04-26-2010 11:11 AM
We are using a 3005 Concentrator and everything was working just dandy up until last week. VPN clients were connecting and authenticating using Kerberos/AD and they were able to access all resources on our connected networks. All client related connectivity stopped working a few days ago. Authentication, connection, etc. I first thought that it was authentication issue so I set up RADIUS authentication on my DC and that fixed the lack of authentication. However, now my clients can no longer connect to any resources on our networks. There's no error message on the client or the concentrator (that I can tell) and everything else is in place (Network lists are correct, route print on the client PC shows all the correct routes to our network). I can ping internal network resources from the concentrator so I don't think it's a firewall issue.
Here's what's in the log when a client connects:
152 04/25/2010 09:09:28.250 SEV=5 IKEDBG/64 RPT=1 209.X.X.177
IKE Peer included IKE fragmentation capability flags:
Main Mode: True
Aggressive Mode: False
154 04/25/2010 09:09:58.960 SEV=4 IKE/52 RPT=1 209.X.X.177
Group [Boston] User [BenRadlinski]
User (BenRadlinski) authenticated.
155 04/25/2010 09:09:59.000 SEV=4 IKE/131 RPT=1 209.X.X.177
Group [Boston] User [BenRadlinski]
Received unknown transaction mode attribute: 28684
157 04/25/2010 09:09:59.000 SEV=5 IKE/184 RPT=1 209.X.X.177
Group [Boston] User [BenRadlinski]
Client Type: WinNT
Client Application Version: 5.0.06.0160
159 04/25/2010 09:10:00.940 SEV=5 IKE/233 RPT=1
Filter added for IPSec/UDP - address 66.X.X.6, port 10000
160 04/25/2010 09:10:00.940 SEV=4 AUTH/22 RPT=3 209.X.X.177
User [BenRadlinski] Group [Boston] connected, Session Type: IPSec
161 04/25/2010 09:10:00.940 SEV=4 IKE/119 RPT=3 209.X.X.177
Group [Boston] User [BenRadlinski]
PHASE 1 COMPLETED
162 04/25/2010 09:10:00.960 SEV=5 IKE/25 RPT=1 209.X.X.177
Group [Boston] User [BenRadlinski]
Received remote Proxy Host data in ID Payload:
Address 192.168.105.50, Protocol 0, Port 0
165 04/25/2010 09:10:00.960 SEV=5 IKE/34 RPT=2 209.X.X.177
Group [Boston] User [BenRadlinski]
Received local IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
168 04/25/2010 09:10:00.960 SEV=5 IKE/66 RPT=2 209.X.X.177
Group [Boston] User [BenRadlinski]
IKE Remote Peer configured for SA: ESP-3DES-MD5
170 04/25/2010 09:10:00.960 SEV=5 IKE/75 RPT=2 209.X.X.177
Group [Boston] User [BenRadlinski]
Overriding Initiator's IPSec rekeying duration from 2147483 to 28800 seconds
172 04/25/2010 09:10:00.990 SEV=4 IKE/49 RPT=12 209.X.X.177
Group [Boston] User [BenRadlinski]
Security negotiation complete for User (BenRadlinski)
Responder, Inbound SPI = 0x71d4c8c6, Outbound SPI = 0x06065ed8
175 04/25/2010 09:10:01.010 SEV=4 IKE/120 RPT=12 209.X.X.177
Group [Boston] User [BenRadlinski]
PHASE 2 COMPLETED (msgid=6bca78b0)
176 04/25/2010 09:10:01.010 SEV=4 NAC/27 RPT=1
NAC is disabled for peer - PUB_IP:209.X.X.177, PRV_IP:192.168.105.50
Any help would be appreciated.
Thanks.
04-27-2010 11:17 AM
This seems to be isolated to Windows 7 clients now. I recall seeing something about this elsewhere in the forum, so I'll search around.
Thanks,
Ben
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide