I've seen multiple reports but no clear answers. We have a site-to-site VPN using IPsec going between 2 ISA 2004 Servers.
We actually have this setup working for 4 offices. However, our new office is not cooperating. All the same setup has been involved; however, the new office cannot RDP to any machines at any of the remote sites over VPN.
The Remote Desktop connects and we get a grey or black screen, and it hangs before we get the login prompt. It's also very slow to authenticate or for Active Directory to do its work. The sites ping fine and other protocols seem to be working.
We tried adjusting the MTU size on the Cisco DSL router to match a lowered ISA server MTU on the external NIC, to no avail.
The interesting thing is, if a client computer behind the new troublesome ISA does a Windows PPTP VPN to a remote office, we can Remote Desktop no problem. It just doesn't want to work via the IPsec.
I've had the same issue as well.
From the limited testing I was able to do, I narrowed it down to having a different MTU at each end, i.e., Box A is connected via Ethernet to the internet with a default MTU of 1500 bytes, and Box B is connected via DSL with an MTU of 1492 bytes. In this configuration IPsec site-to-site just wouldn't work for me. If I dropped the MTU on Box A, the one that connects with 1500 bytes, to 1400 bytes, it started to work.
Systems that connect with the same MTU at each end don't seem to show this problem.
I have the exact same issue. It's been driving me nuts for months now. Personally, I think it is something where ICMP packets are discarded within the tunnel so PMTU Discovery is broken.
I have a site in a colo facility with a dedicated network drop. This MTU is 1500. In a remote office, I have a PPPoE connection so the MTU is 1492. However, when I ping servers from one side of the tunnel to the other, the maximum MTU between the servers is 1422. I was faced with the choice of touching every computer in the remote office and adjusting the MTU on each machine, or adjusting something on the ISA Server. Now I didn't want to touch the one in the colo facility because it's also hosting a lot of web sites and media servers. I need this MTU to be optimal. So I had to do something with the remote ISA server. I set the MTU on this server to 1422 in the NDISWAN interface. This is the PPPoE interface. There is a KB article on doing this for XP; it's the same for 2003. After that it started working. Still not happy with this since it's supposed to happen automatically.
In another site, I have a D-Link DI-804HV connected to a PPPoE line and I've created an IPsec VPN to the same ISA server at the colo. Even adjusting the MTU on the WAN interface on that device does nothing. It's gotta be something in the ISA or Windows side at the colo that is blocking ICMP within the tunnel, because I have tried everything, including creating an "Allow All" rule for all protocols on the ISA side, and still nothing. I've verified and tested. All routers between the remote office and the colo are not black-hole routers. They all process ICMP messages correctly and adjust the MTU accordingly. But once you get inside the tunnel, things break.
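The mechanism behind the symptoms in this thread (pings cross the tunnel, RDP hangs on a black screen, a measured in-tunnel maximum of 1422) can be worked through numerically. The following is an added example, not code posted by anyone in the thread; it assumes ESP in tunnel mode with a 16-byte cipher block and IV (AES-CBC) and a 12-byte ICV (HMAC-SHA1-96), since the thread does not say which transforms ISA 2004 negotiated. With those assumptions a 1492-byte PPPoE link yields a usable inner MTU of 1422, which is the figure reported above; the `make_blackhole_probe` function is a constructed stand-in for a DF-bit ping, not a real network probe.

```python
"""Usable MTU inside an ESP tunnel, and why a black-holed path breaks TCP but not ping.

Added example, not from the thread. Assumed transforms: AES-CBC (16-byte block,
16-byte IV) and HMAC-SHA1-96 (12-byte ICV) in tunnel mode.
"""
import math

OUTER_IP_HDR = 20   # IPv4 header that tunnel mode prepends
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length + next header, inside the encrypted region
NAT_T_UDP_HDR = 8   # only present with UDP encapsulation (NAT-T)


def esp_outer_size(inner_len, block=16, iv_len=16, icv_len=12, udp_encap=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes after ESP tunnel-mode encapsulation."""
    # Payload + trailer is padded up to the cipher block size before encryption.
    encrypted = math.ceil((inner_len + ESP_TRAILER) / block) * block
    total = OUTER_IP_HDR + ESP_HDR + iv_len + encrypted + icv_len
    if udp_encap:
        total += NAT_T_UDP_HDR
    return total


def tunnel_mtu(link_mtu, **kw):
    """Largest inner packet whose encapsulated form still fits the physical link MTU."""
    inner = link_mtu
    while esp_outer_size(inner, **kw) > link_mtu:
        inner -= 1
    return inner


def find_path_mtu(probe, lo=576, hi=1500):
    """Binary-search the largest total packet size for which probe(size) succeeds.

    probe(size) -> bool models a ping with the DF bit set. On a healthy path an
    oversized probe is answered with ICMP "fragmentation needed"; on a black-holed
    path it simply times out, which this search treats the same way (False).
    """
    if not probe(lo):
        raise ValueError("even the minimum probe size fails; path is down")
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid - 1
    return lo


def make_blackhole_probe(tunnel_limit):
    """Constructed stand-in for a DF ping: True if a packet of that total size crosses the tunnel.

    Anything larger is silently dropped, i.e. no ICMP comes back (the thread's suspicion).
    """
    return lambda size: size <= tunnel_limit


def full_segment_survives(sender_mtu, tunnel_limit):
    """Does a full-size TCP segment from a host with sender_mtu survive the tunnel?

    Windows derives MSS = MTU - 40, so a host at 1500 emits 1500-byte packets with DF set.
    Small ICMP echo packets are unaffected, which is why ping works while RDP hangs.
    """
    return sender_mtu <= tunnel_limit


if __name__ == "__main__":
    limit = tunnel_mtu(1492)                       # PPPoE side: 1492-byte link
    print("usable MTU inside the tunnel:", limit)  # 1422 under the assumed transforms
    print("path MTU found by DF probing:", find_path_mtu(make_blackhole_probe(limit)))
    for host_mtu in (1500, 1422):
        verdict = "pass" if full_segment_survives(host_mtu, limit) else "silently dropped"
        print(f"host MTU {host_mtu}: full TCP segments {verdict}")
```

The DF-probe search is the same thing the poster did by hand with ping; the point of `full_segment_survives` is that lowering the MTU on the PPPoE interface (as done above) only helps hosts that inherit it, so a 1500-byte host on the far side still sends segments the tunnel drops unless the ICMP "fragmentation needed" message can reach it.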
I'm also having a problem re: RDP through a VPN (L2TP/IPsec) connection. 2 users can make the VPN connection but cannot RDP in (they get the black screen w/ RDP tab at top, but no prompt for authentication, and the pithy error "This computer can't connect to the remote computer. The connection was lost due to a network error. Try connecting ..."). I can RDP over VPN fine from home, so I took the machine of one of the "problem" users home and tried it; it worked fine for me, even using his credentials. We use the same ISP (cable modem). So maybe it's their cable modem router MTU settings (the only piece of gear different between our 2 setups).
I thought also it might be that Path MTU discovery was broken, but I've little info on this subject, and I'm loath to make changes when (1) I don't understand what's gone wrong and (2) most users are not seeing this problem.
RedSunshine: have you looked into editing the system policy rule for ICMP traffic to the ISA? When I "Show System Policy Rules" it is Rule 10 "Allow ICMP (PING) requests from selected computers to ISA server". Just a guess.
< Message edited by rkapila -- 5.Apr.2007 12:09:24 PM >