Windows Server Forum / ISA Server / ISA General Topics / September 2004
Bizarre ISA2004 VPN Issues, Please help
Z D - 22 Sep 2004 19:24 GMT Hello,
I have some strange VPN behaviour with ISA2004.
I have configured ISA 2004 to allow 5 VPN connections. I've only allowed PPTP and not L2TP/IPSEC.
I have the necessary security permissions for the client dialing in.
When the client tries to VPN in, I get Error 800. When I view the ISA2004 realtime logs, it says "Protocol: PPTP, Action: Failed Connection Attempt, Rule: Allow VPN Traffic to ISA Server".
I couldn't figure out what was going on, so I manually went into RRAS to double check the settings that ISA2004 should have configured in it. I noticed that there are only L2TP ports available (WAN Miniport (L2TP)(VPN4-...) )!!! No PPTP ports are configured!!
So, I went back to ISA 2004 and I can see for sure that PPTP is selected and L2TP/IPSEC is NOT selected. SO, what is going on? Why isn't ISA putting the correct info into RRAS? Is it a bug?
please advise, thanks!
-ZD
"Eric Sun [MSFT]" - 23 Sep 2004 11:03 GMT Hi,
After testing, I cannot reproduce the problem; if the 'Enable VPN Client' wizard was run, 5 PPTP ports should be created in RRAS automatically. I would suggest the following:
I. Disable VPN in ISA console.
1. Open ISA Management.
2. Click VPN node.
3. Click 'Verify that VPN client is enabled'.
4. Uncheck the 'Enable the VPN client access' option.
5. Click OK.
6. Click Apply.
II. Disable RRAS.
1. Open RRAS console.
2. Right click Server and click All Tasks -> Stop.
III. Enable VPN access with only PPTP.
1. Open ISA Management.
2. Click VPN node.
3. Click 'Verify that VPN client is enabled'.
4. Check the 'Enable the VPN client access' option.
5. In the protocol tab, please check the PPTP option and uncheck the L2TP option.
6. Click OK.
7. Click Apply.
Are the ports created in RRAS? Could this issue be reproduced? If the problem persists, let's get the application & System event logs and ISAINFO for ISA 2K4 to me at v-ericsu@microsoft.com:
1) Download the file from the following URL: http://www.isatools.org/isainfo/ISAInfo.zip
2) Extract all files to a folder on the ISA server.
3) Double click Isainfo.js. This will generate 2 files, ISAInfo2004-<computer-name>.log and ISAInfo2004-<computer-name>.xml, in the current folder.
4) Please send these files to me.
Hope that helps.
Best Regards,
Eric Sun, MCSE2000 / MSCA / MCDBA Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
===================================================== When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue. =====================================================
This posting is provided "AS IS" with no warranties, and confers no rights --------------------
Z D - 23 Sep 2004 20:13 GMT Hi Eric,
I've sent you all the info in an email earlier this morning. Hopefully you will be able to make some sense of what's going on!
thanks -ZD
"Eric Sun [MSFT]" - 24 Sep 2004 15:20 GMT Hi Zane,
Thanks for your great information. Below are my research results, followed by an action plan.
1. From the screenshot of the port list, we can see that PPTP is not listed and L2TP is listed as 'Used by' 'RAS/Routing'. From the screenshot of the port properties, we can see that the PPTP ports are 'used by' 'RAS' and the L2TP ports are used by 'None' (which should not be listed in the port list with 'None').
Action Plan: In the port properties, click PPTP and click the Configure button. Check the following two check boxes:
'Remote access connections (inbound only)'
'Demand-dial routing connections (inbound and outbound)'
Click L2TP and click the Configure button. Then uncheck the above two check boxes.
Refresh the port list. What's the result now?
2. If the problem persists, I think the RRAS service may have crashed. Please reinstall the RRAS service in Add/Remove Programs. Reconfigure the VPN. What's the result?
3. After checking your ISA information and configuration, I do not find evident errors. I suggest you disable the ISA service and directly use the RRAS service to serve as VPN. What's the result? We need to know that the RRAS service is good so that we can concentrate on ISA and continue the troubleshooting.
Thanks for your time and I look forward to your reply.
Best Regards,
Eric Sun, MCSE2000 / MSCA / MCDBA Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
Z D - 24 Sep 2004 16:34 GMT Hello Eric,
I have discovered more info on the topic:
- I disabled VPN client access from within ISA2004.
- Rebooted the server.
- I then manually opened RRAS, configured it to accept PPTP VPN connections.
- This still DID NOT fix the problem, the PPTP ports did not show up.
- Then I went back to ISA2004 and remembered that I have a PPTP server publishing rule. I'm doing this because I have yet another PPTP VPN server inside my network that I'm publishing.
- I disabled this rule and rebooted the server.
- After the reboot, I went back into RRAS and configured it again as a PPTP VPN server (since after the reboot the service was turned off, I'm assuming ISA did this because it thought it should be disabled).
- Now when I configure the PPTP ports manually in RRAS they show up!!!
- Now I thought maybe if I can do it manually in RRAS then ISA can also do it.
- So, I disabled RRAS.
- Rebooted the server.
- Opened ISA and tried to enable VPN client connections (but I still have the VPN server publishing rule to the other server disabled).
- I rebooted the server.
- The ports are visible!!!!!!! VPN Works!!!
SO, it seems as though there is a bug where ISA cannot be a PPTP VPN server and also publish another PPTP VPN server inside the network.
What do you think? Are you able to reproduce this problem? Please let me know what you think.
Thanks very much - maybe I found a bug!! -ZD
"Eric Sun [MSFT]" - 27 Sep 2004 03:01 GMT Hi Zane,
Thanks for your reply and information sharing. I am glad you resolved this issue.
Regarding this issue, it is a by-design feature, not a bug, I think.
If you use a Server Publishing rule to publish an internal PPTP server to the internet, a socket on TCP port 1723 of the ISA external NIC will be created. In this situation, you could still set up a PPTP server on ISA and let it listen on TCP 1723. However, when an external request comes in, the request can never reach the listening application because it will be forwarded to the internal PPTP server by the TCP socket on TCP 1723. I think this is the main difference between the ISA 2000 and ISA 2004 design. Hope that information helps.
Have a good day!
Best Regards,
Eric Sun, MCSE2000 / MSCA / MCDBA Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
Thomas W Shinder [MVP] - 28 Sep 2004 04:49 GMT Hi Eric,
You could NOT publish a PPTP VPN server with the 2000 ISA firewall.
HTH,
Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
Z D - 28 Sep 2004 19:17 GMT Hi Eric,
Thanks for your reply. Sorry for my delay in response.
I'm wondering if there is some functionality missing in ISA2004.
My ISA2004 server's external NIC has multiple internet IP addresses assigned to it. When I'm setting up server publishing rules, I can choose any of the external IPs that I wish to listen on.
So, my question is: Why can't I choose which external IP ISA listens on for VPN connections when it's acting as the VPN server? This way, I could have ISA's VPN server bound to one IP, and have the server publishing rule for the other internal VPN server bound to the other external IP address.......
Right now, it seems as though if I configure ISA2004 to be a VPN server, it listens on ALL external IP addresses.
Could this feature be on the wish list? Or is it possible and I just don't know how to do it?
thanks -ZD
"Eric Sun [MSFT]" - 30 Sep 2004 09:08 GMT Hi Zane,
Based on my test and research, if you want to block VPN access for specific addresses in the External network, you can use either of the following ways to do that:
1st: Allow VPN on an empty network and create specific access rules for PPTP or L2TP. This is the easiest one.
- Create a network named Empty and don't add addresses into it.
- Allow VPN access on this network only => this way the System policy will contain the empty network only!
- Create subnets as you wish and create allow / deny rules for PPTP or for L2TP (and IPSEC - see the system policy created for L2TP for all the protocols that should be allowed to Local Host). Destination will be Local Host.
2nd: Create 3 different network objects (not subnets), one for each adapter.
- For each adapter create a different network (use the Add Adapter button).
- Select only the desired networks in Allowed Networks under the VPN properties page.
Let's focus on the first method now:
1. Create a network named Empty and don't add addresses into it.
System policy is checked first - so if you have the External network in Allowed VPN networks, users from External will succeed in connecting according to the system rule (created and enabled by the 'Verify that VPN Client Access is Enabled' option). Since the System policy takes precedence over all user-defined policy, if you disable the 'Allow VPN to ISA server' System policy rule, all the user-defined 'Allow VPN' Firewall Access Rules will not take effect. And that's the reason why I suggest creating an empty 'Allow VPN' System policy rule.
1) Highlight the 'Firewall Policy' node, and then select 'Toolbox' in the right pane.
2) Select 'Network Objects', highlight 'Networks', and then click 'New', 'Network'.
3) Give it a name, such as 'Empty'; it can be any kind of network (except VPN) with NO address ranges. A network of type 'External' is fine.
2. Allow VPN access on this network only => this way the System policy will contain the empty network only!
You cannot modify the system rule for VPN - it is read-only.
Also, the network wizard does not create or modify other rules except the system one. You should click on "Select Access Networks" on the Tasks bar of VPN and deselect all except Empty.
Note: Clicking on "Select Access Networks" under VPN and trying to remove all the networks will fail. This UI is directly mapped to the system rules for VPN (roaming access and PPTP/L2TP Site to Site). So you need to leave something there - if you want to allow VPN only from a specific subnet, you can't - the UI shows only networks there. The trick is adding the Empty network and selecting it there.
3. Create subnets as you wish and create allow / deny rules for PPTP or for L2TP.
1) Create the Subnet objects which contain your desired External IP ranges.
2) And then, create the desired VPN access rules:
a) For VPN Clients access you should create an access rule:
From: Any kind of network objects (subnets, computers, address ranges, etc.) of allowed VPN clients
To: Local Host
Protocols:
- For PPTP, just add the PPTP protocol.
- For L2TP, add the following: L2TP Client, IKE Client, IPSEC ESP, IPSEC NAT-T Client (in case your VPN clients are behind a NAT device/firewall).
b) For PPTP/L2TP Site to Site, you should create a similar rule:
From: All possible S2S endpoints
To: Local Host
Protocols:
- For PPTP, just add the PPTP protocol.
- For L2TP, add the following: L2TP Client, IKE Client, IPSEC ESP, IPSEC NAT-T Client (in case your VPN endpoints are behind a NAT device/firewall).
Hope that helps.
Best Regards,
Eric Sun, MCSE2000 / MSCA / MCDBA Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
Thomas W Shinder [MVP] - 28 Sep 2004 04:52 GMT Hi ZD,
On isaserver.org you didn't mention that you were already binding the PPTP socket :-)
Yes, you can't publish a PPTP server and also terminate a PPTP connection on the same machine, as the listener has already bound that socket. Just like any other Server Publishing Rule.
HTH,
Tom
www.isaserver.org/shinder
Get the book! Tom and Deb Shinder's Configuring ISA Server 2004 http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
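The socket clash Eric and Tom describe (a publishing rule listener already owning TCP 1723, so RRAS on the same box cannot listen there), as an added example that is not code from the thread, from ISA or from RRAS: a small Python probe that takes the port first as the "publishing rule" would and then has a second service try the same address and port. Addresses are loopback and constructed; run the probe against each external IP to see which addresses already have 1723 taken.

```python
"""Added example (not from the thread): reproduce the TCP 1723 listener clash.

Once one process owns addr:1723, a second plain bind to the same addr:port
fails with EADDRINUSE, which is why ISA's publishing-rule socket and the
RRAS PPTP listener cannot coexist on one address.  Loopback is used here.
"""
import errno
import socket

PPTP_PORT = 1723  # TCP control port for PPTP, the port named in the thread


def open_listener(addr: str, port: int = 0) -> socket.socket:
    """Bind and listen on addr:port (port 0 = any free port); caller closes it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((addr, port))
    s.listen(1)
    return s


def probe_listener(addr: str, port: int) -> str:
    """Report whether addr:port can still be bound: 'free' or 'in use'.

    No SO_REUSEADDR is set, so the probe behaves like a fresh service (such
    as RRAS) trying to claim the port; the probe socket is closed at once.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((addr, port))
        return "free"
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return "in use"
        raise
    finally:
        s.close()


def publish_then_vpn(addr: str, port: int = PPTP_PORT) -> dict:
    """Model the thread's sequence: the 'publishing rule' socket takes the port
    first, then the 'VPN server' tries the same addr:port, then the rule is
    disabled (listener closed) and the VPN server tries again."""
    publishing = open_listener(addr, port)        # ISA's server publishing listener
    try:
        vpn_while_published = probe_listener(addr, port)   # RRAS arriving second
    finally:
        publishing.close()                        # the publishing rule disabled
    vpn_after_rule_disabled = probe_listener(addr, port)   # what ZD saw afterwards
    return {"vpn_while_published": vpn_while_published,
            "vpn_after_rule_disabled": vpn_after_rule_disabled}


if __name__ == "__main__":
    # Constructed run on loopback; TCP 1723 must be free locally for the bind.
    print(publish_then_vpn("127.0.0.1"))
```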
Z D - 28 Sep 2004 19:21 GMT Hi Tom,
Thanks for your reply.
I only realized this was the issue after I made the post on ISAServer.org, my apologies.
Anyways - my ISA2004 server has multiple internet IPs assigned to its external interface. I was wondering why I can't choose which external IP address ISA2004 listens on when it's acting as the VPN server?? This way, the ISA VPN server could be bound to one IP, and the internal VPN server could be bound/published on another IP address.
I can do this with all other types of server publishing... I just can't seem to select which specific IP the ISA VPN server is bound to.
(maybe a wishlist feature? Or is there a way....?)
Thanks -ZD
Philipp - 23 Sep 2004 21:15 GMT When I try to configure the VPN through the ISA 2004 interface I get this error message:
System Event ID: 14102 Source:Microsoft Firewall
Failed to save the Routing and Remote Access service configuration in the registry. The registry key: System\CurrentControlSet\Services\RemoteAccess\Parameters\Ip, registry value: - could not be accessed for writing. The VPN configuration of the server is incomplete.
ISA does not start the RRAS Service! Why can ISA not write updates to the RRAS registry settings?
Here is what I have tried to resolve the problem so far:
Is the ISA firewall a member of a domain? Is group policy blocking the write?
>>> Removed ISA from the Win2k3 domain, but the problem still exists!
Try disabling RRAS completely, restart the firewall, and then log on again and configure the VPN in the ISA management console.
>>> After removing ISA from the domain, I set the RRAS service in the management console to "Disabled". Also "Disabled" the VPN Service in ISA 2004 and rebooted. Then enabled VPN in ISA 2004 and got the same Error 14102 even though ISA is not part of a domain. In ISA under Monitoring > Services it says "Remote Access Service" > Stopped. I stop the VPN Service again, reboot. Start the VPN Service again, reboot. Still the same old problem.
Also, check the AD and see if the ISA firewall is registered in the IAS and RAS Servers Group.
>>> I have no RAS Servers Group since I am not in AD anymore. My ISA Service called "Microsoft Firewall" is running under the local account "NT AUTHORITY\Network Service" while the RRAS Service is running under "Local System Account". Could that be the problem? Other possible problem causes?
>>> I have no idea what else I could do besides a complete reinstall. I had ISA 2004 Beta 2 installed on this machine, but completely removed it before I applied the Windows 2003 Server Service Pack 1 Version 1218. Then I installed the ISA 2004 Final edition. Could that Beta SP1 be the problem? Please help, I have already lost over 1 day because of that!
Thanks, Philipp
Daphne Levy [MSFT] - 23 Sep 2004 15:38 GMT This is indeed strange. Changes to the VPN ports configuration usually require a restart. Is it possible that you failed to notice a "need to restart" alert (monitoring node, alert tab) after you configured VPN client access?
If this is not the case, I would also like to point you to the VPN clients solution document at http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/vpnroamingquarantine.mspx. Reading the guidelines there usually helps.
Thanks, Daphne
Z D - 23 Sep 2004 20:13 GMT Hello,
I did indeed reboot the server.
I've sent the output from ISAINFO to Eric earlier this morning, hopefully he'll be able to help me out!
Thanks for the link to the document, I'll take a look at it to see if there is anything I've missed.
-ZD
Z D - 24 Sep 2004 16:34 GMT Hello Daphne,
I have discovered more info on the topic:
- I disabled VPN client access from within ISA2004.
- Rebooted the server.
- I then manually opened RRAS, configured it to accept PPTP VPN connections.
- This still DID NOT fix the problem, the PPTP ports did not show up.
- Then I went back to ISA2004 and remembered that I have a PPTP server publishing rule. I'm doing this because I have yet another PPTP VPN server inside my network that I'm publishing.
- I disabled this rule and rebooted the server.
- After the reboot, I went back into RRAS and configured it again as a PPTP VPN server (since after the reboot the service was turned off, I'm assuming ISA did this because it thought it should be disabled).
- Now when I configure the PPTP ports manually in RRAS they show up!!!
- Now I thought maybe if I can do it manually in RRAS then ISA can also do it.
- So, I disabled RRAS.
- Rebooted the server.
- Opened ISA and tried to enable VPN client connections (but I still have the VPN server publishing rule to the other server disabled).
- I rebooted the server.
- The ports are visible!!!!!!! VPN Works!!!
SO, it seems as though there is a bug where ISA cannot be a PPTP VPN server and also publish another PPTP VPN server inside the network.
What do you think? Are you able to reproduce this problem? Please let me know what you think.
Thanks very much - maybe I found a bug!! -ZD