Written by: Justin James 5/29/2008 12:49 AM
So, after literally dozens of man-hours trying to get the VPN working in ISA Server 2006, the end culprit turned out to be... my fat fingers. When I entered the IP address for the domain controller in a "Computer" network entity (which I later added to the network groups used by access rules), I typed it in wrong. As a result, traffic to/from the domain controller didn't go through in the cases where the rules should have judged it based on that incorrectly typed IP address and not some other criteria.
Nicely enough, a lot of other odd items in the event log and the ISA monitor are now cleared up too. Lesson re-learned once again: when things are mysteriously failing, check your typing before you go to Google. It's a royal pain to back out hours of effort to fix a problem that never existed, but the fix itself could cause other issues.
J.Ja
4 comments so far...
Was this for site-to-site VPN or client-to-server VPN?
nt
Re: Watch your fat fingers
Client-to-server VPN. The problem turned out to have nothing to do with the VPN configuration (which is easy enough), but the ISA Server's communication with the domain controller, due to me typing its IP address in wrong. It wasn't able to send RPC traffic properly, and as a result, VPN would not work right. I am *not* passing the VPN traffic *through* ISA to the domain controller; the ISA Server *is* the VPN termination point. But ISA Server itself did need to do some RPC for things like authentication and such, and that is what was failing. It's all better now, except I need to find out why the VPN clients are getting 255.255.255.255 as a subnet mask, which prevents them from communicating with the LAN properly...
J.Ja
Multi-homed configurations are a bit more complex to configure
Multi-homed configurations are a bit more complex to configure on the VPN server. Did you ask the doctor of ISA?
Re: Watch your fat fingers
Nope, I haven't had time to mess with it. I spent about 10 minutes trying to figure out why it wasn't working, saw that I was subnetted wrong, and then got the information I needed on my top priority project. This isn't *that* important at the moment, but it will be soon, and then the storage. I need to VPN so when I get the storage up I can start getting everything working right.
J.Ja