VPN Clients May Not Work on ISA Server Perimeter Networks (303530)



The information in this article applies to:

  • Microsoft Internet Security and Acceleration Server 2000

This article was previously published under Q303530

SYMPTOMS

From a client on an Internet Security and Acceleration (ISA) Server perimeter network, you may be unable to create a virtual private networking (VPN) connection to a VPN server on the external network. The connection does not work using either PPTP or L2TP.

When you try to make a connection, you see the Verifying Username and Password dialog box. However, the connection attempt eventually generates the error message "Error 628: The Connection was closed."

VPN connections from the internal network to a VPN server on the Internet work correctly.

CAUSE

This issue is caused by an incompatibility between the ISA Server packet filter and the Windows 2000 Network Address Translation (NAT) editor.

RESOLUTION

To resolve this problem, obtain the latest service pack for ISA Server 2000. For additional information about the latest service pack, click the article number below to view the article in the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server 2000 Service Pack

WORKAROUND

To work around this issue, create a back-to-back perimeter (DMZ) network by using two ISA Server computers:

Internet --- ISA1 --- DMZ --- ISA2 --- private network

In this configuration, VPN connections from a client in the DMZ to a VPN server on the Internet are created successfully.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.

This problem was corrected in ISA Server 2000 SP1.

MORE INFORMATION

A network trace shows that the PPTP control connection on TCP port 1723 is forwarded correctly by ISA Server. However, the GRE data channel (IP protocol 47) never makes it through ISA Server. The GRE packets are dropped even though the packet filter log records them as "Allowed", so the log alone does not reveal the problem; a trace on both sides of the ISA Server computer does.
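
The following script is an added example for this article; it is not an ISA Server tool and not part of the original Knowledge Base text. It reads a simplified, constructed packet trace (the "<time> <src> -> <dst> <proto> [<sport> <dport>]" line format, the 192.0.2.x/198.51.100.x addresses, and the sample packets are all assumptions) and reports whether the PPTP control channel completed in both directions while GRE was only ever seen leaving the client, which is the pattern described above.

```python
"""Diagnose a one-way GRE channel in a PPTP trace.

Constructed example for the ISA Server 2000 perimeter-network symptom:
TCP/1723 crosses the firewall in both directions, GRE (IP protocol 47)
leaves the client but never returns.
"""
import re
from collections import Counter

PPTP_PORT = 1723      # PPTP control connection (TCP)
GRE_PROTOCOL = 47     # PPTP data channel (IP protocol number for GRE)

# Assumed trace line format (not a Network Monitor or tcpdump format):
#   <time> <src_ip> -> <dst_ip> <proto> [<sport> <dport>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>TCP|UDP|GRE)(?:\s+(?P<sport>\d+)\s+(?P<dport>\d+))?$"
)

# Constructed sample: DMZ client 192.0.2.10 dialling Internet VPN server
# 198.51.100.5. The control handshake succeeds, GRE goes out, nothing returns.
BROKEN_TRACE = """\
10:01:00.001 192.0.2.10 -> 198.51.100.5 TCP 1040 1723
10:01:00.020 198.51.100.5 -> 192.0.2.10 TCP 1723 1040
10:01:00.021 192.0.2.10 -> 198.51.100.5 TCP 1040 1723
10:01:00.300 192.0.2.10 -> 198.51.100.5 GRE
10:01:00.400 192.0.2.10 -> 198.51.100.5 GRE
10:01:00.500 192.0.2.10 -> 198.51.100.5 GRE
10:01:30.000 192.0.2.10 -> 198.51.100.5 TCP 1040 1723
"""

# Constructed sample of a working call: the server answers on GRE as well.
HEALTHY_TRACE = BROKEN_TRACE + "10:01:00.310 198.51.100.5 -> 192.0.2.10 GRE\n"


def parse_trace(text):
    """Turn trace lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"]) if rec["sport"] else None
        rec["dport"] = int(rec["dport"]) if rec["dport"] else None
        records.append(rec)
    return records


def analyze_pptp(records, client_ip, server_ip):
    """Count control and GRE packets per direction and give a verdict.

    Verdicts: "no-control" (TCP/1723 never completed both ways),
    "no-gre" (control is fine but no GRE was attempted),
    "gre-blocked" (GRE seen in one direction only, the symptom above),
    "ok" (GRE flows both ways).
    """
    counts = Counter()
    for r in records:
        outbound = r["src"] == client_ip and r["dst"] == server_ip
        inbound = r["src"] == server_ip and r["dst"] == client_ip
        if not (outbound or inbound):
            continue  # unrelated traffic on the segment
        direction = "out" if outbound else "in"
        if r["proto"] == "TCP" and PPTP_PORT in (r["sport"], r["dport"]):
            counts["control_" + direction] += 1
        elif r["proto"] == "GRE":
            counts["gre_" + direction] += 1

    result = {k: counts[k] for k in ("control_out", "control_in", "gre_out", "gre_in")}
    if result["control_out"] == 0 or result["control_in"] == 0:
        result["verdict"] = "no-control"
    elif result["gre_out"] == 0 and result["gre_in"] == 0:
        result["verdict"] = "no-gre"
    elif result["gre_out"] == 0 or result["gre_in"] == 0:
        result["verdict"] = "gre-blocked"
    else:
        result["verdict"] = "ok"
    return result


if __name__ == "__main__":
    for name, trace in (("broken", BROKEN_TRACE), ("healthy", HEALTHY_TRACE)):
        print(name, analyze_pptp(parse_trace(trace), "192.0.2.10", "198.51.100.5"))
```

A "gre-blocked" verdict from a capture taken on the perimeter segment, combined with "Allowed" entries for the same GRE packets in the packet filter log, is the combination this article describes; a "no-control" verdict points at a different problem (port 1723 itself is not being passed).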

Note that perimeter networks, also referred to as DMZs, are found on triple-homed ISA Server computers. The perimeter network is reachable by using public IP addresses, but it is protected by the ISA Server firewall. See ISA Server Help for additional information.

Modification Type: Major
Last Reviewed: 10/16/2002
Keywords: kbenv kbISAServ2000sp1fix kbprb kbQFE KB303530