Welcome to ISAserver.org


Stateful Packet Inspection

Stateful Packet Inspection - 11.Oct.2007 8:27:22 AM   
madmonky

 

Posts: 1
Joined: 11.Oct.2007
Status: offline
Hello everyone,
I currently have a site-to-site VPN connection set up between my NJ office and an office in Prince Rupert, Canada. We are running ISA 2006. We have two buildings at each location, each with their own ISA box. Building A in NJ and Building A in Canada are connected with a VPN link. Building B in NJ and Building B in Canada are connected with a separate VPN link. We have LAN access between Buildings A and B in NJ as well as LAN access between Buildings A and B in Canada. We would like to set up asymmetrical routing over the VPN tunnels.
The problem is that packets will leave Building B in NJ headed for a computer/server in Canada. They enter through Building B's (Canada) ISA box, but the return traffic leaves through Building A's (Canada) ISA box. Since Building A's (Canada) ISA box is unaware of the connection, it drops the packets with the following error: "TCP_NOT_SYN_PACKET". I've been told this is because of ISA's stateful packet inspection feature. Is there a way to disable this feature on the Site to Site network so that I can have asymmetrical routing of the VPN tunnels but still have the protection of Stateful Packet Inspection on the other ISA networks?

_____________________________

David Marques
System Administrator
Maher Terminals, LLC
Post #: 1
RE: Stateful Packet Inspection - 18.Dec.2007 4:08:30 PM   
pwindell

 

Posts: 663
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
You need to treat both buildings in Canada as one Site, and treat both buildings in NJ as one Site.  Then you will have to get rid of one VPN and just run a single VPN between the Canadian and US Sites.

You might be able to work out some kind of static routing scheme using the LAN Routers internally within each site and keep both VPNs, but there really isn't a prayer in the world that I will gain enough understanding of how all 4 facilities are put together in order to "invent" something for that from where I am sitting.


_____________________________

Phillip Windell
www.wandtv.com

(in reply to madmonky)
Post #: 2
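
The drop discussed in this thread can be reproduced with a small model, added here as an illustration and not taken from either poster or from ISA Server itself: each firewall keeps its own connection table, and only a bare SYN may create an entry. The addresses, ports and the `Packet`/`Firewall` classes are constructed for the example; `TCP_NOT_SYN_PACKET` is the error string quoted in the question.

```python
# Added illustration: a minimal model of per-firewall TCP connection tracking.
# Addresses, ports and class names are constructed for this example.
from dataclasses import dataclass, field

SYN, ACK = 0x02, 0x10

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

    def flow_key(self):
        # Direction-independent key so both halves of a connection match.
        return frozenset([(self.src, self.sport), (self.dst, self.dport)])

@dataclass
class Firewall:
    name: str
    conns: set = field(default_factory=set)

    def inspect(self, pkt):
        key = pkt.flow_key()
        if key in self.conns:
            return "ALLOW"
        # Only a bare SYN (no ACK) may create state on this box.
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.conns.add(key)
            return "ALLOW"
        return "TCP_NOT_SYN_PACKET"

def handshake(outbound_fw, return_fw):
    """Send the SYN through outbound_fw and the SYN-ACK back through return_fw."""
    syn = Packet("10.1.2.10", 49152, "10.2.1.20", 445, SYN)
    syn_ack = Packet("10.2.1.20", 445, "10.1.2.10", 49152, SYN | ACK)
    return outbound_fw.inspect(syn), return_fw.inspect(syn_ack)

def demo():
    canada_a, canada_b = Firewall("Canada-A"), Firewall("Canada-B")
    asymmetric = handshake(canada_b, canada_a)  # in via B, back via A
    single = Firewall("Canada-single")
    symmetric = handshake(single, single)       # same box sees both directions
    return asymmetric, symmetric

if __name__ == "__main__":
    print(demo())
```

The second result is the case where one firewall per site sees both directions of the flow, which is the arrangement the reply recommends.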
