VPN with Cisco Router

  • Question

  • We've been trying to get a VPN connection to work through a Cisco Router to a Windows Server 2008 with Symantec End Point Protection Manager on it. We've set up everything on the Cisco Router and opened all the necessary ports with the End Point Protection manager. Each time we try to connect we get an error message stating that the Radius Server rejected the connection. We've checked and re-checked the Radius Server settings and the NPS settings. Still we get the same error. Can anyone help?
    David Kellett
    Tuesday, December 8, 2009 7:10 PM

Answers

  • Hi,

    The log files that are being discussed should be located in this directory: %winroot%\Windows\System32\Logfiles. Please note that these logs are difficult to read unless you parse them. See http://technet.microsoft.com/en-us/library/cc771748(WS.10).aspx

    I'm pretty sure the event you have listed above about being unable to load the MSSHA is because you enabled the nap agent service on a server. Servers do have nap agent, but they do not have the Windows SHA (MSSHA aka WSHA).

    If you bypass the Cisco router entirely, does the VPN connection work? In other words, are you sure the VPN connection itself is configured correctly on both the server and client side?

    When you say the RADIUS server rejected the connection, do you mean that you are seeing event 6273 or 6274 under Event Viewer > Custom Views > Server Roles > Network Policy and Access Services?

    Are you using NAT to create a translated public IP address on the router that forwards requests to the VPN server?

    -Greg

    Saturday, March 20, 2010 9:03 AM

All replies

  • Hi David,

    What events are you seeing in the event log on the NPS server?

    Donny
    Wednesday, December 9, 2009 8:28 AM
  • Hello,

    Thank you for your post here.

    From the description, you cannot establish the VPN connection to a Windows Server 2008 server with Symantec End Point Protection Manager behind a Cisco router.

    1. Where is your RADIUS server installed? Is it a Windows Server 2008 NPS server?

    2. For further investigation, please help to collect the IAS log on the RADIUS server.

    You may refer to the following article about how to decode entries recorded in IAS format log files:

    Interpret IAS Format Log Files
    http://technet.microsoft.com/en-us/library/dd197432(WS.10).aspx

    3. To isolate the issue from 3rd party software, please check how it works if you disable the Symantec End Point Protection Manager.

    If you have any questions or concerns, please do not hesitate to let me know.

    • Edited by Miles Li Wednesday, December 16, 2009 6:41 AM
    Wednesday, December 9, 2009 10:44 AM
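Miles's request for the IAS log above, and Greg's later remark that those logs are hard to read unless parsed, point at the same gap. NPS writes one comma-separated IAS-format record per RADIUS packet (by default under %windir%\System32\LogFiles): six fixed header fields, then attribute-ID/value pairs. A rejection shows up only as attribute 4136 (Packet-Type) equal to 3, with the cause in attribute 4142 (Reason-Code). The parser below is an added example written for this page, not code from the thread or from Microsoft. The sample records are constructed, and the attribute-ID and reason-code tables are a partial subset written from the documented lists; check them against the linked article before relying on them for more than triage.

```python
import csv
from collections import Counter

# The six fixed header fields of an IAS-format record, in order.
HEADER = ("nas_ip", "user_name", "record_date", "record_time",
          "service_name", "computer_name")

# Partial map of IAS attribute IDs to names. Assumption: written from the
# documented attribute list; verify against the TechNet article before use.
ATTRIBUTE_NAMES = {
    "4108": "Client-IP-Address",     # RADIUS client (the VPN server) as seen by NPS
    "4128": "Client-Friendly-Name",  # name of that RADIUS client entry in NPS
    "4129": "SAM-Account-Name",
    "4136": "Packet-Type",
    "4142": "Reason-Code",
    "4149": "Policy-Name",           # network policy that matched, if any
    "4154": "Proxy-Policy-Name",     # connection request policy that matched
}

PACKET_TYPES = {"1": "Access-Request", "2": "Access-Accept", "3": "Access-Reject",
                "4": "Accounting-Request", "11": "Access-Challenge"}

# Partial map of NPS reason codes (assumption: subset of the documented list).
REASON_CODES = {
    "0": "success",
    "7": "the specified domain does not exist",
    "8": "the specified user account does not exist",
    "16": "authentication failure (bad user name or password)",
    "34": "the account is disabled",
    "36": "the account is locked out",
    "48": "the request did not match any configured network policy",
    "49": "the request did not match any configured connection request policy",
    "65": "remote access permission for the account is denied (dial-in property)",
    "66": "the authentication method is not enabled on the matching network policy",
}


def parse_ias_record(line):
    """Split one IAS-format line into its header fields and an attribute dict."""
    fields = next(csv.reader([line]))
    if len(fields) < len(HEADER):
        raise ValueError("not an IAS-format record: %r" % line)
    record = dict(zip(HEADER, fields[:len(HEADER)]))
    pairs = fields[len(HEADER):]
    attributes = {}
    # Attributes follow as ID,value pairs; a trailing ID with no value is kept empty.
    for i in range(0, len(pairs), 2):
        value = pairs[i + 1] if i + 1 < len(pairs) else ""
        attributes[ATTRIBUTE_NAMES.get(pairs[i], pairs[i])] = value
    record["attributes"] = attributes
    return record


def describe_rejects(log_text):
    """Return (one readable line per Access-Reject, Counter of reason codes)."""
    rejects, by_reason = [], Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        record = parse_ias_record(raw)
        attrs = record["attributes"]
        if PACKET_TYPES.get(attrs.get("Packet-Type")) != "Access-Reject":
            continue
        code = attrs.get("Reason-Code", "?")
        by_reason[code] += 1
        rejects.append(
            "%s %s user=%s client=%s (%s) crp=%r policy=%r reason=%s: %s" % (
                record["record_date"], record["record_time"],
                attrs.get("SAM-Account-Name") or record["user_name"],
                attrs.get("Client-IP-Address", "?"),
                attrs.get("Client-Friendly-Name", "?"),
                attrs.get("Proxy-Policy-Name", ""),
                attrs.get("Policy-Name", ""),
                code,
                REASON_CODES.get(code, "not in this table; look it up in the NPS reason code list")))
    return rejects, by_reason


# Constructed sample: one request, three rejects (bad password, no policy match,
# dial-in denied) and one accept, all from a RADIUS client named VPN-RRAS.
SAMPLE_LOG = """\
192.168.1.10,DOMAIN\\vpnuser,12/11/2009,13:42:55,IAS,NPS01,4108,192.168.1.10,4128,VPN-RRAS,4136,1,4154,Use Windows authentication for all users
192.168.1.10,DOMAIN\\vpnuser,12/11/2009,13:42:55,IAS,NPS01,4108,192.168.1.10,4128,VPN-RRAS,4129,DOMAIN\\vpnuser,4136,3,4142,16,4154,Use Windows authentication for all users
192.168.1.10,DOMAIN\\vpnuser,12/11/2009,13:44:10,IAS,NPS01,4108,192.168.1.10,4128,VPN-RRAS,4129,DOMAIN\\vpnuser,4136,3,4142,48,4149,,4154,Use Windows authentication for all users
192.168.1.10,DOMAIN\\vpnuser,12/11/2009,13:45:02,IAS,NPS01,4108,192.168.1.10,4128,VPN-RRAS,4129,DOMAIN\\vpnuser,4136,3,4142,65,4149,Connections to Microsoft Routing and Remote Access server,4154,Use Windows authentication for all users
192.168.1.10,DOMAIN\\vpnuser,12/11/2009,13:46:30,IAS,NPS01,4108,192.168.1.10,4128,VPN-RRAS,4129,DOMAIN\\vpnuser,4136,2,4142,0,4149,Connections to Microsoft Routing and Remote Access server,4154,Use Windows authentication for all users
"""

if __name__ == "__main__":
    lines, counts = describe_rejects(SAMPLE_LOG)
    print("\n".join(lines))
    print("rejects by reason code:", dict(counts))
```

Run against the real log, the first three things to read off each reject are the Reason-Code, which policies matched (Proxy-Policy-Name is the connection request policy, Policy-Name the network policy), and Client-IP-Address, which must be the VPN server's address exactly as registered as a RADIUS client in NPS. Reason 48 with an empty Policy-Name means no network policy matched at all; reason 16 means the request got as far as checking credentials and they failed.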
  • Okay, the Radius Server sits right behind the router. It is a Windows Server 2008 Standard Server using NPS. Where do I look for the ISA Log, we don't have an ISA Server installed. We did disable the Symantec EPPM and still got the same results. The following are a list of events we found in the event logs:

    The certificates bound to the HTTPS listener for IPv4 and IPv6 do not match. For SSTP connections, certificates should be configured for 0.0.0.0:Port for IPv4, and [::]:Port for IPv6. The port is the listener port configured to be used with SSTP. The default listener port is 443.

    Failed to start Radius Server. The radius port may be used by another process.

    David Kellett
    Wednesday, December 9, 2009 5:25 PM
  • Hi David,

    If I understand correctly, you installed Symantec EPPM and the NPS Radius server on the same server.
    As listed in this thread, Symantec recommends not to do that, as they both listen on the same port (1812).
    You can either:
    1. Change the port used by either EPPM or NPS, as suggested here (link taken from the above thread).
    or
    2. Install NPS as a Radius server on a different machine. If the radius requests have to pass through the machine with the EPPM, or originate from it (I don't know much about EPPM, so I don't know if that's the case), you can configure the NPS role on it as a Radius proxy to forward the requests to the NPS Radius server. Here is an explanation of the NPS Radius proxy, and a configuration checklist.

    Anyhow, what Miles meant to say was IAS log, not ISA log (small typo).
    NPS logs are called IAS logs, as IAS is the previous version of NPS (it was part of Windows Server 2003), and the log format is basically the same. To enable logging and/or see where the logs are, read about NPS accounting.

    Tomer
    ===================================================
    Sorry! Microsoft doesn't own any liability & responsibility for any of my posting.
    Thursday, December 10, 2009 11:29 PM
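The event David quoted, "Failed to start Radius Server. The radius port may be used by another process", is the symptom of the conflict Tomer describes: NPS cannot bind UDP 1812 (and, with its defaults, 1813 and the legacy 1645/1646 pair) because another service already holds the port. On the server itself, netstat -ano -p udp followed by tasklist on the owning PID names the culprit. The probe below is an added, portable example written for this page rather than code from the thread; it performs the same bind test in Python, treating a bind that fails with EADDRINUSE as "port taken". The ephemeral-port demo at the end is constructed so the check can be exercised on any machine without a RADIUS server present.

```python
import errno
import socket

# Default NPS RADIUS listener ports: 1812/1645 authentication, 1813/1646 accounting.
RADIUS_PORTS = (1812, 1645, 1813, 1646)

# POSIX reports EADDRINUSE; Windows reports WSAEADDRINUSE (10048).
_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", 10048)}


def udp_port_is_free(port, host="0.0.0.0"):
    """Return True if a UDP socket can be bound to host:port right now.

    A bind that fails with EADDRINUSE means another process already owns the
    port, which is exactly the condition behind "the radius port may be used
    by another process". Any other error is re-raised rather than hidden.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        probe.bind((host, port))
        return True
    except OSError as exc:
        if exc.errno in _IN_USE:
            return False
        raise
    finally:
        probe.close()


def check_radius_ports(ports=RADIUS_PORTS, host="0.0.0.0"):
    """Map each RADIUS port to True (free) or False (held by another process)."""
    return {port: udp_port_is_free(port, host) for port in ports}


def demo_conflict():
    """Constructed demonstration of the conflict on an ephemeral loopback port.

    Holds a UDP port the way a second RADIUS listener would, probes it, releases
    it and probes again. Returns (result_while_held, result_after_release).
    """
    holder = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    holder.bind(("127.0.0.1", 0))          # kernel picks a free port
    port = holder.getsockname()[1]
    try:
        while_held = udp_port_is_free(port, "127.0.0.1")
    finally:
        holder.close()
    after_release = udp_port_is_free(port, "127.0.0.1")
    return while_held, after_release


if __name__ == "__main__":
    for port, free in check_radius_ports().items():
        print("UDP %d: %s" % (port, "free" if free else "IN USE by another process"))
    print("demo (while held, after release):", demo_conflict())
```

Run this before starting the NPS service: if any of the four ports reports in use, NPS will log the same start-up failure again, and the fix is one of the two Tomer lists (move one side to a different port, or put NPS on another host and proxy to it). The probe only reports the conflict; identifying the owning process still needs netstat and tasklist on the box.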
  • We had already tried the above. It didn't work. Below are the only log files I could find on any NPS errors. Is there anything else we can do or any particular log files I can send along. I didn't find any IAS logs anywhere, even after looking at the articles you mentioned.

    Log Name:      System
    Source:        RemoteAccess
    Date:          12/11/2009 1:46:21 PM
    Event ID:      20106
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      QBee1.QueenBeeGardens.local
    Description:
    Unable to add the interface {5919B3F3-2E60-41B3-A072-C65379853BE7} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="RemoteAccess" />
        <EventID Qualifiers="0">20106</EventID>
        <Level>2</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2009-12-11T20:46:21.000Z" />
        <EventRecordID>93322</EventRecordID>
        <Channel>System</Channel>
        <Computer>QBee1.QueenBeeGardens.local</Computer>
        <Security />
      </System>
      <EventData>
        <Data>{5919B3F3-2E60-41B3-A072-C65379853BE7}</Data>
        <Data>IPV6</Data>
        <Data>Cannot complete this function.
    </Data>
        <Binary>EB030000</Binary>
      </EventData>
    </Event>


    Log Name:      Microsoft-Windows-NetworkAccessProtection/Operational
    Source:        Microsoft-Windows-NetworkAccessProtection
    Date:          12/11/2009 1:42:57 PM
    Event ID:      13
    Task Category: None
    Level:         Error
    Keywords:     
    User:          NETWORK SERVICE
    Computer:      QBee1.QueenBeeGardens.local
    Description:
    The Network Access Protection Agent failed to load the peripheral component MSSHA. The error code was 2147942526.
     See the administrator for more information.

    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-NetworkAccessProtection" Guid="{4ef850d8-bf30-4e64-a917-ee21b9be1f0a}" />
        <EventID>13</EventID>
        <Version>0</Version>
        <Level>2</Level>
        <Task>0</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2009-12-11T20:42:57.882Z" />
        <EventRecordID>26</EventRecordID>
        <Correlation />
        <Execution ProcessID="1332" ThreadID="2408" />
        <Channel>Microsoft-Windows-NetworkAccessProtection/Operational</Channel>
        <Computer>QBee1.QueenBeeGardens.local</Computer>
        <Security UserID="S-1-5-20" />
      </System>
      <UserData>
        <NapEvent xmlns:auto-ns2="http://schemas.microsoft.com/win/2004/08/events" xmlns="myNs">
          <PeripheralName>MSSHA</PeripheralName>
          <FunctionName>2147942526</FunctionName>
        </NapEvent>
      </UserData>
    </Event>


    David Kellett
    Saturday, December 19, 2009 5:47 PM
  • Hi,

    This question is still not answered but has fallen off the first page of the forum so it may not be getting the attention needed.

    Please let me know if there is any further information about this issue. I will also try to summarize the current question and get an answer if possible, or move the question to another forum if it is not appropriate for the NAP forum.

    Greg Lindsay

    Friday, March 19, 2010 8:49 PM