Cisco Router - ISA 2004 VPN connection

j.goertzen · ‎08-26-2009

Hello there, I've recently connected a Cisco 871 router to a ISA 2004 server (site to site VPN). The connection details are listed in this Microsoft article:

http://technet.microsoft.com/en-us/libr ... 02442.aspx

The tunnel works, but it tends to disconnect once every week. Additionally we can't write backups to a server at the remote end (we only get a 1 kb file, the rest doesn't get transfered). The same goes for files that are sent by a scanner to the server.

A article detailed that mismatched MTU values might be the cause of this. I've adapted the ISA to negotiate the MTU (by setting the EnablePMTUDiscovery to 1), but this didn't solve the problem. A additional problem is that the tunnel won't form after a restart when IKE fragmentation is enabled.

Has anybody got any tips to solve these problems?

s.jankowski · ‎09-01-2009

Cisco VPN Client users might receive this error when they attempt the connection with the head end VPN device.

"Attempted to assign network or broadcast IP address, removing (x.x.x.x) from pool" or "VPN client drops connection frequently on first attempt" or "Security VPN Connection terminated by tier. Reason 433."

Solution

The problem might be with the IP pool assignment either through ASA/PIX or Radius server. Use the debug crypto command in order to verify that the netmask and IP addresses are correct. Also, verify that the pool does not include the network address and the broadcast address. Radius servers must be able to assign the proper IP addresses to the clients.