Welcome to ISAserver.org

ISA 3rd party ipsec site to site and ad domain repl traffic - solution found

ISA 3rd party ipsec site to site and ad domain repl traffic - 9.May2005 4:23:00 PM
rgransbury
Posts: 11
Joined: 11.Jun.2001
From: Altoona PA USA
I have experienced the following problem and would like some of the great input that others put forth on this message board.

After upgrading from ISA 2000 and Windows 2000 to ISA 2004 SP1 and Windows 2003 SP1, we found that a remote location that connected to our main location via a SnapGear appliance using PPTP could no longer connect. Our other ISA 2000 machines had no problems connecting. After some troubleshooting I could not get the SnapGear to connect. As a temporary solution to the problem I initiated a PPTP connection from a W2000 DC at the remote site, through the SnapGear. After changing some routing all was well.
During this same time we were testing 3rd party IPsec site-to-site with SonicWall TZ150s. After some successful testing with the IPsec, we decided to replace the SnapGear with a SonicWall TZ 150 and use IPsec.
I set up as per the white paper from Microsoft.
I added the IPsec remote site to a network set I have called [site to site vpns], which has network and firewall rules pre-set up. We have 5 PPTP VPNs that are set up and use these rules.
The setup of the SonicWall went smoothly and in under an hour we had the 3rd party IPsec gateway to ISA 2004 working. We could ping the servers at our main location. RDP, mail, telnet all worked. But soon we noticed a problem with Active Directory replication. The remote location has a DC for a child domain. KCC events began appearing in the event logs of DCs on both sides of the VPN. The child domain at the remote site could not be replicated to. I did some troubleshooting and would get an LDAP 31 error when running the dcdiag connectivity test from the main site to the remote site. A connectivity test from the remote site to the DCs at the main site would pass.

I began troubleshooting the LDAP 31 error. There is quite a lot of info related to this on the internet. After trying everything I could find I began to wonder if this was not a Windows error but something related to IPsec.
I called Microsoft and downloaded the new W2003 ICMP MTU messaging patch. No luck.
To confirm suspicions that IPsec was causing the problem, I re-set up the ad hoc PPTP from the DC at the remote site. After deleting the IPsec site-to-site, setting up the new one for PPTP and changing routing, Active Directory repl traffic resumed.

No amount of logging using ISA 2004's great new logging tool reported a problem. I would see connection information for the Active Directory traffic (i.e. connection successful) but would still receive the LDAP error.

Because the problem dissolved after changing the major variable, the VPN transport, it seems something with the IPsec caused the AD repl to fail.

Here is some tech info for the above setups.
Main site:
Domain:
rootdomain.com
Subnets:
10.10.0.0 / 255.255.0.0
10.21.0.0 / 255.255.0.0
ISA server:
W2003 SP1
ISA 2004 SP1
2 network interfaces named public and private
Supports incoming VPNs with the following:
No change to the system policy to support incoming VPN traffic on the public interface
network set called site to site vpns
network rule [site to site vpns] routed relationship to [internal]
firewall rule [site to site vpns] [all outbound] [internal]
[internal] [all outbound] [site to site vpns]
LDAP 31 error on dcdiag connectivity test to remote site

Remote location:
Domain:
child.rootdomain.com
Subnet:
10.23.0.0 / 255.255.0.0
No ISA server
Connects to main via VPN appliance
dcdiag test passes

IPsec setup
3DES
SHA1
Group 2
28800 / 3600 key renew rates

RE: ISA 3rd party ipsec site to site and ad domain repl traffic - 9.May2005 10:53:00 PM
ClintD
Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
You'll probably have to break out NetMon on this and see what is getting dropped.

How about a basic Black Hole Router test? Start at 1472 and see where it starts failing: `ping %RemoteDC% -f -l 1472`. I don't know if it's the SonicWall or Windows dropping the packets, but this will be where you have to start. I understand you have the newer ICMP hotfix, but one side might not be sending the ICMP Destination Unreachable messages.

As a test, you might consider setting EnablePMTUBHDetect on one of the DCs on the ISA side and see if things improve.

EnablePMTUBHDetect Info

This is only a temporary test though - you definitely don't want to keep this entry. [Big Grin]

Additionally, you might set the MaxPacketSize registry entry for Kerberos to force it to use TCP - there might be some fragmentation issues with UDP across the IPsec tunnel - Win2003 IPsec Tunnel Mode has a bit more intelligence for IP fragments, but I'm not sure if SonicWall does the same.

MaxPacketSize Info

PPTP and L2TP both have their own fragmentation protection, so it might explain why it works with PPTP but not with vanilla IPsec.

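One way to run the three checks ClintD lists from a Windows box, as an added PowerShell example that is not part of the thread. $RemoteDC is a placeholder for the child-domain DC across the tunnel; the registry paths are Microsoft's documented locations for EnablePMTUBHDetect (Tcpip\Parameters) and the Kerberos MaxPacketSize value (Lsa\Kerberos\Parameters); the 28 bytes added to the ping payload are the IP and ICMP headers that `ping -l` does not count. The registry functions change a domain controller, so run them deliberately and from an elevated prompt.

```powershell
# Added example, not from the thread. Reproduces ClintD's three steps:
#   1. DF-ping sweep to find the path MTU (black-hole router test)
#   2. temporary EnablePMTUBHDetect toggle on one DC
#   3. MaxPacketSize = 1 so Kerberos never uses UDP (the fix that worked)
param([string]$RemoteDC = 'dc1.child.rootdomain.com')   # assumed host name

# 1. Largest ICMP payload that crosses the path with DF set. 1472 + 28 header
#    bytes = 1500, i.e. a clean Ethernet path; anything smaller means a
#    tunnel or link is eating MTU. A DF failure prints "needs to be
#    fragmented"; a real black hole just times out. Both lack "TTL=".
function Find-PathMtu {
    param([string]$Target, [int]$Low = 0, [int]$High = 1472)
    $ok = { param($size)
        $out = & ping.exe -n 1 -w 2000 -f -l $size $Target 2>&1 | Out-String
        return ($out -match 'TTL=')
    }
    if (-not (& $ok $Low)) { throw "Even $Low-byte DF pings to $Target fail; check routing first" }
    # binary search: $Low always works, $High is the first size not yet proven
    while ($High - $Low -gt 1) {
        $mid = [int](($Low + $High) / 2)
        if (& $ok $mid) { $Low = $mid } else { $High = $mid }
    }
    if (& $ok $High) { $Low = $High }
    [pscustomobject]@{ Target = $Target; Payload = $Low; PathMtu = $Low + 28 }
}

# 2. Temporary test only: let the TCP stack probe for black-hole routers by
#    itself. Revert afterwards, exactly as ClintD says.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
function Enable-PmtuBlackHoleDetect {
    param([switch]$Revert)
    if ($Revert) {
        Remove-ItemProperty -Path $tcpip -Name EnablePMTUBHDetect -ErrorAction SilentlyContinue
    } else {
        New-ItemProperty -Path $tcpip -Name EnablePMTUBHDetect -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Get-ItemProperty -Path $tcpip -Name EnablePMTUBHDetect -ErrorAction SilentlyContinue
}

# 3. Kerberos sends a request over UDP when it is smaller than MaxPacketSize
#    and over TCP otherwise; a value of 1 forces TCP for everything, so
#    oversized tickets are never fragmented UDP inside the IPsec tunnel.
#    Assumption: the value is read at service start, so reboot the DC.
$krb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
function Set-KerberosTcpOnly {
    if (-not (Test-Path $krb)) { New-Item -Path $krb -Force | Out-Null }
    New-ItemProperty -Path $krb -Name MaxPacketSize -PropertyType DWord -Value 1 -Force | Out-Null
    Get-ItemProperty -Path $krb -Name MaxPacketSize
}

Find-PathMtu -Target $RemoteDC
# Enable-PmtuBlackHoleDetect            # step 2; undo with -Revert
# Set-KerberosTcpOnly                   # step 3; then rerun dcdiag /test:connectivity
```

Run the sweep on both sides, since the original poster saw dcdiag pass in one direction and fail in the other. An ESP tunnel with 3DES/SHA1 adds roughly 50 to 60 bytes per packet (new IP header, ESP header, IV, padding, trailer and ICV), so a 1500-byte link leaves around 1440 bytes for the inner packet; a Kerberos reply carrying a PAC exceeds that easily, which is why forcing TCP, where the stack handles segmentation, resolved the LDAP 31 error in this thread even though the DF-ping sweep looked clean.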
RE: ISA 3rd party ipsec site to site and ad domain repl traffic - 10.May2005 2:44:00 PM
rgransbury
Posts: 11
Joined: 11.Jun.2001
From: Altoona PA USA
I had previously tested for black hole routes and did not find an issue there.

But I did try the last item you had listed - forcing Kerberos to use TCP. This worked.

Thank you very much for your input!
