VPN Authentication Problem

itsallwright -> VPN Authentication Problem (23.Jul.2008 1:50:21 PM)

I have 2 NLB ISA 2006 Ent servers in an array running Windows Server 2003 R2 SP2 and joined to the domain.  When I try to VPN in, authentication takes a really long time if it works at all (sometimes it times out).

VPN configuration:
- VPN is enabled
- Assigned a domain group with vpn users as members.
- Both PPTP and L2TP are selected for Protocols.
- User Mapping is unchecked.

- External network selected under access networks.
- Address Assignment is set to Static Pool.
- Authentication is set as MS-CHAPv2.
- No RADIUS selected.

In the System log on the ISA server that handled the request, I see several of the following events.

Event Type: Warning
Event Source: RemoteAccess
Event Category: None
Event ID: 20189
Date:  7/23/2008
Time:  12:33:57 PM
User:  N/A
Computer: ISAServer
Description:
The user <Domain>\<UserName> connected from x.x.x.x but failed an authentication attempt due to the following reason: Authentication was not successful because an unknown user name or incorrect password was used.


In the Security log of the Domain Controller (Server 2008 x64), I see several of these events.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/23/2008 12:34:12 PM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DC.mydomain.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: <UserName>
Source Workstation: 
Error Code: 0xc000006a

I researched the error code listed above and it means:
0xC000006A - The value provided as the current password is not correct

The previous events are followed by the following single event upon success (if it doesn't time out).

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          7/23/2008 12:34:12 PM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      DC.mydomain.com
Description:
The domain controller attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: <UserName>
Source Workstation: 
Error Code: 0x0


If I use a local account on the ISA server, it works almost instantly as expected.

Any suggestions to a solution would be greatly appreciated.

Thanks,
Jay
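
The failure-then-success pattern in the 4776 events quoted in the post above can be pulled out of exported event text mechanically. The following is an added example, not part of the original post: the account names, the 60-second window and the two-failure threshold are assumptions, and the sample records are constructed in the layout of the quoted entries.

```python
import re
from datetime import datetime, timedelta

BAD_PASSWORD = 0xC000006A   # "current password is not correct", as in the post

def _record(time, account, code):
    # Constructed record in the layout of the DC Security log entries quoted above.
    return ("Log Name:      Security\n"
            f"Date:          7/23/2008 {time} PM\n"
            "Event ID:      4776\n"
            f"Logon Account: {account}\n"
            "Source Workstation: \n"
            f"Error Code: {code}\n\n")

# Constructed sample: 'jdoe' and 'asmith' are made-up accounts.
SAMPLE = (_record("12:34:02", "jdoe", "0xc000006a")
          + _record("12:34:07", "jdoe", "0xc000006a")
          + _record("12:34:12", "jdoe", "0xc000006a")
          + _record("12:34:20", "jdoe", "0x0")
          + _record("12:35:00", "asmith", "0x0"))

FIELD = re.compile(r"^(Date|Event ID|Logon Account|Error Code):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Turn exported event text into time-sorted dicts, one per 4776 record."""
    events = []
    for chunk in re.split(r"(?m)^Log Name:", text):
        f = {k: v.strip() for k, v in FIELD.findall(chunk)}
        if f.get("Event ID") != "4776" or not {"Date", "Logon Account", "Error Code"} <= f.keys():
            continue
        events.append({"time": datetime.strptime(f["Date"], "%m/%d/%Y %I:%M:%S %p"),
                       "account": f["Logon Account"], "code": int(f["Error Code"], 16)})
    return sorted(events, key=lambda e: e["time"])

def failures_then_success(events, window=timedelta(seconds=60), min_failures=2):
    """List (account, failure_count, success_time) for each success that follows
    at least min_failures bad-password results for that account within window."""
    hits, pending = [], {}
    for e in events:
        fails = pending.setdefault(e["account"], [])
        if e["code"] == BAD_PASSWORD:
            fails.append(e["time"])
        elif e["code"] == 0:
            recent = [t for t in fails if e["time"] - t <= window]
            if len(recent) >= min_failures:
                hits.append((e["account"], len(recent), e["time"]))
            fails.clear()
    return hits

if __name__ == "__main__":
    for account, n, when in failures_then_success(parse_events(SAMPLE)):
        print(f"{account}: {n} bad-password results, then success at {when}")
```
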




itsallwright -> RE: VPN Authentication Problem (24.Jul.2008 7:49:59 PM)

OK, more info... I just discovered that VPN authentication works instantly as expected when I go to the primary external IP of either ISA server.  It only shows these symptoms when I go to the load balanced IP.

I tried disabling network load balancing integration and it still worked to the external IP (obviously not to the NLB IP) on both servers.  I then enabled NLB again and still have the same symptom I started with.

Any idea what might be wrong with NLB?

Thanks,
Jay




itsallwright -> RE: VPN Authentication Problem (8.Aug.2008 9:56:39 AM)

Does anyone have any suggestions to help me figure this out?  I am at a loss.  The only thing I can think to do now is to rebuild both ISA servers in the array.  I really don't want to do this.

Let me know if I can provide any more details to help troubleshoot this problem.

Thank you,
Jay




itsallwright -> RE: VPN Authentication Problem (15.Sep.2008 10:48:11 AM)

So, I did eventually rebuild both ISA servers in the array and that made no difference at all. 

Recently, I noticed that whenever data was transferred into the network from outside via the public ISA load balanced IP, my outer switch would practically go down (heavy packet loss) and the transfer speed into the network was very slow.

I suspected this was due to switch flooding which I have read is a common issue with network load balancing.  One of the solutions to switch flooding is to put the load balanced servers in their own vlan.  I did that and my switch flooding issue was resolved.  Consequently, this also resolved my weird VPN authentication issue.

I hope this can help someone else.

Jay



