Sunday, October 21, 2012 12:14 PM
I have an ISA 2004 server (not able to be replaced yet) at a remote site in the Philippines connecting back to head office in Melbourne where there is a Juniper SRX210. The VPN is up and Melbourne has full access to the Philippines network. The Philippines network has access back to Melbourne but the Philippines server does not. The server is a DC as well as running ISA 2004. It has two NICs, the internal with no gateway and the external with ISA controlling access. This is resulting in the server being unable to replicate Active Directory between sites. Debugging logs show the issue to be with ISA, not a rule in Melbourne on the Juniper. The error is:
Denied Connection 10/20/2012 6:25:37 PM
Log type: Firewall service
Status: A packet generated on the local host was rejected because its source IP address is assigned to one network adapter and its destination IP address is reachable through another network adapter.
Source: Local Host ( 192.168.79.1:137)
Destination: Melbourne ( 192.168.75.6:137)
Protocol: NetBios Name Service
Number of bytes sent: 0
Number of bytes received: 0
Processing time: 0ms
Original Client IP: 192.168.79.1
The Networks, Network Sets, Network Rules and routes all appear fine. How else is one supposed to set up ISA to send traffic from itself to the VPN tunnel? A static route to either its own internal IP or the external gateway kills the VPN. ISA should be intercepting the traffic and directing it over the tunnel. It is for the Philippines LAN, just not for the server itself. It is the firewall service itself; there is no rule to tweak.
This is causing me no end of grief; any assistance appreciated. I have been through http://technet.microsoft.com/library/bb794765.aspx and it has not helped. Everything from Melbourne to the Philippines is fine, it is just the Philippines server (the ISA one) that cannot see the Melbourne network. It also seems to be still trying to initiate an IPSec VPN after the Juniper-initiated SA is up and running and the VPN is up.
Sunday, October 21, 2012 12:19 PM
PS, the Philippines server gets "Negotiating IP Security" when trying to ping any IP on the Melbourne subnet. The Melbourne GW has been added to the network definition. ISA BPA just tells me that the "no connectivity error alert" has been triggered and it cannot contact the primary DC.
Also it appears that the Melbourne Juniper itself cannot ping the Philippines network but I am not sure if this is related.
- Edited by Ben - A BIT of IT Sunday, October 21, 2012 12:23 PM
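For anyone triaging the same symptom from the firewall-service log, the following is an added example (not part of the original post, and not ISA's own tooling): it parses "Denied Connection" entries in the layout quoted above and picks out the ones where the ISA host itself was the source and the status reports the cross-adapter rejection. The internal subnet 192.168.79.0/24 and the second, non-matching entry are assumptions constructed for the sample.

```python
import ipaddress
import re

# Constructed sample log; the first entry is the one quoted in the post, the second is made up.
SAMPLE_LOG = """\
Denied Connection 10/20/2012 6:25:37 PM
Log type: Firewall service
Status: A packet generated on the local host was rejected because its source IP address is assigned to one network adapter and its destination IP address is reachable through another network adapter.
Source: Local Host ( 192.168.79.1:137)
Destination: Melbourne ( 192.168.75.6:137)
Protocol: NetBios Name Service

Denied Connection 10/20/2012 6:27:15 PM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Source: Internal ( 192.168.79.20:3389)
Destination: External ( 203.0.113.5:3389)
Protocol: RDP
"""
INTERNAL_NET = ipaddress.ip_network("192.168.79.0/24")  # assumed internal-adapter subnet
ENDPOINT = re.compile(r"^(Source|Destination):\s*(.+?)\s*\(\s*([\d.]+):(\d+)\)")
CROSS_ADAPTER = "reachable through another network adapter"

def parse_entries(text):
    """One dict per blank-line-separated entry; Source/Destination become (network, ip, port)."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            m = ENDPOINT.match(line)
            if line.startswith("Denied Connection"):
                entry["header"] = line  # header holds a time with ':' so must not be split
            elif m:
                entry[m.group(1).lower()] = (m.group(2), m.group(3), int(m.group(4)))
            else:
                key, _, val = line.partition(":")
                entry[key.strip().lower()] = val.strip()
        entries.append(entry)
    return entries

def local_host_cross_adapter(entries):
    """Entries where the firewall host itself was denied reaching a non-internal destination."""
    hits = []
    for e in entries:
        src, dst = e.get("source"), e.get("destination")
        if (src and dst and src[0] == "Local Host"
                and CROSS_ADAPTER in e.get("status", "")
                and ipaddress.ip_address(dst[1]) not in INTERNAL_NET):
            hits.append((e["header"], e.get("protocol"), dst[1], dst[2]))
    return hits
```

Feed the real firewall-service export in place of SAMPLE_LOG; the returned tuples show which protocols (here NetBIOS name service, and in practice the AD replication ports) the host is being stopped from sending over the tunnel.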
Thursday, October 25, 2012 6:31 AM (Moderator)
Thank you for the post.
Please check this article for configuring an ISA site-to-site VPN: http://technet.microsoft.com/en-gb/library/cc302494.aspx. For troubleshooting IPsec VPNs, you may refer to this guide: http://blogs.isaserver.org/pouseele/2007/07/07/basic-troubleshooting-for-ipsec-based-vpns/
Nick Gu - MSFT
- Proposed As Answer by Nick Gu - MSFT (Microsoft Contingent Staff, Moderator) Saturday, October 27, 2012 11:12 AM
Sunday, October 28, 2012 8:13 AM
It is not a VPN issue as such; the IPsec VPN is up and both LANs can talk to each other. The issue is that the ISA server itself cannot use the VPN link that it terminates itself to talk to the remote LAN. As the ISA server is the remote site DC as well, this means it cannot replicate AD. To replicate AD every few days we disable the IPSec VPN and the server itself dials in to RRAS via PPTP. This is not a long-term solution.