• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

VPN client via ISA to VPN server error 619/628

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> VPN >> VPN client via ISA to VPN server error 619/628 Page: [1] 2   next >   >>
Login
Message << Older Topic   Newer Topic >>
VPN client via ISA to VPN server error 619/628 - 3.Oct.2005 12:02:00 AM   
TimML

 

Posts: 2
Joined: 14.Jan.2004
From: CHCH New Zealand
Status: offline
This is possibly not an ISA Server issue, so if thats the case I apologise up front.

I am trying to establish a VPN connection to a customer site using PPTP on my desktop machine. The desktop is networked to my DC that runs ISA 2004 (and RRAS, IAS, Exchange etc.) then to an ADSL Modem with GRE and port 1723 open both ways.

The ADSL Modem config seems OK as I can plug my laptop into it and get the VPN running bypassing the DC machine with ISA etc.

When I attempt to connect from the dekstop (via DC / ISA) I get error 619 (under XP) = "The port is disconnected". If I try on the ISA machine I get error 628 = "The port was disconnected. These errors occur duing the Validating Username / Password phase.

Under W2K3 dial out, I have tried diagnostics and can't see a single error code being returned anywhere (there is a Reason = 1 and later a Reason = 2)...

Does anyone have any ideas?

VPN has been enabled under ISA System Policies and I have 3 VPN firewall policies listed "Allow VPN Client...", and 2 "Allow VPN site to site " To and From rules. (The VPN system policy now seems to have disappeared if I try to edit it).

Port 1723 also has an Allow rule from Internal to Internet. I can watch via the ISA monitor Initiate on port 1723, open GRE, then close both.

Thanks in advance to anyone that can shed light on this. We know the VPN works by using laptops... The "DC" machine also acts as an 802.11x Radius server via IAS and RRAS - to get that going I had to "comment out" a DLL load reference in the registry... I'll look for it.

- Tim
Post #: 1
RE: VPN client via ISA to VPN server error 619/628 - 3.Oct.2005 8:42:00 AM   
southernit

 

Posts: 6
Joined: 20.Aug.2003
Status: offline
Same problem here - PPTP VPN also works when the client pc is connected directly to the router bypassing ISA 2004.
However testing making a connection to an other PPTP VPN server works (this VPN server is a draytek router). The VPN server to which the connection fails is running Windows 2000 RRAS (no further details known as yet)

Let's hope we can get this sorted as more users seem to have this problem, but so far I have not seen any sollution.

[ October 03, 2005, 09:27 AM: Message edited by: southernit ]

(in reply to TimML)
Post #: 2
RE: VPN client via ISA to VPN server error 619/628 - 4.Oct.2005 12:23:00 PM   
bluezone

 

Posts: 12
Joined: 19.Sep.2005
Status: offline
I'm having the same problem. ISA 2004 on Server 2003 trying to connect through from xp to a windows 2000 server running ISA 2000. No matter what I do, I get a 619 error. Works fine when ISA 2004 server is disconnected. Also installed ISA 2000 on gateway machine for test. It worked. Only the ISA 2004 prevents the VPN connection. Wish someone could answer this one.

Jeff

(in reply to TimML)
Post #: 3
RE: VPN client via ISA to VPN server error 619/628 - 6.Oct.2005 12:17:00 AM   
jdl

 

Posts: 42
Joined: 23.Sep.2005
From: Portugal
Status: offline
Hi
Same problem here
More than 20 ISA 2004 servers installed lots of different hardware/connections /routers XDSL/ADSL/CABLE etc.
Lots of combinations Server 2003 Standard SP1 + ISA 2004 SP1, SBS 2003 SP1 standard + ISA 2004 SP1, SBS Premium Sp1 with ISA 2004 SP1

Most are behind routers with NAT, 1 as a public IP and is Housed in a big ISP and I donÆt believe I can make them change is network hardware.

Some of them have real complex configurations; IÆve no problem with that. Edge, Back, Trihomed and more.

VPNÆs works fine PPTP and L2TP/IPSEC with certificates.

But, and for me itÆs a big one, when behind any of the ISAÆs L2TP pass-through works fine, BUT PPTP pass-through still doing the annoying 619 error.

When put the client in front the local ISA I connect to the remote ISA with no problem

When behind the local ISA I can see
Destination IP Port- 1723 Protocol- PPTP Initiated con Rule
Destination IP Port- 0 Protocol- PPTP Initiated con Rule
Destination IP Port- 1723 Protocol- PPTP Closed con Rule

On Remote ISA I see
Destination IP Port- 1723 Protocol- PPTP Initiated con Rule Allow VPN Client Traffic to ISA Server

Destination IP Port- 0 Protocol- PPTP Initiated con Rule Allow VPN Client Traffic to ISA Server

Destination IP Port- 1723 Protocol- PPTP Closed con Rule Allow VPN Client Traffic to ISA Server

All in the same second

On remote ISA on Routing and Remote Server the Wan miniports PPTP stand inactive

Tom, you hare my last hope on that, please help

(in reply to TimML)
Post #: 4
RE: VPN client via ISA to VPN server error 619/628 - 9.Oct.2005 1:04:00 AM   
apoc_nz

 

Posts: 1
Joined: 9.Oct.2005
From: Auckland, New Zealand
Status: offline
Same problem here also,

619 from client
628 from ISA server.

