I have just been working with Microsoft on a similar problem. Do you have a NAT ADSL or other broadband router providing your connection to the Internet?
If you do it may not be handling the PPTP Call ID properly and if so ISA will just drop the connection. I am working on either replacing all my routers or getting the vendor to resolve it through firmware.
That's the theory being put forward by Microsoft. To confirm this I need to do some tracing for them which I will be doing soon. I have also asked the supplier to comment.
The routers play happily with other routers and firewalls, just not ISA. I also have other (non-PPTP) VPN issues with a user getting disconnections and errors about routing tables changing. Not sure if it is related, as I currently am not using the NAT routers and PPTP works OK, but the other VPN problem persists.
I have done the traces and am waiting for Microsoft to get back to me.
I have also contacted the manufacturer and supplier of the router and they are looking into it for me. I found that this particular router can only support a single VPN pass through connection at any one time, so this might limit my use of this model anyway.
There are other routers from SnapGear and Draytek that might be a better solution, guess I will have to persist and try them all.
Thanks for the update! I know that the Windows RRAS and ISA both support multiple outbound PPTP connections as I've tested that scenario. Maybe you can put a Windows RRAS NAT in front of the ISA Firewall :)
It seems MS's suspicions were correct... so now I need to try a firmware patch, and then if that doesn't work buy a new router to test (any recommendations on good dual-WAN routers with the ability to do failover as well as protocol binding?). This is the response I got from them:
Frame 1531: Local VPN client (192.168.x.y) tried to set the Caller ID to 512.
Frame 1540: Remote VPN server accepted the original Caller ID and initiated a new Caller ID 51136.
Frame 1542: Local VPN client accepted the new Caller ID 51136 and tried to "set link info".
Frame 1580: Remote VPN server responded with "set link info", and the original Caller ID is suddenly changed to 53380.
From this frame, we clearly know that it is your router which changes the original Caller ID, so ISA rejects the session and drops the packet.
This is actually not an ISA defect but a security enhancement on ISA server.
The ISA server needs to map and translate these PPTP packets and pass them on to the inside network. For this we use the 'Call ID' and remote IP address as our NAT mapping key. However, the hardware router ignores the Caller ID sent by the remote VPN server and replaces it with its own Caller ID (according to the netmon traces), so the ISA server is unable to find the correct NAT mapping and the packet is dropped by the NAT/PPTP module.
In PPTP traffic, the Caller ID is important to identify the network host and transfer the data. Matching the correct Caller ID is important to ensure the security of PPTP traffic.
Furthermore, checking the Caller ID is a hard-coded security feature of ISA Server; we cannot simply disable it with a registry hack. So, the only solution currently for you is to change the hardware router.
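To make the Call ID bookkeeping in that response concrete, here is an added Python example (not Microsoft's, ISA's or the router vendor's code) that parses the three RFC 2637 control messages seen in the trace and keeps the same (remote IP, Call ID) mapping key the response describes. The frames and IP addresses are constructed to mirror frames 1531/1540/1542/1580, with the inbound Set-Link-Info carrying the rewritten Call ID 53380; the tracker accepts the first three frames and drops the fourth, which is the failure ISA reported. Message layouts and field sizes follow RFC 2637; the tracker's internal structure is my own simplification, not ISA's implementation.

```python
"""Added example: track PPTP Call IDs the way the response above describes.

Control-message layouts follow RFC 2637. The frames replayed at the bottom
are constructed (invented IPs) to mirror the trace: client Call ID 512,
server Call ID 51136, and a router-rewritten 53380 in the server's
Set-Link-Info. Not Microsoft, ISA or router-vendor code.
"""
import struct

MAGIC_COOKIE = 0x1A2B3C4D
CONTROL_MESSAGE = 1
OUT_CALL_REQUEST, OUT_CALL_REPLY, SET_LINK_INFO = 7, 8, 15


def build_control(ctrl_type, body):
    """Prepend the RFC 2637 header: Length, Type, Magic Cookie, Ctrl Type, Reserved0."""
    return struct.pack("!HHIHH", 12 + len(body), CONTROL_MESSAGE, MAGIC_COOKIE, ctrl_type, 0) + body


def outgoing_call_request(call_id, serial=1):
    # Call ID, Serial, Min BPS, Max BPS, Bearer, Framing, Recv Window, Delay,
    # Phone Number Length, Reserved, then 64-byte Phone Number + 64-byte Subaddress.
    body = struct.pack("!HHIIIIHHHH", call_id, serial, 300, 100_000_000, 3, 3, 64, 0, 0, 0)
    return build_control(OUT_CALL_REQUEST, body + bytes(128))


def outgoing_call_reply(call_id, peer_call_id, result=1):
    # Call ID, Peer's Call ID, Result (1 = Connected), Error, Cause, Connect Speed,
    # Recv Window, Delay, Physical Channel ID.
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, result, 0, 0, 10_000_000, 64, 0, 0)
    return build_control(OUT_CALL_REPLY, body)


def set_link_info(peer_call_id, accm=0xFFFFFFFF):
    # Peer's Call ID, Reserved, Send ACCM, Receive ACCM.
    return build_control(SET_LINK_INFO, struct.pack("!HHII", peer_call_id, 0, accm, accm))


def parse_control(data):
    """Parse the header and the Call ID fields of the three message types we track."""
    length, msg_type, cookie, ctrl_type, _ = struct.unpack_from("!HHIHH", data, 0)
    if msg_type != CONTROL_MESSAGE or cookie != MAGIC_COOKIE or length != len(data):
        raise ValueError("not a well-formed PPTP control message")
    body = data[12:]
    if ctrl_type == OUT_CALL_REQUEST:
        (call_id,) = struct.unpack_from("!H", body, 0)
        return {"type": "OCRQ", "call_id": call_id}
    if ctrl_type == OUT_CALL_REPLY:
        call_id, peer_call_id, result = struct.unpack_from("!HHB", body, 0)
        return {"type": "OCRP", "call_id": call_id, "peer_call_id": peer_call_id, "result": result}
    if ctrl_type == SET_LINK_INFO:
        (peer_call_id,) = struct.unpack_from("!H", body, 0)
        return {"type": "SLI", "peer_call_id": peer_call_id}
    return {"type": ctrl_type}


class PptpCallIdTracker:
    """Simplified model of a NAT keyed on (remote server IP, client Call ID)."""

    def __init__(self):
        self.pending = {}     # (server_ip, client_call_id) -> inside host, awaiting reply
        self.mappings = {}    # (server_ip, client_call_id) -> inside host, established
        self.server_ids = {}  # (server_ip, inside host) -> server's own Call ID
        self.dropped = []     # (message type, offending key) for every rejected frame

    def observe(self, src, dst, payload):
        """Return the verdict for one control frame: pending/mapped/forwarded/dropped."""
        msg = parse_control(payload)
        if msg["type"] == "OCRQ":                      # client asks for a call
            self.pending[(dst, msg["call_id"])] = src
            return "pending"
        if msg["type"] == "OCRP":                      # server answers, echoing our Call ID
            key = (src, msg["peer_call_id"])
            client = self.pending.pop(key, None)
            if client is None or msg["result"] != 1:
                self.dropped.append(("OCRP", key))
                return "dropped"
            self.mappings[key] = client
            self.server_ids[(src, client)] = msg["call_id"]
            return "mapped"
        if msg["type"] == "SLI":
            if (dst, src) in self.server_ids:          # outbound: must name the server's Call ID
                ok = self.server_ids[(dst, src)] == msg["peer_call_id"]
            else:                                      # inbound: must name a Call ID we mapped
                ok = (src, msg["peer_call_id"]) in self.mappings
            if not ok:
                self.dropped.append(("SLI", (src, msg["peer_call_id"])))
                return "dropped"
            return "forwarded"
        return "ignored"


CLIENT, SERVER = "192.168.1.50", "203.0.113.10"  # constructed addresses


def replay_trace(router_rewrites_call_id=True):
    """Replay the four control frames from the trace; return per-frame verdicts and drops."""
    tracker = PptpCallIdTracker()
    inbound_sli_peer = 53380 if router_rewrites_call_id else 512
    frames = [
        (CLIENT, SERVER, outgoing_call_request(512)),       # frame 1531
        (SERVER, CLIENT, outgoing_call_reply(51136, 512)),  # frame 1540
        (CLIENT, SERVER, set_link_info(51136)),             # frame 1542
        (SERVER, CLIENT, set_link_info(inbound_sli_peer)),  # frame 1580
    ]
    return [tracker.observe(*frame) for frame in frames], tracker.dropped


if __name__ == "__main__":
    print(replay_trace(True))    # last frame dropped: no mapping for (server, 53380)
    print(replay_trace(False))   # untouched Call ID: all four frames pass
```

Running `replay_trace(False)` shows the same exchange passing cleanly when the router leaves the Call ID alone, which is the behaviour the firmware fix later in the thread restores. The same Call ID also travels in the Key field of the GRE data packets, so a device that rewrites it in the control channel but not in GRE (or the other way round) will break the tunnel even where the NAT does not key on it.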
Hi Money Penney, I know that it is late now, but if you had posted the traces here (of course, if you could do this) we would have answered this for free with pretty much the same answer.
quote:
checking the Caller ID is a hard-coded security feature of ISA Server; we cannot simply disable it with a registry hack.
This would be plain stupid, because it would break RFC 2637. It is an old wish of mine to explain bit by bit the operations of PPTP and L2TP/IPSec in the context of ISA and put it on the Internet, and actually I have written something on this. Maybe in a month I will be able to finish it. Best Regards!
Thanks for that; luckily I don't have to pay for this type of support from Microsoft. Also, as there is a lot of information that can be gleaned from the trace logs (I did not have time to sterilise them or just filter the relevant bits), it was a safer bet to securely FTP them to Microsoft.
I would be keen to see that article. I have to admit VPN and WAN are not my strong points when I have to go outside of what I do day to day (but I am always keen to gain knowledge).
A firmware update from the manufacturer to specifically solve this problem was sent to me and so far it is working well. I have to say that they worked quickly to help me resolve this once I got their attention. I since learned that this router only supports a single VPN pass through connection at a time (in either direction) so this creates another issue for me, even though this PPTP pass through problem has been resolved.
So now I need to find an alternative that has similar functions.
Yes, but using a Windows 2003 RRAS box would be several orders of magnitude more expensive, require much more administration overhead and be more complex to manage, and I am not sure it would handle protocol binding as well as load balancing and failover and some of the other features that a more dedicated router would provide.
I have found some other devices that provide dual WAN and multiple VPN pass through, however they don't quite have the same feature set.
I think you might be surprised. I have a couple of customers who decided to go with that decision when Win2k was in beta in 1999 and have been using it since then, along with NLB support. I never touch the boxes; they just update themselves and all is well. Same disk drives, same RAM, same everything for 8 years. And if I ever do need to change the drives, no problem -- it's a totally vanilla install: just reinstall Windows, update, configure RRAS, install the certificate and bam :)
Not something many people would want to do, but these customers swear by its reliability and performance.