troubleshooting vpn between isa 2006 and netvanta 3448
troubleshooting vpn between isa 2006 and netvanta 3448 - 20.Jul.2007 11:33:21 PM
bhavin78
I configured a VPN between ISA Server 2006 and a NetVanta 3448 using IPSec (pre-shared key). I am still not able to ping either side of the network. In the ISA log I can see an entry for the VPN between main and branch office: connection initiated, and right away there is an entry connection closed. How can I troubleshoot this issue? I called NetVanta tech support and I was on the phone with them for 2 hours, and they did not see anything wrong with the VPN configuration on the router. Any help to find out what's wrong with the VPN connection?
< Message edited by bhavin78 -- 23.Jul.2007 11:24:50 PM >
RE: troubleshooting vpn between isa 2006 and netvanta 3448 - 23.Jul.2007 11:34:39 PM
bhavin78
Tech support from NetVanta called me back after they reviewed the debug file on the NetVanta router, and they told me that ISA Server is rejecting the ID (which is the IP of the NetVanta).
RE: troubleshooting vpn between isa 2006 and netvanta 3448 - 25.Jul.2007 1:10:53 AM
bhavin78
This is what I have from Event Viewer on ISA Server:

IKE security association established.
Mode: Key Exchange Mode (Main Mode)
Peer Identity: Preshared key ID.
Peer IP Address: 64.136.240.146
Filter:
Source IP Address 209.187.235.21
Source IP Address Mask 255.255.255.255
Destination IP Address 64.136.240.146
Destination IP Address Mask 255.255.255.255
Protocol 0
Source Port 0
Destination Port 0
IKE Local Addr 209.187.235.21
IKE Peer Addr 64.136.240.146
IKE Source Port 500
IKE Destination Port 500
Peer Private Addr
Parameters:
ESP Algorithm Triple DES CBC
HMAC Algorithm MD5
Lifetime (sec) 28800
MM delta time (sec) 0

Main Mode / Statistic from IPSecMonitor:
Active Acquire: 1
Negotiation Failures: 388
Total Acquire: 14
Total Get SPI: 23
Get SPI Failure: 1
ISADB List Size: 1
IKE Main Mode: 21
Invalid Packet received: 71
Everything else is 0

Quick Mode / Statistic:
Everything is 0
RE: troubleshooting vpn between isa 2006 and netvanta 3448 - 9.Aug.2007 6:54:26 PM
bhavin78
Hi Stefaan, I did capture logs using MS network monitoring tools, but I don't have any server on the internet to copy those logs. Can you email me at bhavin78@gmail.com and send the logs via email?
RE: troubleshooting vpn between isa 2006 and netvanta 3448 - 10.Aug.2007 2:23:10 PM
spouseele
Hi bhavin78, will do... HTH, Stefaan
RE: troubleshooting vpn between isa 2006 and netvanta 3448 - 11.Aug.2007 12:23:50 PM
spouseele
Hi bhavin78,

if you look at the netmon trace you can conclude three important things:
- there is no NAT along the path.
- the IKE main mode negotiation succeeds because we see IKE quick mode packets.
- the IKE quick mode doesn't seem to go well because we don't see ESP packets.

Because a netmon trace is only useful in debugging the IKE main mode negotiation, we have to look at the IKE logging and hopefully we find there what is going wrong. The IKE logging confirms that the main mode negotiation completes successfully:

quote:
8-09: 17:36:28:170:ffc AUTH: Phase I authentication accepted
8-09: 17:36:28:170:ffc ClearFragList
8-09: 17:36:28:170:ffc MM established. SA: 00102F40

Next we see the start of an IKE quick mode negotiation for the communication between 64.136.240.146/32 and 192.168.100.0/24. However, the remote VPN box responds with an 'ISAKMP Informational Exchange' message.

quote:
8-09: 17:36:28:232:ffc Receive: (get) SA = 0x00102f40 from 64.136.240.146.500
8-09: 17:36:28:232:ffc ISAKMP Header: (V1.0), len = 76
8-09: 17:36:28:232:ffc I-COOKIE 05fa0766964e8e48
8-09: 17:36:28:232:ffc R-COOKIE e155f4686c55fa38
8-09: 17:36:28:232:ffc exchange: ISAKMP Informational Exchange
8-09: 17:36:28:232:ffc flags: 1 ( encrypted )
8-09: 17:36:28:232:ffc next payload: HASH
8-09: 17:36:28:232:ffc message ID: b27acf23
8-09: 17:36:28:232:ffc processing HASH (Notify/Delete)
8-09: 17:36:28:232:ffc processing payload NOTIFY
8-09: 17:36:28:232:ffc Unknown Notify Message 24578

That indicates that the remote site doesn't agree with the quick mode proposal offered by the ISA. We can't determine the exact cause because the notify message is unknown to the ISA server. Thereafter, ISA retransmits the proposal several times and finally gives up. So, I think you should double check the settings of the Remote Site on the ISA and compare them with what is defined in the remote VPN gateway.

HTH,
Stefaan
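
Added example, not part of the original post and not ISA Server code: a short Python script that pulls notify codes out of IKE log lines in the format quoted above and looks them up in the ISAKMP (RFC 2408) and IPsec DOI (RFC 2407) notify tables. The function and variable names are my own, and the sample input is four of the log lines from the post.

```python
import re

# Notify error types 1-30 from RFC 2408 section 3.14.1, in numeric order.
_ERRORS = """INVALID-PAYLOAD-TYPE DOI-NOT-SUPPORTED SITUATION-NOT-SUPPORTED
INVALID-COOKIE INVALID-MAJOR-VERSION INVALID-MINOR-VERSION INVALID-EXCHANGE-TYPE
INVALID-FLAGS INVALID-MESSAGE-ID INVALID-PROTOCOL-ID INVALID-SPI
INVALID-TRANSFORM-ID ATTRIBUTES-NOT-SUPPORTED NO-PROPOSAL-CHOSEN
BAD-PROPOSAL-SYNTAX PAYLOAD-MALFORMED INVALID-KEY-INFORMATION
INVALID-ID-INFORMATION INVALID-CERT-ENCODING INVALID-CERTIFICATE
CERT-TYPE-UNSUPPORTED INVALID-CERT-AUTHORITY INVALID-HASH-INFORMATION
AUTHENTICATION-FAILED INVALID-SIGNATURE ADDRESS-NOTIFICATION NOTIFY-SA-LIFETIME
CERTIFICATE-UNAVAILABLE UNSUPPORTED-EXCHANGE-TYPE UNEQUAL-PAYLOAD-LENGTHS""".split()
NOTIFY = dict(enumerate(_ERRORS, 1))
# Status types: CONNECTED (RFC 2408) and the IPsec DOI ones (RFC 2407, 4.6.3).
NOTIFY.update({16384: "CONNECTED", 24576: "RESPONDER-LIFETIME",
               24577: "REPLAY-STATUS", 24578: "INITIAL-CONTACT"})

# Assumed line layout, taken from the quoted log: "<m-dd>: <h:m:s:ms>:<thread> <text>"
ENTRY = re.compile(r"^\s*\d+-\d+: (\d+:\d+:\d+:\d+):(\w+)\s+(.*)$")
PEER = re.compile(r"from (\d+\.\d+\.\d+\.\d+)\.(\d+)")
CODE = re.compile(r"Notify Message (\d+)")

def notify_events(log_text):
    """Return one dict per notify line, with the peer and exchange seen before it."""
    events, peer, exchange = [], None, None
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # not an IKE log entry
        stamp, _thread, msg = m.groups()
        if msg.startswith("Receive:") and PEER.search(msg):
            peer, exchange = PEER.search(msg).group(1), None  # new inbound packet
        elif msg.startswith("exchange:"):
            exchange = msg.split(":", 1)[1].strip()
        elif CODE.search(msg):
            code = int(CODE.search(msg).group(1))
            # RFC 2408: values below 16384 are errors, 16384 and above are status.
            events.append({"time": stamp, "peer": peer, "exchange": exchange,
                           "code": code, "kind": "error" if code < 16384 else "status",
                           "name": NOTIFY.get(code, "unassigned/private")})
    return events

# Sample input: log lines copied from the post above.
SAMPLE = """\
8-09: 17:36:28:232:ffc Receive: (get) SA = 0x00102f40 from 64.136.240.146.500
8-09: 17:36:28:232:ffc exchange: ISAKMP Informational Exchange
8-09: 17:36:28:232:ffc processing payload NOTIFY
8-09: 17:36:28:232:ffc Unknown Notify Message 24578
"""
if __name__ == "__main__":
    print(notify_events(SAMPLE))
```

For the notify line quoted in the post, the lookup returns INITIAL-CONTACT, a status type defined by the IPsec DOI, not one of the error types such as NO-PROPOSAL-CHOSEN (14) or INVALID-ID-INFORMATION (18).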
RE: troubleshooting vpn between isa 2006 and netvanta 3448 - 12.Aug.2007 6:12:46 PM
bhavin78
quote:
check the settings of the Remote Site on the ISA and compare them with what is defined in the remote VPN gateway

I will check and post the settings on both ISA and NetVanta. Thanks a lot for your help!
RE: troubleshooting vpn between isa 2006 and netvanta 3448 - 14.Aug.2007 3:22:10 PM
spouseele
Hi bhavin78, I can't comment on the NetVanta configuration because I don't know anything about that device. However, what happens if you remove the VPN endpoint itself from the remote internal network definitions (in your case 64.136.... from the addresses tab in ISA)? HTH, Stefaan
RE: troubleshooting vpn between isa 2006 and netvanta 3448 - 15.Aug.2007 9:45:51 PM
bhavin78
Did you find anything from the logs or the configuration? If I remove the remote address from the address tab, this is the message I get:

The remote gateway IP Address (64.136...) is currently not included in the network address ranges of the remote site network. To allow NAT to be applied to traffic from the local site to the remote vpn site, and support for all protocols, remove this IP address from the network it is currently included in, and then add it to network address ranges of this network.
RE: troubleshooting vpn between isa 2006 and netvanta 3448 - 16.Aug.2007 3:17:28 PM
spouseele
Hi bhavin78, we are just trying to simplify the configuration as much as possible in order to catch the root cause. By removing that IP address from the remote internal network definition, we are lowering the number of IPSec filters needed and therefore the number of quick mode negotiations needed. BTW --- the remote gateway's IP is only needed when traffic *within* the tunnel is sourced from or destined for that IP address. For more info, check out Troubleshooting IPSec Tunnel Mode Scenarios. HTH, Stefaan
RE: troubleshooting vpn between isa 2006 and netvanta 3448 - 17.Aug.2007 9:44:57 AM
bhavin78
Here's what I did:
- On NetVanta I changed the remote ID IP from the ISA ext IP to the ISA int IP. (ISA doesn't have remote ID parameters.)
- On NetVanta I changed Response Mode from Any to Main.
- I also removed the remote IP from the address tab of ISA, and now it's working.

Thanks a lot for your help.
RE: troubleshooting vpn between isa 2006 and netvanta 3448 - 9.Sep.2007 1:39:49 PM
bhavin78
The VPN is configured between the NetVanta router and ISA. It's up and running fine, but for some reason I am not able to connect Outlook from the remote office (with the NetVanta router) to the Exchange server at the main office with ISA Server. Note: ISA server Default Gateway is not IP of ISA. All outbound protocols are opened from the remote office to the main office.