Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

VPN Clients May Not Work on ISA Server Perimeter Networks


View products that this article applies to.

This article was previously published under Q303530

↑ Back to the top


Symptoms

From a client on an Internet Security and Acceleration (ISA) Server perimeter network, you may be unable to create a virtual private networking (VPN) connection to a server on the external network. The connection does not work using either PPTP and L2TP.

When you try to make a connection, you see the Verifying Username and Password dialog box. However, the connection attempt eventually generates the error message "Error 628: The Connection was closed."

VPN connections from the internal network to a VPN server on the Internet work correctly.

↑ Back to the top


Cause

This issue is caused by an incompatibility between the ISA Server Packet filter and the Windows 2000 Network Address Translation (NAT) editor.

↑ Back to the top


Resolution

To resolve this problem, obtain the latest service pack for ISA Server 2000. For additional information about the latest service pack, click the article number below to view the article in the Microsoft Knowledge Base:
313139� How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

↑ Back to the top


Workaround

To work around this issue, create a perimeter or DMZ network by using two ISA Server computers:
Internet --- ISA1 --- DMZ --- ISA2 --- private network
This will allow VPN connections to be created successfully from a client in the DMZ to an Internet VPN server.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was corrected in ISA Server 2000 SP1.

↑ Back to the top


More information

A network trace shows that TCP packets on port 1723 are forwarded correctly by ISA Server. However, GRE packets (IP protocol 47) never make it through ISA Server. GRE packets are dropped even though the Packet Filter log states that the GRE packets are "Allowed."

Note that perimeter networks are found on triple-homed ISA Servers computers. This is also referred to as a DMZ. The perimeter network is reachable by using a public IP address, but it is protected by the ISA Server firewall. See the ISA Help for additional information.

↑ Back to the top


Keywords: KB303530, kbqfe, kbprb, kbenv, kbproductlink

↑ Back to the top

Article Info
Article ID : 303530
Revision : 4
Created on : 10/29/2007
Published on : 10/29/2007
Exists online : False
Views : 352