Help! problems with VPN, concentrator 3005

Wichard20 (Level 1)

Hi all,

We are currently using a Concentrator 3005 VPN that our clients use to access terminal services/FTP/etc. We were on a 3.X firmware and just recently upgraded to 4.1.7.D. We upgraded because some clients, specifically XP clients, could not FTP. The firmware upgrade has solved most of the FTP issues, but now remote desktop/terminal services is not functioning. It was working before the upgrade, and the rule is still preserved after the upgrade. The VPN client we are using and recommend our clients to use is 4.0.5 (D). Using 4.6.1 will let us connect, but we cannot FTP with this client. The VPN box bypasses the firewall, so the only security is the security we assign through the VPN box. Any help would be appreciated.

Thank you for your time,

Rich

7 Replies

ehirsel (Level 6)

What messages appear to the user when attempting a remote/desktop - term services application?

What messages appear in the 3005 log file?

Are you using the web-based RDP or is it the native term services client (which I believe connects on port 3389)?

Wichard20 (Level 1)

I will check the log file when I get back in. I don't believe anything shows up. This is using the native term services; port 3389 is open on the VPN. A generic message appears that says something like "the server you are connecting to is too busy to accept your requests, this could be because too many users are logged in, or the server could not be found".

Wichard20 (Level 1)

Ok, so I checked the log file and it shows nothing. I established a connection with my laptop and attempted to remote desktop while watching the log file on the VPN; nothing shows up. Any ideas? While I am VPN'd in, I cannot ping anything, but I can FTP.

Thanks,

Rich

ehirsel (Level 6)

On the VPN concentrator, find out what rules are active and post them here. I am wondering if the defined rule set and the active rule set are not similar.

Has there been any internal routing changes made recently? You noted that the VPN connections bypass the firewall, so I assume that the firewall and the VPN 3000 are in parallel in the topology? Is that correct?

Wichard20 (Level 1)

ehirsel, I appreciate all the help you have been providing me. Yes, the VPN 3000 and the firewall are in parallel in our network topology.

Here is our rule list, how do you check the active rule set? Here are our rules from the config file.

http://members.cox.net/rgawthrop/ruleset.txt

ehirsel (Level 6)

Go to Configuration | Interfaces | Ethernet x, where x is 1 or 2 (or 3, depending upon the concentrator model that you have). From there you go to the General tab (if you use web mgmt) or select the General menu selection (for telnet mgmt).

This will tell you what filters are applied to each interface.

In examining your rules I have one question:

Rule #s 60 and 61 are the term services rules, but #61 has the same sport and dport values that #60 has. Shouldn't the outbound ports be reversed from the inbound ones? Or are those rules applied to different filters that are on different interfaces?

Do you have the concentrator push filters to the vpn clients as well? The filter would be specified under the group section of the 3000 config?
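The point ehirsel raises about rules 60 and 61 is the general failure mode of a stateless, direction-aware filter: the reply leg of a TCP session has the source and destination ports swapped, so an "outbound" rule that copies the inbound rule's ports instead of reversing them lets the SYN through and silently drops the server's reply, which is exactly the "server is too busy / could not be found" symptom with nothing in the log. The following is an added example, not code from the thread or from Cisco: a small Python model of first-match, default-drop filtering that checks whether a client-to-server flow passes in both directions and flags forward rules with no port-reversed twin. The rule format, the `in`/`out` direction convention (in = client to server, out = server to client), the rule numbers and the rule set itself are constructed for the example and are not the VPN 3000's configuration syntax or its actual evaluation order.

```python
"""
Stateless rule-pair check for a direction-aware packet filter.

Constructed example: simplified rule model, not the VPN 3000 rule syntax.
A port of None means "any port". Evaluation is first match wins, with an
implicit drop when nothing matches (assumed; many stateless filters behave
this way, but check your own device's documented default).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    name: str
    direction: str        # "in": client -> server, "out": server -> client (example convention)
    proto: str            # "tcp" / "udp" / "icmp"
    sport: Optional[int]  # source port, None = any
    dport: Optional[int]  # destination port, None = any
    action: str           # "forward" / "drop"


def _port_match(rule_port: Optional[int], pkt_port: int) -> bool:
    return rule_port is None or rule_port == pkt_port


def first_match(rules: List[Rule], direction: str, proto: str,
                sport: int, dport: int) -> str:
    """Return the action of the first rule matching the packet, or 'drop'."""
    for r in rules:
        if (r.direction == direction and r.proto == proto
                and _port_match(r.sport, sport) and _port_match(r.dport, dport)):
            return r.action
    return "drop"


def session_passes(rules: List[Rule], proto: str,
                   client_port: int, server_port: int) -> Tuple[bool, bool]:
    """(request_forwarded, reply_forwarded) for one client/server flow.

    The reply leg swaps the ports: it leaves the server from server_port
    and is addressed to the client's ephemeral port.
    """
    request = first_match(rules, "in", proto, client_port, server_port)
    reply = first_match(rules, "out", proto, server_port, client_port)
    return request == "forward", reply == "forward"


def unmirrored_rules(rules: List[Rule]) -> List[Rule]:
    """Forward rules that have no twin in the other direction with the ports reversed."""
    forwards = [r for r in rules if r.action == "forward"]
    missing = []
    for r in forwards:
        has_twin = any(
            t.direction != r.direction and t.proto == r.proto
            and t.sport == r.dport and t.dport == r.sport
            for t in forwards
        )
        if not has_twin:
            missing.append(r)
    return missing


# Constructed rule sets. In RULES_BROKEN rule 61 copies rule 60's ports
# instead of reversing them, so the server's reply never matches.
RULES_BROKEN = [
    Rule(60, "RDP In",  "in",  "tcp", ANY,  3389, "forward"),
    Rule(61, "RDP Out", "out", "tcp", ANY,  3389, "forward"),
]
RULES_FIXED = [
    Rule(60, "RDP In",  "in",  "tcp", ANY,  3389, "forward"),
    Rule(61, "RDP Out", "out", "tcp", 3389, ANY,  "forward"),
]

if __name__ == "__main__":
    for label, ruleset in (("broken", RULES_BROKEN), ("fixed", RULES_FIXED)):
        passes = session_passes(ruleset, "tcp", 49152, 3389)
        flagged = [r.number for r in unmirrored_rules(ruleset)]
        print(f"{label}: request/reply forwarded = {passes}, unmirrored rules = {flagged}")
```

Running the script against the broken set reports the request forwarded and the reply dropped, and flags both 60 and 61 as unmirrored; the fixed set passes both legs with nothing flagged. The same check applies to any service behind a stateless filter (FTP control on 21 being the other one in this thread); it says nothing about the filter-to-interface binding ehirsel describes in the General tab, which still has to be verified on the device.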

Wichard20 (Level 1)

That fixed it. The firmware must have changed my default filter; after I reapplied my filter, remote desktop worked. Thanks for the help.