Guest -> RE: VPN to third-party firewall problems (23.Apr.2005 5:51:00 PM)
quote: Originally posted by ClintD:
How did you determine that ISA was rekeying the SA?

When I looked over the real time monitoring, as well as looking at the Linksys log, the ISA monitor would show the external IP of ISA "initiating connection" to the Linksys IP. The Linksys log would reflect this as well.

quote: Was Main Mode or Quick Mode being re-keyed?

Main Mode, afaik. I would get a lot of 547 errors in the security event log, with this at the bottom:
IKE SA deleted before establishment completed

quote: Is the 360 seconds above a typo? Did you mean 3600?

Sorry, I should have also put in brackets 6 minutes to confirm, but no, 360 seconds was not a typo, that is actually how frequently IKE was being initiated by ISA.

quote: If you meant 360, it corresponds to the Windows IPSec reaper process - the reaper comes through every 5-6 minutes and cleans up any unused SAs.

Okay, I have a bit more for you if it helps. Whereas the vast majority of the time IKE is initiated every 360 seconds (6 minutes), there are the odd times (key lifetime settings notwithstanding) that IKE will be initiated every 480 seconds (8 minutes) after a pipe is connected, though this is rare.

quote: As for the Win2003 SP1 oddities - are your test "clients" Win2003 SP1?

Actually, the only Windows 2003 SP1/ISA 2004 SP1 in my testing has been one machine, pretty much a virgin install of the OS, upgraded to SP1, then ISA 2004 added, then SP1 for ISA 2004 (I know, I know, shouldn't install 2004 on an SP1 machine, should install 2004 then SP1 for Windows, right? Read something about this after the fact). The ISA server is then connected to a remote Linksys BEFSX41 VPN endpoint.

I must add though that under this setup (Windows 2003 SP1/ISA SP1) I could connect via PPTP to a Windows 2000/ISA 2000 machine and it worked fine. I don't have a computer running Windows 2003 SP1/ISA 2004 SP1 to test the IPSEC between them, just the Linksys and IOGEAR routers, the Linksys being a bit more configurable for IPSEC, however both work. I would have liked to test IPSEC between two Windows firewalls of the same setup before opening my mouth, but when I read cnytech's post, I couldn't resist posting my findings to date.

quote: There was a regression in Win2003 SP1 such that it disregards ICMP Destination Unreachable messages. This also occurs after installing the patch for MS05-019 on both Win2000 and WinXP. A fix for this is forthcoming (I work in MS' PSS).
I said that it could be correlated to the 360 second rekey as the packets would get dropped before IPSec could send them, resulting in the SA going idle. This is just conjecture on my part right now - I'd have to set it up for testing.

Your expertise on this subject is an invaluable addition to this forum, thanks for taking the time to hang around.

I will be doing a wipe and reload of the ISA server in question (made a lot of quick changes to the server during troubleshooting, as well I am not a big fan of removing service packs and still using the machine, would rather start fresh), likely without SP1 for Windows.

If you had a suggestion for installation path (eg, install Windows, install ISA 2004, upgrade to SP1 on ISA 2004, or even upgrade to SP1 on Windows) I would be happy to follow it and repost my results.

Thanks again Clint, and sorry cnytech if it looks like I hijacked your post.
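The symptom the poster describes, event 547 ("IKE security association negotiation failed") with the reason "IKE SA deleted before establishment completed" recurring on a fixed period, is easier to confirm from an exported log than from watching the monitor. The script below is an added example and is not code from the thread or from either product; it assumes a tab-separated export of the shape "timestamp, event id, message" (a constructed format), and the sample events are constructed to reproduce the 360-second cadence discussed above. It computes the gaps between consecutive 547 events and reports a period only when the gaps are steady, which separates a timer-driven cause (SA lifetime or idle-SA cleanup) from random link loss.

```python
"""Detect a fixed-interval IKE negotiation failure pattern in exported Windows Security events.

Added example, not part of the forum thread. Input lines are assumed (constructed format)
to be "<ISO timestamp>\t<event id>\t<message>", one event per line.
"""
from datetime import datetime
from statistics import median

# Constructed sample export: 547 failures roughly every 360 s plus one unrelated 541 event.
SAMPLE_EVENTS = """\
2005-04-23T17:00:00\t541\tIKE security association established.
2005-04-23T17:06:00\t547\tIKE security association negotiation failed. Failure Reason: IKE SA deleted before establishment completed
2005-04-23T17:12:00\t547\tIKE security association negotiation failed. Failure Reason: IKE SA deleted before establishment completed
2005-04-23T17:18:01\t547\tIKE security association negotiation failed. Failure Reason: IKE SA deleted before establishment completed
2005-04-23T17:24:00\t547\tIKE security association negotiation failed. Failure Reason: IKE SA deleted before establishment completed
"""

TARGET_EVENT_ID = 547
TARGET_REASON = "IKE SA deleted before establishment completed"


def parse_events(text):
    """Return (timestamp, event_id, message) tuples; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue
        ts_text, eid_text, message = parts
        try:
            ts = datetime.fromisoformat(ts_text)
            eid = int(eid_text)
        except ValueError:
            continue
        events.append((ts, eid, message))
    return events


def failure_intervals(events):
    """Seconds between consecutive 547 events that carry the target failure reason."""
    times = sorted(ts for ts, eid, msg in events
                   if eid == TARGET_EVENT_ID and TARGET_REASON in msg)
    return [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]


def periodic_failure(intervals, tolerance=0.05, min_samples=3):
    """Return the median gap if every gap lies within `tolerance` of it, otherwise None.

    A steady period points at a timer (SA lifetime, idle-SA cleanup) rather than
    at intermittent connectivity, which would give irregular gaps.
    """
    if len(intervals) < min_samples:
        return None
    period = median(intervals)
    if all(abs(gap - period) <= tolerance * period for gap in intervals):
        return period
    return None


def analyse(text):
    """Parse an export, compute failure gaps, and classify them."""
    gaps = failure_intervals(parse_events(text))
    return {"intervals": gaps, "period": periodic_failure(gaps)}


if __name__ == "__main__":
    result = analyse(SAMPLE_EVENTS)
    print("gaps between 547 failures (s):", result["intervals"])
    if result["period"] is not None:
        print(f"failures recur every ~{result['period']:.0f} s; compare against the SA lifetime and idle timers")
    else:
        print("no steady period found; gaps look irregular")
```

Run it against a real export by replacing `SAMPLE_EVENTS` with the file contents; the tolerance is loose on purpose so that a second of jitter between the log clock and the IKE timer, as in the 359/361-second sample gaps, still counts as the same period.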