Cisco Support Community

PPTP VPN over ASA involving Microsoft NLB


I did not manage to find any useful info online regarding a problem at a customer site, so hopefully, someone here can point me in the right direction.

The issue is with establishing a PPTP VPN session to a Microsoft TMG NLB interface when the traffic is passing through the ASA5520.

The network setup is as follows:

1) MS TMG has an NLB interface with 2 physical servers in the cluster

   - all IP addresses are located in the public address space

2) TMG serves as a PPTP server for incoming VPN connections

3) Cisco ASA has its outside interface in the same public address space as TMG

4) PPTP VPN clients are located behind a DMZ interface on the ASA

    - when clients establish VPN connections to TMG, packets go from the ASA DMZ interface to the ASA outside interface and then to TMG located in the same subnet

The problem is the following:

When a client from the DMZ tries to establish a PPTP session to the NLB interface, it fails.

Sometimes (1 out of 10 times) the connection is successfully established, but breaks after 3-10 seconds.

When the client tries to establish a session with the physical interface which is a part of the NLB, it works.

Any other type of communication from the DMZ to the NLB interface works, whether it's ping, mail services, web, etc.; only PPTP is problematic.

Also, if a client tries to establish connection to NLB interface from the internet, it works.

Because of this, I suspect I am missing something on the ASA.

ACLs are not an issue, because the traffic is allowed.

Also, PPTP inspect has been enabled on the ASA (otherwise, PPTP to physical addresses wouldn't work).

Am I missing something on the ASA or is there possibly an issue on the TMG that is worth looking into?
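The post notes that PPTP inspection had to be enabled on the ASA before PPTP to the physical addresses would work at all. That is because PPTP is two protocols: a TCP/1723 control channel and a GRE (IP protocol 47) data channel, and the Call IDs that identify a GRE flow are negotiated on the control channel, so a stateful firewall has to read TCP/1723 to know which GRE packets belong to an established call. The Python below is an added illustration, not code from the post or from Cisco's inspection engine: it models that correlation over constructed packets. The IP addresses, Call IDs and the reduced state machine (Outgoing-Call-Request/Reply only, no Call-Clear handling, no NAT) are assumptions made for the example.

```python
"""Model of stateful PPTP inspection: correlate GRE data packets with the
TCP/1723 control channel that negotiated their Call IDs (RFC 2637).
Added example; packet contents and addresses below are constructed."""
import struct
from dataclasses import dataclass, field

PPTP_MAGIC = 0x1A2B3C4D
PPTP_MSG_CONTROL = 1
CTRL_OUT_CALL_REQUEST = 7
CTRL_OUT_CALL_REPLY = 8
RESULT_CONNECTED = 1
GRE_PROTO_PPP = 0x880B
GRE_FLAG_K = 0x2000      # Key (Call ID) present; always set for PPTP
GRE_FLAG_S = 0x1000      # Sequence number present
GRE_FLAG_A = 0x0080      # Acknowledgment number present
GRE_VERSION_ENHANCED = 1


def parse_pptp_control(data: bytes) -> dict:
    """Parse a PPTP control message (RFC 2637 section 2). Only the two
    Outgoing-Call messages that carry Call IDs are decoded in detail."""
    if len(data) < 12:
        raise ValueError("short PPTP control header")
    length, msg_type, magic, ctrl_type, _ = struct.unpack("!HHIHH", data[:12])
    if magic != PPTP_MAGIC or msg_type != PPTP_MSG_CONTROL or length != len(data):
        raise ValueError("not a well-formed PPTP control message")
    msg = {"type": ctrl_type}
    if ctrl_type == CTRL_OUT_CALL_REQUEST:
        msg["call_id"], msg["serial"] = struct.unpack("!HH", data[12:16])
    elif ctrl_type == CTRL_OUT_CALL_REPLY:
        msg["call_id"], msg["peer_call_id"], msg["result"], msg["error"] = \
            struct.unpack("!HHBB", data[12:18])
    return msg


def parse_gre_pptp(data: bytes) -> dict:
    """Parse the enhanced GRE header of the PPTP data channel (RFC 2637 section 4)."""
    if len(data) < 8:
        raise ValueError("short GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", data[:8])
    if not flags & GRE_FLAG_K or (flags & 0x7) != GRE_VERSION_ENHANCED or proto != GRE_PROTO_PPP:
        raise ValueError("not PPTP enhanced GRE")
    return {"call_id": call_id, "payload_len": payload_len,
            "has_seq": bool(flags & GRE_FLAG_S), "has_ack": bool(flags & GRE_FLAG_A)}


@dataclass
class PptpInspector:
    """Without inspection a firewall sees only opaque GRE and must block or allow
    all of it. This model learns Call IDs from TCP/1723 and admits matching GRE."""
    pending: dict = field(default_factory=dict)  # (client, server) -> client Call ID
    calls: dict = field(default_factory=dict)    # (client, server) -> (client CID, server CID)

    def on_control(self, src: str, dst: str, payload: bytes) -> dict:
        msg = parse_pptp_control(payload)
        if msg["type"] == CTRL_OUT_CALL_REQUEST:          # client -> server
            self.pending[(src, dst)] = msg["call_id"]
        elif msg["type"] == CTRL_OUT_CALL_REPLY:          # server -> client
            key = (dst, src)
            if msg["result"] == RESULT_CONNECTED and self.pending.get(key) == msg["peer_call_id"]:
                self.calls[key] = (msg["peer_call_id"], msg["call_id"])
                del self.pending[key]
        return msg

    def admit_gre(self, src: str, dst: str, payload: bytes) -> bool:
        """GRE carries the receiver's Call ID, so the expected value depends on direction."""
        try:
            gre = parse_gre_pptp(payload)
        except ValueError:
            return False
        if (src, dst) in self.calls:          # client -> server carries the server's Call ID
            return gre["call_id"] == self.calls[(src, dst)][1]
        if (dst, src) in self.calls:          # server -> client carries the client's Call ID
            return gre["call_id"] == self.calls[(dst, src)][0]
        return False                          # no control session seen: drop


def _ctrl_header(ctrl_type: int, body: bytes) -> bytes:
    return struct.pack("!HHIHH", 12 + len(body), PPTP_MSG_CONTROL, PPTP_MAGIC, ctrl_type, 0) + body


def build_out_call_request(call_id: int) -> bytes:
    # Call ID, serial, min/max BPS, bearer, framing, window, delay, phone len, reserved, phone+subaddress
    body = struct.pack("!HHIIIIHHHH", call_id, 1, 300, 100_000_000, 3, 3, 64, 0, 0, 0) + bytes(128)
    return _ctrl_header(CTRL_OUT_CALL_REQUEST, body)


def build_out_call_reply(call_id: int, peer_call_id: int, result: int = RESULT_CONNECTED) -> bytes:
    # Call ID, peer Call ID, result, error, cause, connect speed, window, delay, channel ID
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id, result, 0, 0, 10_000_000, 64, 0, 0)
    return _ctrl_header(CTRL_OUT_CALL_REPLY, body)


def build_gre(call_id: int, ppp: bytes, seq: int = 0) -> bytes:
    flags = GRE_FLAG_K | GRE_FLAG_S | GRE_VERSION_ENHANCED
    return struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(ppp), call_id, seq) + ppp


def demo() -> dict:
    """Constructed exchange: a DMZ client (172.16.10.20) calling a PPTP server (203.0.113.10)."""
    client, server = "172.16.10.20", "203.0.113.10"
    fw = PptpInspector()
    fw.on_control(client, server, build_out_call_request(0x1234))
    fw.on_control(server, client, build_out_call_reply(0x5678, 0x1234))
    ppp = b"\xff\x03\xc0\x21"  # constructed PPP LCP fragment as GRE payload
    return {
        "c2s_ok": fw.admit_gre(client, server, build_gre(0x5678, ppp)),
        "s2c_ok": fw.admit_gre(server, client, build_gre(0x1234, ppp)),
        "c2s_wrong_dir": fw.admit_gre(client, server, build_gre(0x1234, ppp)),
        "unknown_call": fw.admit_gre(client, server, build_gre(0x9999, ppp)),
        "no_session": fw.admit_gre("172.16.10.99", server, build_gre(0x5678, ppp)),
        "plain_gre": fw.admit_gre(client, server, struct.pack("!HHI", 0x0000, 0x0800, 0)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {'ADMIT' if verdict else 'DROP'}")
```

The last three cases are the ones to keep in mind when a GRE-based VPN misbehaves behind a stateful device: GRE for a call the firewall never saw negotiated, GRE from a host with no TCP/1723 session, and non-PPTP GRE are all dropped by design, so a control channel and its data channel that take different paths, or arrive with addresses the firewall does not associate with one another, look exactly like unrelated GRE to the inspector.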
