S2S VPN problems - FWX_E_OUTBOUND_PATH_THROUGH_DROPPED

I am getting a few strange errors with Site to Site VPN connections.

One of our external vendors is quite upset and wants to ship a router, mostly because "No one has heard of TMG and it's not Industry Standard".

Now, the problem seems to affect another Site to Site VPN we have, I thought it was isolated to Vendor #1.

The main problem is that we get "FWX_E_OUTBOUND_PATH_THROUGH_DROPPED"

Doing a 'tracert' through the firewall shows that there is no route to the external IP for the Site to Site VPN, which is quite weird. If I remove all network objects, after a while the TMG server will either connect, or give me a valid route to the external site.

In other words, I add a site to site network.

The Remote VPN gateway IP address I can "ping".

Once I add this, it doesn't connect. Contacted Client #1. They said that our packets aren't even hitting their Cisco.

I do a tracert, and get errors in the TMG logging that say FWX_E_OUTBOUND_PATH_THROUGH_DROPPED.

In TMG logging, I get an error that says: "A packet generated on the local host was rejected because its source IP address is assigned to one network adapter and its destination IP address is reachable through another network adapter."

Our external partner says that no packets hit their VPN concentrator, which makes sense if they can't route out.

All routing tables make sense, internal IP's on the inside, external IP's on the external interfaces, and don't have any exclusions just for the VPN gateway.

However, after several hours with no other changes on TMG, it will suddenly start working and connect.

Also in the event log, I will occasionally see these errors:

Description: Forefront TMG detected a proxy server loop. There may be a problem in the configuration of the Forefront TMG Web chaining policy. Alternatively, in Enterprise Edition, when CARP is enabled and there are intermittent interruptions of intra-array connectivity, array member A may forward a request to array member B according to the CARP algorithm, and array member B may forward the request to array member A in an endless loop.

However, I double checked the times and the above error doesn't always correspond to the times that the VPN thinks it doesn't have a route to the external site (although on occasion the above happens within a minute of the VPN not connecting).

I have no Proxy servers installed other than the 1 TMG server. It *used* to be a member of a cluster with itself (long story) but I fixed that issue. (I had exported rules from "Fwall-2" and imported 'all' setup into "Fwall-4" and then it got somewhat confused. I have eventually removed any mention of Fwall-2 and TMG now thinks it is a stand alone server, not an array).

The above errors happen and 'un happen' with NO CHANGES to the TMG setup. It's spontaneous.

Our partner wants us to buy a unit that they will reconfigure, but I'm worried I'll have the same problems setting this up, as I'd have to somehow change the simple edge network into a perimeter network, and then we may still have the same routing issue.

Any ideas? I'll open a formal ticket if we need to.

April 16th, 2015 7:45pm
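The logged message describes a routing check: the packet's source IP belongs to one adapter, but the longest-prefix-match route for the destination egresses through a different adapter. The following is an added example, not code from the thread or from TMG, that reproduces that check in Python over a constructed `route print` table for a dual-homed host; all addresses, the adapter names, and the extra 198.51.100.0/24 route (standing in for a network definition that steers the remote gateway's subnet through the internal adapter) are made up for illustration.

```python
import ipaddress

# Constructed IPv4 "route print" excerpt for a dual-homed host:
# internal adapter 10.0.0.5, external adapter 203.0.113.10 (sample values).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     203.0.113.1   203.0.113.10     10
         10.0.0.0      255.255.0.0        10.0.0.1       10.0.0.5     20
         10.0.0.0    255.255.255.0         On-link       10.0.0.5    276
      203.0.113.0    255.255.255.0         On-link   203.0.113.10    276
     198.51.100.0    255.255.255.0        10.0.0.1       10.0.0.5     20
"""

# Hypothetical mapping of interface address -> adapter name.
ADAPTERS = {"10.0.0.5": "Internal", "203.0.113.10": "External"}

def parse_routes(text):
    """Parse route-print rows into (network, gateway, interface_ip, metric)."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gateway, iface, int(metric)))
    return routes

def select_route(routes, dst):
    """Longest prefix match; ties broken by the lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def check_outbound(routes, src_ip, dst):
    """Emulate the condition behind FWX_E_OUTBOUND_PATH_THROUGH_DROPPED:
    a locally generated packet whose source adapter differs from the
    adapter the route for its destination points at is rejected."""
    route = select_route(routes, dst)
    if route is None:
        return "no route"
    egress = ADAPTERS.get(route[2], route[2])
    bound = ADAPTERS.get(src_ip, src_ip)
    if egress != bound:
        return f"DROPPED: source on {bound}, destination via {egress}"
    return f"ok via {egress}"
```

Run `check_outbound(parse_routes(ROUTE_PRINT), "203.0.113.10", "198.51.100.7")` to see the drop; the same destination with the stray /24 route removed falls through to the default route and is accepted.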

Hi,

Here is a similar thread. Please check the solutions in Marc.Grote's and Benjamin's replies.

TMG detected loop ?

https://social.technet.microsoft.com/Forums/forefront/en-US/977f7adb-c2cd-418b-b202-70d40acab22f/tmg-detected-loop-?forum=Forefrontedgegeneral

Best Regards,

Joyce

April 19th, 2015 10:31pm

I shouldn't have mentioned the loop. Again, checking the logs, the times I get the warnings for the proxy-chain loop don't correspond to the times the VPN has problems.

So, what's the fix for the VPN?

== John ==

April 19th, 2015 11:43pm

Joyce/All:

I tried that solution, but after unchecking the box, our VPN has not started working.

Anyone have any ideas for the VPN problem?

April 22nd, 2015 8:27pm

Based on the error that you're getting I have to think that the routing tables are all messed up or possibly the networks that are defined in TMG.

https://msdn.microsoft.com/en-us/library/ms812624.aspx

Site to site VPN are one of the more tricky scenarios to work on because they almost always involve a 3rd party vendor on the other end. Usually once you get the settings right you are good to go.

I would recommend opening a support ticket with us because of the type and amount of data that will need to be gathered to properly diagnose exactly what is going on.

April 23rd, 2015 12:17pm

You might think that, but you might also be incorrect :) ... I already covered this in my first post. All of the routing tables are fine. Once I removed the VPN definitions and network definitions, PING to the VPN end point worked fine.

In fact, one of the two VPN's works fine most of the time - then sometimes it doesn't. No config changes.

Also, the Internet has been working flawlessly the entire time. It's only VPN's that seem to be messed up.

Understood on the ticket, will open, it's a good idea.


April 23rd, 2015 1:35pm

