rolandl -> Unexpected solution to VPN error 721 and 619 (21.Jun.2008 10:49:53 AM)
Hi

After working for some days fighting with a PPTP VPN into our ISA 2004 protected LAN, I had an unexpected victory. We have a working VPN into our LAN which I wanted to clone to another ISA proxy. Migrating was difficult, but that's another story. The key thing was the error codes (which are less than useful).

The config looks like this:

Client --> :internet: --> Cisco 501 PIX --> ISA 2004 --> LAN

I deployed ISA 2004 PPTP incoming VPN with instructions from Tom Shinder's book and the articles here. On initial connection I got the 721 errors, and after research twigged that that happened last time. Open the Cisco PIX for GRE packets (protocol 47) to come in from the internet.

Attempt to log in via VPN (PPTP). Hello, the VPN opens, it sits on "verifying username and password", then times out with an error code of 619. Looking in the ISA logs (query activity from your client external IP), you can see the connection opens then closes, with a few bytes exchanged (~1400).

What is happening? Well, after some thinking and investigation I twigged: GRE packets are not like TCP/IP, they don't establish a connection pair of ports, so a successful connection request does not automatically create a return path. (Any network engineer who wants to step in here and comment/clarify is welcome.)

In order to get a successful PPTP tunnel, you HAVE to allow GRE packets OUT to the internet from the ISA server with an equivalent rule on the Cisco PIX (or whatever router you may have), because ISA server needs a return path for all that encrypted traffic.

After discovering the solution (that isn't explained anywhere) I was so chuffed [:)] I decided to post this to help some other frustrated IT admins who share my burden of providing capacity for 'work from home' staff.

I hope this is found to be of some value.

Rocky
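The reasoning in the post above (a permitted inbound TCP 1723 request gets its reply back through the firewall's state table, but GRE has no ports for the firewall to track, so the ISA server's encapsulated return traffic is dropped until an explicit outbound GRE rule exists) can be checked against a policy before anyone touches a production firewall. The following is an added example, not code from the original post or from any Microsoft or Cisco product: a small Python model of a firewall that tracks TCP flows by 5-tuple but treats GRE statelessly, replaying the four packets of a PPTP setup against the "before" and "after" rule sets. The addresses, port numbers and rule names are constructed for the example; the model assumes the firewall does no PPTP-aware inspection, which matches the behaviour the post describes.

```python
"""Model of why a PPTP tunnel needs GRE permitted in both directions.

TCP replies are matched by a flow table; GRE (IP protocol 47) carries no
ports, so the model has nothing to match the ISA server's return GRE
traffic against unless an explicit outbound rule exists.  This is a
simplified model written for illustration, not a real firewall engine.
"""
from dataclasses import dataclass

TCP, GRE = 6, 47          # IP protocol numbers

# Constructed example addresses (RFC 5737 documentation ranges).
CLIENT = "198.51.100.7"   # remote worker's public IP
ISA = "203.0.113.10"      # ISA server as seen on the PIX outside interface


@dataclass(frozen=True)
class Packet:
    direction: str        # "in" = internet -> LAN, "out" = LAN -> internet
    proto: int
    src: str
    dst: str
    sport: int = 0        # 0 for protocols without ports (GRE)
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: int
    dport: int = 0        # 0 = any port; always 0 for GRE


class StatefulFirewall:
    """Permits packets by rule; remembers permitted TCP flows so replies pass."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.tcp_flows = set()   # (src, sport, dst, dport) of permitted TCP requests

    def allows(self, pkt: Packet) -> bool:
        # A TCP reply is allowed if it reverses a flow already in the table.
        if pkt.proto == TCP:
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.tcp_flows:
                return True
        # Otherwise the packet must match an explicit rule for its direction.
        for rule in self.rules:
            if (rule.direction == pkt.direction and rule.proto == pkt.proto
                    and rule.dport in (0, pkt.dport)):
                if pkt.proto == TCP:
                    self.tcp_flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
        # GRE never reaches the flow table: no ports, so no reverse match.
        return False


# The four packets that matter in a PPTP setup (constructed sample traffic).
PPTP_SESSION = [
    Packet("in", TCP, CLIENT, ISA, 50000, 1723),   # control channel request
    Packet("out", TCP, ISA, CLIENT, 1723, 50000),  # control channel reply
    Packet("in", GRE, CLIENT, ISA),                # client's encapsulated data
    Packet("out", GRE, ISA, CLIENT),               # ISA server's encapsulated reply
]


def tunnel_completes(rules):
    """Return (ok, dropped_packets) for replaying PPTP_SESSION through rules."""
    fw = StatefulFirewall(rules)
    dropped = [p for p in PPTP_SESSION if not fw.allows(p)]
    return not dropped, dropped


# Policy as the post first had it: PPTP control and GRE allowed inbound only.
BEFORE = [Rule("in", TCP, 1723), Rule("in", GRE)]
# Policy after the fix: GRE also explicitly allowed outbound from the ISA server.
AFTER = BEFORE + [Rule("out", GRE)]


if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER)):
        ok, dropped = tunnel_completes(policy)
        print(f"{name}: tunnel {'completes' if ok else 'fails'}; dropped={dropped}")
```

Run as-is, the "before" policy drops exactly one packet, the outbound GRE reply from the ISA server, which is the symptom in the post: the control channel (TCP 1723) comes up, the client sits at "verifying username and password", and the session dies with error 619 after a small number of bytes. The "after" policy passes all four packets. When auditing such a rule, scope the outbound GRE permit to the VPN server's address rather than the whole LAN, and keep in mind that PPTP's own authentication and encryption (MS-CHAPv2 and MPPE) are no longer considered adequate protection for remote access.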