Welcome to ISAserver.org


VPN/Network issue

VPN/Network issue - 19.Aug.2004 10:26:00 AM   
FrankVerheggen

 

Posts: 24
Joined: 16.Jun.2004
From: The Netherlands
Status: offline
This is driving me mad...

We have an ISA 2004 server that is working just fine. However when I set up a VPN connection with a client to the box the whole server will freeze up and nothing works till I disconnect the VPN connection.

When the client connects, ISA will record the following message in the event log:

ISA Server detected routes through adapter "Internal" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 192.168.0.0-192.168.0.249;192.168.0.251-192.168.0.254;192.168.1.0-192.168.255.255;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.

Setup:

Internal network:
NIC: 192.168.0.250, subnet 255.255.0.0, no gw and internal dns
clients 192.168.20.x
servers 192.168.0.x

DMZ:
NIC: 172.16.0.1, subnet 255.255.255.0, no gw and no dns

Internet:
NIC 212.x.x.134, subnet 255.255.255.248, dg 212.x.x.129, dns ISP

Routing table before VPN connection:

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 212.x.x.129 212.x.x.134 30
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.255.0 172.16.0.1 172.16.0.1 20
172.16.0.1 255.255.255.255 127.0.0.1 127.0.0.1 20
172.16.255.255 255.255.255.255 172.16.0.1 172.16.0.1 20
192.168.0.0 255.255.0.0 192.168.0.250 192.168.0.250 20
192.168.0.250 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.250 192.168.0.250 20
212.x.x.128 255.255.255.248 212.x.x.134 212.x.x.134 30
212.x.x.134 255.255.255.255 127.0.0.1 127.0.0.1 30
212.x.x.255 255.255.255.255 212.x.x.134 212.x.x.134 30
224.0.0.0 240.0.0.0 172.16.0.1 172.16.0.1 20
224.0.0.0 240.0.0.0 192.168.0.250 192.168.0.250 20
224.0.0.0 240.0.0.0 212.x.x.134 212.x.x.134 30
255.255.255.255 255.255.255.255 172.16.0.1 172.16.0.1 1
255.255.255.255 255.255.255.255 192.168.0.250 192.168.0.250 1
255.255.255.255 255.255.255.255 212.x.x.134 212.x.x.134 1
Default Gateway: 212.x.x.129
===========================================================================
Persistent Routes:
None

After fiddling around I gave the VPN clients a separate IP range, being 10.0.0.x; however, I would like them to have an address from the internal DHCP server. The freezing seems to have stopped but I am still not able to connect to any resource on the internal network. Also, all connections after the first connection fail (error 691).

Route after first VPN connection:

Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 212.x.x.129 212.x.x.134 30
10.0.0.1 255.255.255.255 127.0.0.1 127.0.0.1 50
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.0.0 255.255.255.0 172.16.0.1 172.16.0.1 20
172.16.0.1 255.255.255.255 127.0.0.1 127.0.0.1 20
172.16.255.255 255.255.255.255 172.16.0.1 172.16.0.1 20
192.168.0.0 255.255.0.0 192.168.0.250 192.168.0.250 20
192.168.0.250 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.250 192.168.0.250 20
212.x.x.128 255.255.255.248 212.x.x.134 212.x.x.134 30
212.x.x.134 255.255.255.255 127.0.0.1 127.0.0.1 30
212.x.x.255 255.255.255.255 212.x.x.134 212.x.x.134 30
224.0.0.0 240.0.0.0 172.16.0.1 172.16.0.1 20
224.0.0.0 240.0.0.0 192.168.0.250 192.168.0.250 20
224.0.0.0 240.0.0.0 212.x.x.134 212.x.x.134 30
255.255.255.255 255.255.255.255 172.16.0.1 172.16.0.1 1
255.255.255.255 255.255.255.255 192.168.0.250 192.168.0.250 1
255.255.255.255 255.255.255.255 212.x.x.134 212.x.x.134 1
Default Gateway: 212.x.x.129
===========================================================================

Everything works (server publishing etc) except VPN which is crucial. I need to get this box working to replace our ISA 2000 server.

Does anybody have an idea what I am doing wrong here?

Thanks in advance.

Frank Verheggen
Bergson Technology B.V.
The Netherlands

PS Tom, is there a way to display a decent routing table, as this is completely messed up? "[Embarrassed]"

[ August 19, 2004, 01:56 PM: Message edited by: FrankVerheggen ]
Post #: 1
RE: VPN/Network issue - 19.Aug.2004 1:28:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi,

In short, you fixed the VPN problem by isolating the VPN clients to their own network range.
Do you still get the error "ISA Server detected routes through adapter ...." etc.? You shouldn't if you isolated the clients to 10.x.x.x.

Now, what do you see in the monitoring tab when clients connect thru VPN using 10.x.x.x?
Any denied rules denying 10.x.x.x access to certain protocols towards your resource servers?

LexP

(in reply to FrankVerheggen)
Post #: 2
RE: VPN/Network issue - 19.Aug.2004 2:45:00 PM   
FrankVerheggen

 

Posts: 24
Joined: 16.Jun.2004
From: The Netherlands
Status: offline
Thought I solved the freezing part but I did not [Mad].

This is driving me mad. All seems so simple and then ISA starts throwing with IP addresses that do not belong to that particular NIC. Whatever I try I receive this error message from one or more networks...

Could this be a plain hardware issue? This server is a Pentium III 550 MHz with 256 MB memory... is that causing the freezing and as a result ISA will not work???

Frank

[ August 19, 2004, 02:59 PM: Message edited by: FrankVerheggen ]

(in reply to FrankVerheggen)
Post #: 3
RE: VPN/Network issue - 24.Aug.2004 12:59:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Frank,

What do you mean by "freezing"?

Thanks!
Tom

(in reply to FrankVerheggen)
Post #: 4
RE: VPN/Network issue - 24.Aug.2004 5:02:00 PM   
FrankVerheggen

 

Posts: 24
Joined: 16.Jun.2004
From: The Netherlands
Status: offline
The server will stop responding to any input/request until I disconnect the VPN client. Performance Monitor stops recording, Task Manager will not update, etc.

I have created a small test network on my PC using VMware and I cannot reproduce the error. All is working as expected on my test network. Can create VPN connection, can browse network, etc.

The only difference between the 2 networks is that I did not have a network connection on the DMZ adapter when creating the production server (I even used the same IP addresses for the client/server NICs).

Today I removed the complete ISA configuration and rebuilt it from scratch. Same result as before.

There are 2 options now, I guess.
Either my routing tables are somehow messed up due to the fact that the adapter was not connected. So if I can fix them I should be in the clear.

The alternative is rebuilding the complete server.

So if you could find an error in the routing tables above I would be thankful. I did not see any error...

Frank

(in reply to FrankVerheggen)
Post #: 5
RE: VPN/Network issue - 25.Aug.2004 1:41:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Frank,

Could it be that the ISA firewall's VPN interface is registering in DNS and the clients are trying to connect to the ISA firewall using the VPN address instead of the ISA firewall's address?

Thanks!
Tom

(in reply to FrankVerheggen)
Post #: 6
RE: VPN/Network issue - 25.Aug.2004 10:08:00 PM   
FrankVerheggen

 

Posts: 24
Joined: 16.Jun.2004
From: The Netherlands
Status: offline
The client uses the DNS name to connect to the server. However, this DNS name is used internally for another server (split DNS). Is this the problem?

Have to check this tomorrow; I will try to connect using the IP address instead of the DNS name.

Frank

(in reply to FrankVerheggen)
Post #: 7
RE: VPN/Network issue - 26.Aug.2004 4:04:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Frank,

I've seen in several places where if DDNS is enabled, the VPN interface on the ISA firewall is registered. You need to disable this or DDNS. What happens is the Web Proxy and Firewall clients are no longer able to resolve the ISA firewall's name to a correct address and it fails.

HTH,
Tom

(in reply to FrankVerheggen)
Post #: 8
RE: VPN/Network issue - 27.Aug.2004 12:26:00 PM   
FrankVerheggen

 

Posts: 24
Joined: 16.Jun.2004
From: The Netherlands
Status: offline
Damn... too late... Just started to rebuild the server. I will check that DDNS is disabled...

(I checked the settings of the old one in my documentation, DDNS was only enabled on the LAN interface and not on the other).

Frank

(in reply to FrankVerheggen)
Post #: 9
RE: VPN/Network issue - 30.Aug.2004 12:19:00 PM   
FrankVerheggen

 

Posts: 24
Joined: 16.Jun.2004
From: The Netherlands
Status: offline
Rebuilt the server. Same configuration as on my test network and I now get the error on the VPN interface. [Mad]

I disabled DDNS on all interfaces and on the DNS server.

I am starting to think the hardware cannot handle the load and MS ISA is generating errors that do not make any sense. I still do not understand why the server completely freezes. On the server everything stops working till I disconnect the client.

Does anybody have a server with roughly the same specs (Pentium III 550, 256 MB memory) and no problems? I checked the MS site and it seems these are the minimum specs for the server. [Eek!]

Frank

[ August 30, 2004, 02:05 PM: Message edited by: FrankVerheggen ]

(in reply to FrankVerheggen)
Post #: 10
RE: VPN/Network issue - 3.Sep.2004 2:02:00 PM   
tshinder

 

Posts: 47439
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Frank,

It's very odd. What errors do you see in the Event Viewer?

Thanks!
Tom

(in reply to FrankVerheggen)
Post #: 11
RE: VPN/Network issue - 8.Sep.2004 8:46:00 AM   
FrankVerheggen

 

Posts: 24
Joined: 16.Jun.2004
From: The Netherlands
Status: offline
Hi Tom,

The error message I get is Event id 14147:

ISA Server detected routes through adapter "Internal" that do not correlate with the network element to which this adapter belongs. The address ranges in conflict are: 192.168.0.0-192.168.0.249;192.168.0.251-192.168.0.254;192.168.1.0-192.168.255.255;. Fix the network element and/or the routing table to make these ranges consistent; they should be in both or in neither. If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.

However, we decided that the server might be used as a spare for some other old ones. We ordered a new one yesterday. Hope that that will solve the problem.

For some reason I still believe this is a routing table problem but I cannot imagine where to look as all looks OK. The only thing I know that is odd in our configuration is the subnet mask of 255.255.0.0 for the 192.168.x.x range.

Frank

(in reply to FrankVerheggen)
Post #: 12
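The comparison that event 14147 describes (address ranges routed through an adapter should match the ranges of that adapter's network element) can be reproduced offline. This is an added example, not part of any post in this thread and not ISA Server's own logic; the element definition is constructed so that the result matches the ranges quoted in the event, and skipping multicast and reserved routes is an assumption.

```python
import ipaddress

# Rows copied from the first routing table in the thread (dest, mask, gateway, interface, metric).
ROUTE_PRINT = """\
192.168.0.0 255.255.0.0 192.168.0.250 192.168.0.250 20
192.168.0.250 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.250 192.168.0.250 20
224.0.0.0 240.0.0.0 192.168.0.250 192.168.0.250 20
255.255.255.255 255.255.255.255 192.168.0.250 192.168.0.250 1
"""
# Constructed: the thread never shows the "Internal" element's address ranges.
INTERNAL_ELEMENT = [("192.168.0.250", "192.168.0.250"), ("192.168.0.255", "192.168.0.255")]

def routed_ranges(table, nic):
    """(first, last) integer ranges of unicast routes bound to interface `nic`."""
    ranges = []
    for cols in map(str.split, table.splitlines()):
        if len(cols) != 5 or cols[3] != nic:
            continue
        net = ipaddress.ip_network(f"{cols[0]}/{cols[1]}")
        # Assumption: multicast and reserved (limited broadcast) routes are not compared.
        if net.is_multicast or net.is_reserved:
            continue
        ranges.append((int(net.network_address), int(net.broadcast_address)))
    return ranges

def conflicts(routed, element):
    """Ranges of addresses present in exactly one of the two range sets."""
    events = []
    for side, ranges in enumerate((routed, element)):
        for first, last in ranges:
            events += [(first, side, 1), (last + 1, side, -1)]
    events.sort()
    depth, out, start = [0, 0], [], None
    for i, (point, side, delta) in enumerate(events):
        depth[side] += delta
        if i + 1 < len(events) and events[i + 1][0] == point:
            continue  # apply every change at this address before judging it
        mismatch = (depth[0] > 0) != (depth[1] > 0)
        if mismatch and start is None:
            start = point
        elif not mismatch and start is not None:
            out.append((start, point - 1))
            start = None
    return out

def check(table, nic, element):
    ip = ipaddress.ip_address
    elem = [(int(ip(a)), int(ip(b))) for a, b in element]
    return ";".join(f"{ip(a)}-{ip(b)}" for a, b in conflicts(routed_ranges(table, nic), elem))
```

An empty string from `check` means the routing table and the element definition agree for that adapter.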
RE: VPN/Network issue - 9.Sep.2004 3:15:00 PM   
santon

 

Posts: 1
Joined: 9.Sep.2004
Status: offline
I have the same problem as Frank, but not with VPN clients and PPTP but with an IPsec tunnel with another firewall (not ISA).
I have set up the site connector with the other firewall (my ISA 2004 is on Windows 2000) and as far as the other site's administrator tells me the VPN is on. I can ping from my internal network IPs on the other site, but when I run IE to look at some corporate site (which is excluded from caching and is directly accessible from the clients through ISA) the ISA restarts!
Just like that, restarts, no events no nothing..

PIII at 1100 MHz, 512 RAM IBM server, if that matters..

(in reply to FrankVerheggen)
Post #: 13
RE: VPN/Network issue - 10.Sep.2004 4:37:00 PM   
FrankVerheggen

 

Posts: 24
Joined: 16.Jun.2004
From: The Netherlands
Status: offline
Unbelievable. Ordered new server and now I have it working.... [Mad]

Changed the separate range for VPN clients to DHCP assigned. Flushed the routing table (very important as otherwise the errors keep coming back!) and restarted the services. I also had to create some new access policies but now all seems to work as expected...

However I guess running ISA on minimum hardware is not recommended so a new server would have been needed in the future.

(in reply to FrankVerheggen)
Post #: 14
RE: VPN/Network issue - 3.Oct.2004 9:25:00 AM   
SimonYao

 

Posts: 19
Joined: 30.Sep.2004
From: China
Status: offline


I have read the article, and I'm sure that I understand what you say: we can know how to set up the network when we have a network behind a network. But if we have a situation as in the picture, the subnet could not be used. Any suggestion about it?

(in reply to FrankVerheggen)
Post #: 15
