Forefront TMG cannot VPN using Cisco client

this thread has 3 replies and has been viewed 5741 times

#1
1st June 2011, 22:19
crowntech

SOLVED: Forefront TMG cannot VPN using Cisco client

Greetings!

Hello everyone, I hope someone can help me out with this issue I've had for about a week now. Background info: I need to allow a few of our users to use a Cisco VPN client to connect to one of our customers' corporate networks. We currently have Forefront TMG as our gateway for all of our users and I have added new rules to allow the traffic to pass through. However, the Cisco VPN client will constantly attempt to connect until it times out, and when I look through the logs on the firewall, here is what I see:

Client IP: 192.168.x.x
Destination IP: 170.x.x.x
Action: Initiated Connection
Protocol: IKE Client
Destination port: 500
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal
Destination Network: External

Client IP: 192.168.x.x
Destination IP: 170.x.x.x
Action: Initiated Connection
Protocol: IPsec NAT-T Client
Destination port: 4500
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal
Destination Network: External

Client IP: 69.x.x.x (our outward facing IP)
Destination IP: 170.x.x.x
Action: Denied Connection
Protocol: IPsec NAT-T Client
Destination port: 4500
Result Code: 0xc004003e FWX_E_FW_IPSEC_DROPPED
Source Network: Local host
Destination Network: External

The interesting thing to note is that when the client IP shows our internal address (192.168.x.x), it will show an action of "Initiated Connection" but eventually gets closed as it times out. I've looked into this and found the result code means: "A packet was dropped due to periodic inconsistency between the IPsec policy and the Forefront TMG's snapshot of the IPsec policy."

Here are the resolutions that I've attempted:
* Removed from registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipv6 (did nothing so I restored original keys)
* Ran command: netsh tmg set global name=BlockSecuredInDefaultState value=0 persistent (command not recognized, TMG 2010 only?)
* Added local host to the list of source networks on the access list
* Asked nicely for it to work

I tested the VPN connection without the firewall in place and it DOES work, there must be some setting that I'm missing. If it helps, we're using TMG version 6. Your help is greatly appreciated!

Last edited by crowntech; 7th June 2011 at 01:14. Reason: Problem solved
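The three log entries quoted above carry the whole diagnosis: the Internal client's IKE (500/udp) and NAT-T (4500/udp) connections are accepted by the access rule, but the firewall's own outbound copy of the NAT-T traffic (Source Network "Local host") is denied with FWX_E_FW_IPSEC_DROPPED, so it is TMG's IPsec policy, not the access rule, that is dropping the tunnel. As an added example (not code from the thread, from Microsoft, or from TMG itself), the Python script below parses entries in the "Field: value" layout used in the post and flags exactly that pattern. The sample log is constructed from the poster's entries and is not the native TMG log export format; the field names in FIELD_MAP are assumptions taken from the post.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the three entries the poster quoted, in the same
# "Field: value" layout. This is NOT the native TMG log export format.
SAMPLE_LOG = """\
Client IP: 192.168.x.x
Destination IP: 170.x.x.x
Action: Initiated Connection
Protocol: IKE Client
Destination port: 500
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal
Destination Network: External

Client IP: 192.168.x.x
Destination IP: 170.x.x.x
Action: Initiated Connection
Protocol: IPsec NAT-T Client
Destination port: 4500
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal
Destination Network: External

Client IP: 69.x.x.x
Destination IP: 170.x.x.x
Action: Denied Connection
Protocol: IPsec NAT-T Client
Destination port: 4500
Result Code: 0xc004003e FWX_E_FW_IPSEC_DROPPED
Source Network: Local host
Destination Network: External
"""

# Field labels as they appear in the post (assumed layout) -> attribute names.
FIELD_MAP = {
    "Client IP": "client_ip",
    "Destination IP": "dest_ip",
    "Action": "action",
    "Protocol": "protocol",
    "Destination port": "dest_port",
    "Result Code": "result_code",
    "Source Network": "src_net",
    "Destination Network": "dst_net",
}

IPSEC_PORTS = {500, 4500}  # IKE and IPsec NAT-T


@dataclass
class Entry:
    client_ip: str
    dest_ip: str
    action: str
    protocol: str
    dest_port: int
    result_code: str  # hex code, e.g. "0xc004003e"
    result_name: str  # symbolic name, e.g. "FWX_E_FW_IPSEC_DROPPED"
    src_net: str
    dst_net: str


def parse_entries(text: str) -> List[Entry]:
    """Split the text into blank-line-separated records and map each field."""
    entries: List[Entry] = []
    for block in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attr = FIELD_MAP.get(key.strip())
            if attr:
                fields[attr] = value.strip()
        # "0xc004003e FWX_E_FW_IPSEC_DROPPED" -> code and symbolic name
        code, _, name = fields.pop("result_code").partition(" ")
        port = int(fields.pop("dest_port"))
        entries.append(Entry(dest_port=port, result_code=code, result_name=name, **fields))
    return entries


def find_ipsec_passthrough_failures(entries: List[Entry]) -> List[dict]:
    """Flag destinations where an Internal client's IKE/NAT-T connection was
    accepted but the firewall's own ("Local host") copy of the traffic was
    denied with FWX_E_FW_IPSEC_DROPPED. That combination means the TMG host's
    IPsec policy, not the access rule, is dropping the tunnel."""
    by_dest: Dict[str, List[Entry]] = {}
    for e in entries:
        if e.dest_port in IPSEC_PORTS:
            by_dest.setdefault(e.dest_ip, []).append(e)

    findings = []
    for dest, group in by_dest.items():
        internal_ok = [e for e in group
                       if e.src_net == "Internal" and e.action == "Initiated Connection"]
        local_dropped = [e for e in group
                         if e.src_net.lower() == "local host"
                         and e.result_name == "FWX_E_FW_IPSEC_DROPPED"]
        if internal_ok and local_dropped:
            findings.append({
                "destination": dest,
                "internal_clients": sorted({e.client_ip for e in internal_ok}),
                "firewall_ip": local_dropped[0].client_ip,
                "dropped_ports": sorted({e.dest_port for e in local_dropped}),
                "result_code": local_dropped[0].result_code,
                "diagnosis": "TMG's own IPsec policy is dropping the NAT-T traffic; "
                             "an access rule alone will not fix this",
            })
    return findings


if __name__ == "__main__":
    for finding in find_ipsec_passthrough_failures(parse_entries(SAMPLE_LOG)):
        print(finding)
```

The check deliberately keys on the Source Network field rather than on the deny alone: a plain access-rule deny would show the Internal client as the source, whereas a "Local host" deny with this result code points at the firewall's IPsec policy, which is what the site-to-site workaround later in the thread addresses.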
#2
2nd June 2011, 23:50
cruachan (MVM)

Re: Forefront TMG cannot VPN using Cisco client

This is for ISA 2004/6 and is from our own elmajdal, but it should have the info you need.

http://elmajdal.net/isaserver/How_To...SA_Server.aspx
#3
3rd June 2011, 00:11
crowntech

Re: Forefront TMG cannot VPN using Cisco client

Thank you for your reply. I have already taken the steps outlined in the link provided and I am still not able to get through. The result code I am receiving mentions something about the policy on Forefront not matching the existing IPSec policy. I've looked around but still no luck.
#4
7th June 2011, 01:14
crowntech

Re: Forefront TMG cannot VPN using Cisco client

I got it! After a week and a half of banging my head on this I finally got it to work thanks to a suggestion from another forum. Here is the solution to the problem:

Created a site-to-site VPN connection to a dummy site. First configured it with the actual target VPN endpoint, then changed the address to one of our own static IP addresses. Confirmed this does work when checking the firewall logs, and I am able to get a username/password dialog box. Creating this site-to-site connection allows TMG to create an IPsec rule which by default is undefined (and anything undefined is denied). Once the connection is created, the rule is also created, which allows IPsec traffic to pass through.

Here are the steps I followed: open Forefront TMG Management, select Virtual Private Networks, and under the Remote Sites tab select "Create VPN site-to-site connection". The steps from here are pretty straightforward, as fictitious IP addresses can be entered. The main goal is to create the rule so that IPsec traffic can pass. Hope this helps someone else!