Welcome to ISAserver.org


Weird Site-to-Site VPN Issues

Weird Site-to-Site VPN Issues - 8.Jul.2005 10:56:00 PM   
markgarcia

 

I have a really strange situation occurring. I have two different VPN tunnels to two different partner companies; I'll call them EAST and WEST. We have a server that initiates the tunnels to EAST and WEST. The server has two NICs, each with its own IP address: WEST (172.16.30.10/24) and EAST (172.16.31.10/24).

These tunnels were originally set up on our corporate ISA server, which I'll call CORP. One connection is to a Nortel VPN concentrator, the other to a Sonicwall multi-purpose device. In the original configuration the EAST VPN was consistent, meaning it never went down, was never slow, etc. The WEST VPN was inconsistent, meaning it was up and down, to the point that it was down more than up. We were so uncertain about hardware compatibilities that we tried a different device at the WEST location, to no avail. In addition, we began to see some stability issues with CORP. As a result, we decided to move the VPN connections to a second ISA 2004 server, which I'll call PROJ.

When I first moved the site-to-site VPNs to PROJ, neither worked. After some troubleshooting, we decided that there were some inconsistencies with the build, namely that the server was running W2K3 SP1 with a slew of additional fixes. After rebuilding, I was able to get the site-to-site to WEST working with little issue. The VPN to EAST would not come up. After working with the admin at EAST, he told me that he was receiving errors that pointed to a mismatched configuration. Looking at the Security Event log, I see error 547 over and over again. The interesting thing is that the source IP and subnet mask are different than those of the client initiating the tunnel: the IP address is 172.16.31.10/24 and the error log reports 172.16.31.8/29.

I went round and round with this, but because it had to be up by Monday, I punted and put it back on CORP. I left the VPN to WEST on PROJ as it was working already. The VPN to EAST came up immediately and has not been down since. The VPN to WEST was up when I moved the connection to EAST but later on went down. Looking at the logs, I now see 547 errors, but this time coming from the subnet of WEST. The problem had migrated from EAST to WEST. I am at a loss as to why it is not working. I am not a newbie, but really feel like one at this point. Anyone have any ideas?