Remove From My Forums

Cisco VPN though TMG

Question
0

Sign in to vote

Hello

My setup is this:

XP SecureNAT client with Cisco VPN client -> 2 node TMG NLB cluster -> Switch - > Router -> Internet

I am having trouble getting Cisco VPN though the TMG firewall. The Cisco client actually connects flowlesly and my connection is setup ok. But I am not able to get any data though the tunnel.

In the Cisco Client statistics the "Bytes Sent" counts up but the "Bytes received" stays at zero. I cannot ping any devices on the other end of the tunnel

I dont see any errors in the TMG log and the monitoring logs does not show any denied connections.

I have tried making a protocol rule that allows all outbound IP traffic and then i have made a protocol definition that allows UDP send-receive 1-65535 and TCP Send 1-65535.

Today I put a Linksys NAT router on the external switch (outside the TMG) and put the client behind the Linksys router. The client was assigned the same IP address as it would have if it was located internally to the TMG. This setup word just fine - I can receive data though the tunnel. This must mean that the TMG is my problem - now I just need to solve it.

I am a bit lost on how to troubleshoot next... Anyone able to help?

Kind regards

Soren

Thursday, November 4, 2010 4:03 PM

Answers

0

Sign in to vote
Hello Marc

No, all the steps in that article has been completed.

During troubleshooting I have tried theese steps:

- MTU size lowered
- All intrution detection, flood mitigation, IDS, etc. disabled
- Test protocol rules spanning port 1-65535 created on UDP Send-Receive and TCP Send

Still, I cannot get any data through my tunnel. The VPN tunnel is created just fine and Sent Bytes is counting, but Received Bytes stays at zero.

I tried to put the VPN client behind a Linksys NAT router on the external network. The client was given the same internal IP adress 10.20.x.x as it would have had on the internal network behind the TMG. When placed like this, external from the TMG, the VPN connection works fine.

Kind regards

Soren
- Marked as answer by Keith AlabasterModerator Sunday, June 26, 2011 6:28 AM
Wednesday, November 10, 2010 4:07 PM

All replies

1

Sign in to vote
Hi,

does this help?
http://www.elmajdal.net/isaserver/How_To_Allow_Cisco_VPN_Client_To_Connect_Through_ISA_Server.aspx
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
- Proposed as answer by Ahmet Abdagic Thursday, December 30, 2010 9:04 AM
Thursday, November 4, 2010 4:33 PM
1

Sign in to vote
Hi Soren,

Do you have any update about this issue? If you use VPN scenario as site to site, please read this article: http://blogs.technet.com/b/yuridiogenes/archive/2010/04/14/forefront-tmg-2010-hotfix-for-integrated-nlb-issues-on-an-array-based-scenario.aspx

Regards,

Nick Gu - MSFT
- Proposed as answer by Ahmet Abdagic Thursday, December 30, 2010 9:04 AM
Wednesday, November 10, 2010 5:38 AM

Moderator
0

Sign in to vote
Hello Marc

No, all the steps in that article has been completed.

During troubleshooting I have tried theese steps:

- MTU size lowered
- All intrution detection, flood mitigation, IDS, etc. disabled
- Test protocol rules spanning port 1-65535 created on UDP Send-Receive and TCP Send

Still, I cannot get any data through my tunnel. The VPN tunnel is created just fine and Sent Bytes is counting, but Received Bytes stays at zero.

I tried to put the VPN client behind a Linksys NAT router on the external network. The client was given the same internal IP adress 10.20.x.x as it would have had on the internal network behind the TMG. When placed like this, external from the TMG, the VPN connection works fine.

Kind regards

Soren
- Marked as answer by Keith AlabasterModerator Sunday, June 26, 2011 6:28 AM
Wednesday, November 10, 2010 4:07 PM
0

Sign in to vote

Hello Nick

Update is in my other post. This is not a site-to-site scenario - its a Cisco tunnel goingt through a 2 node TMG NLB cluster.

Kind regards

Soren

Wednesday, November 10, 2010 4:09 PM
0

Sign in to vote

No updates since 2010 so closed out
Keith Alabaster - MVP/Forum Moderator

Sunday, June 26, 2011 6:30 AM

Moderator

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Cisco VPN though TMG

Question

Answers

All replies