Havn't tried bypassing ISA yet, but by
the sounds of it, its the same issue.

Only change in setup lately is switching
from a DSL-Router(Static IP) -> ISA -> Network
to Wireless(Static IP on NIC) ISA - > Network

Any ideas ? I'm getting the bash cos people cant
connect to customer VPN's [Frown]

(in reply to TimML)
Post #: 5
RE: VPN client via ISA to VPN server error 619/628 - 9.Oct.2005 6:20:00 PM   
longman

 

Posts: 50
Joined: 7.Feb.2005
Status: offline
Are the workstations configured as securnat clients?

(in reply to TimML)
Post #: 6
RE: VPN client via ISA to VPN server error 619/628 - 10.Oct.2005 10:54:00 AM   
hgerrit

 

Posts: 16
Joined: 20.Jan.2005
Status: offline
Got the same issue over here
Also tested the machines with SecureNAT
No result

When I run a net stop fweng on the ISA server, I can establish a PPTP from my workstation
Als a PPTP connection from the ISA server to the PPTP server isn't possible

I've came across several people who have the exact same problem.

So hope to hear a solutions soon.

Regards

(in reply to TimML)
Post #: 7
RE: VPN client via ISA to VPN server error 619/628 - 10.Oct.2005 6:22:00 PM   
achurba

 

Posts: 9
Joined: 27.Sep.2005
From: Ft. Lauderdale, FL
Status: offline
The problem being described is related to NAT or in this case double NAT (replacing the source address twice). We had many problems allowing single IP NAT and PPTP VPN passing through a Check Point. The only solution for us was to use a static NAT for the client computer needing the PPTP outbound connection (a waste of an IP address). This of course is not desirable or usually impossible in the DSL environment (due to the lack of IP addresses) with a RFC1918 address space ISA Public NIC. We never found a solution to this double NAT problem and would be very interested in seeing a true working solution.

A possible workaround:
I don't know if the DSL router can pass through the public DSL address to the ISA Public NIC thereby eliminating the RFC1918 address. I did a pass through in a BellSouth environment and it worked using ISA 2004 and a Wiltel router under the User Configuration tab. The server needed to do the PPPoE verses the router.

Interesting reading:
Microsoft Knowledge Base article 885407
Publishing VPN Protocols in ISA Server
If you installed the support tools (C:\Program Files\Support Tools) you should have executables called pptpclnt.exe & pptpsrv.exe that might help too.

Hope it helps.

(in reply to TimML)
Post #: 8
RE: VPN client via ISA to VPN server error 619/628 - 10.Oct.2005 7:32:00 PM   
rallydriver

 

Posts: 3
Joined: 10.Oct.2005
Status: offline
Having the same problem as you guys although it was working OK before I put all the SBS 2003 service packs on including ISA 2004 SP1

Any ideas would be appreciated

Mark

(in reply to TimML)
Post #: 9
RE: VPN client via ISA to VPN server error 619/628 - 13.Oct.2005 6:44:00 PM   
Guest
Same problem.
Windows Server 2003 SP1, ISA Server 2004 SP1.

VPN server: Windows 2000 SP4, ISA Server 2000 SP2.

Error: 619 when "verifying user name and password"

Anybody found how to resolve this problem?

(in reply to TimML)
  Post #: 10
RE: VPN client via ISA to VPN server error 619/628 - 15.Oct.2005 1:57:00 PM   
jdl

 

Posts: 42
Joined: 23.Sep.2005
From: Portugal
Status: offline
quote:
Originally posted by AlbertC:
The problem being described is related to NAT or in this case double NAT (replacing the source address twice). We had many problems allowing single IP NAT and PPTP VPN passing through a Check Point. The only solution for us was to use a static NAT for the client computer needing the PPTP outbound connection (a waste of an IP address). This of course is not desirable or usually impossible in the DSL environment (due to the lack of IP addresses) with a RFC1918 address space ISA Public NIC. We never found a solution to this double NAT problem and would be very interested in seeing a true working solution.

A possible workaround:
I don't know if the DSL router can pass through the public DSL address to the ISA Public NIC thereby eliminating the RFC1918 address. I did a pass through in a BellSouth environment and it worked using ISA 2004 and a Wiltel router under the User Configuration tab. The server needed to do the PPPoE verses the router.

Interesting reading:
Microsoft Knowledge Base article 885407
Publishing VPN Protocols in ISA Server
If you installed the support tools (C:\Program Files\Support Tools) you should have executables called pptpclnt.exe & pptpsrv.exe that might help too.

Hope it helps.

Albert, 1 of my ISA servers as a public IP so there is no NAT on that case.
I have no problem in server publication; IÆm working with PPTP and L2TP/IPSEC with certificates and no problem.

