Weird site to site issue... ?


David P

I have a weird issue.

The scenario is a single Windows 2003 domain with 2 sites. Each site has a domain
controller that connects over the internet through RRAS dial-on-demand
gateway-to-gateway VPN links. Both sites are part of the same Windows 2003
domain and replication works fine between the remote and hub domain controllers.

Each VPN gateway at each site is running ISA 2000 SP2.

The VPNs work fine and I can access resources on the remote sites.
The issue I am having is that only one site can connect to the internet
through its local ISA server at any one time.

If I am on site A and the gateway-to-gateway link is up, only site B can connect
to web pages through ISA. If I disconnect the VPN gateway on site A, site A
can then connect to web pages through ISA, but site B then cannot
connect to web pages through ISA, and so on!!!!! The gateway-to-gateway
VPN is a persistent connection too.

I can resolve web sites to IP addresses on the local ISA servers, no problem
at all, at all times.

What am I doing wrong? I have to implement another 2 additional sites
next week, so I would like this bottomed out.

Thanks in anticipation

Bill Grant

Apart from being an obvious routing problem, it is hard to say exactly
what is wrong. Here is what should happen.

When the VPN is not active, each server should have its default route
set to point out to the Internet. When the VPN connects, this should not
change. The only real change should be that each VPN server now has a route
to the IP subnet of the "other" site through the tunnel. The default route
should still be to the Internet. Check the routing table on both servers
before and after the VPN connects.

The default route only changes if you make a client-server type
connection rather than a router to router connection.

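One way to do the before/after check Bill Grant describes is to capture `route print` on the VPN server before the tunnel comes up and again after, then diff the two tables and look specifically at the default route (0.0.0.0/0.0.0.0). This is an added example, not code from the thread; the three route tables inside it are constructed sample output in the Windows 2003 `route print` layout, using documentation and private address ranges (203.0.113.0/24 for the Internet-facing NIC, 192.168.1.0/24 and 192.168.2.0/24 for the two sites, 10.0.0.0/30 for the tunnel endpoints) chosen purely for illustration.

```python
"""Diff two Windows `route print` IPv4 tables (before and after a VPN comes
up) and flag any change to the default route.

Added example, not code from the original thread. All route tables below
are constructed sample output; the addresses are illustrative only.
"""
import re

# One IPv4 route line: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)
DEFAULT = ("0.0.0.0", "0.0.0.0")

# Constructed snapshot: site A's VPN/ISA server before the tunnel is up.
BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    203.0.113.1    203.0.113.10      20
      127.0.0.0        255.0.0.0      127.0.0.1       127.0.0.1       1
    192.168.1.0    255.255.255.0    192.168.1.1     192.168.1.1      10
    203.0.113.0    255.255.255.0   203.0.113.10    203.0.113.10      20
Default Gateway:       203.0.113.1
"""

# Constructed snapshot after a correct router-to-router connection: only a
# host route to the far tunnel endpoint and a route to site B's subnet are
# added; the default route is untouched.
AFTER_ROUTER = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    203.0.113.1    203.0.113.10      20
       10.0.0.2  255.255.255.255       10.0.0.1        10.0.0.1       1
      127.0.0.0        255.0.0.0      127.0.0.1       127.0.0.1       1
    192.168.1.0    255.255.255.0    192.168.1.1     192.168.1.1      10
    192.168.2.0    255.255.255.0       10.0.0.2        10.0.0.1       1
    203.0.113.0    255.255.255.0   203.0.113.10    203.0.113.10      20
Default Gateway:       203.0.113.1
"""

# Constructed snapshot after a client-server style connection: the original
# default route has its metric raised and a new default route appears through
# the tunnel, so Internet-bound traffic is diverted across the VPN.
AFTER_CLIENT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.0.0.2        10.0.0.1       1
          0.0.0.0          0.0.0.0    203.0.113.1    203.0.113.10      21
       10.0.0.2  255.255.255.255       10.0.0.1        10.0.0.1       1
      127.0.0.0        255.0.0.0      127.0.0.1       127.0.0.1       1
    192.168.1.0    255.255.255.0    192.168.1.1     192.168.1.1      10
    203.0.113.0    255.255.255.0   203.0.113.10    203.0.113.10      20
Default Gateway:          10.0.0.2
"""


def parse_routes(text):
    """Return {(destination, netmask, gateway): (interface, metric)}.

    The gateway is part of the key because Windows can hold two default
    routes with different gateways at once (exactly the client-server case).
    """
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes[(dest, mask, gw)] = (iface, int(metric))
    return routes


def default_routes(routes):
    """Only the 0.0.0.0/0.0.0.0 entries of a parsed table."""
    return {k: v for k, v in routes.items() if k[:2] == DEFAULT}


def compare_tables(before_text, after_text):
    """Diff two route tables; 'default_unchanged' is the check that matters."""
    before, after = parse_routes(before_text), parse_routes(after_text)
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    changed = {k: (before[k], after[k])
               for k in before.keys() & after.keys() if before[k] != after[k]}
    return {
        "added": added,
        "removed": removed,
        "changed": changed,
        "default_unchanged": default_routes(before) == default_routes(after),
    }


if __name__ == "__main__":
    for label, after in (("router-to-router", AFTER_ROUTER),
                         ("client-server", AFTER_CLIENT)):
        result = compare_tables(BEFORE, after)
        print(f"{label}: default route unchanged = {result['default_unchanged']}")
        for key, val in result["added"].items():
            print(f"  added   {key} -> {val}")
        for key, (old, new) in result["changed"].items():
            print(f"  changed {key}: {old} -> {new}")
```

On a real server, paste the two `route print` captures in place of the constructed snapshots. A healthy router-to-router link shows `default_unchanged` true and only the far site's subnet (plus the tunnel endpoint host route) under `added`; a raised metric on the original default route or a second 0.0.0.0 entry through the tunnel is the client-server symptom the post describes, and it explains why the site whose Internet traffic is pulled across the tunnel loses web access.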
David P

Routing is not the issue, because at each site when the gateway-to-gateway
VPN is up (persistent connection, btw) I can ping and resolve web site
addresses to IP addresses at all times. This proves that the default route
is set to the external NIC. (The routing table also proves this, with the route set for the external gateway.)

Perhaps it's an ISA issue?

Bill Grant

But does that default route change when the VPN connection comes up?

With a client-server type connection, the default route on the "client"
side changes. The current default route is inactivated (by increasing its
metric) and a new default route established to the "server".

David P

No, it doesn't change; a new route to the hub/remote network is added on each
VPN server. The default broadcast route does not alter from the external
interface card.
