Welcome to ISAserver.org


RE: Remote VPN clients not receiving DHCP options

RE: Remote VPN clients not receiving DHCP options - 1.Oct.2004 5:32:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Tom,

I tested it with the rules I posted on my site, and it still doesn't work. The VPN connection succeeds, but it seems that the ISA firewall is convinced that the VPN client's DHCP request is a spoofed packet and drops it. I'm going to disable IP spoof detection on the firewall and see if it works after I do that.

By the way, I just want to say that you are doing a great job in your writing and also answering questions in your forums here. Conversing with you is a real pleasure. Best wishes on the book!

Bill

(in reply to AbqBill)
Post #: 21
RE: Remote VPN clients not receiving DHCP options - 1.Oct.2004 6:27:00 PM   
AbqBill

 

Hi Tom,

I have updated my problem page with a bit more detail:

http://www.cybermesa.com/~bstewart/isa/dhcpproblem.html

Disabling IP spoof detection did not fix the problem. I'm starting to suspect a bug.

Thanks!

Bill

[ January 05, 2005, 12:28 AM: Message edited by: Bill Stewart ]

(in reply to AbqBill)
Post #: 22
RE: Remote VPN clients not receiving DHCP options - 2.Oct.2004 12:07:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Bill Stewart:
Hi Tom,

I tested it with the rules I posted on my site, and it still doesn't work. The VPN connection succeeds, but it seems that the ISA firewall is convinced that the VPN client's DHCP request is a spoofed packet and drops it. I'm going to disable IP spoof detection on the firewall and see if it works after I do that.

By the way, I just want to say that you are doing a great job in your writing and also answering questions in your forums here. Conversing with you is a real pleasure. Best wishes on the book!

Bill

Hi Bill,

Thanks! [Big Grin]

What I'm going to do tonight is try to figure out why it's detected as a spoof. ISA sees a spoof when a packet reaches an interface which is not directly reachable by that interface.

So, the questions I would ask are:

1. What network is the DHCP Inform packet coming from? The DHCP relay should be on the local host network, but the VPN client is on the VPN client's network. However, the source IP address, IIRC, is the VPN client's address, even though the relay is "routing" the connection.

2. What is the destination network interface detecting the spoof? I figure it must be the local host network, but maybe it's the internal network?

It'll be interesting to see if this is figurable outable [Smile]

Thanks!
Tom

(in reply to AbqBill)
Post #: 23
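
Both questions in the post above can be checked against a packet capture of the DHCP exchange: in a DHCPINFORM the `ciaddr` field carries the client's own address, and `giaddr` is non-zero only once a relay agent has handled the message. The parser below is an added example, not part of the original thread; the sample packets, MAC address and IP addresses are constructed for illustration.

```python
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of DHCP options (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}

def parse_dhcp(payload: bytes) -> dict:
    """Parse a DHCP UDP payload and report the fields that identify its origin."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, hops = struct.unpack("!BBBB", payload[:4])
    ciaddr = ipaddress.IPv4Address(payload[12:16])  # client's own address
    giaddr = ipaddress.IPv4Address(payload[24:28])  # filled in by the first relay agent
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    msg_type = options.get(53)                      # option 53 = DHCP message type
    return {
        "op": "request" if op == 1 else "reply",
        "type": MSG_TYPES.get(msg_type[0]) if msg_type else None,
        "hops": hops,
        "ciaddr": str(ciaddr),
        "giaddr": str(giaddr),
        "relayed": int(giaddr) != 0,
        "requested_options": list(options.get(55, b"")),  # option 55 = parameter list
    }

def build_inform(ciaddr: str, giaddr: str = "0.0.0.0", hops: int = 0) -> bytes:
    """Build a constructed DHCPINFORM asking for router, DNS and domain name."""
    header = struct.pack("!BBBBIHH", 1, 1, 6, hops, 0x1234ABCD, 0, 0)
    addrs = b"".join(ipaddress.IPv4Address(a).packed
                     for a in (ciaddr, "0.0.0.0", "0.0.0.0", giaddr))
    chaddr = bytes.fromhex("020000000001").ljust(16, b"\x00")
    opts = bytes([53, 1, 8, 55, 3, 3, 6, 15, 255])
    return header + addrs + chaddr + bytes(192) + MAGIC_COOKIE + opts

if __name__ == "__main__":
    # Constructed addresses from the documentation range, not values from the thread.
    print(parse_dhcp(build_inform("192.0.2.50")))
    print(parse_dhcp(build_inform("192.0.2.50", giaddr="192.0.2.1", hops=1)))
```

Comparing `giaddr` and `hops` on the packet the firewall logs against the one the client sent shows whether the relay agent ever processed it.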
RE: Remote VPN clients not receiving DHCP options - 2.Oct.2004 12:09:00 AM   
tshinder

 

quote:
Originally posted by Bill Stewart:
Hi Tom,

I have updated my problem page with a bit more detail:

http://home.comcast.net/~stewartb/isa/dhcpproblem.html

Disabling IP spoof detection did not fix the problem. I'm starting to suspect a bug.

Thanks!

Bill

Hi Bill,

Just an idea here -- what IP address is the DHCP service bound to?

Thanks!
Tom

(in reply to AbqBill)
Post #: 24
RE: Remote VPN clients not receiving DHCP options - 2.Oct.2004 12:14:00 AM   
AbqBill

 

Hi Tom,

The DHCP server service is bound to the ISA server's internal interface (see picture).

Thanks!

Bill

[ January 07, 2005, 04:52 PM: Message edited by: Bill Stewart ]

(in reply to AbqBill)
Post #: 25
RE: Remote VPN clients not receiving DHCP options - 2.Oct.2004 12:26:00 AM   
AbqBill

 

quote:
1. What network is the DHCP Inform packet coming from? The DHCP relay should be on the local host network, but the VPN client is on the VPN client's network. However, the source IP address, IIRC, is the VPN client's address, even though the relay is "routing" the connection.

2. What is the destination network interface detecting the spoof? I figure it must be the local host network, but maybe it's the internal network?

Hi Tom,

In my test, the log tells me that the source network is VPN Clients and the destination network is Local Host.

Thanks!

Bill

(in reply to AbqBill)
Post #: 26
RE: Remote VPN clients not receiving DHCP options - 2.Oct.2004 7:34:00 PM   
tshinder

 

Hi Bill,

So far, no workie with or without ISA in the mix. No problems when another machine is a DHCP server. I'll keep trying.

Tom

(in reply to AbqBill)
Post #: 27
RE: Remote VPN clients not receiving DHCP options - 3.Oct.2004 1:40:00 AM   
AbqBill

 

Hi Tom,

For a while there, I was starting to think I was nuts! [Smile] Thanks for looking at this. I am starting to suspect a bug somewhere.

Thanks!

Bill

(in reply to AbqBill)
Post #: 28
RE: Remote VPN clients not receiving DHCP options - 4.Oct.2004 6:25:00 AM   
Andy2Long

 

Posts: 16
Joined: 7.Oct.2003
From: Torrance, CA
Status: offline
If you change things for ISA VPN that affect RRAS, like the number of PPTP or L2TP connections, perform the following to force RRAS to find the changes. This also applies to changes in DHCP if you have configured RRAS for DHCP Relay.

1> Click Start, point to Programs, point to Administrative Tools and click on Routing and Remote Access.
2> In the Routing and Remote Access console, right click on the server name in the left pane of the console. Point to All Tasks and click on Restart.

This will cause the RRAS server to obtain IP addresses and refresh the DHCP leases.

(in reply to AbqBill)
Post #: 29
RE: Remote VPN clients not receiving DHCP options - 4.Oct.2004 4:05:00 PM   
AbqBill

 

Hi Andy,

The problem we are describing in this thread is as follows:

1. Run the DHCP service on the ISA/VPN server
2. Configure the DHCP Relay Agent on the ISA/VPN server to relay DHCP messages to itself
3. Remote VPN clients do not receive the DHCP options (LAN clients behind ISA work fine)

HTH,

Bill

(in reply to AbqBill)
Post #: 30
RE: Remote VPN clients not receiving DHCP options - 5.Oct.2004 12:52:00 AM   
AbqBill

 

Hi Tom,

Have you been able to get it to work yet?

I wonder if configuring the DHCP Relay Agent with the address 127.0.0.1 will work?

Thanks,

Bill

(in reply to AbqBill)
Post #: 31
RE: Remote VPN clients not receiving DHCP options - 5.Oct.2004 5:59:00 AM   
tshinder

 

Hi Bill,

I messed with it for a couple of hours today, and I'm seeing the same thing. I think the problem is related to a bug in the "Internal" interface that RRAS uses and its interaction with a co-lo DHCP server/DHCP relay agent. I couldn't get it to work without the ISA firewall installed either.

If we had the option to bind the DHCP service to this "RRAS Internal" interface, it might work, but it isn't exposed in the DHCP UI -- maybe there's a Registry workaround?

I'll hit the KB and see what gives.

Thanks!
Tom

(in reply to AbqBill)
Post #: 32
RE: Remote VPN clients not receiving DHCP options - 5.Oct.2004 5:04:00 PM   
AbqBill

 

Hi Tom,

You are a gentleman and a scholar. I'll hit the KB too and post here if I find anything.

Thanks!

Bill

(in reply to AbqBill)
Post #: 33
RE: Remote VPN clients not receiving DHCP options - 5.Oct.2004 5:50:00 PM   
AbqBill

 

Hi Tom,

Try the following commands at the command line:

code:
netsh routing ip relay show global
netsh routing ip relay show ifbinding
netsh routing ip relay show ifconfig
netsh routing ip relay show ifstats
netsh routing ip relay show interface

Here are my outputs:

From show global:
code:
DHCP Relay Global Configuration Information
------------------------------------------------------
Logging Level : Errors Only
Max Receive Queue Size : 1048576
Server Count : 1


DHCP Server Addresses
------------------------------------------------------
192.167.15.7

From show ifbinding:
code:
Error 57 retrieving information from the Routing and Remote Access service
The parameter is incorrect.

From show ifconfig:
code:
DHCP Relay Agent Interface Config for : Internal
--------------------------------------------------
State ENABLED
Relay Mode ENABLED
Max Hop Count 4
Minimum Seconds Since Boot 4

The parameter is incorrect.

From show ifstats:
code:
DHCP Relay Agent Interface Stats for :  Internal
--------------------------------------------------
State ENABLED
Send Failures 0
Receive Failures 0
ARP Update Failures 0
Requests Received 0
Requests Discarded 0
Replies Received 0
Replies Discarded 0

From show interface:
code:
DHCP Relay Agent Configuration for "Internal"
------------------------------------------------------
State : Disabled and Unbound
RelayMode : enable
Max Hop Count : 4
Min seconds since reboot : 4

Even when I enter:

code:
netsh routing ip relay set interface Internal enable 4 4

The netsh routing ip relay show interface command still shows "Disabled and unbound."

I also find it odd that the show ifbinding displays error 57, which to Win32 means "A network adapter hardware error occurred." I don't know if this is significant or not (seeing as Internal is not a physical adapter).

I'd be curious to see the outputs on your system.

Thanks!

Bill

(in reply to AbqBill)
Post #: 34
RE: Remote VPN clients not receiving DHCP options - 7.Oct.2004 4:24:00 PM   
AbqBill

 

Hi Tom,

Clint had an obvious thought...

Why does the DHCP Relay Agent need to be installed if RRAS and the DHCP Server service are running on the same server?

I'm going to try removing the DHCP Relay Agent and see what happens. Curious to hear of your findings as well.

Thanks!

Bill

(in reply to AbqBill)
Post #: 35
RE: Remote VPN clients not receiving DHCP options - 8.Oct.2004 4:39:00 AM   
AbqBill

 

Hi Tom,

Doesn't work without the DHCP Relay Agent either.

Thanks,

Bill

(in reply to AbqBill)
Post #: 36
RE: Remote VPN clients not receiving DHCP options - 8.Oct.2004 6:15:00 AM   
tshinder

 

Hi Bill,

Nothing useful in the KB.

Maybe Clint can help us out with this?

I seem to recall hearing from someone last year that there was a bug either in RRAS that prevented this from working. Maybe it's a feature, and not a bug? [Big Grin]

Tom

(in reply to AbqBill)
Post #: 37
RE: Remote VPN clients not receiving DHCP options - 8.Oct.2004 3:06:00 PM   
AbqBill

 

Hi Tom,

I didn't find anything useful in the KB either.

Clint said he'd take a look at it when he gets back into work next week.

Thanks!

Bill

(in reply to AbqBill)
Post #: 38
RE: Remote VPN clients not receiving DHCP options - 9.Oct.2004 7:27:00 PM   
tshinder

 

Hi Bill,

That's great! If we could solve this problem it would be a great addition to the book. I'm writing the VPN chapter now.

Got anything else you'd like to see in that chapter?

Thanks!
Tom

(in reply to AbqBill)
Post #: 39
RE: Remote VPN clients not receiving DHCP options - 10.Oct.2004 1:18:00 AM   
AbqBill

 

Hi Tom,

Yes -- I hope we can get the DHCP issue resolved. That might turn into a problem in "appliance" scenarios. It'd be disappointing that you'd be able to do more with VPN on a PIX than an ISA Server appliance.

About the book: I'm sure you've got it covered! I do suggest separating the VPN chapter in half--one half covering remote client VPNs (including the CMAK), and the other covering site-to-site VPNs.

Regarding remote client VPNs, I'd suggest an explanation of the "Use default gateway on remote network" option, as a common question seems to be: "Why can't I [browse the web, access other local networks, etc.] when I connect to my VPN?"

Thanks!

Bill

(in reply to AbqBill)
Post #: 40
