Welcome to ISAserver.org

Site-to-Site VPN problem. Offices can't ping and so on each other

Site-to-Site VPN problem. Offices can't ping and so on ... - 21.Jan.2009 8:28:57 PM   
voha

 

Posts: 11
Joined: 21.Jan.2009
Status: offline
Hello,
 
I have got a really strange issue; I spent a few days on it but without any success.

There are 2 offices, connected through VPN to each other.
Example:

 
Office1                                    Internet                         Office2
PC1 -----------ISA1-------------------------vpn---------------------------ISA2-------PC2

Both ISA servers (ISA 2006 SP1 Standard Edition) are freshly installed on Windows Server 2003.
This is what I have done on both ISA servers:
1. Installed ISA 2006 with SP1
2. Configured the Address Assignment Method (DHCP enabled)
3. Enabled VPN Client Access (enabled, protocols L2TP/IPsec, user mapping for the domain enabled)
4. Remote sites - created a VPN site-to-site connection through L2TP

 
VPN is successfully connected on both servers.
Rule "Allow ALL outbound traffic between Office1 and Office2" has been created on both servers. Actually this is the only rule I created.

 
RESULT: PC1 can't ping PC2 and vice versa.
 
When I try to PING PC2 from PC1
ISA1 says: PING, Initiated connection, rule - "Allow ALL outbound traffic between Office1 and Office2"
ISA2 says: PING, Denied connection, rule is empty.

All other traffic doesn't work either.

Do I need to configure something else to enable traffic between offices?
 
Thanks.
 




< Message edited by voha -- 21.Jan.2009 9:33:31 PM >
Post #: 1
RE: Site-to-Site VPN problem. Offices can't ping and so... - 21.Jan.2009 8:40:43 PM   
voha

 

Posts: 11
Joined: 21.Jan.2009
Status: offline
Forgot to add.
Both ISA servers are connected to the same domain.
Office1 : 10.64.0.0/255.255.252.0

Office2 : 10.64.4.0/255.255.255.0


(in reply to voha)
Post #: 2
RE: Site-to-Site VPN problem. Offices can't ping and so... - 22.Jan.2009 6:14:00 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

how are your network rules configured? Are your client PCs pointing to the respective ISA internal IP as their default gateway? Paste here the details of how your access rules are configured.

Regards,
Paulo Oliveira.

(in reply to voha)
Post #: 3
RE: Site-to-Site VPN problem. Offices can't ping and so... - 22.Jan.2009 8:38:40 AM   
voha

 

Posts: 11
Joined: 21.Jan.2009
Status: offline
-

< Message edited by voha -- 22.Jan.2009 9:02:33 AM >

(in reply to voha)
Post #: 4
RE: Site-to-Site VPN problem. Offices can't ping and so... - 22.Jan.2009 9:03:07 AM   
voha

 

Posts: 11
Joined: 21.Jan.2009
Status: offline
Hello,
 
On PC1 the default gateway is the Internal interface of ISA1.
On PC2 the default gateway is the Internal interface of ISA2.

On the ISA1 server I have an access rule:

Allow all outgoing traffic from (Internal, Office2) to (Internal,Office2) for all users

On the ISA2 server I have an access rule:
Allow all outgoing traffic from (Internal, Office1) to (Internal, Office1) for all users
 
Actually, this rule was created by the wizard when I set up the site-to-site VPN.
 
The network rule on both servers is created as:

Internal - Office1 or Office2 - Route

 
When I ping PC2 from PC1, the requests reach server ISA2 and ISA2 just blocks them without any reason: PING, Denied connection, rule is empty.


Thanks.

(in reply to paulo.oliveira)
Post #: 5
RE: Site-to-Site VPN problem. Offices can't ping and so... - 22.Jan.2009 9:08:24 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

are your Internal Network and Office1/Office2 (VPN s2s) definitions configured with the appropriate ranges?

Are you pinging the IP address?

Regards,
Paulo Oliveira.

(in reply to voha)
Post #: 6
RE: Site-to-Site VPN problem. Offices can't ping and so... - 22.Jan.2009 10:25:07 AM   
voha

 

Posts: 11
Joined: 21.Jan.2009
Status: offline
Hi,

ISA 1 configuration:
Internal network:
10.64.0.0-10.64.3.255
10.255.255.255

Office 2:
10.64.4.0-10.64.4.255

 
ISA2 configuration:
Internal network:
10.64.4.0-10.64.4.255
10.255.255.255
Office 2:
10.64.0.0-10.64.3.255


PC1 - 10.64.1.222
PC2 - 10.64.4.99

Yes, I ping on the IP.

Thanks.




(in reply to paulo.oliveira)
Post #: 7
RE: Site-to-Site VPN problem. Offices can't ping and so... - 22.Jan.2009 11:48:50 AM   
voha

 

Posts: 11
Joined: 21.Jan.2009
Status: offline
One more thing.

When I try to ping PC1 from PC2:

 
Office1                                    Internet                                                                  Office2
PC1 ----<<<-------ISA1--------<<<----------vpn------------<<<---------------ISA2<<<<-------PC2


ISA2 logging says: (this one looks OK)
Destination IP: PC1
Destination port: 0
Protocol: PING

Action: Initiated connection
Rule: Allow access between Office1 and Internal

Client IP: PC2
Source network: Internal
Destination network: Office1

ISA1 logging says: (this one is really strange, it blocks it and doesn't say why)
Destination IP: PC2
Destination port: 0
Protocol: PING

Action: Denied connection
Rule:                                                     (why is it empty??????)

Client IP: PC2
Source network: Office1

Destination network: Internal
 

(in reply to paulo.oliveira)
Post #: 8
RE: Site-to-Site VPN problem. Offices can't ping and so... - 22.Jan.2009 12:46:04 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

quote:

Yes, I ping on the IP.

So this means the VPN is up!

The problem is name resolution. You need to configure your DNS servers to properly resolve the name of your head/branch office machines.

About the rule being empty, check the "Result Code" on the ISA monitoring log and see what is showing to you.

Regards,
Paulo Oliveira.

(in reply to voha)
Post #: 9
RE: Site-to-Site VPN problem. Offices can't ping and so... - 22.Jan.2009 1:21:19 PM   
voha

 

Posts: 11
Joined: 21.Jan.2009
Status: offline
Sorry....

I meant that I am trying to ping by IP, not by name, BUT I don't get a response...

The VPN is definitely UP because the ping request from Office2 reaches the ISA1 server in Office1.

 
I can ping and see everything in Office1 from ISA2 if I create a rule on ISA1 like "Allow all traffic from VPN clients to Internal".
In that case ISA1 shows:
Source network: VPN client
Destination network: Internal

When I ping from a PC at Office2 to a PC at Office1, ISA1 shows:
Source network: Office2
Destination network: Internal

and blocks all ping requests.....




(in reply to paulo.oliveira)
Post #: 10
RE: Site-to-Site VPN problem. Offices can't ping and so... - 22.Jan.2009 1:54:41 PM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

do a tracert and use a network sniffer to see what's going on.

Did you check the result code field?
quote:

I can ping and see everything in Office1 from ISA2 If I will create a rule on ISA1 like "Allow all traffic from VPN clients to Internal".
In that case ISA1 shows:
Source network: VPN client
Destination network: Internal

Remark: It is not the VPN Clients network you have to allow, but the network from Office1.

Regards,
Paulo Oliveira.

(in reply to voha)
Post #: 11
RE: Site-to-Site VPN problem. Offices can't ping and so... - 22.Jan.2009 3:09:34 PM   
voha

 

Posts: 11
Joined: 21.Jan.2009
Status: offline
When I do a tracert from PC2 to PC1:
1. reply from ISA2
2. * * * request timed out

Where do I need to run the sniffer? On PC2?

quote:


Remark: It is not the VPN Clients network you have to allow, but the network from Office1


I allowed the VPN clients network just for a test.

I am just trying to explain:
When I ping from ISA2 to PC1, ISA1 shows that the request comes from a VPN client (and I am able to ping).
When I ping from PC2 to PC1, ISA1 shows that the request comes from the Office2 network (and access is denied).

(in reply to paulo.oliveira)
Post #: 12
RE: Site-to-Site VPN problem. Offices can't ping and so... - 22.Jan.2009 11:10:40 PM   
voha

 

Posts: 11
Joined: 21.Jan.2009
Status: offline
Issue has been resolved with assistance from Microsoft.

The VPN site-to-site link name should be the same on ISA1 and ISA2.

I had it as Office1_VPN and Office2_VPN.

I changed it to InterOffice_VPN on both servers and it fixed the problem.

Sounds weird, but it works.


(in reply to voha)
Post #: 13
RE: Site-to-Site VPN problem. Offices can't ping and so... - 23.Jan.2009 12:07:39 AM   
nanaik

 

Posts: 97
Joined: 11.Dec.2008
Status: offline
1: The site name and the user created on the remote site should be the same (to authenticate the site).
2: The Internal IP range and the VPN range should be different.
3: The protocol defined on both sites should be the same.
4: The site should be perfectly created.

If the above-mentioned points are OK and you allow all traffic, then it should ping.

Neel Naik
Network Engineer

(in reply to voha)
Post #: 14
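As an added example (not from the thread and not ISA's own tooling), a small Python consistency check over the two configurations posted above: it classifies an address into the network an ISA server would match it against, and flags the mismatches the thread turned up (a remote-site range that does not mirror the peer's Internal network, overlapping ranges, and a site-to-site link name that differs between the two ends). The IsaSite model and its fields are assumptions; the addresses and names are the ones given in the thread.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, summarize_address_range

# Hypothetical model of one ISA 2006 server's network definitions (constructed, not ISA's API).
@dataclass
class IsaSite:
    name: str                      # host name, e.g. ISA1
    link_name: str                 # site-to-site connection (demand-dial) name
    internal: tuple                # Internal network range as (first, last)
    remote_site: tuple             # remote-site network range as (first, last)

def _nets(rng):
    """Turn a (first, last) address range into a list of IPv4Network objects."""
    first, last = (IPv4Address(a) for a in rng)
    return list(summarize_address_range(first, last))

def classify(site, ip):
    """Name the network this ISA would match the address against; 'unknown' maps to no rule."""
    addr = IPv4Address(ip)
    if any(addr in n for n in _nets(site.internal)):
        return "Internal"
    if any(addr in n for n in _nets(site.remote_site)):
        return "RemoteSite"
    return "unknown"

def check_pair(a, b):
    """Return a list of findings for the two ends of one site-to-site link (empty = consistent)."""
    findings = []
    if a.link_name != b.link_name:
        findings.append(f"link name differs: {a.link_name} vs {b.link_name}")
    for local, peer in ((a, b), (b, a)):
        # Each side's remote-site range must be exactly the peer's Internal range.
        if local.remote_site != peer.internal:
            findings.append(f"{local.name}: remote-site range does not match {peer.name} Internal")
        # Internal and remote-site ranges must not overlap, or classification is ambiguous.
        if any(x.overlaps(y) for x in _nets(local.internal) for y in _nets(local.remote_site)):
            findings.append(f"{local.name}: Internal overlaps remote-site range")
    return findings

# Constructed from the thread: ranges, hosts and the original (mismatched) link names.
ISA1 = IsaSite("ISA1", "Office1_VPN", ("10.64.0.0", "10.64.3.255"), ("10.64.4.0", "10.64.4.255"))
ISA2 = IsaSite("ISA2", "Office2_VPN", ("10.64.4.0", "10.64.4.255"), ("10.64.0.0", "10.64.3.255"))
PC1, PC2 = "10.64.1.222", "10.64.4.99"

if __name__ == "__main__":
    print("PC2 seen by ISA1 as:", classify(ISA1, PC2))
    print("findings before fix:", check_pair(ISA1, ISA2))
    fixed = [replace(s, link_name="InterOffice_VPN") for s in (ISA1, ISA2)]
    print("findings after fix:", check_pair(*fixed))
```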
RE: Site-to-Site VPN problem. Offices can't ping and so... - 23.Jan.2009 12:19:35 AM   
voha

 

Posts: 11
Joined: 21.Jan.2009
Status: offline
Everything was correct, exactly as you are saying, but it didn't work.
 
It started working after the user name and VPN connection name were changed to the same on both sites.
 
Thanks.

(in reply to nanaik)
Post #: 15
RE: Site-to-Site VPN problem. Offices can't ping and so... - 23.Jan.2009 10:11:47 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

it makes no sense... My VPN s2s is using different names on the head and branch office and it works perfectly.
The only thing that should be exactly the same is the name of the local VPN network and the remote dial-in user name.

But.... I'm glad your configuration is working now.

Regards,
Paulo Oliveira.

(in reply to voha)
Post #: 16
RE: Site-to-Site VPN problem. Offices can't ping and so... - 24.Jan.2009 3:14:55 AM   
voha

 

Posts: 11
Joined: 21.Jan.2009
Status: offline
Thanks Paulo.

Agreed, it makes no sense to me either...
But I think Microsoft knows about it, because it was the first thing he asked me to do.


(in reply to paulo.oliveira)
Post #: 17