VPN Site To Site problems
VPN Site To Site problems - 30.Jun.2008 7:26:47 AM
4Fred
Posts: 4
Joined: 7.Feb.2007
Status: offline
VPN Site To Site problems.

What I need help with is troubleshooting a site-to-site connection between ISA Server 2006 Standard Edition and a Cisco Pix 506. Below is more info.

For a few months there has been a site-to-site connection using ISA Server 2006 Standard Edition and a Cisco PIX 506. This connection has worked flawlessly the whole time until Thursday last week. Now it drops the VPN connection for a few minutes, then it comes back up for a few minutes and then dies again. This has been going on since Thursday last week.

No changes have been made to the ISA server or any other communication thingies here, almost everyone is on vacation. I haven’t set the ISA server up or done any configuration to it, I have very basic knowledge of ISA server. Since people are on vacation I at least have to try to look into it, and maybe learn a thing or two along the way.

ISA Server is set up as an Edge firewall, LAN is connected to one NIC, Internet to the other. We are connected to the internet using a cable modem (satellite office containing the ISA Server, a DC and an application/fileserver).

I have just made some very basic testing. I can ping and access the internet at all times, no connection problems, even if the VPN is down. There are no alerts in ISA Server or in Windows Event logs. Everything is reported to be working great, but it’s not.

The guy at the other side of the tunnel has gone through the Pix config and finds nothing wrong and no problems with the configuration. He believes it’s the ISA at this end that is the problem, I believe it’s the Pix at the other end.

How do I troubleshoot this issue? How do I search the logs to find information about what could be the problem?

Here is the Site-to-site summary of the VPN connection:

Local Tunnel Endpoint: [ISA external IP]
Remote Tunnel Endpoint: [Pix external IP]

To allow HTTP proxy or NAT traffic to the remote site, the remote site configuration must contain the local site tunnel end-point IP address.

IKE Phase I Parameters:
    Mode: Main mode
    Encryption: 3DES
    Integrity: SHA1
    Diffie-Hellman group: Group 2 (1024 bit)
    Authentication Method: Pre-shared secret (OurPresharedKey)
    Security Association Lifetime: 86400 seconds

IKE Phase II Parameters:
    Mode: ESP tunnel mode
    Encryption: 3DES
    Integrity: SHA1
    Perfect Forward Secrecy: ON
    Diffie-Hellman group: Group 2 (1024 bit)
    Time Rekeying: ON
    Security Association Lifetime: 86400 seconds
    Kbyte Rekeying: OFF

Remote Network 'SiteName' IP Subnets:
    Subnet: 192.168.167.0/255.255.255.0

Local Network 'Internal' IP Subnets:
    Subnet: 192.168.168.0/255.255.255.0

Routable Local IP Addresses:
    Subnet: 192.168.168.0/255.255.255.0
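A parameter-by-parameter comparison of the two tunnel endpoints, as an added example that is not part of the original post: it parses the IKE section of the ISA summary above and lists every value that differs on the peer. The `PEER` values are constructed (the thread never shows the PIX configuration), and `normalize`, `parse_summary` and `diff_peers` are hypothetical helper names.

```python
import re
# IKE parameters from the ISA summary posted above, one per line.
ISA_SUMMARY = """\
IKE Phase I Parameters:
Mode: Main mode
Encryption: 3DES
Integrity: SHA1
Diffie-Hellman group: Group 2 (1024 bit)
Authentication Method: Pre-shared secret (OurPresharedKey)
Security Association Lifetime: 86400 seconds
IKE Phase II Parameters:
Mode: ESP tunnel mode
Encryption: 3DES
Integrity: SHA1
Perfect Forward Secrecy: ON
Diffie-Hellman group: Group 2 (1024 bit)
Time Rekeying: ON
Security Association Lifetime: 86400 seconds
Kbyte Rekeying: OFF
"""

def normalize(value):
    # "Group 2 (1024 bit)" -> "group 2"; also drops the pre-shared key in parentheses.
    return re.sub(r"\s*\(.*?\)", "", value).strip().lower()

def parse_summary(text):
    """Return {"Phase I": {...}, "Phase II": {...}} with normalized values."""
    params, section = {}, None
    for line in text.splitlines():
        header = re.fullmatch(r"IKE (Phase I{1,2}) Parameters:", line.strip())
        if header:
            section = header.group(1)
        elif section and ": " in line:
            key, value = line.split(": ", 1)
            params.setdefault(section, {})[key.strip()] = normalize(value)
    return params

def diff_peers(local, peer):
    """Return (section, key, local_value, peer_value) for each mismatch."""
    found = []
    for section in sorted(set(local) | set(peer)):
        mine, theirs = local.get(section, {}), peer.get(section, {})
        for key in sorted(set(mine) | set(theirs)):
            if mine.get(key) != theirs.get(key):
                found.append((section, key, mine.get(key), theirs.get(key)))
    return found

# Constructed peer (the thread does not show the PIX config): shorter Phase II lifetime.
PEER = parse_summary(ISA_SUMMARY.replace("86400 seconds\nKbyte", "28800 seconds\nKbyte"))
```

Calling `diff_peers(parse_summary(ISA_SUMMARY), PEER)` returns one row per mismatched parameter; the pre-shared key is stripped during parsing, so the result can be shared with the other site's admin without exposing it.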
RE: VPN Site To Site problems - 30.Jun.2008 9:15:00 AM
paulo.oliveira
Posts: 919
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi, you said that nothing has changed on your side, and how about the other side? Check if the other endpoint guy made some change on the PIX.

Regards,
Paulo Oliveira.
RE: VPN Site To Site problems - 30.Jun.2008 4:34:44 PM
4Fred
Posts: 4
Joined: 7.Feb.2007
Status: offline
I asked him and he said nothing has changed. He even restored a 14-day-old config and still the same problem. This is strange.
RE: VPN Site To Site problems - 30.Jun.2008 5:32:10 PM
paulo.oliveira
Posts: 919
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi, is your bandwidth overloaded? Try to monitor the ISA logs in real time, I mean, before the problem starts, and go on until it's "done".

Regards,
Paulo Oliveira.
RE: VPN Site To Site problems - 1.Jul.2008 7:14:23 PM
4Fred
Posts: 4
Joined: 7.Feb.2007
Status: offline
Went through just about everything, looking at logs and reading KBs till my eyes bled, still nothing. So tonight I shut down everything at this location and monitored the logs live as suggested, still nothing useful.

So me and the "pix-admin" went through the configuration again at both ends and still found nothing. We exported the configuration and backed everything up. Then cleaned out the configuration at both ends and re-created the configuration manually according to the exported data.

The site-to-site connection has been up for over an hour and no dips or anything. So things seem to be working okay again. Since we did this at both ends we can’t say where the problem was, but as far as I can tell problem solved.

Thank you so much for your time and help!
RE: VPN Site To Site problems - 2.Jul.2008 7:38:38 AM
paulo.oliveira
Posts: 919
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi, glad you solved your problem. Thanks for sharing it with us!

Regards,
Paulo Oliveira.
RE: VPN Site To Site problems - 3.Jul.2008 4:39:32 PM
4Fred
Posts: 4
Joined: 7.Feb.2007
Status: offline
If we had only had ISA SP1 and the cool feature "ISA Server Configuration Changes" I could have shoved the logfile in the "pix-admin's" face that nothing was changed over here... but oh well, next time I guess :) I'll have the admins install ISA SP1 asap when they get back to work.

Have a great summer!