Forefront TMG cannot VPN using Cisco client


    crowntech

    Greetings!

    Hello everyone, I hope someone can help me out with this issue I’ve had for about a week now. Background info: I need to allow a few of our users to use a Cisco VPN client to connect to one of our customer’s corporate network. We currently have Forefront TMG as our gateway for all of our users and I have added new rules to allow the traffic to pass through. However, the Cisco VPN client will constantly attempt to connect until it times out and when I look through the logs on the firewall, here is what I see:

    Client IP: 192.168.x.x
    Destination IP: 170.x.x.x
    Action: Initiated Connection
    Protocol: IKE Client
    Destination port: 500
    Result Code: 0x0 ERROR_SUCCESS
    Source Network: Internal
    Destination Network: External

    Client IP: 192.168.x.x
    Destination IP: 170.x.x.x
    Action: Initiated Connection
    Protocol: IPsec NAT-T Client
    Destination port: 4500
    Result Code: 0x0 ERROR_SUCCESS
    Source Network: Internal
    Destination Network: External

    Client IP: 69.x.x.x (our outward facing IP)
    Destination IP: 170.x.x.x
    Action: Denied Connection
    Protocol: IPsec NAT-T Client
    Destination port: 4500
    Result Code: 0xc004003e FWX_E_FW_IPSEC_DROPPED
    Source Network: Local host
    Destination Network: External

    The interesting thing to note is that when client IP shows our internal address (192.168.x.x), it will show an action of “Initiated Connection” but eventually gets closed as it times out. I’ve looked into this and found the result code means: “A packet was dropped due to periodic inconsistency between the IPsec policy and the Forefront TMG’s snapshot of the IPsec policy.”

    Here are the resolutions that I’ve attempted:
    * Removed from registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ipv6 (did nothing so I restored original keys)
    * Ran command: netsh tmg set global name=BlockSecuredInDefaultState value=0 persistent (command not recognized, TMG 2010 only?)
    * Added local host to the list of source networks on the access list
    * Asked nicely for it to work

    I tested the VPN connection without the firewall in place and it DOES work, there must be some setting that I’m missing. If it helps, we’re using TMG version 6. Your help is greatly appreciated!
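The three log excerpts above show the pattern that matters for triage: the IKE (UDP 500) and NAT-T (UDP 4500) flows are allowed while their source network is Internal, but the NAT-T flow is denied with FWX_E_FW_IPSEC_DROPPED once its source is the TMG host's own external address (source network "Local host"). The following script is an added example, not code from the original post or from Microsoft's TMG tooling. It parses log entries exported in the same "Key: value" block format the post shows and correlates them per VPN peer so that this allowed-then-dropped pattern is surfaced automatically. The sample log and its addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
"""Triage helper for Forefront TMG firewall log entries (constructed example)."""
from collections import defaultdict

# Constructed sample, modelled on the fields shown in the post; the addresses
# are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Client IP: 192.168.1.50
Destination IP: 198.51.100.20
Action: Initiated Connection
Protocol: IKE Client
Destination port: 500
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal
Destination Network: External

Client IP: 192.168.1.50
Destination IP: 198.51.100.20
Action: Initiated Connection
Protocol: IPsec NAT-T Client
Destination port: 4500
Result Code: 0x0 ERROR_SUCCESS
Source Network: Internal
Destination Network: External

Client IP: 203.0.113.5
Destination IP: 198.51.100.20
Action: Denied Connection
Protocol: IPsec NAT-T Client
Destination port: 4500
Result Code: 0xc004003e FWX_E_FW_IPSEC_DROPPED
Source Network: Local host
Destination Network: External
"""

# Result-code name quoted in the post for the IPsec policy-snapshot drop.
IPSEC_DROPPED = "FWX_E_FW_IPSEC_DROPPED"
# IKE and IPsec NAT-T, the two UDP ports an IPsec VPN client needs outbound.
VPN_PORTS = {"500", "4500"}


def parse_tmg_log(text):
    """Split blank-line-separated 'Key: value' blocks into a list of dicts."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def ipsec_drops(records):
    """Records that TMG denied with the IPsec policy-inconsistency code."""
    return [r for r in records
            if r.get("Action") == "Denied Connection"
            and IPSEC_DROPPED in r.get("Result Code", "")]


def correlate_vpn_flows(records):
    """Group IKE/NAT-T records by (peer IP, port).

    Each entry is (source network, action, numeric result code), so the same
    peer can be seen as allowed from Internal yet dropped from Local host.
    """
    flows = defaultdict(list)
    for r in records:
        if r.get("Destination port") in VPN_PORTS:
            key = (r["Destination IP"], r["Destination port"])
            code = r.get("Result Code", "").split(" ")[0]
            flows[key].append((r.get("Source Network"), r.get("Action"), code))
    return dict(flows)


def explain(records):
    """One triage line per VPN peer/port that was both initiated and denied."""
    lines = []
    for (peer, port), events in correlate_vpn_flows(records).items():
        allowed = {src for src, action, _ in events if action == "Initiated Connection"}
        dropped = {src for src, action, _ in events if action == "Denied Connection"}
        if dropped:
            lines.append(f"{peer}:{port} initiated from {sorted(allowed)} "
                         f"but denied from {sorted(dropped)}")
    return lines


if __name__ == "__main__":
    recs = parse_tmg_log(SAMPLE_LOG)
    for line in explain(recs):
        print(line)
```

Running it against the sample prints a single line for the NAT-T peer on port 4500, initiated from the Internal network but denied from Local host, which is exactly the transition the post describes; the IKE flow on port 500 produces no line because it was never denied. On a real export, feeding the whole log through `explain` narrows the investigation to the peers and ports where the TMG host's own re-sourced traffic is being dropped, rather than the client's original packets.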
