Getting Error (Urgent) (Full Version)

All Forums >> [ISA 2006 Firewall] >> VPN



Message

create_share -> Getting Error (Urgent) (7.Aug.2007 10:56:01 AM)

I was able to connect to my ISA Server from Internet through VPN. But i don't know what is changed and i have started getting this error:

"Error 800: Unable to establish the VPN connection. The VPN server may be unreachable, or security parameters may not be configured properly for this connection".


My ISA Server is joined to domain. I am using MSCHAP-v2 Encryption method with PPTP.

Thankx!



spouseele -> RE: Getting Error (Urgent) (7.Aug.2007 2:29:58 PM)

Hi create_share ,

is the PPTP control port reachable? You can test it easily with the command 'telnet VPN_Server 1723'. The connection should succeed.

HTH,
Stefaan



create_share -> RE: Getting Error (Urgent) (7.Aug.2007 3:48:46 PM)

yes it is reachable but still can't connect VPN.

thankx!



spouseele -> RE: Getting Error (Urgent) (7.Aug.2007 4:16:19 PM)

Hi create_share,

two suggestions:

1. if possible test from a workstation directly connected to the same segment as the ISA external interface. That should exclude all external dependencies.

2. take a network monitor trace to find out how far the PPTP call setup goes. Check out my blog Multiple PPTP VPN clients behind a NAT device for some tips to interpret that trace.

HTH,
Stefaan



create_share -> RE: Getting Error (Urgent) (8.Aug.2007 2:37:10 AM)

Yes! i connected the external interface directly to my Notebook computer and checked the vpn. It is giving same error. Can it be because of authentication. My isa is joined to domain.

Thankx!



spouseele -> RE: Getting Error (Urgent) (8.Aug.2007 3:13:31 PM)

Hi create_share,

what about my second suggestion?

HTH,
Stefaan



create_share -> RE: Getting Error (Urgent) (9.Aug.2007 1:09:38 PM)

I have noticed one thing before i go for the trace. I dialed the VPN Connection and checked the log of ISA where i found an entry of


"PPTP Initiated Connection with Rule Name of "[System] Allow VPN Client traffic to ISA Server, Source Network (External) " with my Dial-Up connection IP Address that i am getting from my ISP".

This means that it is reaching there but after that it is being rejected due to some reason.

Thankx!



spouseele -> RE: Getting Error (Urgent) (9.Aug.2007 3:15:00 PM)

Hi create_share,

don't you have a static IP on your ISA external interface?

HTH,
Stefaan



rino01 -> RE: Getting Error (Urgent) (9.Aug.2007 4:24:57 PM)

Have you installed Windows 2003 SP2? If you have read Tom's blog articel about it.

http://blogs.isaserver.org/shinder/2007/03/23/warning-windows-server-2003-sp2-may-destroy-your-isa-firewall-without-warning/





spouseele -> RE: Getting Error (Urgent) (9.Aug.2007 5:14:47 PM)

Hi Rickard,

you are very right! I make always sure that Receive Side Scaling and TCP Offload Support are disabled per KB article http://support.microsoft.com/kb/936594.

However the create_share didn't mention that the problem started after an update. So... [;)]

HTH,
Stefaan



rino01 -> RE: Getting Error (Urgent) (10.Aug.2007 2:54:45 AM)

Hello Steefan

I got a hold of a document from a guy that called Micrsoft Support about the SP2 problem and VPN connection (among other things ofcource :-) )

Here is what Microsoft recommended:

After the installation of SP2 we must check the following steps:
· Changed the following registry key:
a) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableRSS >>> change it to 0.
EnableTCPA >>> change it to 0.
b) HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
In the right pane, make sure that the DisableTaskOffload registry entry exists.
If this entry does not exist, follow these steps to add the entry:
On the Edit menu, point to New, and then click DWORD Value, and then type DisableTaskOffload.  Double-Click DisableTaskOffload, type 1, and then click OK.
Exit Registry Editor.
· Rebooted the ISA Server.
· Enabled the RPC filter and restarted the ISA Services.
· Tried connecting to VPN.

The B option is the first time i see and i can't really tell if that have anything to do with VPN or not, vould be worth a shoot if he have installed SP2.



create_share -> RE: Getting Error (Urgent) (10.Aug.2007 9:32:04 AM)

Dear All,

Spouseele is also right but you know i was able to connect to it from the beginining becuase i installed sp-2 when i prepared the server. Now i have disabled these things and after restarting it started working.


Thankx Everybody.

I am going to publish my Exchange Server 2007 and i am sure i will face problems with SP-2. What do u think?

Thankx!



rino01 -> RE: Getting Error (Urgent) (11.Aug.2007 3:39:17 AM)

Glad to be of service.

I don't think you will face any big problems with SP2 and Exchange 2007. The biggest problem was the one you have taken care of. I recomend you to read Tom's article about publishing Exchange 2007 with ISA 2007 that will help you on your way.



spouseele -> RE: Getting Error (Urgent) (12.Aug.2007 6:25:09 AM)

Hey guys,

I've contacted Jim Harrison from the ISA Sustained Engineering team at Microsoft and here is what he says about ISA and Windows 2003 SP2:
quote:


EnableTCPA = 0x0 and EnableRSS = 0x0 are absolutely recommended.
 
DisableTaskoffload is NIC driver-specific.
Some folks have had to disable it; others haven't.
The same is true for EnableTCPChimney = 0x0.


I consider this an authorative answer! [8D]

HTH,
Stefaan



Page: [1]