Windows XP Pro Service pack 2 fails to connect to ISA 2004 VPN

Windows XP Pro Service pack 2 fails to connect to ISA 2... - 18.Aug.2004 12:02:00 PM   
Howto

 

Posts: 17
Joined: 8.Nov.2001
Status: offline
After upgrading a Windows XP Pro machine (with SP1 and the NAT-T update installed) to SP2, I am not able to establish an L2TP/IPSec connection to ISA 2004 anymore. Before SP2 everything worked fine. Error message: The remote computer did not respond. Which is weird because other clients can still connect to the ISA VPN.

If I check the event logs, I see the following failure audit in the security log:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 8/18/2004
Time: 11:54:19 AM
User: NT AUTHORITY\NETWORK SERVICE
Computer: HOME
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 10.0.0.5
Source IP Address Mask 255.255.255.255
Destination IP Address 12.12.12.1
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 10.0.0.5
IKE Peer Addr 12.12.12.1

Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject CN=HOME.home.local
My SHA Thumbprint c0e7e8bfa13c439b751ec412366789087cebffd5
Peer IP Address: 12.12.12.1

Failure Point:
Me

Failure Reason:
New policy invalidated SAs formed with old policy

Extra Status:
0x0 0x0

Anybody got any ideas?
Post #: 1
RE: Windows XP Pro Service pack 2 fails to connect to I... - 18.Aug.2004 1:41:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Howto,

Where is the XP client?

Where is the ISA firewall?

Where is the VPN server?

What lies between them?

Thanks!
Tom

(in reply to Howto)
Post #: 2
RE: Windows XP Pro Service pack 2 fails to connect to I... - 20.Aug.2004 9:44:00 AM   
Howto

 

Posts: 17
Joined: 8.Nov.2001
Status: offline
ISA Firewall acts as VPN and is behind a CheckPoint firewall.
XP client is connected to the Internet using a router (tried it first behind a NAT device).

Thus:

XP <-> Router <-> Internet <-> CheckPoint <-> ISA <-> LAN

Note: Windows XP clients with SP1 and the NAT-T update can still connect. Only clients with SP2 can't.

(in reply to Howto)
Post #: 3
RE: Windows XP Pro Service pack 2 fails to connect to I... - 20.Aug.2004 1:20:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Howto,

Please write to me privately and I can give you the fix today. Next week I can give a public solution.

Thanks!
Tom

(in reply to Howto)
Post #: 4
RE: Windows XP Pro Service pack 2 fails to connect to I... - 31.Aug.2004 9:31:00 AM   
Danjay

 

Posts: 2
Joined: 30.Aug.2004
Status: offline
I am currently experiencing a similar issue, but connecting from a Server 2003 box. I am trying to connect from a perimeter network, so it is not going through a firewall. The ISA Server is another Win 2003 Std server with ISA 2004. Any help would be appreciated.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 547
Date: 31/08/2004
Time: 5:05:35 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: xxx-xxx
Description:
IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Filter:
Source IP Address 172.16.x.x
Source IP Address Mask 255.255.255.255
Destination IP Address 172.16.x.x
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 172.16.x.x
IKE Peer Addr 172.16.x.x
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr

Peer Identity:
Certificate based Identity.
Peer Subject
Peer SHA Thumbprint 0000000000000000000000000000000000000000
Peer Issuing Certificate Authority
Root Certificate Authority
My Subject CN=xxxxx.xxxxx.COM.AU
My SHA Thumbprint 44764e4495ad95eec5e36bb5ed59c7918de5a08f
Peer IP Address: 172.16.x.x

Failure Point:
Me

Failure Reason:
General processing error

Extra Status:
Processed second (KE) payload
Initiator. Delta Time 0
0x80092004 0x0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

(in reply to Howto)
Post #: 5
RE: Windows XP Pro Service pack 2 fails to connect to I... - 1.Sep.2004 4:29:00 AM   
tdawson

 

Posts: 1
Joined: 1.Sep.2004
From: Melbourne, Australia
Status: offline
Hi, I have also encountered exactly the same issue using ISA 2000 and XP SP2.

The remote XP Client is using a NAT-T connection through a wireless router.

XP SP2 - Router - Internet - Router - ISA/VPN - LAN

The ISA server is behind a router and it is acting as the VPN server

Previously worked fine using XP SP1 with the NAT-T update.

Any info appreciated!

Tim

IKE security association negotiation failed
Mode:
Key Exchange Mode (Main Mode)

--- edited

Failure Point:
Me

Failure Reason:
New policy invalidated SAs formed with old policy

Extra Status:
0x0 0x0

(in reply to Howto)
Post #: 6
RE: Windows XP Pro Service pack 2 fails to connect to I... - 1.Sep.2004 8:15:00 AM   
Danjay

 

Posts: 2
Joined: 30.Aug.2004
Status: offline
Please ignore my comments above... I managed to fix the issue by using a Pre-Shared Key on the ISA Server and the client. This might be a fix for everyone else; if it is, please let me know.

(in reply to Howto)
Post #: 7
RE: Windows XP Pro Service pack 2 fails to connect to I... - 1.Sep.2004 8:43:00 AM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Danjay,

Cheap wireless router probably fragmented the certificate exchange connection. That's what broke it, the ISA firewall works great with certificates and L2TP/IPSec and IPSec tunnel mode when working with good quality network components in front of it.

HTH,
Tom

(in reply to Howto)
Post #: 8
RE: Windows XP Pro Service pack 2 fails to connect to I... - 20.Sep.2004 7:36:00 PM   
sparhawk

 

Posts: 1
Joined: 20.Sep.2004
Status: offline
I work for Texas A&M and am going to have the same problem very soon, with a lot of student computers trying to connect to our VPN network that will have problems with the SP2 issue.

I tried to contact you privately but was unable to find a way to do that (I probably looked right at it and didn't see it).

If there is any way that you could tell me a fix, even if temporary, for this problem I would greatly appreciate it.

Thanks

(in reply to Howto)
Post #: 9
RE: Windows XP Pro Service pack 2 fails to connect to I... - 20.Nov.2004 5:31:00 AM   
erickufrin

 

Posts: 58
Joined: 15.Apr.2003
From: Milwaukee, WI
Status: offline
I am having this same issue. I am using a Cisco PIX firewall as my front-end firewall and ISA 2004 as my back-end. I have the PIX set up to allow inbound UDP 1701, 500 and 4500 to the external interface of the ISA.

I would appreciate any help I can get. I am also working with Cisco support (I started a TAC case) and they are saying it should work by passing through those ports. I am getting a:

New policy invalidated SAs formed with old policy

error in my security log on the client. I am able to connect just fine when inside the PIX. The PIX MUST be doing something to the traffic.

Any body got any ideas?

Thanks

Eric Kufrin

(in reply to Howto)
Post #: 10
RE: Windows XP Pro Service pack 2 fails to connect to I... - 20.Nov.2004 5:22:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
The default behavior of IPSec NAT traversal (NAT-T) is changed in Windows XP Service Pack 2

This article has the registry key you'll need for the clients.

(in reply to Howto)
Post #: 11
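As an added illustration of the triage this thread converges on (not code from the original posts or from ISAserver.org): a small parser for the Event ID 547 failure audit quoted above, mapping the two failure signatures seen in the thread to the likely cause. The registry location and value below are taken from Microsoft KB 885407 as I understand it, not from this page; the sample event text is constructed from the excerpt Howto and tdawson posted.

```python
# Constructed sample, trimmed the way tdawson trimmed his event (not a real capture).
SAMPLE_547 = """IKE security association negotiation failed.
Mode:
Key Exchange Mode (Main Mode)

Failure Point:
Me

Failure Reason:
New policy invalidated SAs formed with old policy

Extra Status:
0x0 0x0
"""

# From KB 885407 (assumed, not on this page): DWORD under the IPSec service key.
# 0 = SP2 default (no NAT-T to a server behind NAT), 1 = server behind NAT,
# 2 = both client and server behind NAT.
NATT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\IPSec"
NATT_VALUE = "AssumeUDPEncapsulationContextOnSendRule"


def parse_547(text):
    """Split the event description into its 'Label:' sections."""
    fields, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):            # section header such as "Failure Reason:"
            current = line[:-1]
            fields[current] = ""
        elif current is not None:         # body line(s) belonging to that section
            fields[current] = (fields[current] + " " + line).strip()
    return fields


def triage(text, server_behind_nat):
    """Return (category, hint) for the failure reason in an Event 547 body."""
    f = parse_547(text)
    reason = f.get("Failure Reason", "")
    extra = f.get("Extra Status", "")
    if "invalidated SAs formed with old policy" in reason and server_behind_nat:
        hint = f"XP SP2 NAT-T default: set {NATT_KEY}\\{NATT_VALUE} (DWORD) per KB 885407"
        return "natt-default", hint
    if "0x80092004" in extra:            # CRYPT_E_NOT_FOUND: certificate lookup failed
        return "certificate", "check the machine certificate chain on client and ISA"
    return "unknown", reason or "no failure reason parsed"
```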
RE: Windows XP Pro Service pack 2 fails to connect to I... - 20.Nov.2004 7:41:00 PM   
erickufrin

 

Posts: 58
Joined: 15.Apr.2003
From: Milwaukee, WI
Status: offline
Wow. I can't believe that isn't an option in the VPN connection on the client.

Thanks for the link. I spent 2 weeks trying to figure this one out. The event log messages don't give you any clue as to what's actually wrong. MS should change the default back.

I'll bet a lot of people are trying to do this...

Eric Kufrin

(in reply to Howto)
Post #: 12
RE: Windows XP Pro Service pack 2 fails to connect to I... - 20.Nov.2004 9:05:00 PM   
tshinder

 

Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Eric,

Do you think we need an article about this on www.isaserver.org?

Thanks!
Tom

(in reply to Howto)
Post #: 13
RE: Windows XP Pro Service pack 2 fails to connect to I... - 21.Nov.2004 12:41:00 AM   
erickufrin

 

Posts: 58
Joined: 15.Apr.2003
From: Milwaukee, WI
Status: offline
Hey Tom,

Yes, I do think it would be a good article, seeing as most organizations already have some sort of packet filtering device in place, such as a PIX. An article would make it much easier to set up.

I found by googling around that there were plenty of people wanting to do the same thing and having the same problem.

I spent so much time messing around just because MS changed NAT-T between XP SP1 and SP2.

Thanks,

Eric Kufrin

(in reply to Howto)
Post #: 14
RE: Windows XP Pro Service pack 2 fails to connect to I... - 30.Mar.2005 9:11:00 AM   
TechFan

 

Posts: 19
Joined: 9.Dec.2004
Status: offline
Tried applying this reg entry and still 721 error for me... ugh.

(in reply to Howto)
Post #: 15
RE: Windows XP Pro Service pack 2 fails to connect to I... - 31.Mar.2005 10:43:00 PM   
erickufrin

 

Posts: 58
Joined: 15.Apr.2003
From: Milwaukee, WI
Status: offline
If the registry change did not help you then that is not your problem. There must be a configuration issue somewhere else.

Are you using certificates on the client machine? And what type? Is your certificate server a 2K3 box?

Also can you confirm what you are forwarding from your NAT device to the external interface on the ISA? Should be UDP 500, 4500 only.

Does the VPN client connect when placed on the same segment as the ISA server external interface?

Eric Kufrin

(in reply to Howto)
Post #: 16
RE: Windows XP Pro Service pack 2 fails to connect to I... - 1.Apr.2005 2:14:00 AM   
TechFan

 

Posts: 19
Joined: 9.Dec.2004
Status: offline
I am actually testing with PPTP to get things working first and I am still getting this error.

The forwarding is correct. I actually just set it to forward all ports below 65000. Basically, it seems like people have been using routers outside their ISA boxes to allow port forwarding... is that not necessary?

It seems like it is actually the router... I put another client on the same subnet as the external ISA interface and it connects no problem.

How would I describe this problem to Hawking? I really would like to continue to be able to use our dual WAN router for internet sharing... but at this point VPN is more important. Is there a link or a technical description that I can point to where they are doing something incorrectly?

(in reply to Howto)
Post #: 17
RE: Windows XP Pro Service pack 2 fails to connect to I... - 2.May2005 12:43:00 PM   
Or Tsemah

 

Posts: 6
Joined: 2.May2005
From: Israel
Status: offline
I have the same issue.

I could access the ISA 2004 VPN with my home WinXP SP2 for some time, but all of a sudden I can't.

But I can access the VPN using a Win2000 server in our DMZ.

I can access with WinXP SP2 only after an ISA server restart.

(in reply to Howto)
Post #: 18