Troubleshooting Virtual Private Networking

This troubleshooting guide describes common issues encountered when deploying, configuring, or maintaining a virtual private network (VPN) for Microsoft Internet Security and Acceleration (ISA) Server 2004 Standard Edition and ISA Server 2004 Enterprise Edition. It also details actions you can take to resolve these issues.

This document is divided into these sections:

  • Common VPN issues
    • Issue: Client Cannot Connect
  • VPN client issues
    • Issue: VPN Clients Cannot Connect
  • Remote site network issues
    • Issue: Remote Site Client Cannot Connect
  • Remote site network and Internet Protocol security (IPsec) issues
    • Issue: Remote Site Networks Cannot Connect
  • Additional information

This document will be updated frequently with new troubleshooting tips. If you have a suggestion for a troubleshooting tip, contact ISA Server Documentation Feedback at Microsoft.

Common VPN Issues

This section describes issues commonly encountered when remote VPN clients or a remote site network attempt to connect to a network protected by ISA Server.

Issue: Client Cannot Connect

Problem:

VPN client cannot connect. This may happen for any of the following reasons:

  • User permissions are not configured properly.
  • VPN settings were configured using Routing and Remote Access.
  • The ISA Server computer was not restarted after a VPN was configured.
  • A VPN is not enabled for the specified network.
  • There is no connectivity from the VPN client.
  • The Dynamic Host Configuration Protocol (DHCP) server is not configured properly.

Possible solutions for this issue are described in the following sections.

Cause: User Permissions Not Configured Properly

The VPN clients may not be able to connect, because the user permissions were not properly configured.

Solution:

Check that the user exists and is properly configured:

  1. Verify that the user is actually defined on a Microsoft Windows Server 2003 or Windows 2000 Server domain controller or on the Remote Authentication Dial-In User Service (RADIUS) server (as a RADIUS user).
  2. Validate that the user is allowed to dial in. When Windows authentication is used, check the dial-in permission where the account is defined:
    • For a domain user, on the domain controller, open Active Directory Users and Computers, right-click the user, and then click Properties.
    • For a local user defined on the ISA Server computer, click Start, point to Administrative Tools, and then click Computer Management. In Computer Management, expand System Tools, expand Local Users and Groups, click Users, right-click the applicable user, and then click Properties.
    • On the Dial-in tab, under Remote Access Permission (Dial-in or VPN), select Allow access (or Control access through Remote Access Policy, if a remote access policy on the server grants the user access).
  3. Validate that the user credentials are valid (for example, that the password has not expired and the account is not locked out).
  4. When the Password Authentication Protocol (PAP) or Shiva Password Authentication Protocol (SPAP) is used and the ISA Server computer is a domain member, the VPN client cannot connect as a local user (a user defined on the ISA Server computer). This is because authentication with PAP and SPAP is done using only the user name and password. Note also that PAP sends the password in clear text and SPAP uses a reversible encoding, so enable them only for clients that cannot use MS-CHAP v2 or EAP.

Cause: VPN Settings Configured Using Routing and Remote Access

The VPN clients cannot connect, because the VPN settings were configured using Routing and Remote Access, and not using ISA Server Management.

Solution:

Check that you use ISA Server Management to configure the VPN settings, and not Routing and Remote Access. The following Routing and Remote Access settings are overridden by ISA Server:

  • Global configuration:
    • Authentication methods, such as Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2)
    • Address assignment, such as DHCP, Domain Name System (DNS), or Windows Internet Name Service (WINS) configuration
    • Layer Two Tunneling Protocol (L2TP) preshared key
    • Authentication and accounting providers
    • RADIUS servers list
  • VPN client configuration:
    • Tunneling protocol configuration
    • Maximum number of Point-to-Point Tunneling Protocol (PPTP) or L2TP VPN client simultaneous connections

Cause: Restart Required

The ISA Server computer was not restarted after VPN settings were configured.

Solution:

Review the alerts issued by ISA Server and review system events (in Event Viewer). Check if there is an alert that indicates that ISA Server was not restarted after VPN client access was enabled or after a protocol was configured, and then restart the ISA Server computer.

Cause: VPN Disabled for the Network

The network is not enabled for VPN access.

Solution:

Verify that the network from which the client is attempting to connect is VPN-enabled.

Cause: No Connectivity from the VPN Client

There is no connectivity between the VPN client computer and the ISA Server computer.

Solution:

Verify that the VPN client computer can connect to the ISA Server computer. If there is no connectivity, do the following:

  1. Check that the routing table is configured correctly, both on the client computer and on the ISA Server computer. Check that the default gateway is properly configured.
  2. For PPTP connections, check that any network address translation (NAT) device between ISA Server and the Internet, or between the VPN client and the Internet, supports PPTP. Such a device must pass not only TCP port 1723 (the control channel) but also Generic Routing Encapsulation (GRE, IP protocol 47), which carries the tunneled data and has no port numbers for a simple NAT to track. For L2TP/IPsec connections through a NAT device, both the client and the ISA Server computer must support IPsec NAT traversal (NAT-T, UDP port 4500) in addition to UDP port 500 for IKE.

Cause: DHCP Server Configuration

The DHCP server is not configured properly.

Solution:

If DHCP is used for address assignments, check the following:

  1. Check that the DHCP server is properly functioning. If not, use a static pool of addresses instead.
  2. Check that the DHCP system policy rules are configured properly. For more information, see ISA Server Help.
  3. Verify that the DHCP server does not have a reservation for the IP address of the ISA Server computer. Instead, configure a static IP address for the ISA Server computer, and exclude this address from the DHCP scope.

Issue: L2TP Connections Fail

Problem:

L2TP connections fail. This may happen for any of the following reasons:

  • The preshared key is not properly configured.
  • Certificates are not properly configured.
  • The connection settings are not properly configured.

Possible solutions for this issue are described in the following sections.

Cause: Preshared Key Configuration

The preshared key is not properly configured.

Solution:

Check the configuration of the L2TP/IPsec preshared key. The same key must be entered on the ISA Server computer and on every L2TP client that authenticates with a preshared key; a mismatch fails the IKE authentication before L2TP is attempted. Because a single key is shared by all such clients, treat it as a fallback for clients that have no certificate, and prefer computer certificates where possible.

Cause: Certificate Configuration

The certificates are not properly configured.

Solution:

Check that the certificates used for the IPsec negotiation are properly configured. Check the following:

  • The root certification authority (CA) certificate that issued the computer certificates is trusted on both the VPN client computer and the ISA Server computer (it is present in the Trusted Root Certification Authorities store of the local computer on each).
  • Both the client certificate and the ISA Server computer certificate are computer (machine) certificates with RSA key pairs, not user certificates.
  • On both computers, the certificate is stored in the local computer certificate store (Certificates (Local Computer), Personal), not in the current user's store.
  • Each certificate is still valid (it has not expired or been revoked).

Cause: Connection Setting Configuration

The connection settings are not properly configured.

Solution:

Check that the following connection settings are properly configured:

  1. The authentication methods configured on ISA Server match the authentication credentials presented by the VPN client.
  2. The VPN tunneling protocols on ISA Server (PPTP or L2TP) match the tunneling protocol used by the VPN client.

Issue: Routing and Remote Access Does Not Start

Problem:

Routing and Remote Access does not start after a configuration change. No event is logged in the Application log; however, a Remote Access event is written to the System log.

This may occur when the RADIUS ports are not properly configured on ISA Server. The following section details the issue.

Cause: ISA Server Port Configuration

ISA Server is not configured to use UDP port 1812 for RADIUS authentication requests and UDP port 1813 for RADIUS accounting requests. These are the standard ports (RFC 2865 and RFC 2866); some RADIUS servers still listen on the legacy ports 1645 and 1646, and the two sides must agree.

Solution:

When you configure RADIUS authentication, configure ISA Server to use UDP port 1812 for RADIUS authentication and UDP port 1813 for RADIUS accounting, and make sure the RADIUS server listens on the same ports. Do the following:

  1. Verify that Routing and Remote Access is running.
  2. Check that the RADIUS authentication and accounting services are configured on the RADIUS server and are listening on the ports that ISA Server uses.

VPN Client Issues

This section describes issues encountered specifically when remote VPN clients attempt to connect to a network protected by ISA Server.

Issue: VPN Clients Cannot Connect

Problem:

VPN clients fail to establish a PPTP or L2TP connection to the ISA Server computer. This may happen for any of the following reasons:

  • The specified network is not enabled for VPN access.
  • Too many connections were established.
  • The tunneling protocol is not configured properly.
  • ISA Server cannot connect to the RADIUS server.
  • Windows authentication is not configured properly.
  • User mapping is not configured properly.
  • The RADIUS server is running on the ISA Server computer.
  • Quarantine is not configured properly.

More details and possible solutions for this issue are described in the following sections.

Cause: VPN Disabled for the Network

The network is not enabled for VPN access.

Solution:

Verify that the network from which the client is attempting to connect is VPN-enabled.

Cause: Maximum Connections Exceeded

Maximum number of VPN client connections was reached.

Solution:

Determine if the maximum number of simultaneous remote client connections was exceeded. Check the Sessions view, to determine the number of active VPN client sessions. Increase the maximum number of VPN client connections allowed to the ISA Server computer. Do the following:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the console tree of ISA Server Management, click Virtual Private Networks (VPN):
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Virtual Private Networks (VPN).
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Virtual Private Networks (VPN).
  3. In the details pane, click the VPN Clients tab.
  4. On the Tasks tab, click Configure VPN Client Access.
  5. In Maximum number of VPN clients allowed, type the maximum number of VPN clients that can connect simultaneously.

Cause: Tunneling Protocol Configuration

ISA Server is not configured for the tunneling protocol (L2TP or PPTP) used by the client.

Solution:

Configure ISA Server to use the appropriate tunneling protocol. Do the following:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.
  2. In the console tree of ISA Server Management, click Virtual Private Networks (VPN):
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Virtual Private Networks (VPN).
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Virtual Private Networks (VPN).
  3. In the details pane, click the VPN Clients tab.
  4. On the Tasks tab, click Configure VPN Client Access.
  5. On the Protocols tab, select one or more of the following:
    • Enable PPTP
    • Enable L2TP/IPsec
  6. Restart the ISA Server computer.

Cause: Connection to RADIUS Server

ISA Server cannot connect to the RADIUS server.

Solution:

Configure connectivity between ISA Server and the Internet Authentication Service (IAS). Perform the following steps:

  1. In the console tree of ISA Server Management, click Firewall Policy:
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
  2. On the Tasks tab, click Edit System Policy.
  3. In Configuration Groups, in the Authentication Services configuration group, select RADIUS.
  4. On the General tab, click Enable.
  5. On the To tab, click Add.
  6. In Add Network Entities, select the RADIUS server computer. Click Add, and then click Close.

Solution:

Verify connectivity between ISA Server and the IAS server.

Solution:

Check that the ISA Server computer is registered as a RADIUS client on the IAS server, with the correct address and the same shared secret that is configured in ISA Server Management.

Solution:

Check that the IAS server is configured properly in ISA Server Management. Perform the following steps:

  1. In the console tree of ISA Server Management, click General:
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, click Configuration, and then click General.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, click Configuration, and then click General.
  2. In the details pane, click Define RADIUS Servers.
  3. On the RADIUS Servers tab, select the server, and then click Edit.
  4. In Server name, verify that the name of the RADIUS server to use for authentication is specified correctly.
  5. Click Change, and in New secret and Confirm new secret, type the shared secret that is used for secure communications between ISA Server and the RADIUS server, and then click OK. You must configure the same shared secret on both ISA Server and the RADIUS server for successful RADIUS communications to occur. Use a long, random secret: it is the only key protecting the User-Password attribute and the message authenticator between ISA Server and the RADIUS server.
  6. If the IAS server always uses a message authenticator based on the shared secret sent with each RADIUS message, select Always use message authenticator. The Message-Authenticator attribute is an HMAC-MD5 over the packet keyed with the shared secret; requiring it on both sides lets each side reject requests that were forged or altered by someone who does not know the secret.
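The shared-secret requirement in the steps above is easier to reason about with the wire format in hand. The following Python program is an added example written for this page, not ISA Server or IAS code: it builds a RADIUS Access-Request the way a RADIUS client such as ISA Server does, obfuscates the User-Password attribute as RFC 2865 specifies, adds the Message-Authenticator attribute from RFC 2869, and then shows what the server side can verify with a matching secret and what breaks with a mismatched one. The user name, password and secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types from RFC 2865 / RFC 2869.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # code, identifier, length, 16-byte Request Authenticator


def _attr(atype, value):
    """Encode one attribute as type, total length, value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def _password_xor(data, secret, authenticator, chaining):
    """Core of the RFC 2865 section 5.2 User-Password scheme.

    Each 16-byte block is XORed with MD5(secret + previous block). The
    'previous block' is the Request Authenticator for the first block and the
    previous ciphertext block afterwards: when encoding that is the block we
    just produced (chaining=True), when decoding it is the input block.
    """
    out = b""
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = result if chaining else block
    return out


def encode_user_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    return _password_xor(padded, secret, authenticator, chaining=True)


def decode_user_password(encrypted, secret, authenticator):
    return _password_xor(encrypted, secret, authenticator, chaining=False).rstrip(b"\x00")


def build_access_request(identifier, username, password, secret, authenticator=None):
    """Build an Access-Request carrying User-Name, User-Password and a
    Message-Authenticator (RFC 2869 3.2): HMAC-MD5 over the whole packet with
    the Message-Authenticator value set to 16 zero bytes while computing."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs)) + authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # the zero placeholder is the last attribute added


def parse_attributes(packet):
    """Return [(type, value), ...] from a RADIUS packet, checking attribute lengths."""
    attrs = []
    pos = HEADER_LEN
    length = struct.unpack("!H", packet[2:4])[0]
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def verify_message_authenticator(packet, secret):
    """Recompute the Message-Authenticator with the given secret. Returns False
    when the attribute is missing (what 'Always use message authenticator'
    enforces on the server) or does not match."""
    pos = HEADER_LEN
    for atype, value in parse_attributes(packet):
        if atype == ATTR_MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(value, expected)
        pos += 2 + len(value)
    return False


def server_side_check(packet, secret):
    """What the RADIUS server does with ISA Server's request: verify integrity
    with its own copy of the shared secret, then recover the password.
    Returns (username, password), or None when the secrets do not match."""
    if not verify_message_authenticator(packet, secret):
        return None
    authenticator = packet[4:20]
    fields = dict(parse_attributes(packet))
    return fields[ATTR_USER_NAME], decode_user_password(fields[ATTR_USER_PASSWORD], secret, authenticator)


if __name__ == "__main__":
    isa_secret = b"correct-horse-battery"   # constructed value, as entered in Define RADIUS Servers
    request = build_access_request(7, b"alice", b"Pa55w0rd!", isa_secret)
    print(server_side_check(request, isa_secret))       # (b'alice', b'Pa55w0rd!') when secrets match
    print(server_side_check(request, b"typo-secret"))   # None: the HMAC check fails first
```

Without the Message-Authenticator attribute, a request sent with a mismatched secret still parses: the server recovers a garbage password and rejects the user, which looks like a bad password rather than a misconfigured secret. With the attribute required, the request is rejected before the password is examined, which separates a secret mismatch from a wrong user password.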

Cause: Windows Authentication Configuration

Windows authentication is not configured properly.

Solution:

Check that rules allowing connectivity between the domain controller and ISA Server are properly configured. Perform the following steps:

  1. In the console tree of ISA Server Management, click Firewall Policy:
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
  2. On the Tasks tab, click Edit System Policy.
  3. In Configuration Groups, in the Authentication Services configuration group, select Active Directory.
  4. On the General tab, click Enable.
  5. On the To tab, click Add.
  6. In Add Network Entities, select all the domain controllers that perform authentication. Click Add, and then click Close.

Solution:

Check that there is trust between the domain of the ISA Server computer and the user domain. As necessary, create rules allowing connectivity between the domain controller and ISA Server.

Cause: User Mapping Configuration

User mapping is not configured properly.

Solution:

If user mapping is enabled for RADIUS authentication, and if you configure MS-CHAPv2, MS-CHAP, or CHAP authentication methods, verify that the RADIUS server and the ISA Server computer are in the same domain.

Solution:

If you configure user mapping with mirrored accounts, check that the MS-CHAP v2, MS-CHAP, and CHAP authentication methods are not configured.

Solution:

Verify that you create mirrored users (accounts with the same user name as the RADIUS users) in the following scenarios:

  • If the RADIUS users authenticate with PAP or SPAP.
  • If ISA Server is a domain member, the mirrored users should exist in the ISA Server domain.
  • If ISA Server is in a workgroup, the mirrored users should exist in Local Users and Groups on the ISA Server computer.

Cause: RADIUS Server Running

IAS is running on the ISA Server computer (Windows 2000 Server only).

Solution:

This scenario is not supported. Uninstall IAS.

Cause: Quarantine Disabled on ISA Server

Quarantine is enabled on RADIUS or Routing and Remote Access policies and disabled on ISA Server (Windows Server 2003 only).

Solution:

Clear these quarantine attributes on RADIUS or Routing and Remote Access:

  • MS-Quarantine-Session-Timeout
  • MS-Quarantine-IPFilter.

Alternatively, on the ISA Server computer, enable quarantine mode. Perform the following steps:

  1. In the console tree of ISA Server Management, click Networks:
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, click Configuration, and then click Networks.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, click Configuration, and then click Networks.
  2. In the details pane, select the Networks tab, and then select the Quarantined VPN Clients network.
  3. On the Tasks tab, click Edit Selected Network.
  4. On the Quarantine tab, select Enable Quarantine Control.

For more information about configuring quarantine, see the VPN Roaming Clients and Quarantine Control in ISA Server 2004 Enterprise Edition document on the VPN page at the Microsoft Windows Server System Web site (https://www.microsoft.com).

Issue: VPN Client Immediately Disconnects

Problem:

VPN client connection succeeded, but immediately disconnected.

This may occur when quarantine is enabled with a time-out. The following section details the issue.

Cause: Quarantine Enabled with Time-out

Quarantine is enabled with time-out.

Solution:

Increase the quarantine time-out. Perform the following steps:

  1. In the console tree of ISA Server Management, click Networks:
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, click Configuration, and then click Networks.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, click Configuration, and then click Networks.
  2. In the details pane, select the Networks tab, and then select the Quarantined VPN Clients network.
  3. On the Tasks tab, click Edit Selected Network.
  4. If quarantined clients should be disconnected after a specified time, on the Quarantine tab, select Disconnect quarantine users after (seconds) and type the number of seconds that will pass before a client will be removed from the Quarantined VPN Clients network and disconnected from ISA Server.

Solution:

If quarantine is enabled according to RADIUS servers policy, increase quarantine time-out on RADIUS server policies. For example, if you are using IAS, configure the MS-Quarantine-Session-Timeout attribute.

Issue: Clients Cannot Send Traffic

Problem:

VPN client connection succeeded, but client cannot send traffic. This may happen for any of the following reasons:

  • The firewall policy is not configured properly.
  • Routing is not configured properly.
  • The VPN client addresses are not configured properly.
  • The specified user or group is not allowed access.
  • Quarantine is not configured properly.
  • Firewall Client is installed on the VPN client computer.

More detail and possible solutions for this issue are described in the following sections.

Cause: Firewall Policy Configuration

Firewall policy is not configured appropriately.

Solution:

Verify that an access rule allows VPN clients access to the specific network.

Solution:

When publishing a server on the VPN Clients network, configure ISA Server to listen for requests on both the Internal and VPN Clients networks. Perform the following steps:

  1. In the console tree of ISA Server Management, click Virtual Private Networks (VPN):
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Virtual Private Networks (VPN).
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Virtual Private Networks (VPN).
  2. On the Tasks tab, click Select Access Networks.
  3. On the Access Networks tab, verify that the VPN Clients and Internal networks are selected.

Solution:

Check that appropriate network rules are configured, defining a route or NAT relationship between the VPN Clients network and the specific network. Otherwise, perform the following steps to edit the applicable rule:

  1. In the console tree of ISA Server Management, click Networks:
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, click Configuration, and then click Networks.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, click Configuration, and then click Networks.
  2. In the details pane, select the Network Rules tab, and then select the applicable rule.
  3. On the Tasks tab, click Edit Selected Network Rule.
  4. On the Source Networks tab, next to This rule applies to traffic from these sources, click Add. Then, in Add Network Entities, expand Networks, select the VPN Clients network, and then click Add. Then, click Close.
  5. On the Destination Networks tab, next to This rule applies to traffic sent to these destinations, click Add. Then, in Add Network Entities, select a network object, and then click Add. Then, click Close.
  6. On the Network Relationships tab, select either Network Address Translation (NAT) or Route.

Cause: Routing Configuration

Routing is not configured appropriately.

Solution:

If the address assignment is configured to use a static address pool, add a route on the target server (or on its router) for that static range, with the ISA Server computer's internal address as the next hop, so that replies to VPN clients reach ISA Server.

Solution:

If the address assignment is configured to use DHCP, verify that the target server has an appropriate route, or a default gateway, toward the network from whose DHCP scope the VPN client addresses are assigned.

Cause: VPN Client Address Configuration

VPN Clients network addresses are not properly configured.

Solution:

Check that the static pool configured for VPN clients does not overlap IP addresses on the target network.

Cause: User Access Not Allowed

User or group is not allowed access.

Solution:

Verify that the specified user or group is allowed access. Perform the following steps:

  1. In the console tree of ISA Server Management, click Virtual Private Networks (VPN):
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Virtual Private Networks (VPN).
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Virtual Private Networks (VPN).
  2. In the details pane, click the VPN Clients tab.
  3. On the Tasks tab, click Configure VPN Client Access.
  4. On the Groups tab, click Edit.
  5. Verify that the names of users or groups allowed remote access to the ISA Server computer are listed.

Cause: Quarantine Configuration

Client access may be denied to quarantined clients. If your corporate policy allows quarantined clients access, appropriate access rules must be configured.

Solution:

Verify that access rules also apply to the Quarantined VPN Clients network. Perform the following steps:

  1. In the console tree of ISA Server Management, click Firewall Policy:
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Firewall Policy.
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Firewall Policy.
  2. In the details pane, click the applicable access rule.
  3. On the Tasks tab, click Edit Selected Rule.
  4. On the To tab, click Add.
  5. In Add Network Entities, expand Networks, select the Quarantined VPN Clients network, click Add, and then click Close.

For more information, see the Site-to-Site VPN in ISA Server 2004 Enterprise Edition document at the Microsoft TechNet Web site (https://www.microsoft.com) or the Site-to-Site VPN in ISA Server 2004 document at the Microsoft TechNet Web site (https://www.microsoft.com).

Cause: Firewall Client

VPN clients do not function properly when Firewall Client is installed. This is because Firewall Client credentials override VPN client credentials.

Solution:

Disable Firewall Client on the VPN client computer.

Remote Site Network Issues

This section describes issues encountered specifically when a remote site network attempts to connect to a network protected by ISA Server.

Issue: Remote Site Client Cannot Connect

Problem:

Remote site networks cannot connect. This may happen for any of the following reasons:

  • The ISA Server computer was not restarted after a VPN configuration change.
  • ISA Server was not used to create demand dial interfaces.
  • The user name of the remote network was not configured properly.

Possible solutions for this issue are described in the following sections.

Cause: Restart Required

The ISA Server computer was not restarted after a configuration change to the remote site network.

Solution:

Restart the computer after enabling or disabling routing for PPTP or L2TP ports on the remote site network.

Cause: Demand Dial Interfaces

If, after installing ISA Server, you use Routing and Remote Access to create demand-dial interfaces, ISA Server deletes these interfaces.

Solution:

Do not create demand-dial interfaces in Routing and Remote Access. Instead, use ISA Server Management to create and configure site-to-site (remote site) networks; ISA Server creates and maintains the corresponding demand-dial interfaces itself.

Cause: Remote Network User Name

The user name for the remote site network does not match the connection name.

Solution:

The user name and the name of the site-to-site network must be identical. For example, if on SiteA you create a site-to-site network representing SiteB, you must also create a user named SiteB. SiteB will connect to SiteA using the credentials of the user named SiteB. Give this account a strong password and only the dial-in permission it needs; it exists solely to authenticate the site-to-site connection.

Issue: Remote Site Network Traffic Failure

Problem:

Remote site networks cannot send or receive traffic. This may happen for any of the following reasons:

  • The firewall policy was not configured properly.
  • Routing was not configured properly.
  • Addresses of the remote site network were not configured properly.

Possible solutions for this issue are described in the following sections.

Cause: Firewall Policy Configuration

Firewall policy is not configured appropriately.

Solution:

Verify that an access rule allows the remote site network access to the specific network (and, for traffic initiated from the local side, a rule in the other direction). Also, check that appropriate network rules are configured, defining a route or NAT relationship between the remote site network and the specific network. Edit the applicable network and access rules, as appropriate.

Note: Do not configure a NAT relationship when configuring publishing rules between site-to-site networks.

Cause: Routing Configuration

Routing is not configured appropriately.

Solution:

Configure the default gateway of the hosts on the target network to point to the ISA Server computer, so that return traffic for the remote site network reaches the VPN gateway.

Alternatively, add a routing entry on those hosts (or on their router) for the IP addresses of the remote site network, with the ISA Server computer as the next hop.

Cause: Address Configuration

Addresses for the remote site network are not properly configured.

Solution:

Check that the static pool configured for the remote site network does not overlap IP addresses on the target network.

Issue: Remote Gateway Traffic Denied

Problem:

Traffic originating from the IP address of the remote site gateway is denied. This may occur when the default gateway is not properly configured on the ISA Server computer. The following section details the issue.

Cause: Default Gateway Configuration

The ISA Server computer may not have a default gateway configured. When no default gateway is defined, the static route between ISA Server and the remote site gateway is not added. Because there is no route, traffic from the remote site gateway is perceived as spoofing, and the traffic is denied.

Solution:

Add a default gateway on the external network adapter. If the external adapter has no real upstream router, you can specify a dummy default gateway address so that the route is created.

Issue: Quick Mode Negotiation Failure

Problem:

An event logged in Event Viewer indicates that IKE quick mode negotiation failed with a "No policy configured" error.

This may occur when a remote site network that actually comprises two different networks is configured. The following section details the issue.

Cause: Remote Site Networks with Multiple Physical Networks

If you configure a single remote site network whose address range actually spans two different physical networks (for example, two adjacent subnets entered as one range), quick mode finds no IPsec policy that matches the traffic, and connections cannot be initiated to either network.

Solution:

Create two remote site networks, one for each physical network. Then, configure network and access rules as appropriate, for each network.

For example, suppose you have three networks:

  • Network A with address range 10.1.0.0/24
  • Network B with address range 10.1.1.0/24
  • Network C with address range 10.1.2.0/24.

To configure remote site network connectivity from Network C to Network A and Network B, you must define two distinct remote networks (one for Network A and one for Network B). Do not combine the address ranges.
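As an added example (not from the original document), the following Python program checks address configuration for two points this guide makes: that a VPN client static pool or remote site network must not overlap addresses on the target network (see Cause: VPN Client Address Configuration and Cause: Address Configuration above), and that a remote site network whose range spans several physical networks must be split as in the example just given. The list of physical subnets and the sample ranges are constructed inputs; ISA Server has no such checker of its own.

```python
import ipaddress
from itertools import combinations


def ranges_to_subnets(start, end):
    """Express an ISA-style start/end address range as the CIDR subnets
    that cover it exactly (the form IPsec filters and routes work in)."""
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if last < first:
        raise ValueError(f"range {start}-{end} is reversed")
    return list(ipaddress.summarize_address_range(first, last))


def _blocks(ranges):
    blocks = []
    for start, end in ranges:
        blocks.extend(ranges_to_subnets(start, end))
    return blocks


def overlapping_pools(networks):
    """networks: {name: [(start, end), ...]} as entered on each network's
    Addresses tab. Returns the pairs of network names whose ranges overlap,
    e.g. a VPN client static pool that reuses Internal network addresses."""
    blocks = {name: _blocks(ranges) for name, ranges in networks.items()}
    return [(a, b) for (a, ab), (b, bb) in combinations(blocks.items(), 2)
            if any(x.overlaps(y) for x in ab for y in bb)]


def remote_sites_spanning_multiple_networks(remote_sites, physical_subnets):
    """remote_sites: {name: [(start, end), ...]}; physical_subnets: CIDR
    strings for the real networks behind the remote gateway (supplied by the
    administrator, since addresses alone cannot reveal the topology).
    Returns {name: [subnets spanned]} for every remote site network that
    covers more than one physical network and therefore must be split."""
    phys = [ipaddress.ip_network(s) for s in physical_subnets]
    result = {}
    for name, ranges in remote_sites.items():
        covered = {p for block in _blocks(ranges) for p in phys if block.overlaps(p)}
        if len(covered) > 1:
            result[name] = sorted(covered)
    return result


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    pools = {
        "Internal": [("10.0.0.1", "10.0.0.254")],
        "VPN Clients static pool": [("10.0.0.200", "10.0.0.250")],  # reuses Internal addresses
        "SiteB": [("10.1.1.0", "10.1.1.255")],
    }
    print(overlapping_pools(pools))  # [('Internal', 'VPN Clients static pool')]

    # The guide's example: Networks A and B entered as one remote site network.
    sites = {"SiteAB": [("10.1.0.0", "10.1.1.255")], "SiteA": [("10.1.0.0", "10.1.0.255")]}
    print(remote_sites_spanning_multiple_networks(sites, ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/24"]))
```

Note that 10.1.0.0 to 10.1.1.255 summarizes to the single subnet 10.1.0.0/23, so the address range alone looks well-formed; only the administrator's list of physical networks reveals that it spans Network A and Network B and must be entered as two remote site networks.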

Remote Site Network and IPsec Issues

This section describes issues encountered specifically when a remote site network configured for IPsec fails to connect to a network protected by ISA Server.

Issue: Remote Site Networks Cannot Connect

Problem:

Remote site-to-site connection cannot be established. There are many reasons that a remote site-to-site connection cannot be established, including:

  • The IKE authentication negotiation failed (for example, because of the default gateway configuration).
  • The address range for the remote site network is not configured properly.
  • Routing for IPsec is not configured properly.
  • Identical subnets are not defined on both sites.
  • The ISA Server computer was not restarted.

As a first step, review the ISA Server alerts and the system events (in Event Viewer) carefully.

On Windows Server 2003, the IKE negotiation events (event IDs 541 through 547, described below) are written to the Security log only when logon auditing is enabled. To enable it, perform the following:

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Local Security Policy.
  2. In the console tree, expand Security Settings, expand Local Policies, and then click Audit Policy.
  3. In the details pane, right-click Audit logon events, and then click Properties.
  4. Select Success and Failure, and then click OK.

Then review the Security log in Event Viewer. Review the logon events carefully, because they may contain helpful hints on why a connection was terminated.

Then, review the causes and solutions described in the following sections.

Cause: Authentication Negotiation Failure

IKE authentication negotiation fails (one possible cause is the default gateway configuration described under Issue: Remote Gateway Traffic Denied).

Solution:

If the cause seems to be related to authentication negotiation, check if any of the following Internet Key Exchange (IKE) events occurred:

  • Event 541 (success). Recorded when IKE successfully negotiates either a main mode security association (SA) or an IPsec SA. The SA parameters are noted in the text of the event.
  • Event 542 (success). Recorded when IKE successfully deletes an IPsec SA. An IPsec SA might be deleted because the SA lifetime expired, a new SA was generated during quick mode rekey, the IPsec peer sent a delete message, the IPsec policy changed, or the IPsec service was stopped.
  • Event 543 (success). Recorded when IKE successfully deletes a main mode SA. An IKE main mode SA might be deleted because the SA lifetime expired, the IPsec peer sent a delete message, the IPsec policy changed, or the IPsec service was stopped.
  • Event 544 (failure). Recorded when the IKE negotiation is terminated due to a certificate trust failure and subsequent authentication failure. This failure might occur because a valid certificate chain could not be found on the IPsec peer, or the certificate chain that was found could not be chained to a trusted root certification authority (CA).
  • Event 545 (failure). Recorded when the IKE negotiation is terminated due to the validation failure of a computer certificate signature. This event is rare because it indicates that the computer certificate on the IPsec peer has a mismatched RSA type public/private key pair.
  • Event 546 (failure). Recorded when an SA cannot be established due to an invalid IKE proposal from the IPsec peer. This error typically occurs when an IPsec policy is incorrectly configured.
  • Event 547 (failure). Recorded when the IKE negotiation fails. The causes of the failure are noted in the text of the event.
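The following is an added example, not part of the ISA Server documentation: it classifies exported Security log records by the IKE event IDs listed above and surfaces the failure events for review. The tab-separated export format and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Event ID -> (outcome, meaning), as listed in the text above.
IKE_EVENTS = {
    541: ("success", "main mode or IPsec SA negotiated"),
    542: ("success", "IPsec SA deleted"),
    543: ("success", "main mode SA deleted"),
    544: ("failure", "certificate trust failure; check certificate chain and trusted root CA"),
    545: ("failure", "computer certificate signature invalid; mismatched RSA key pair"),
    546: ("failure", "invalid IKE proposal from peer; check IPsec policy configuration"),
    547: ("failure", "IKE negotiation failed; see event text for the cause"),
}

# Constructed sample export: "<date> <time>\t<source>\t<event id>\t<text>".
SAMPLE_LOG = """\
2005-03-01 10:02:11\tSecurity\t541\tIKE security association established. Mode: Main Mode. Peer: 203.0.113.10
2005-03-01 10:02:12\tSecurity\t541\tIKE security association established. Mode: Quick Mode
2005-03-01 10:17:40\tSecurity\t547\tIKE security association negotiation failed. Failure Reason: No response from peer
2005-03-01 10:18:03\tSecurity\t546\tIKE security association negotiation failed. Failure Reason: Invalid proposal
2005-03-01 10:18:05\tSecurity\t4624\tAn account was successfully logged on.
"""

LINE_RE = re.compile(r"^(?P<time>\S+ \S+)\t(?P<source>[^\t]+)\t(?P<id>\d+)\t(?P<text>.*)$")

def parse_ike_events(log_text):
    """Return (event_id, time, text) tuples for IKE events 541-547 only."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the export format
        event_id = int(m.group("id"))
        if event_id in IKE_EVENTS:
            events.append((event_id, m.group("time"), m.group("text")))
    return events

def triage(log_text):
    """Count IKE events per ID and list the failure events with their meaning."""
    events = parse_ike_events(log_text)
    counts = Counter(event_id for event_id, _, _ in events)
    findings = []
    for event_id, when, text in events:
        outcome, meaning = IKE_EVENTS[event_id]
        if outcome == "failure":
            findings.append(f"{when} event {event_id}: {meaning} -- {text}")
    return counts, findings
```

Calling triage(SAMPLE_LOG) returns the per-ID counts and two failure findings (events 547 and 546); non-IKE events such as 4624 are ignored.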

Cause: Address Configuration

The address range for the remote site network is not configured properly—either on the remote site gateway or in ISA Server.

Solution:

If the cause seems to be related to an incorrectly configured network address range, check the configuration. Perform the following:

  1. In the console tree of ISA Server Management, click Virtual Private Networks (VPN):
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Virtual Private Networks (VPN).
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Virtual Private Networks (VPN).
  2. In the details pane, click the Remote Sites tab.
  3. In the details pane, select the applicable remote site network.
  4. On the Tasks tab, click Configure Remote Site.
  5. On the Addresses tab, click Add Range.
  6. Type the first address of the network address range in Start Address.
  7. Type the last address of the network address range in End address.

Cause: Routing Configuration

Routing is not properly configured for IPsec.

Solution:

For IPsec networks, the IP address range of the remote site network must be routable on the local site. The remote site network must have an explicit route, or a default gateway through the network adapter used to connect that remote site. In most scenarios, it should be sufficient to configure a default gateway on the external network adapter.

Cause: Subnets Not Defined

Identical subnets are not defined on both sites.

Solution:

IPsec applies to subnets (and not only to ranges of IP addresses), with a filter definition for each IPsec policy. In a simple scenario, the VPN networks are configured to have identical IP address ranges. In this way, both VPN networks have identical IPsec policies. In more complex configurations, where the VPN networks are on different subnets, the connection may fail. If possible, configure the same subnets for both remote VPN networks.

The IPsec summary for the network object lists the subnets that the remote site should define. To view the IPsec summary, perform the following steps:

  1. In the console tree of ISA Server Management, click Virtual Private Networks (VPN):
    • For ISA Server 2004 Enterprise Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Arrays, expand Array_Name, and then click Virtual Private Networks (VPN).
    • For ISA Server 2004 Standard Edition, expand Microsoft Internet Security and Acceleration Server 2004, expand Server_Name, and then click Virtual Private Networks (VPN).
  2. In the details pane, click the Remote Sites tab.
  3. In the details pane, select the applicable IPsec remote site network.
  4. On the Tasks tab, click View IPsec policy.
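The following is an added example, not part of the ISA Server documentation: it shows why a range that is not subnet-aligned expands into several IPsec filter subnets, and checks that both sites define the same subnet set. The address ranges are constructed; the decomposition uses the standard Python ipaddress module, not ISA Server's own logic.

```python
import ipaddress

def range_to_subnets(start, end):
    """Split an inclusive IPv4 address range into the minimal list of CIDR subnets."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if last < first:
        raise ValueError("end address precedes start address")
    return list(ipaddress.summarize_address_range(first, last))

def site_subnets(ranges):
    """Set of subnets implied by all (start, end) ranges configured for one site."""
    subnets = set()
    for start, end in ranges:
        subnets.update(range_to_subnets(start, end))
    return subnets

def compare_sites(local_ranges, remote_ranges):
    """Return (ok, only_local, only_remote); the lists name subnets missing on one side."""
    local = site_subnets(local_ranges)
    remote = site_subnets(remote_ranges)
    only_local = [str(s) for s in sorted(local - remote)]
    only_remote = [str(s) for s in sorted(remote - local)]
    return (not only_local and not only_remote), only_local, only_remote

# Constructed sample: ISA Server was given a range that stops at .100, while the
# remote gateway was configured with the whole /24. The IPsec filters differ.
LOCAL_RANGES = [("192.168.10.0", "192.168.10.100")]
REMOTE_RANGES = [("192.168.10.0", "192.168.10.255")]

if __name__ == "__main__":
    for start, end in LOCAL_RANGES:
        print(start, "-", end, "->", [str(s) for s in range_to_subnets(start, end)])
    ok, only_local, only_remote = compare_sites(LOCAL_RANGES, REMOTE_RANGES)
    print("subnets match:", ok)
    print("defined on ISA Server only:", only_local)
    print("defined on remote gateway only:", only_remote)
```

The local range decomposes into four subnets (/26, /27, /30, /32) while the remote side defines a single /24, so the two IPsec policies do not match until the ranges are made identical.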

Cause: Restart Required

The ISA Server computer was not restarted (ISA Server 2004 Standard Edition and Windows 2000 Server only).

Solution:

You must restart the computer running Windows 2000 Server after making any IPsec changes.

Issue: New IPsec Connections Fail

Problem:

Existing IPsec connections are broken and new IPsec connections cannot be established. This may occur when the IPsec network is disabled. The following section details the issue.

Cause: IPsec Network Disabled

The IPsec network is disabled. When an IPsec site-to-site network is disabled, IPsec policy for the network is disabled, an established tunnel will be torn down, existing client connections will terminate, and new connections cannot be made.

Solution:

If you want to allow new IPsec connections, enable the IPsec network.

Additional Information

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance page at the Microsoft Windows Server System Web site (https://www.microsoft.com).

Also, refer to the following Knowledge Base (KB) articles: