
I use a 2xXEON CPU with 1 GB RAM. The memory usage is something around 780 MB. So there shouldn't be any resource problems.
After I have to kill the MMC I am not able to log off or log on to the server (remote or console). It takes too long (waited 10 minutes and then restarted the server).
cu Bjoern

RE: Site to Site VPN with ISA 2004 - 6.Sep.2004 4:50:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bjoern,
Can't say that I know what that error message says, but it could be that the interface name and the calling VPN router names don't match.
HTH, Tom

RE: Site to Site VPN with ISA 2004 - 7.Sep.2004 8:20:00 AM
Walzing
Posts: 20
Joined: 1.Sep.2004
Status: offline
Hi,
thank you for your answer. I found a translation now from isa_evnt.chm.
ISA Server 2004: Event 14007 Event Message: A shortage of available memory caused the Firewall service to fail. The Event Viewer Data window displays the number of active connections.
Explanation: The ISA Server computer cannot support additional connections for the server.
User Action: Check the number of current connections and reduce that number to an acceptable level. Close other programs that are running. Use the Task Manager to check programs and processes using large amounts of system resources. For more information about managing memory resources, see Windows Help.
The names are correct. I have now vpn clients in RRAS but I can see that the interfaces are connected. I can also see that the VPN_Remotesite is connected in ISA 2004.
The error happens after I reboot the server. All remote sites will try to connect. Some connect, then I get the error and after that the others will connect.
I am not short of memory as far as I can see. I have 1 GB. But only 750 (max.) is used.
I also don't see a high number of current connections. It's around 150.
cu Bjoern

RE: Site to Site VPN with ISA 2004 - 7.Sep.2004 3:11:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bjoern,
If you see the remote VPN router as a Remote Access client in the RRAS console, then you have not created a site to site VPN. The remote router's account does not appear as a remote access client VPN connection. It will show as an active demand dial interface.
HTH, Tom

RE: Site to Site VPN with ISA 2004 - 7.Sep.2004 3:15:00 PM
Walzing
Posts: 20
Joined: 1.Sep.2004
Status: offline
Hi,
it doesn't show as a client. There is only an active DOD Interface.
cu Bjoern

RE: Site to Site VPN with ISA 2004 - 7.Sep.2004 3:20:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bjoern,
OK, so the problem is related to the memory issue with too many connections. Have you checked the logs to see what hosts may be virus infected? Have you enforced connection limits?
Thanks! Tom

RE: Site to Site VPN with ISA 2004 - 8.Sep.2004 10:54:00 AM
Walzing
Posts: 20
Joined: 1.Sep.2004
Status: offline
Hi,
today I had the same problem again. It seems that after 18 - 20 hours the server hangs. It will not accept new VPN connections from remote sites (but telnet ISA-Server 1723 works from outside the network). The sql-server (sql-servr.exe) used 850 MB this morning. I turned off the logging today to see what happens.
I found some errors in the event log that may also be helpful: 1053 userenv Windows cannot determine the user or computer name. (error description). Group Policy processing aborted.
Error Description (translated): Domain not present or could not be contacted.
This error starts after ca. 8 hours uptime.
To your question: Connection limit is set to:
created connections per second and rule: 1000
connection limit per user or computer: 160
user defined limit: 1000000
It is all default.
Virus infected clients are blocked if they reach the connection limit. The error (1053) started when all clients were off. Pls also take a look at this: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=30;t=000194
Looks like he has the same problem.
I maybe should tell you that we have 27 VPN remote sites (remote site uses windows 2000/2003 rras to connect) and about 1000 Clients.
I switched from windows 2000 RRAS as central vpn router to windows 2003 isa as vpn router. Now we have the problem.
cu Bjoern

RE: Site to Site VPN with ISA 2004 - 8.Sep.2004 2:12:00 PM
Walzing
Posts: 20
Joined: 1.Sep.2004
Status: offline
Some news,
Error 14007 3 minutes after reboot. I rebooted because I installed 2 GB RAM. Task Manager shows 1.6 GB of free RAM.
At this time there were 12 remote vpn sites online and 120 connections were displayed in the ISA MMC.
cu Bjoern [ September 08, 2004, 02:14 PM: Message edited by: Bjoern Wolfgardt ]

RE: Site to Site VPN with ISA 2004 - 8.Sep.2004 3:49:00 PM
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Bjoern,
Could you be under a SYN flood attack? Check out the article and Registry fix on the front page of this site.
Thanks! Tom

RE: Site to Site VPN with ISA 2004 - 9.Sep.2004 7:14:00 AM
Walzing
Posts: 20
Joined: 1.Sep.2004
Status: offline
Hi,
I will try this registry fix.
cu Bjoern

RE: Site to Site VPN with ISA 2004 - 9.Sep.2004 8:01:00 AM
Walzing
Posts: 20
Joined: 1.Sep.2004
Status: offline
Hi,
I set the registry hotfix. I rebooted the server. After that 5 VPN remote sites connected and then I get Error 14007.
Other sites still connect.
I will be back if the server hangs (or not).
cu Bjoern

RE: Site to Site VPN with ISA 2004 - 10.Sep.2004 9:59:00 AM
frentin
Posts: 12
Joined: 28.Apr.2004
From: Berlin / Germany
Status: offline
By the way: The registry fix message seems to have disappeared from this site, and in the knowledgebase it did not arrive yet. Is there any intention behind this?
Regards, Peter

RE: Site to Site VPN with ISA 2004 - 10.Sep.2004 2:07:00 PM
Walzing
Posts: 20
Joined: 1.Sep.2004
Status: offline
Hi, I have no idea why the article is gone. But I applied the patch and had no change.
I have switched back to RRAS (W2K) and ISA 2004 as firewall. All remote sites reconnected after 10 minutes. With ISA 2004 as VPN server it took 1 hour or more sometimes.
cu Bjoern [ September 10, 2004, 04:10 PM: Message edited by: Bjoern Wolfgardt ]

RE: Site to Site VPN with ISA 2004 - 31.Jan.2006 1:03:39 PM
rodent
Posts: 11
Joined: 29.Nov.2002
From: Stockholm
Status: offline
Hi, I have similar problems. My FW is a Dell PowerEdge 1850, 3,66GHz CPU, Win2K3 STD, ISA 2K4, 3GB RAM, 2x36GB 15K. MSDE eats about 1,5GB RAM, the rest up to 1,9GB RAM other services. Still there is more than 1 GB RAM available. boot.ini has the /3GB option. I did not try to set a maximum value for MSDE to use because I have a lot of RAM. I have 3 site to site VPNs which are seldom used. I get error 14007 quite often and also "connection limit exceeded". The FW has 6 NICs of which 4 are used: Internet, DMZ, LAN and another net to our customers. Any ideas?