Hello all,

First post to the list (for years) and it is rather long but I hope that
someone can help. I have been through the Cisco site and Google but to
no avail.

At Strathclyde University, Glasgow, UK, we have a Cisco 3030 VPN
concentrator which users connect to using the v4.6.04.0043 (and older)
Cisco VPN client. They connect successfully with most using the tunnel
for 'full client' i.e. Outlook 2003 MAPI access, to Exchange 2003 mail
boxes and for web browsing on and off the Uni LAN using IE. No problems
with this.

I have been testing a new VPN client, v4.8.01.03000 (because some
security advice advises upgrading to the new one).

Testing (very) Environment:

Windows XP SP2 machines.
Antivirus turned off during installation (and testing).
Win XP firewall off during testing.
No other personal firewalls involved.
Outlook 2003.
Testing performed on different machines.
Tested on the LAN and also through a dialup connection.

Installation:
Software installs smoothly, VPN client runs and creates tunnel fine. IE
browsing works.

Now the problems.

Logging on, using an Outlook MAPI connection, to test account mailboxes,
using those accounts' credentials, works.

But attempting the same operation using 'real' accounts/mailboxes fails.

The test accounts are in the same Active Directory OU as the real
accounts, so account location would not seem relevant.

One thought I had is that for some (bizarre) reason the problem relates
to the verification of the real users' AD credentials when attempting a
MAPI connection to their mailboxes using the new VPN client.

I have noted failed logon attempts in the Exchange server's Security
Event log at the time of the connection attempts. BUT the attempts
appear to be logon attempts from the workstation/PC being used, using
the account under which the logon to that machine was made; not an AD
user logon attempt. Why an attempt with those credentials should be made
is odd but it would make sense for it to fail. If anyone has thoughts on
why such a logon attempt is being made it could provide clues as to what
is going wrong.

Also, on the client machine, Outlook indicates during the logon attempt
that it HAS connected to the Exchange server but that it has failed to
connect to a Domain Controller (which it presumably needs to do for the
credentials to be authenticated). This information is provided in
Outlook by the following procedure: Right clicking on the Outlook icon
in the task bar, while holding down the Ctrl key, then selecting the
Connection Status item on the menu revealed.

An IMAP connection using Outlook by real users to their mailboxes works
fine using the new VPN client. So user credentials over the VPN per se
do not seem to be the problem (but they are possibly problematic when a
MAPI/RPC connection attempt is made).

Any insight into any of the above (or even better, the solution :-)
would be greatly appreciated.

Alastair

p.s. Out of desperation I have also experimented with modifying the MTU
on the VPN client but that does nothing useful.

------------------------------
alastair.morrison@strath.ac.uk
Strathclyde University
Glasgow UK
_______________________________________________
VPN mailing list
VPN@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn