I have ISA Server 2004 SP1 set up as a VPN and I am experiencing some weird issues. First, the VPN will work fine for days and then all of a sudden, nobody can connect to it. Using XP's VPN connection, it just sits there saying that it's trying to connect to the IP address. To fix it, all it takes is a restart of the Routing and Remote Access service. There isn't really anything in the event log that corresponds to the time that the VPN stops working. The Routing and Remote Access service doesn't even die, it still says running, but a restart is required to fix it. Is anyone else experiencing this issue?
I am also getting errors in the event log every time someone connects and then again when they disconnect. I have seen some posts regarding these errors, but I'm not sure which solution is the proper way to fix it. We have two NICs, one for internal and the other for external. The event log message is:
ISA Server detected routes through adapter LAN that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 0.0.0.1-10.1.1.0;10.1.1.251-10.255.255.254;68.0.0.0-70.249.41.162;70.249.41.164-126.255.255.255;128.0.0.0-216.41.134.98;216.41.134.100-223.255.255.255;240.0.0.0-255.255.255.254;.
Then when the user disconnects they get the same error message with slightly different IP addresses, as well as a similar message from the external NIC. Initially, the Internal network was set up manually by adding the range of private IP addresses associated with our LAN. I have seen that a way around this error message is to go into the Networks setting in ISA and do "Add Adapter" on the Internal network, but if I do that, it essentially adds all public IP addresses to the Internal network. That seems like a bad idea, to have all public IP addresses in the Internal network. In testing, I noticed that if I added all of the addresses of the internal network card, it defeats the purpose of the firewall, doesn't it?
These error messages don't seem to cause any problem, but I am wondering if they are related to the VPN stopping out of nowhere.
Does anyone have any idea how to fix these issues? All replies are much appreciated.
Not sure what's causing your problems with VPN/RRAS, but it's always good to eliminate any errors you can to have a cleaner space to troubleshoot in. A couple of questions to clear up the errors you described. Where does ISA sit in relation to the rest of your network? (Is it an edge, front, or back firewall? Does it have a perimeter network?) What are the IP ranges for each of your defined networks? Are you using DHCP or a static pool for VPN? What are the IP ranges for VPN?
I know how to get rid of the "ISA Server detected routes through adapter LAN that do not correlate...." errors. I just go to "Add adapter" and add the routing table associated with the NIC and it goes away, but then almost all public IP addresses show up as my Internal network. That seems rather odd, since I don't want those addresses in the Internal network, just external. Wouldn't that defeat the purpose of the firewall to have all public IPs in the internal (trusted) network?
The ISA server sits on the edge of our network. It has two NICs: one for the internal network and one with the public IP. We really only use it for our VPN. We have a firewall appliance for our firewall and gateway. We don't have a perimeter network, but as I look at the ISA settings, we are using the 3-Leg Perimeter network template. I don't know if that would cause the problem, but I should probably change that anyway.
The IP addresses of our Internal network are 10.1.1.0 to 10.1.1.255. The perimeter network doesn't have any IPs configured. Should that be the IP of our NIC with the public address? We are using DHCP for the VPN clients. The IP range is 10.1.1.100 to 10.1.1.255.
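To make the "address ranges in conflict" alert concrete, here is a small added script (not from this thread or from ISA Server) that parses the alert text quoted in the first post and compares each conflicting range with the Internal network definition given above (10.1.1.0 to 10.1.1.255). It reports, per range, whether the range already lies inside the defined Internal network, is private (RFC 1918) but undefined, or contains public addresses. The sample alert string is a constructed copy of the one quoted earlier, and the inclusive first/last representation of the Internal network is an assumption about how the range was entered.

```python
import ipaddress
import re

# Constructed sample input: the alert text quoted earlier in this thread.
SAMPLE_ALERT = (
    "ISA Server detected routes through adapter LAN that do not correlate with "
    "the network element to which this adapter belongs. ... The address ranges "
    "in conflict are: 0.0.0.1-10.1.1.0;10.1.1.251-10.255.255.254;"
    "68.0.0.0-70.249.41.162;70.249.41.164-126.255.255.255;"
    "128.0.0.0-216.41.134.98;216.41.134.100-223.255.255.255;"
    "240.0.0.0-255.255.255.254;."
)

# The Internal network as the poster describes it (assumed to be an inclusive
# first/last address range, the way ISA network address ranges are entered).
INTERNAL_NETWORK = ("10.1.1.0", "10.1.1.255")

# RFC 1918 private blocks used to decide whether a range holds public space.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_conflict_ranges(alert_text):
    """Extract the 'address ranges in conflict' list as (first, last) pairs."""
    match = re.search(r"address ranges in conflict are:\s*(.*)", alert_text, re.S)
    if not match:
        return []
    pairs = []
    for chunk in match.group(1).split(";"):
        chunk = chunk.strip().rstrip(".")   # the list ends with ";." in the alert
        if not chunk:
            continue
        first, last = chunk.split("-")
        pairs.append((ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    return pairs


def overlap_count(first, last, block_first, block_last):
    """Number of addresses shared by two inclusive ranges (0 if disjoint)."""
    lo = max(int(first), int(block_first))
    hi = min(int(last), int(block_last))
    return max(0, hi - lo + 1)


def public_address_count(first, last):
    """How many addresses in [first, last] fall outside RFC 1918 private space."""
    first = ipaddress.IPv4Address(first)
    last = ipaddress.IPv4Address(last)
    total = int(last) - int(first) + 1
    private = sum(overlap_count(first, last, b[0], b[-1]) for b in RFC1918)
    return total - private


def assess_ranges(alert_text, internal=INTERNAL_NETWORK):
    """Classify each conflicting range against the defined Internal network."""
    int_first = ipaddress.IPv4Address(internal[0])
    int_last = ipaddress.IPv4Address(internal[1])
    report = []
    for first, last in parse_conflict_ranges(alert_text):
        public = public_address_count(first, last)
        inside = int_first <= first and last <= int_last
        if inside:
            verdict = "within defined Internal network"
        elif public == 0:
            verdict = "private but not in Internal definition"
        else:
            verdict = "contains %d public addresses" % public
        report.append({"range": "%s-%s" % (first, last), "public": public,
                       "inside_internal": inside, "verdict": verdict})
    return report


if __name__ == "__main__":
    for row in assess_ranges(SAMPLE_ALERT):
        print("%-30s %s" % (row["range"], row["verdict"]))
```

Run against the quoted alert, six of the seven ranges contain public addresses and none of them sits inside the 10.1.1.0-10.1.1.255 definition, which is why "Add Adapter" would pull public space into the Internal network rather than simply filling a gap in the private range.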
Thanks for the suggestion. I found that also. I was going to install that, but it is included in ISA 2004 SP1 and that is already installed. That isn't exactly what's going on, but it is similar. It might be worth reinstalling SP1 though.
No, I still have the problem. My "solution" so far is to schedule a restart of the routing and remote access service with a batch file every night. That's not really a solution, but it will restart it if it breaks after I go home for the day.