VPN Server routing and mail delivery problem

nathan -> VPN Server routing and mail delivery problem (4.Jul.2002 6:12:00 AM)

Hi,

We have remote sites that don't have a backup link. So, we installed RRAS and PPTP on the remote sites' server so it could connect to our VPN server (ISA/RRAS) and then the rest of the remote network connects through the server and they continue to work as if nothing has happened.

There is a little manual labour required if the link goes down but that is OK.

The problem is that after we create the VPN server connection using the "Set Up Local ISA VPN Server" Wizard, our Internet email seems to stop working.

I can only guess, as I am no network wizard, that it is looping looking for the right place to go. A kind of routing problem.

We are using the SMTP filter and IIS SMTP (on a different machine which is published) to forward mail to our Domino server which in turn delivers the mail to the right person.

Why does the mail stop being delivered when the interfaces are created in RRAS?

TIA

Nathan Simpson
nathan@awh.com.au




tshinder -> RE: VPN Server routing and mail delivery problem (4.Jul.2002 4:46:00 PM)

Hi Nathan,

That is indeed very strange that SMTP should stop working after RRAS is started. Could it be that you're running a DDNS and somehow an errant address was added to the DDNS? Check it out.

If that happened to me, I would run Network Monitor on the ISA Server interfaces and also at the mail server. Then I would send an email from an external network client, and observe the traffic pattern.

Another thing to check is the packet filter and Firewall service logs. If you turn on Rule#1 and Rule#2 for the Firewall service log, you will see what rule denied the request, if indeed the request was actually denied.

HTH,
Tom




nathan -> RE: VPN Server routing and mail delivery problem (5.Jul.2002 12:17:00 AM)

Tom,

I may not have described the situation correctly.

RRAS was already running on our ISA Server and has been running successfully for quite some time.

VPN works fine without any problems.

We have a site that uses the 192.168.60.x address range. They connect to us via our FrameRelay WAN.

If that site goes down I want them to connect to us using VPN. We connect a modem to the server and dialup to VPN server and network is back on-line.

If I create a VPN connection using the 'Set Up Local ISA VPN Server' wizard and use the addresses 192.68.60.1 - 192.168.60.254 in the wizard so it can create the Static Routes in RRAS could this cause conflicts?

Even when the site isn't down I wanted to have these interfaces created in RRAS and have them disabled so they could just be enabled if it was necessary to use them.

So problems are arising when the backup VPN interface is enabled or disabled.

I hope that explains it a little better.

Nathan
nathan@awh.com.au




tshinder -> RE: VPN Server routing and mail delivery problem (7.Jul.2002 8:28:00 PM)

Hi Nathan,

Why do you need to add a modem to the ISA Server to accept VPN connections? You should be able to accept VPN connections on the existing internet connection.

Thanks!

Tom




nathan -> RE: VPN Server routing and mail delivery problem (8.Jul.2002 12:13:00 AM)

Tom,

The modem is connected to the Remote NT Server and it connects to the ISA Server through the Internet.

The connection is made but then mail seems to stop being delivered.

Thanks,

Nathan




tshinder -> RE: VPN Server routing and mail delivery problem (10.Jul.2002 8:12:00 PM)

Hi Nathan,

OK, that makes sense. But could you possibly use another machine to attach the modem to? I can see how dynamically adding a new interface and routing table entry to the ISA Server (whenever the modem answers a call) might cause some interesting things, esp. when you already have an external interface.

Not that this can't work. I just don't have the facilities to test out this kind of connection, so I can't give you any cogent details on what the problems might be and how to fix them, other than recommending that you separate the services.

HTH,
Tom
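The routing-table concern raised in the last reply can be checked by comparing which route wins for a given host before and after the backup interface is enabled. This is an added example, not part of the thread; the tables, addresses, metrics and interface names below are constructed for illustration.

```python
import ipaddress

# Constructed sample tables: (prefix, gateway, interface, metric)
BEFORE = [
    ("0.0.0.0/0", "203.0.113.1", "external", 1),
    ("10.0.0.0/24", "10.0.0.1", "internal", 1),
    ("192.168.60.0/24", "10.0.0.254", "internal", 10),   # remote site via WAN router
]
# Same table with a static route for the backup VPN interface added
AFTER = BEFORE + [("192.168.60.0/24", "192.168.60.1", "vpn-backup", 1)]
# Constructed hosts: mail server, remote-site client, external mail sender
HOSTS = ["10.0.0.25", "192.168.60.10", "198.51.100.7"]

def parse(table):
    """Convert the prefix strings into network objects."""
    return [(ipaddress.ip_network(p), gw, ifc, metric) for p, gw, ifc, metric in table]

def best_route(routes, host):
    """Longest-prefix match first, then lowest metric."""
    addr = ipaddress.ip_address(host)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r[0].prefixlen, r[3]))

def changed_paths(before, after, hosts):
    """Return hosts whose outgoing interface differs between the two tables."""
    b, a = parse(before), parse(after)
    changed = {}
    for h in hosts:
        rb, ra = best_route(b, h), best_route(a, h)
        ifb = rb[2] if rb else None
        ifa = ra[2] if ra else None
        if ifb != ifa:
            changed[h] = (ifb, ifa)
    return changed

def overlapping(table):
    """Route pairs on different interfaces with overlapping prefixes (default route ignored)."""
    routes = [r for r in parse(table) if r[0].prefixlen > 0]
    return [(str(x[0]), x[2], str(y[0]), y[2])
            for i, x in enumerate(routes) for y in routes[i + 1:]
            if x[2] != y[2] and x[0].overlaps(y[0])]

if __name__ == "__main__":
    print("path changes:", changed_paths(BEFORE, AFTER, HOSTS))
    print("overlaps:", overlapping(AFTER))
```

If the mail server or the external sender shows up in the changed set on a real table, the new interface's route is capturing mail traffic; if only the remote-site range changes, the cause lies elsewhere.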



