05-01-2002 07:07 PM - edited 02-21-2020 09:59 AM
Hi,
I set up an IPsec VPN tunnel between the corporate network, using Check Point NG FP1, and a branch office running a PIX 501 (version 6.1). The client machines behind the PIX are not NATed when passing through the tunnel, but are NATed when accessing the internet. The tunnel seems to work fine except for users trying to authenticate from Win2k Pro machines behind the PIX 501 to domain controllers behind the Check Point firewall. When I try to log in from one of the Win2k client machines it takes forever for me to log in. I checked the security event logs on the domain controller and they show that my login was validated.
I tried disconnecting the PIX and accessing the servers, and domain authentication works fine.
Any suggestions in this regard are greatly appreciated.
thanks
KSK
05-01-2002 08:52 PM
One thing to check is that you are letting protocol 50 (ESP) through the PIX. Just a thought:
access-list acl_out permit 50 any any
or whatever your rules are.
Scaggs
05-01-2002 09:40 PM
I have no ACL on the outside to allow the ESP protocol. I followed the Cisco documentation and it does not mention anything about allowing the ESP protocol on the outside interface.
05-02-2002 12:01 PM
You may need ESP. It's probably taking so long because it's cycling through all possible protocols until it tries ESP:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q254949
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q248694
http://support.microsoft.com/default.aspx?scid=kb;EN-US;q274438
05-03-2002 08:08 PM
Windows authentication is done by Kerberos, as the PCs are in a trusted domain. Is there a way not to encrypt the Kerberos traffic in the PIX-to-Check Point IPsec tunnel, so that authentication is done much more quickly than it is happening now?
All suggestions are welcome.
05-22-2002 01:14 PM
I had a customer with a similar problem. The users in his AD with lots of rights and/or who were members of lots of groups did not authenticate correctly over the VPN. The reason for this was that the Kerberos packet became too big and had to be fragmented.
As Kerberos by default uses UDP, there can be problems when fragmenting the packets: not all routers and other devices between the client and the server may allow UDP fragmentation.
I got a tip from Microsoft to use TCP for Kerberos authentication instead. This was done with the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Value Name: MaxPacketSize
Data Type: REG_DWORD
Value: 1
A similar change has to be done on the client, but I do not have that key (MS probably does...)
Please let me know if this worked, as my customer did not try the tip from Microsoft... :(
//Tomas
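The registry change described in the post above, as an added PowerShell example that is not part of the original thread. It reads back the current MaxPacketSize under the Kerberos\Parameters key named in the post, creates the key if it is missing, sets the REG_DWORD to 1 (forcing Kerberos to use TCP), and verifies the write. The function names are my own, and the example assumes the same key path applies on the Windows client as on the server, which the post leaves open.

```powershell
# Added example (not from the original thread): force Kerberos to use TCP by
# setting MaxPacketSize = 1 under the Kerberos\Parameters key named in the post.
# Assumption: the same key path is used on the Windows client as on the server.
# Run in an elevated PowerShell session; the LSA reads the value at boot, so a
# reboot is required for the change to take effect.

$KerberosParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName      = 'MaxPacketSize'
$ForceTcp       = 1   # Kerberos messages larger than this many bytes go over TCP

function Get-KerberosMaxPacketSize {
    # Returns the current value, or $null if the key or value does not exist yet.
    if (-not (Test-Path $KerberosParams)) { return $null }
    $item = Get-ItemProperty -Path $KerberosParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-KerberosForceTcp {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Create the Parameters key if it is missing (a fresh install may not have it).
    if (-not (Test-Path $KerberosParams)) {
        if ($PSCmdlet.ShouldProcess($KerberosParams, 'Create registry key')) {
            New-Item -Path $KerberosParams -Force | Out-Null
        }
    }

    $before = Get-KerberosMaxPacketSize
    $shown  = if ($null -eq $before) { '<not set>' } else { $before }
    Write-Host ("Current {0}: {1}" -f $ValueName, $shown)

    if ($PSCmdlet.ShouldProcess("$KerberosParams\$ValueName", "Set REG_DWORD to $ForceTcp")) {
        # -Type DWord matches the REG_DWORD data type given in the post.
        Set-ItemProperty -Path $KerberosParams -Name $ValueName -Value $ForceTcp -Type DWord

        # Read the value back so a failed or silently ignored write is reported.
        $after = Get-KerberosMaxPacketSize
        if ($after -ne $ForceTcp) {
            throw "Failed to set $ValueName (read back: $after)"
        }
        Write-Host "$ValueName is now $after; reboot for the Kerberos client to pick it up."
    }
}

# Usage: run as administrator; add -WhatIf to preview without writing anything.
Set-KerberosForceTcp
```

Run it with -WhatIf first to see exactly which key and value would be written, then without it on both the domain controller side and the Win2k client. Because the value is read at boot, re-test the slow logon only after the reboot; if logon is still slow, the fragmentation path is not the cause and the ESP suggestion earlier in the thread is the next thing to check.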