The problem is PPTP VPN when

Client----ISA----Internet--------ISA<-VPN Server

No Problem in PPTP VPN when

Client---NAT---Internet---NAT---ISA<-VPN Server

No problem in L2TP/IPSEC VPN in any configuration.

Regards

(in reply to TimML)
Post #: 11
RE: VPN client via ISA to VPN server error 619/628 - 20.Oct.2005 3:41:00 AM   
jdl

 

Posts: 42
Joined: 23.Sep.2005
From: Portugal
Status: offline
updates?

(in reply to TimML)
Post #: 12
RE: VPN client via ISA to VPN server error 619/628 - 11.Nov.2005 11:01:18 PM   
jdl

 

Posts: 42
Joined: 23.Sep.2005
From: Portugal
Status: offline
Updates?

(in reply to jdl)
Post #: 13
RE: VPN client via ISA to VPN server error 619/628 - 21.Dec.2005 11:42:07 PM   
ishloss

 

Posts: 3
Joined: 21.Dec.2005
Status: offline
Looks like this is a dead issue, but I am having the problem too.  Anybody get this working?

(in reply to TimML)
Post #: 14
RE: VPN client via ISA to VPN server error 619/628 - 26.Apr.2007 12:05:23 AM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
Dragging up this old thread as it seems to explain the problem the best and I am having this exact issue.

I can plug in directly to the NAT Router and intiate a PPTP VPN connection to the remote server, even if there is another NAT router before the ADSL connection.

Trying to connect to a VPN server running ISA 2004 that is also behind a NAT router (but as mentioned it works fine if I bypass our ISA server on the way out).

Have tried everything, even tried creating a client VPN connection from the ISA server itself and I get the same problems as detailed above.

Has there been any more information on this?  ISA server is supposed to be as good as anything yet there seem to be an awful lot of people that still have problems with outbound VPN connections.

< Message edited by Money Penney -- 26.Apr.2007 12:06:36 AM >

(in reply to ishloss)
Post #: 15
RE: VPN client via ISA to VPN server error 619/628 - 15.May2007 4:25:43 AM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
Well it seems that ISA does not play well with other NAT devices.  While I can chain NAT devices together and have no problems, as soon as ISA is introduced it all breaks down.

I have tried connecting a broadband modem directly to the server and using PPPoE client on the server and I have no problems with PPTP connections.  I am unsure why ISA has this problem, or why there is more knowledge about it?  Maybe it's only a problem for some configurations?  I am sure that Tom has mentioned in an article somewhere that having a NAT device connected to ISA is a good idea?

I have Microsoft looking into the problem for me now.  Hopefully they will have something for me.

I am unable to leave the connection like this as I have two Internet connections with a fail-over and load sharing NAT router.  Changing it all to routed instead of NAT is something I am considering but not sure where to start or if the hardware supports it.

(in reply to Money Penney)
Post #: 16
RE: VPN client via ISA to VPN server error 619/628 - 11.Jun.2007 8:10:56 PM   
jdl

 

Posts: 42
Joined: 23.Sep.2005
From: Portugal
Status: offline
Hi
update
since ISA 2004 SP3 I can connect passthrough the ISA server 50% of the times

the other 50% i still have to plug the cliente directly on the NAT ADSL router

Also have 1 configuration with


cliente - ISA - NAT router 2 wan ports in load balancing -
WAN1 ADSL NAT router - WAN2 NAT ROUTER connected to Cable modem

and off course all the other configurations Ive been talking about in these years

regards



(in reply to Money Penney)
Post #: 17
RE: VPN client via ISA to VPN server error 619/628 - 11.Jun.2007 8:30:16 PM   
Money Penney

 

Posts: 132
Joined: 18.Sep.2002
From: Melbourne
Status: offline
Have you spoken to the router vendors?  The makers of mine (Billion) where brilliant in taking on the problem and releasing a firmware to resolve the issue for me.

It was basically the NAT router not doing the right thing with the PPTP packets, ISA is very fussy about this and just dropped the connections.  I sent packet traces to Microsoft and they worked this out for me, armed with this info it was easier to get the manufacturer to help.

(in reply to jdl)
Post #: 18
RE: VPN client via ISA to VPN server error 619/628 - 11.Jun.2007 8:46:43 PM   
bwhansen

 

Posts: 1
Joined: 5.Jun.2007
Status: offline
Hi Monney Penny,

This may seem like a silly question, but... How do I run a packet trace?  I'm also having the exact same problems, and have tried everything!

Thank you,
Brody.

(in reply to Money Penney)
Post #: 19
RE: VPN client via ISA to VPN server error 619/628 - 12.Sep.2007 5:16:51 PM   
dferrett

 

Posts: 6
Joined: 10.Sep.2007
Status: offline
Hi Money Penney,

Can you supply details around Billion router and firmware? I have the same problem using Billion bipac 7402L, running 5.07 software. Or is there anything I can do with the config of the billion to fix the PPTP outbound issue?

Thanks
Dave

(in reply to Money Penney)
Post #: 20

Page:   [1] 2   next >   >> << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 Firewall] >> VPN >> VPN client via ISA to VPN server error 619/628 Page: [1] 2   next >   >>
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts