V
Vincent Xu [MSFT]
Hi,
From the description, I understand that you are building an IPSEC/L2TP VPN
connection on the ISA Server 2004. One windows 2000 client has problem in
establishing the VPN connection
Based on my research, since the problem only occurs on a specific client,
the problem could be probably related to the client OS. To isolate the
issue, please help to gather the following information:
1. Are all the clients located in the same place when establishing the VPN
connection to the ISA Server? Are the problematic workstations located
behind any firewall?
2. Have you configured both your ISA Server and hardware router to allow
UDP port 500 and 4500?
3. Please try disabling the Windows Firewall on the 2000 client. Please
also make sure the firewall client is not enabled on the windows 2000 .
4. Please disable any AV software on the 2000 client, and then perform a
Clean Boot on the problematic workstation. A Clean Boot will allow us to
isolate any device drivers or programs that are loading at startup that may
be causing a conflict with other device drivers or programs that are
installed in your computer.
A. Click Start, click Run, type "msconfig" (without the quotation marks)
and click OK.
B. Select "Selective Startup" and remove the check box for "Load Startup
Items".
C. On the "Services" tab, click Enable All.
D. Check "Hide all Microsoft Services", click Disable All and clear "Hide
all Microsoft Services".
E. Click the OK button and then Click Yes to restart your computer.
Note: Please copy msconfig.exe from windows xp client to windows 2000
client to finish this step.
5. Please try using the domain admin account (grant him the remote access
permission) to establish the VPN connection, does the problem persists? You
can also create a new user account to perform the test.
In addition, we may also need to gather some logs in order to isolate the
problem:
1. Activate Oakley Logging on the ISA server:
257225 Basic IPSec troubleshooting in Microsoft Windows 2000 Server
http://support.microsoft.com/?id=257225
Use Registry Editor to locate the following key in the registry, and if it
does not exist, pleas create it:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Add a REG_DWORD value named EnableLogging with a value of 1 to this key.
The Oakley.log file is created in the %systemroot%\debug folder.
2. Activate RRAS tracing on the server. To do so, we can run the following
command:
netsh ras set tracing * enabled
816110 HOW TO: Configure Routing and Remote Access Tracing in Windows Server
http://support.microsoft.com/?id=816110
By default, Routing and Remote Access activity is in the
%SystemRoot%\Tracing folder.
Thanks.
Best regards,
Vincent Xu
Microsoft Online Partner Support
======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================
--------------------
From the description, I understand that you are building an IPSEC/L2TP VPN
connection on the ISA Server 2004. One windows 2000 client has problem in
establishing the VPN connection
Based on my research, since the problem only occurs on a specific client,
the problem could be probably related to the client OS. To isolate the
issue, please help to gather the following information:
1. Are all the clients located in the same place when establishing the VPN
connection to the ISA Server? Are the problematic workstations located
behind any firewall?
2. Have you configured both your ISA Server and hardware router to allow
UDP port 500 and 4500?
3. Please try disabling the Windows Firewall on the 2000 client. Please
also make sure the firewall client is not enabled on the windows 2000 .
4. Please disable any AV software on the 2000 client, and then perform a
Clean Boot on the problematic workstation. A Clean Boot will allow us to
isolate any device drivers or programs that are loading at startup that may
be causing a conflict with other device drivers or programs that are
installed in your computer.
A. Click Start, click Run, type "msconfig" (without the quotation marks)
and click OK.
B. Select "Selective Startup" and remove the check box for "Load Startup
Items".
C. On the "Services" tab, click Enable All.
D. Check "Hide all Microsoft Services", click Disable All and clear "Hide
all Microsoft Services".
E. Click the OK button and then Click Yes to restart your computer.
Note: Please copy msconfig.exe from windows xp client to windows 2000
client to finish this step.
5. Please try using the domain admin account (grant him the remote access
permission) to establish the VPN connection, does the problem persists? You
can also create a new user account to perform the test.
In addition, we may also need to gather some logs in order to isolate the
problem:
1. Activate Oakley Logging on the ISA server:
257225 Basic IPSec troubleshooting in Microsoft Windows 2000 Server
http://support.microsoft.com/?id=257225
Use Registry Editor to locate the following key in the registry, and if it
does not exist, pleas create it:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent\Oakley
Add a REG_DWORD value named EnableLogging with a value of 1 to this key.
The Oakley.log file is created in the %systemroot%\debug folder.
2. Activate RRAS tracing on the server. To do so, we can run the following
command:
netsh ras set tracing * enabled
816110 HOW TO: Configure Routing and Remote Access Tracing in Windows Server
http://support.microsoft.com/?id=816110
By default, Routing and Remote Access activity is in the
%SystemRoot%\Tracing folder.
Thanks.
Best regards,
Vincent Xu
Microsoft Online Partner Support
======================================================
Get Secure! - www.microsoft.com/security
======================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others
may learn and benefit from this issue.
======================================================
This posting is provided "AS IS" with no warranties,and confers no rights.
======================================================
--------------------