Dwayne
Guest
Posted: Tue Jan 18, 2005 8:08 pm
Post subject: Problem with HIS relay thru VPN Tunnel?
I'm able to relay from one HIS2000 server to another HIS 2000 server when
the PCs are next to each other. When I take the relay out to the client
site where I have a VPN tunnel I cannot get the two to talk anymore. Is
there a problem sending the IP relay traffic across a VPN tunnel? Or what
could be the possible problem? I see the machine trying to talk in the logs
of my firewall.
Thanks

Neil Pike
Guest
Posted: Wed Jan 19, 2005 1:45 am
Post subject: Re: Problem with HIS relay thru VPN Tunnel?
Dwayne,
I don't understand the "relay" term. Are you using a distributed link service
on one server from the other server?
In any event, there's nothing magic/strange about VPNs or HIS that would stop
HIS working over a VPN. There will be a routing, firewall or VPN config issue
causing the problem.
You say the firewall log shows you "trying" to talk - does it show the traffic
being encrypted, tunneled and passed? Does the firewall at the other end show
the traffic being decrypted and passed on?
Could it be a routing issue? Check static routes on the servers at either
end, any routers they go through and the firewalls.
With a VPN it could also be an encryption domain issue, i.e. both VPN devices
need to know what's local and what's remote in order to encrypt/tunnel the
traffic appropriately.
Ultimately the answer is to do a network trace on both servers to see what
traffic is actually being sent, what NIC it comes out of, what router it's
being sent to, what packets actually make it to the other side etc.
Use a network trace tool such as NetMon (MS), Ethereal (free), CommView etc.
With the right tools in place it should be possible to debug the problem in a
matter of minutes. (But then I have done thousands of network traces/debugs!)
Neil Pike. Protech Computing Ltd

Dwayne
Guest
Posted: Wed Jan 19, 2005 2:24 am
Post subject: Re: Problem with HIS relay thru VPN Tunnel?
Using a distributed link service, I get on the firewall log that the
connection comes in the VPN tunnel and 00.00.01 later the connection gets
torn down by the PIX.
"Neil Pike" <neilpike@compuserve.com> wrote in message
news:VA.00006299.11e5ece5@compuserve.com...

Neil Pike
Guest
Posted: Wed Jan 19, 2005 2:18 pm
Post subject: Re: Problem with HIS relay thru VPN Tunnel?
Dwayne,
Replying on newsgroups as I don't check that email account any more often than
the newsgroups.
I've not needed to put SNA client/DLS through NAT yet, so I've not tried. For
client connections SNA/HIS does return IP addresses inside the data portion of
the frame, so NAT can/would affect that.
Can you not add a rule to the inbound access-list on the PIX to allow through
the UDP frames? Obviously UDP isn't stateful, and not part of a TCP session,
so the PIX would have to be specifically told to allow it - unless the PIX
"knew" about how the DLS stuff worked, and I'd be very surprised if it did!!!
If you have a network trace of the issue you can zip it and email it to me if
you like. Or stick it on a server I can get at. Note that I can't guarantee a
timely response as I'm working long hours for client(s) - and the paying jobs
have to come first obviously!
One potential way around the issue, which I've used in other circumstances
where NAT/firewalls were incompatible with the way an app worked, is to use
IPsec. If you put an IPsec policy on both ends to say "all traffic to the
other end, encrypt and tunnel", then all the PIX will see is the IPsec traffic,
which you can easily allow through.
Quote:
Using a distributed link service, I get on the firewall log that the
connection comes in the VPN tunnel and 00.00.01 later the connection gets
torn down by the PIX.
Would NAT screw with the connection
between the HIS using distributed link service and the HIS using the DLC
protocol? It would seem to me the PIX does not understand the UDP traffic
coming back to the PIX from the DLC HIS server.
Did you ever pass thru a PIX firewall?
Neil Pike. Protech Computing Ltd
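A small log-triage script for the symptom discussed above (a connection built through the tunnel and torn down by the PIX about a second later), added here as an example; it is not from the thread or from any of the posters. It parses constructed sample lines in the shape of PIX 6.x connection build/teardown syslog messages (the message ids, interface names, hosts, ports and byte counts are assumptions made up for the sample), flags flows torn down within a couple of seconds with no payload, and tallies them per destination port, which is what you would want to see before writing an access-list rule for a service that picks its port dynamically.

```python
import re
from collections import Counter

# Constructed sample in the shape of PIX 6.x connection build/teardown syslog
# messages (302015/302016 for UDP, 302013/302014 for TCP). Hosts, ports,
# connection ids and byte counts are made up for this example.
SAMPLE_LOG = """\
%PIX-6-302015: Built inbound UDP connection 3101 for outside:192.0.2.10/5001 (192.0.2.10/5001) to inside:10.1.1.5/5001 (10.1.1.5/5001)
%PIX-6-302016: Teardown UDP connection 3101 for outside:192.0.2.10/5001 to inside:10.1.1.5/5001 duration 0:00:01 bytes 0
%PIX-6-302015: Built inbound UDP connection 3102 for outside:192.0.2.10/5001 (192.0.2.10/5001) to inside:10.1.1.5/5017 (10.1.1.5/5017)
%PIX-6-302016: Teardown UDP connection 3102 for outside:192.0.2.10/5001 to inside:10.1.1.5/5017 duration 0:00:01 bytes 0
%PIX-6-302013: Built inbound TCP connection 3103 for outside:192.0.2.10/1033 (192.0.2.10/1033) to inside:10.1.1.5/5000 (10.1.1.5/5000)
%PIX-6-302014: Teardown TCP connection 3103 for outside:192.0.2.10/1033 to inside:10.1.1.5/5000 duration 0:12:40 bytes 48210 TCP FINs
"""

# Teardown messages carry the connection lifetime; that is what tells a
# "built then immediately dropped" flow apart from a healthy one.
TEARDOWN = re.compile(
    r"%PIX-\d-30201[46]: Teardown (?P<proto>TCP|UDP) connection (?P<cid>\d+) "
    r"for (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"duration (?P<h>\d+):(?P<m>\d+):(?P<s>\d+) bytes (?P<nbytes>\d+)"
)

def short_lived_flows(log_text, max_seconds=2):
    """Return teardown records for flows that lived at most max_seconds."""
    found = []
    for line in log_text.splitlines():
        m = TEARDOWN.search(line)
        if not m:
            continue
        seconds = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        if seconds > max_seconds:
            continue
        found.append({
            "cid": m["cid"], "proto": m["proto"],
            "src": f"{m['src_if']}:{m['src']}/{m['sport']}",
            "dst": f"{m['dst_if']}:{m['dst']}/{m['dport']}",
            "dport": int(m["dport"]), "seconds": seconds,
            "no_payload": int(m["nbytes"]) == 0,   # nothing ever got through
        })
    return found

def ports_hit(flows):
    """Count short-lived flows per (protocol, destination port). A spread of
    different UDP ports here is what a dynamically chosen port looks like."""
    return Counter((f["proto"], f["dport"]) for f in flows)
```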

Aaron Grady [MSFT]
Guest
Posted: Thu Jan 20, 2005 1:37 am
Post subject: Re: Problem with HIS relay thru VPN Tunnel?
Dwayne-
For DLS connections where a firewall is involved, I would recommend looking
at the following KB articles as well:
164590 Branch Servers Using DLS Cannot Communicate Through Firewalls
http://support.microsoft.com/?id=164590
224303 SNA Server allows range of IP ports with distributed link service
http://support.microsoft.com/?id=224303
HTH,
--
Aaron Grady
MCSE + Internet, MCDBA, MCSD
SNA Server/Host Integration Server 2000
Microsoft
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of any included samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Neil Pike" <neilpike@compuserve.com> wrote in message
news:VA.0000629e.1496aaf5@compuserve.com...

Neil Pike
Guest
Posted: Thu Jan 20, 2005 5:07 am
Post subject: Re: Problem with HIS relay thru VPN Tunnel?
Aaron - the latter KB doesn't appear to be either public or partner
available...
Neil Pike. Protech Computing Ltd

Aaron Grady [MSFT]
Guest
Posted: Thu Jan 20, 2005 6:49 am
Post subject: Re: Problem with HIS relay thru VPN Tunnel?
Yep, you're right. Looks like that one has been archived. I should have
referenced this one instead:
276446 Branch servers that use DLS use dynamic port for SnaBase connection
http://support.microsoft.com/?id=276446
--
Aaron Grady
MCSE + Internet, MCDBA, MCSD
SNA Server/Host Integration Server 2000
Microsoft
"Neil Pike" <neilpike@compuserve.com> wrote in message
news:VA.0000629f.17c4aef6@compuserve.com...

Neil Pike
Guest
Posted: Sun Jan 23, 2005 5:05 am
Post subject: Re: Problem with HIS relay thru VPN Tunnel?
Aaron - not many of these articles (if any) have HIS 2004 specifically
referenced in them yet. Is someone going to sweep through adding a tag for
HIS2004 to all the relevant ones at some point?
Neil Pike. Protech Computing Ltd

Aaron Grady [MSFT]
Guest
Posted: Tue Jan 25, 2005 6:43 am
Post subject: Re: Problem with HIS relay thru VPN Tunnel?
I believe that should happen at some point as KB sweeps do happen on some
regular interval. I just don't know what that interval is exactly.
--
Aaron Grady
MCSE + Internet, MCDBA, MCSD
SNA Server/Host Integration Server 2000
Microsoft
"Neil Pike" <neilpike@compuserve.com> wrote in message
news:VA.000062a0.27366610@compuserve.com...