I have what is turning out to be a very frustrating problem. I have installed and configured ISA 2004 as per the instructions in the 2004 VPN deployment kit. Except that I have not enabled L2TP/IPSEC or RADIUS authentication. So, at this point the machine is configured to accept PPTP only with Windows authentication. ISA is configured with the edge firewall template and is a domain member. The only other service is DNS in a caching only mode. Access rule for VPN clients to the internal network is configured and enabled. A number of server publishing rules are currently working correctly. Below is the error received during the logon process:
Disconnected
Error 721: The remote computer did not respond. etc ..etc...
Any assistance provided will be greatly appreciated.
From the client, can you telnet to ISAs external address on 1723?
c:\telnet %ISAs_IP% 1723
If you get a blank screen, that's a good connection.
If it fails to connect, go into the ISA console and go to the VPN node. On the right, under General VPN Configuration, there is an option for "Select Access Networks" - go in there and see if the "External" network is enabled for VPN connections.
Thanks for your response Clint...I get a telnet connection to the server...(press any key to continue)...so the port is open. Yes I have confirmed that the server is set to accept connections from the external network. I have found that I can connect to the server via vpn from an internal client using the internal interface. But fail using the external ip. I receive the verifying username and password dialog box...then after awhile the connection drops....Still investigating....this was easier with 2000...but can't go back now...lol
Ahh - if it is failing at "Verifying user name and password", that is typical of GRE (IP Protocol 47) being dropped somewhere.
Where is this client connecting from? Behind a NAT device? Live on the internet?
User credentials are sent over GRE so this is why you see the "Verifying user name and password".
Do you sometimes get the "Error 721: The remote computer did not respond..." from your first post, and other times get the verifying user name and password?
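The reply above separates PPTP's two requirements: the TCP 1723 control channel that the telnet test reaches, and GRE (IP protocol 47), which a NAT device may drop. The following is an added example, not code from the thread or its posters, that classifies raw IPv4 packets and reports which of the two is missing; it assumes the packets were captured on the VPN server's external interface, and the addresses and sample packets are constructed.

```python
import struct

PPTP_TCP_PORT = 1723       # PPTP control channel, the port the telnet test reaches
IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_GRE_TYPE = 0x880B     # protocol type of PPTP's enhanced GRE header (RFC 2637)

def ip_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))

def classify(pkt: bytes) -> str:
    """Return 'control', 'gre' or 'other' for one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    payload = pkt[(pkt[0] & 0x0F) * 4:]          # skip IP header incl. options
    if len(payload) < 4:
        return "other"
    first, second = struct.unpack("!HH", payload[:4])
    if pkt[9] == IPPROTO_TCP and PPTP_TCP_PORT in (first, second):
        return "control"                         # first/second = src/dst port
    if pkt[9] == IPPROTO_GRE and (first & 0x7) == 1 and second == PPTP_GRE_TYPE:
        return "gre"                             # GRE version 1 carrying PPP
    return "other"

def diagnose(packets, client: str) -> str:
    """Summarise what a capture on the server's external NIC shows (assumed vantage)."""
    cli, seen = ip_bytes(client), set()
    for pkt in packets:
        kind = classify(pkt)
        if kind == "other" or cli not in (pkt[12:16], pkt[16:20]):
            continue
        seen.add(kind if kind == "control" else
                 "gre_in" if pkt[12:16] == cli else "gre_out")
    if "control" not in seen:
        return "no PPTP control traffic: check TCP 1723 forwarding"
    if "gre_in" not in seen:
        return "TCP 1723 works but no GRE arrives: protocol 47 dropped on the path"
    if "gre_out" not in seen:
        return "GRE arrives but the server sends none back"
    return "control channel and GRE seen in both directions"

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    # Builds a constructed sample packet; the checksum is left at 0 and not validated.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ip_bytes(src), ip_bytes(dst)) + payload

# Constructed sample: documentation addresses, not values from the thread.
CLIENT, SERVER = "198.51.100.7", "203.0.113.10"
TCP_SYN = ipv4(CLIENT, SERVER, IPPROTO_TCP, struct.pack("!HH", 49152, 1723) + bytes(16))
GRE_IN = ipv4(CLIENT, SERVER, IPPROTO_GRE, bytes.fromhex("3001880b") + bytes(8))
GRE_OUT = ipv4(SERVER, CLIENT, IPPROTO_GRE, bytes.fromhex("3001880b") + bytes(8))
```

`diagnose([TCP_SYN], CLIENT)` reproduces the case in this thread, where the telnet test succeeds but the logon stalls; passing all three sample packets gives the healthy result.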
You know what Clint, it is behind a Linksys cable/dsl router. I always get the verifying username and password dialog box. Maybe I will have to put the server directly onto the internet and bypass the router. Although I have the DMZ enabled and specified the IP of the ISA server. I have found that with NAT disabled and RIPv2 enabled, I am unable to reach the server. Any thoughts on what configuration setup might work in this situation?
On another note, I am having another problem receiving and sending email. I have published the smtp server to an alternate port. The logs show a connection initiated at the server as per the rule. However, no mail is received at the server. Attempts to send mail, also fail. The exchange server reports.."The remote server did not respond to the connection attempt". I have smtp rules in place for outbound/inbound traffic to no avail.....I published the smtp server on the alternate port using the same method I used on the ISA 2000, which is still working perfectly at another location....I want to use 2004 because of the new features...so any help you can provide is appreciated muchly.
It sounds like the ISA Server is in a DMZ with a private IP - is this right?
To be honest, I'd put ISA directly on the internet - at least until you've verified the Server Publishing rule for SMTP is setup correctly.
So for now, the Linksys NATs its public IP on port 25 to ISA which then translates it to some internal server on non-standard SMTP port - do I understand your configuration? Does ISA have 2 NICs?
Update, I have connected the ISA server directly to the cable modem. When I did this, I got as far as the registering computer on the network dialog before there was a 736 error. I was able to fix this problem by creating rules to allow DHCP traffic to and from the vpn client network. So, I am happy to report that I am now able to connect via pptp. Thanks for letting me bounce ideas off you Clint.
However, the smtp problem still persists. I can see the connection being initiated at the server. But then the logs report the connection denied, by the default rule. I find this odd since I have specifically created a protocol definition and published the server using this definition. Is there a step I am missing? The same can be said for port 25: the logs show the connection to the external IP but again the mail never actually leaves the exchange server. Again the exchange queue reports the server did not respond to a connection attempt. This leads me to believe the acknowledgement from the external smtp server never reaches the internal smtp server. Is there a particular port or range of ports that this communication takes place over?
Oh sorry I didn't really answer your question. No ISA is not on a DMZ. It has two NICs, a private IP and a public IP. The server is a domain member and the connection to the AD and Exchange servers are fine at this point.
Good question Clint and no worries about being blunt with me... I would have asked the same question. Well, the answer is that the ISP blocks the incoming port 25....and as a hunch I figured they might be doing the same thing outbound. So, I configured the exchange server to use their server as a smarthost and lo and behold...the email is sent with no problem... It took awhile but now it works....now I will work on publishing the owa site....Hopefully, that goes smoothly. Thanks again... Oh and by the way ISA rocks.
Hello there. You seem to know what you're talking about here, any chance you can help me? I have recently set up SB Server 2003 without any prior knowledge and have been stuck for a bit. Finally got emails and the VPN working now. I am behind a NAT, with the router directing to the main server's internal IP. Had a problem getting off the VPN verifying username screen but sorted that out. Now it connects and on the client screen the network connection appears working in the system tray but I can't see either the server or client in My Network Places. Can't get to any files or folders at all. Can see the client in the server's Remote Access Clients list so I think I'm almost there. Any assistance would be greatly appreciated. Scott
Hi Clint,
New installation and I have the same problem described above. I have the exact configuration as you depict:
%Public_IP% ---------- Linksys ---------- %DMZ_IP%
%DMZ_IP% ---------- ISA Server ---------- %LAN_IP%
%LAN_IP% SMTP Server
And I do this as per recommendation because I use darn pppoe dsl. Will this work? I receive "failed connection attempt" when I try to connect an smtp server to exchange even if I have the proper publishing rules, and get stuck at Verifying username and password when I try to vpn. I have also tried to go direct with a pppoe dialup directly on the ISA Server but the connection was flaky....
I will revert back to the previous firewall which works for now but would really like to put this ISA in production (this is my third trial).
Dear all, I got the same error issue as terryb's situation.
"Error 721: The remote computer did not respond. etc ..etc..."
I got a win03 and ISA2004 sp1. I haven't yet deployed L2TP, just PPTP protocol. The connection seemed ok when I typed the telnet command. c:\telnet %ISAs_IP% 1723 I got a blank screen which means the connection is ok.
As ClintD replied, if it is failing at "Verifying user name and password", that is typical of GRE (IP Protocol 47) being dropped somewhere.
I'm connecting behind a NAT?
Could you pls show me where I should check next? Any assistance would be greatly appreciated.
I have the same problem as Mr. Terryb: "I have what is turning out to be a very frustrating problem. I have installed and configured ISA 2004 as per the instructions in the 2004 VPN deployment kit. Except that I have not enabled L2TP/IPSEC or RADIUS authentication. So, at this point the machine is configured to accept PPTP only with Windows authentication. ISA is configured with the edge firewall template and is a domain member. The only other service is DNS in a caching only mode. Access rule for VPN clients to the internal network is configured and enabled. A number of server publishing rules are currently working correctly. Below is the error received during the logon process"
Error: "Error 691 access was denied because the username and/or password was invalid on the Domain"
But I checked the username very carefully, with "allow access dial in", and the password. That user can log on to my domain. I checked telnet to port 1723 and it was successful. But I cannot initiate the connection from client to gateway. Please help me.
Hi ClintD, I did as you showed, and this is the content of the IASSAM log file:
[1088] 06-09 13:30:38:323: NT-SAM Names handler received request with user identity test@MYDOMAIN.com.
[1088] 06-09 13:30:38:448: DsCrackNames failed: The remote procedure call failed and did not execute.
[1088] 06-09 13:30:38:448: Caught COM exception: The system cannot open the file.
[1088] 06-09 13:30:38:448: Invoking AuthorizationDLLs
[1088] 06-09 13:30:38:448: Invoking extension vpnplgin.dll
[1088] 06-09 13:30:38:479: RadiusExtensionProcess2 returned 0
[1088] 06-09 13:30:38:479: Invoking extension vpnplgin.dll
[1088] 06-09 13:30:38:479: RadiusExtensionProcess2 returned 0
[1088] 06-09 13:30:43:151: NT-SAM Names handler received request with user identity test@MYDOMAIN.com.
[1088] 06-09 13:30:43:167: DsCrackNames failed: The remote procedure call failed and did not execute.
[1088] 06-09 13:30:43:167: Caught COM exception: The system cannot open the file.
[1088] 06-09 13:30:43:167: Invoking AuthorizationDLLs
[1088] 06-09 13:30:43:167: Invoking extension vpnplgin.dll
[1088] 06-09 13:30:43:167: RadiusExtensionProcess2 returned 0
[1088] 06-09 13:30:43:167: Invoking extension vpnplgin.dll
[1088] 06-09 13:30:43:167: RadiusExtensionProcess2 returned 0
I did not understand what it says and still cannot connect to the VPN. Please help me. Thanks so much, ClintD. Because I'm from Viet Nam, my language is limited, please help me.