I have an ISA 550 and I have everything I could imagine working over the IPSEC VPN but being able to sync Outlook to an Exchange 2007 server. Accessing shared folders works, other client server programs work as well. I can ping the Exchange server over the VPN, and address resolution for the server name or FQDN wasn't working, so I added an entry in the Windows hosts file to make sure it was resolving correctly to the IP. I've experimented with adding entries for both the server name and FQDN to the hosts and/or lmhosts file in every combination without success. Every port between the VPN and LAN is open, so it can't be a port issue. I've tried setting the MTU value to 1100, 576, and a few other suggestions, all without success. I've read every forum topic on similar problems I could find (up to Google's top 50 results) and tried every suggestion I could find, all without success. Since I'm about to be out of options I thought I would ask if anyone has had similar issues? Below is a checklist to provide more info and background.
1. The IP assigned to VPN users is on the same subnet as the Exchange server, i.e. user = 192.168.1.XXX and Exchange server 192.168.1.XXX.
2. Assignable VPN user IPs are reserved on the DHCP server.
3. Users can access network resources like shared folders and are successfully authenticated against an LDAP (Active Directory) server to log in.
4. Users can use other client server programs, i.e. access to an SQL server works great.
Thanks in advance for any assistance
Is this a remote access VPN? Are you using TCP or UDP as the transport on the client? I would use UDP if you can. This is normally an MTU issue. Also make sure you are not blocking ICMP messages so that Path MTU discovery can work correctly.
It is a remote access IPSEC VPN with clients configured to use IPSEC over UDP. I went through the troubleshooting article here http://networkadminkb.com/KB/a62/troubleshooting-mtu-path-discovery-issues-over-a-vpn-tunnel.aspx and found that the maximum packet size when pinging the server is 1072, so the MTU is 1100. I receive the "packet needs to be fragmented but DF set." message when pinging over 1072, so I believe that means ICMP and path MTU discovery are working correctly. I checked that the MTU was set to 1100 on all interfaces, and surprisingly the server asked for login credentials when first opening Outlook, but it still will not sync. I.e. "trying to connect to microsoft exchange" and then "disconnected".
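The DF-set ping probe the reply above describes (largest payload 1072 bytes, so a path MTU of 1100 after adding the 20-byte IPv4 and 8-byte ICMP headers) can be automated as a binary search. The script below is an added example, not code from the thread or the linked article; the `ping` flags are the standard Windows (`-f -l`) and Linux iputils (`-M do -s`) ones, and the `simulated_path` / `simulated_icmp_blackhole` helpers are constructed stand-ins so the search can be exercised offline. The blackhole case is the failure mode the earlier reply warns about: when ICMP is filtered, no probe ever answers and the search reports nothing rather than a bogus MTU.

```python
"""Probe the path MTU with DF-set pings (added example, not from the thread)."""
import platform
import subprocess

IP_HEADER = 20    # bytes of IPv4 header (no options)
ICMP_HEADER = 8   # bytes of ICMP echo header
# Largest echo payload that fits a standard 1500-byte Ethernet frame.
MAX_ETHERNET_PAYLOAD = 1500 - IP_HEADER - ICMP_HEADER  # 1472


def ping_df(host, payload, probe=None):
    """Return True if an echo with `payload` data bytes and DF set gets a reply.

    `probe` is an optional callable used instead of the real ping so the search
    can be exercised offline; when it is None the platform ping is invoked.
    """
    if probe is not None:
        return probe(payload)
    if platform.system() == "Windows":
        # -f sets DF, -l sets the data size (Windows ping flags)
        cmd = ["ping", "-n", "1", "-w", "2000", "-f", "-l", str(payload), host]
    else:
        # -M do forbids fragmentation, -s sets the data size (Linux iputils ping)
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True, text=True).returncode == 0


def find_max_payload(host, lo=0, hi=MAX_ETHERNET_PAYLOAD, probe=None):
    """Binary-search the largest payload that crosses the path unfragmented.

    Returns None if even `lo` bytes do not get through (host down or ICMP
    filtered), which is the condition that also breaks path MTU discovery.
    """
    if not ping_df(host, lo, probe):
        return None
    if ping_df(host, hi, probe):
        return hi
    # Invariant: lo gets through, hi does not.
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if ping_df(host, mid, probe):
            lo = mid
        else:
            hi = mid
    return lo


def path_mtu(max_payload):
    """Convert the largest echo payload into the path MTU in bytes."""
    return max_payload + IP_HEADER + ICMP_HEADER


def simulated_path(mtu):
    """Constructed stand-in for a real path: replies only when the packet fits."""
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= mtu


def simulated_icmp_blackhole():
    """Constructed stand-in for a path that drops all ICMP."""
    return lambda payload: False


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    probe = None if target else simulated_path(1100)   # offline demo path
    best = find_max_payload(target or "simulated", probe=probe)
    if best is None:
        print("no echo replies at all; check ICMP filtering before trusting any MTU")
    else:
        print(f"largest unfragmented payload {best} -> path MTU {path_mtu(best)}")
```

Run it with the Exchange server's address as the first argument to probe the real tunnel, or with no argument to see the search converge on the thread's 1072/1100 figures against the simulated path. A reported MTU only tells you the size that fits the tunnel; after lowering the interface MTU it is still worth confirming the value with one more DF-set ping of exactly that payload.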
One quick suggestion: Can you try setting the VPN address pool to a different network? It's best practice to use a unique network for the VPN address pool.
Also, can you gather packet captures from the client (VPN adapter) and also from the server at the same time? That will provide more information on what's going on with the communication.