5/24/2006 1:07:10 AM Internal Clients can't VPN to External VPN Server(s) |
Bit of a strange one. Can't find anything anywhere to solve this.
We are a small company and do support for an application we sell.
We need to VPN (mostly PPTP) to a number of our customers' networks to
do the support, but can't get internal VPNs to go thru the ISA server.
ISA 2004 Std SP1 running on Windows 2003 R2 SP1
Request 531R SHDSL router with Port forwarding and NAT
External VPN clients can connect with PPTP to the ISA server without
any problems.
Internal VPN clients from XP workstations can't connect to external
PPTP VPN servers via the ISA server, but can if they plug directly into
the router.
Surfing the internet, ftp etc from Internal clients to external, work
fine.
Web site publishing works fine from external to internal
So it appears that all connectivity is fine from External to Internal
and vice versa.
When attempting to connect, on the client I get an Error 619 "A
connection to the remote computer could not be established" etc.
I am wondering if you can't have ISA act as a VPN server and also have
VPN pass thru from internal to external at the same time.
I have tried using the pptpsrv & pptpclnt tools, but GRE doesn't show
up on the pptpsrv, but then it doesn't when I try it Windows XP client
to Windows XP server either, so not sure that there is actually a
problem with the ISA server. Logs for this are pasted below.
ISA monitoring for PPTP VPN internal to external attempt shows:
Original Client IP, Server Name, Transport, Source Port, Processing Time, Bytes Sent, Bytes Received, Result Code, Cache Information, Error Information, Log Record Type, Log Time, Destination IP, Destination Port, Protocol, Action, Rule, Client IP, Client Username, Source Network, Destination Network
192.168.10.210 ServerName TCP 2975 31 0 0 0x0 0x0 0x0 Firewall 24/05/2006 15:46 202.72.136.112 1723 PPTP Initiated Connection Full Internet Access 192.168.10.210 Internal External
192.168.10.210 ServerName GRE 0 0 0 0 0x0 0x0 0x0 Firewall 24/05/2006 15:46 202.72.136.112 0 PPTP Initiated Connection Full Internet Access 192.168.10.210 Internal External
192.168.10.210 ServerName TCP 2975 156 516 356 0x80074e24 0x0 0x0 Firewall 24/05/2006 15:46 202.72.136.112 1723 PPTP Closed Connection Full Internet Access 192.168.10.210 Internal External
192.168.10.210 ServerName GRE 0 60172 309 284 0x80074e24 0x0 0x0 Firewall 24/05/2006 15:47 202.72.136.112 0 PPTP Closed Connection Full Internet Access 192.168.10.210 Internal External
ISA monitoring for pptpsrv session:
Original Client IP, Server Name, Transport, Source Port, Processing Time, Bytes Sent, Bytes Received, Result Code, HTTP Status Code, Cache Information, Error Information, Log Record Type, Log Time, Destination IP, Destination Port, Protocol, Action, Rule, Client IP, Client Username, Source Network, Destination Network
0.0.0.0 Servername TCP 2980 0 0 0 0x800733f5 0x0 0x0 Firewall 24/05/2006 15:56 192.168.10.6 1723 PPTP Denied Connection Default rule 192.168.10.210 Internal Local Host
0.0.0.0 Servername TCP 2980 0 0 0 0x800733f5 0x0 0x0 Firewall 24/05/2006 15:56 192.168.10.6 1723 PPTP Denied Connection Default rule 192.168.10.210 Internal Local Host
0.0.0.0 Servername TCP 2980 0 0 0 0x800733f5 0x0 0x0 Firewall 24/05/2006 15:56 192.168.10.6 1723 PPTP Denied Connection Default rule 192.168.10.210 Internal Local Host
192.168.10.210 Servername GRE 0 0 0 0 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0x0 Firewall 24/05/2006 15:57 192.168.10.6 0 Unidentified IP Traffic Denied Connection 192.168.10.210 Internal Local Host
192.168.10.210 Servername GRE 0 0 0 0 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0x0 Firewall 24/05/2006 15:57 192.168.10.6 0 Unidentified IP Traffic Denied Connection 192.168.10.210 Internal Local Host
192.168.10.210 Servername GRE 0 0 0 0 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0x0 Firewall 24/05/2006 15:57 192.168.10.6 0 Unidentified IP Traffic Denied Connection 192.168.10.210 Internal Local Host
192.168.10.210 Servername GRE 0 0 0 0 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0x0 Firewall 24/05/2006 15:57 192.168.10.6 0 Unidentified IP Traffic Denied Connection 192.168.10.210 Internal Local Host
192.168.10.210 Servername GRE 0 0 0 0 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0x0 Firewall 24/05/2006 15:57 192.168.10.6 0 Unidentified IP Traffic Denied Connection 192.168.10.210 Internal Local Host
192.168.10.210 Servername GRE 0 0 0 0 0xc004000d FWX_E_POLICY_RULES_DENIED 0x0 0x0 Firewall 24/05/2006 15:57 192.168.10.6 0 Unidentified IP Traffic Denied Connection 192.168.10.210 Internal Local Host
|
|
|
|
|
5/24/2006 5:23:54 PM Re: Internal Clients can't VPN to External VPN Server(s) |
"0x80074e24" in the "PPTP Closed" log entry is significant.
This indicates that ISA closed the connection because the PPTP filter told it to.
Can you get simultaneous captures of the failing connection attempt?
--
--
Jim Harrison [ISA SE]
Read the help, books and articles!
This posting is provided "AS IS" with no warranties, and confers no rights.
|
|
|
5/24/2006 7:21:05 PM Re: Internal Clients can't VPN to External VPN Server(s) |
Hi Jim,
Thanks for the reply.
How do I do this?? "Can you get simultaneous captures of the failing
connection attempt?"
I've been thinking more about this as well and am thinking that maybe
the double NAT is killing it.
The Router NATs to the ISA server which NATs to the client.
We have about 6 PPTP VPNs that we regularly use. Oddly enough 1
actually works thru the ISA server, whereas the other 5 don't. If I
plug directly into the router and bypass the ISA server, the 1 that
works thru the ISA server doesn't work, but the other 5 do.
I have no idea how the VPNs are set up at the other end. My guess would
be that the 5 that don't work thru ISA are Windows 2003 VPNs and the 1
that does work is some 3rd party tool.
Once connected, the only differences I can see are that the 5 that work
assign IP addresses in the 192.168.x range and are all in the same
subnet as the VPN server we connect to, whereas the odd one out assigns
an IP address in the 10.x.x.x range and is in a different subnet to the
VPN server we connect to. The only other difference is that the 5 that
work have compression on.
I've changed the connection details so that we connect by IP address
and then I ran the ISA logs thru Excel side by side with the connection
that works thru ISA with the ones that don't and they are essentially
identical. I can't spot any difference between them.
|
|
|
5/25/2006 11:40:26 AM Re: Internal Clients can't VPN to External VPN Server(s) |
http://support.microsoft.com/kb/243270 - how to install NetMon
http://support.microsoft.com/kb/812953 - how to use NetMon
http://support.microsoft.com/kb/294818 - NetMon FAQ
You'll want to run two separate instances of NetMon, one capturing on the external and the other on the internal ISA interfaces;
while you create the failing scenario.
--
--
Jim Harrison [ISA SE]
Read the help, books and articles!
This posting is provided "AS IS" with no warranties, and confers no rights.
|
|
|
5/25/2006 9:10:16 PM Re: Internal Clients can't VPN to External VPN Server(s) |
Hi Jim,
I can send you the cap files if you send me your email address.
I have taken out the IP Addresses and replaced with
VPN-Destination-IP-Address and our servername and replaced with
ISAServername.
The last frame in the unsuccessful VPN attempt logged by the ISA server
is:
21 3.366356 0030DA2E6D53 LOCAL PPPCHAP Challenge, ID = 0x 0: Challenge VPN-Destination-IP-Address ISAServername IP
FRAME: Base frame properties
FRAME: Time of capture = 26/05/2006 11:55:09 AM
FRAME: Time delta from previous physical frame: 15625 microseconds
FRAME: Frame number: 21
FRAME: Total frame length: 78 bytes
FRAME: Capture frame length: 78 bytes
FRAME: Frame data: Number of data bytes remaining = 78 (0x004E)
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = 001372542121
ETHERNET: 0....... = Individual address
ETHERNET: .0...... = Universally administered address
ETHERNET: Source address = 0030DA2E6D53
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = GRE - General Routing Encapsulation; Packet ID = 11897; Total IP Length = 64; Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 000..... = Precedence - Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 64 (0x40)
IP: Identification = 11897 (0x2E79)
IP: Fragmentation Summary = 0 (0x0)
IP: .0.............. = May fragment datagram if necessary
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 122 (0x7A)
IP: Protocol = GRE - General Routing Encapsulation
IP: Checksum = 22028 (0x560C)
IP: Source Address = VPN-Destination-IP-Address
IP: Destination Address = 192.168.168.168 (ISA Server External NIC)
GRE: ..KS....A....... Length: 28, Call ID: 2560
GRE: Flags Summary = 12417 (0x3081)
GRE: 0............... = Checksum Absent
GRE: .0.............. = Routing Absent
GRE: ..1............. = Key Present
GRE: ...1............ = Sequence Number Present
GRE: ....0........... = Strict Source Route Absent
GRE: ........1....... = Acknowledge Sequence Number Present
GRE: Recursion Control = 0 (0x0)
GRE: Ver = 1 (0x1)
GRE: Protocol Type = 0x880B
GRE: Key Length = 28 (0x1C)
GRE: Key Call ID = 2560 (0xA00)
GRE: Sequence Number = 3 (0x3)
GRE: Ack Number = 2 (0x2)
PPP: Challenge Handshake Authentication Protocol Frame (0xC223)
PPP: Protocol = Challenge Handshake Authentication Protocol
PPPCHAP: Challenge, ID = 0x 0: Challenge
PPPCHAP: Type = Challenge
PPPCHAP: ID = 0 (0x0)
PPPCHAP: Length = 26 (0x1A)
PPPCHAP: Data = 10 30 4A 5C D7 8B CE 60 E6 DB 07 CC 12 0B 4F BD 75 4E 31 4E 52 57
00000: 00 13 72 54 21 21 00 30 DA 2E 6D 53 08 00 45 00
00010: 00 40 2E 79 00 00 7A 2F 56 0C CA 48 88 70 C0 A8
00020: A8 A8 30 81 88 0B 00 1C 0A 00 00 00 00 03 00 00
00030: 00 02 C2 23 01 00 00 1A 10 30 4A 5C D7 8B CE 60
00040: E6 DB 07 CC 12 0B 4F BD 75 4E 31 4E 52 57
and the equivalent frame for the successful VPN connection is:
112 12.569481 0030DA2E6D53 LOCAL PPPCHAP Challenge, ID = 0x 1: Challenge VPN-Destination-IP-Address ISAServername IP
FRAME: Base frame properties
FRAME: Time of capture = 26/05/2006 11:55:18 AM
FRAME: Time delta from previous physical frame: 0 microseconds
FRAME: Frame number: 112
FRAME: Total frame length: 75 bytes
FRAME: Capture frame length: 75 bytes
FRAME: Frame data: Number of data bytes remaining = 75 (0x004B)
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = 001372542121
ETHERNET: 0....... = Individual address
ETHERNET: .0...... = Universally administered address
ETHERNET: Source address = 0030DA2E6D53
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = GRE - General Routing Encapsulation; Packet ID = 14122; Total IP Length = 61; Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 111..... = Precedence - Network Control
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 61 (0x3D)
IP: Identification = 14122 (0x372A)
IP: Fragmentation Summary = 16384 (0x4000)
IP: .1.............. = Cannot fragment datagram
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 50 (0x32)
IP: Protocol = GRE - General Routing Encapsulation
IP: Checksum = 28649 (0x6FE9)
IP: Source Address = VPN-Destination-IP-Address
IP: Destination Address = 192.168.168.168 (ISA Server External IP)
GRE: ..KS............ Length: 29, Call ID: 0
GRE: Flags Summary = 12289 (0x3001)
GRE: 0............... = Checksum Absent
GRE: .0.............. = Routing Absent
GRE: ..1............. = Key Present
GRE: ...1............ = Sequence Number Present
GRE: ....0........... = Strict Source Route Absent
GRE: ........0....... = Acknowledge Sequence Number Absent
GRE: Recursion Control = 0 (0x0)
GRE: Ver = 1 (0x1)
GRE: Protocol Type = 0x880B
GRE: Key Length = 29 (0x1D)
GRE: Key Call ID = 0 (0x0)
GRE: Sequence Number = 3 (0x3)
PPP: Challenge Handshake Authentication Protocol Frame (0xC223)
PPP: Protocol = Challenge Handshake Authentication Protocol
PPPCHAP: Challenge, ID = 0x 1: Challenge
PPPCHAP: Type = Challenge
PPPCHAP: ID = 1 (0x1)
PPPCHAP: Length = 27 (0x1B)
PPPCHAP: Data = 10 B5 BE 73 DB 84 A2 52 FE 09 79 BD DA C2 91 48 DD 50 6F 50 54 6F 50
00000: 00 13 72 54 21 21 00 30 DA 2E 6D 53 08 00 45 E0
00010: 00 3D 37 2A 40 00 32 2F 6F E9 CB 31 6C 1C C0 A8
00020: A8 A8 30 01 88 0B 00 1D 00 00 00 00 00 03 C2 23
00030: 01 01 00 1B 10 B5 BE 73 DB 84 A2 52 FE 09 79 BD
00040: DA C2 91 48 DD 50 6F 50 54 6F 50
Unsuccessful:
124 5.800924 LOCAL 00123FE98A29 PPPCHAP Challenge, ID = 0x 0: Challenge VPN-Destination-IP-Address 192.168.10.210 IP
FRAME: Base frame properties
FRAME: Time of capture = 26/05/2006 11:55:04 AM
FRAME: Time delta from previous physical frame: 2930 microseconds
FRAME: Frame number: 124
FRAME: Total frame length: 78 bytes
FRAME: Capture frame length: 78 bytes
FRAME: Frame data: Number of data bytes remaining = 78 (0x004E)
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = 00123FE98A29
ETHERNET: 0....... = Individual address
ETHERNET: .0...... = Universally administered address
ETHERNET: Source address = 001372542120
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = GRE - General Routing Encapsulation; Packet ID = 11897; Total IP Length = 64; Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 000..... = Precedence - Routine
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 64 (0x40)
IP: Identification = 11897 (0x2E79)
IP: Fragmentation Summary = 0 (0x0)
IP: .0.............. = May fragment datagram if necessary
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 121 (0x79)
IP: Protocol = GRE - General Routing Encapsulation
IP: Checksum = 62690 (0xF4E2)
IP: Source Address = VPN-Destination-IP-Address
IP: Destination Address = 192.168.10.210
GRE: ..KS....A....... Length: 28, Call ID: 256
GRE: Flags Summary = 12417 (0x3081)
GRE: 0............... = Checksum Absent
GRE: .0.............. = Routing Absent
GRE: ..1............. = Key Present
GRE: ...1............ = Sequence Number Present
GRE: ....0........... = Strict Source Route Absent
GRE: ........1....... = Acknowledge Sequence Number Present
GRE: Recursion Control = 0 (0x0)
GRE: Ver = 1 (0x1)
GRE: Protocol Type = 0x880B
GRE: Key Length = 28 (0x1C)
GRE: Key Call ID = 256 (0x100)
GRE: Sequence Number = 3 (0x3)
GRE: Ack Number = 2 (0x2)
PPP: Challenge Handshake Authentication Protocol Frame (0xC223)
PPP: Protocol = Challenge Handshake Authentication Protocol
PPPCHAP: Challenge, ID = 0x 0: Challenge
PPPCHAP: Type = Challenge
PPPCHAP: ID = 0 (0x0)
PPPCHAP: Length = 26 (0x1A)
PPPCHAP: Data = 10 30 4A 5C D7 8B CE 60 E6 DB 07 CC 12 0B 4F BD 75 4E 31 4E 52 57
00000: 00 12 3F E9 8A 29 00 13 72 54 21 20 08 00 45 00
00010: 00 40 2E 79 00 00 79 2F F4 E2 CA 48 88 70 C0 A8
00020: 0A D2 30 81 88 0B 00 1C 01 00 00 00 00 03 00 00
00030: 00 02 C2 23 01 00 00 1A 10 30 4A 5C D7 8B CE 60
00040: E6 DB 07 CC 12 0B 4F BD 75 4E 31 4E 52 57
Successful
387 15.004049 LOCAL 00123FE98A29 PPPCHAP Challenge, ID = 0x 1: Challenge VPN-Destination-IP-Address 192.168.10.210 IP
FRAME: Base frame properties
FRAME: Time of capture = 26/05/2006 11:55:13 AM
FRAME: Time delta from previous physical frame: 0 microseconds
FRAME: Frame number: 387
FRAME: Total frame length: 75 bytes
FRAME: Capture frame length: 75 bytes
FRAME: Frame data: Number of data bytes remaining = 75 (0x004B)
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = 00123FE98A29
ETHERNET: 0....... = Individual address
ETHERNET: .0...... = Universally administered address
ETHERNET: Source address = 001372542120
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = GRE - General Routing Encapsulation; Packet ID = 14122; Total IP Length = 61; Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 111..... = Precedence - Network Control
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 61 (0x3D)
IP: Identification = 14122 (0x372A)
IP: Fragmentation Summary = 16384 (0x4000)
IP: .1.............. = Cannot fragment datagram
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 49 (0x31)
IP: Protocol = GRE - General Routing Encapsulation
IP: Checksum = 3776 (0xEC0)
IP: Source Address = VPN-Destination-IP-Address
IP: Destination Address = 192.168.10.210
GRE: ..KS............ Length: 29, Call ID: 256
GRE: Flags Summary = 12289 (0x3001)
GRE: 0............... = Checksum Absent
GRE: .0.............. = Routing Absent
GRE: ..1............. = Key Present
GRE: ...1............ = Sequence Number Present
GRE: ....0........... = Strict Source Route Absent
GRE: ........0....... = Acknowledge Sequence Number Absent
GRE: Recursion Control = 0 (0x0)
GRE: Ver = 1 (0x1)
GRE: Protocol Type = 0x880B
GRE: Key Length = 29 (0x1D)
GRE: Key Call ID = 256 (0x100)
GRE: Sequence Number = 3 (0x3)
PPP: Challenge Handshake Authentication Protocol Frame (0xC223)
PPP: Protocol = Challenge Handshake Authentication Protocol
PPPCHAP: Challenge, ID = 0x 1: Challenge
PPPCHAP: Type = Challenge
PPPCHAP: ID = 1 (0x1)
PPPCHAP: Length = 27 (0x1B)
PPPCHAP: Data = 10 B5 BE 73 DB 84 A2 52 FE 09 79 BD DA C2 91 48 DD 50 6F 50 54 6F 50
00000: 00 12 3F E9 8A 29 00 13 72 54 21 20 08 00 45 E0
00010: 00 3D 37 2A 40 00 31 2F 0E C0 CB 31 6C 1C C0 A8
00020: 0A D2 30 01 88 0B 00 1D 01 00 00 00 00 03 C2 23
00030: 01 01 00 1B 10 B5 BE 73 DB 84 A2 52 FE 09 79 BD
00040: DA C2 91 48 DD 50 6F 50 54 6F 50
|
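Added example, not written by any poster in this thread: it parses the four GRE frames posted above from the IP header onward, using the PPTP enhanced GRE layout of RFC 2637, pairs each capture from the ISA external interface with the matching one from the internal interface, and lists which fields were rewritten in between. The function names and the `CAPTURES` layout are assumptions of this example; the bytes are transcribed from the hex dumps in the post.

```python
import struct
from ipaddress import IPv4Address

# PPP/CHAP payloads, identical on both interfaces (transcribed from the post).
FAIL_PPP = "C223 0100001A 10 304A5CD78BCE60E6DB07CC120B4FBD75 4E314E5257"
WORK_PPP = "C223 0101001B 10 B5BE73DB84A252FE0979BDDAC29148DD 506F50546F50"

# IP header + GRE header per capture point (Ethernet header omitted).
# "outside" = ISA external NIC, "inside" = ISA internal NIC.
CAPTURES = {
    "failing": {
        "outside": "45000040 2E790000 7A2F560C CA488870 C0A8A8A8"
                   " 3081880B 001C0A00 00000003 00000002 " + FAIL_PPP,
        "inside":  "45000040 2E790000 792FF4E2 CA488870 C0A80AD2"
                   " 3081880B 001C0100 00000003 00000002 " + FAIL_PPP,
    },
    "working": {
        "outside": "45E0003D 372A4000 322F6FE9 CB316C1C C0A8A8A8"
                   " 3001880B 001D0000 00000003 " + WORK_PPP,
        "inside":  "45E0003D 372A4000 312F0EC0 CB316C1C C0A80AD2"
                   " 3001880B 001D0100 00000003 " + WORK_PPP,
    },
}


def parse_pptp_gre(hexdump: str) -> dict:
    """Decode IPv4 + enhanced GRE (RFC 2637) + PPP CHAP from a hex string."""
    pkt = bytes.fromhex(hexdump)
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or pkt[9] != 47:
        raise ValueError("not an IPv4 packet carrying GRE (protocol 47)")
    total_len, ip_id = struct.unpack_from("!HH", pkt, 2)
    if total_len != len(pkt):
        raise ValueError("IP total length does not match captured bytes")

    flags, proto, payload_len, call_id = struct.unpack_from("!HHHH", pkt, ihl)
    if flags & 0x0007 != 1 or proto != 0x880B or not flags & 0x2000:
        raise ValueError("not PPTP enhanced GRE (ver 1, key present, PPP)")
    off = ihl + 8
    seq = ack = None
    if flags & 0x1000:                      # S bit: sequence number present
        (seq,) = struct.unpack_from("!I", pkt, off)
        off += 4
    if flags & 0x0080:                      # A bit: acknowledgment present
        (ack,) = struct.unpack_from("!I", pkt, off)
        off += 4
    payload = pkt[off:off + payload_len]
    if len(payload) != payload_len:
        raise ValueError("GRE payload shorter than its length field")

    # PPP address/control (FF 03) may be present or compressed away.
    ppp = payload[2:] if payload[:2] == b"\xff\x03" else payload
    (ppp_proto,) = struct.unpack_from("!H", ppp, 0)
    fields = {
        "ip_id": ip_id, "ttl": pkt[8], "dst": str(IPv4Address(pkt[16:20])),
        "call_id": call_id, "seq": seq, "ack": ack,
        "ppp_proto": ppp_proto, "payload": payload,
    }
    if ppp_proto == 0xC223 and ppp[2] in (1, 2):   # CHAP Challenge/Response
        _code, ident, length, vsize = struct.unpack_from("!BBHB", ppp, 2)
        fields["chap_id"] = ident
        fields["chap_name"] = ppp[7 + vsize:2 + length].decode("ascii", "replace")
    return fields


def nat_rewrites(outside: dict, inside: dict) -> dict:
    """Fields that differ between two captures of the same packet."""
    if (outside["ip_id"], outside["payload"]) != (inside["ip_id"], inside["payload"]):
        raise ValueError("captures do not show the same packet")
    return {k: (outside[k], inside[k])
            for k in ("dst", "ttl", "call_id") if outside[k] != inside[k]}


def summarize() -> dict:
    """Per connection attempt: CHAP name, GRE ack, and rewritten fields."""
    report = {}
    for label, sides in CAPTURES.items():
        out, ins = (parse_pptp_gre(sides[s]) for s in ("outside", "inside"))
        report[label] = {"chap_name": out["chap_name"], "ack": out["ack"],
                         "rewrites": nat_rewrites(out, ins)}
    return report


if __name__ == "__main__":
    for label, info in summarize().items():
        print(label, info)
```

On these frames the inside Call ID is 256 in both attempts, while the outside Call ID is 2560 for the failing server and 0 for the working one.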
|
|
5/26/2006 8:27:35 AM Re: Internal Clients can't VPN to External VPN Server(s) |
(responding offline)
--
--
Jim Harrison [ISA SE]
Read the help, books and articles!
This posting is provided "AS IS" with no warranties, and confers no rights.
GRE: Key Call ID = 256 (0x100)
GRE: Sequence Number = 3 (0x3)
GRE: Ack Number = 2 (0x2)
PPP: Challenge Handshake Authentication Protocol Frame (0xC223)
PPP: Protocol = Challenge Handshake Authentication Protocol
PPPCHAP: Challenge, ID = 0x 0: Challenge
PPPCHAP: Type = Challenge
PPPCHAP: ID = 0 (0x0)
PPPCHAP: Length = 26 (0x1A)
PPPCHAP: Data = 10 30 4A 5C D7 8B CE 60 E6 DB 07 CC 12 0B 4F BD 75
4E 31 4E 52 57
00000: 00 12 3F E9 8A 29 00 13 72 54 21 20 08 00 45 00 ..?éS)..rT!
...E.
00010: 00 40 2E 79 00 00 79 2F F4 E2 CA 48 88 70 C0 A8
..@.y..y/ôâÊH^pÀ¨
00020: 0A D2 30 81 88 0B 00 1C 01 00 00 00 00 03 00 00
..Ò0^...........
00030: 00 02 C2 23 01 00 00 1A 10 30 4A 5C D7 8B CE 60
...Â#.....0J\×<Î`
00040: E6 DB 07 CC 12 0B 4F BD 75 4E 31 4E 52 57
æÛ.Ì..O½uN1NRW
Successful
387 15.004049 LOCAL 00123FE98A29 PPPCHAP Challenge, ID = 0x 1:
Challenge VPN-Destination-IP-Address 192.168.10.210 IP
FRAME: Base frame properties
FRAME: Time of capture = 26/05/2006 11:55:13 AM
FRAME: Time delta from previous physical frame: 0 microseconds
FRAME: Frame number: 387
FRAME: Total frame length: 75 bytes
FRAME: Capture frame length: 75 bytes
FRAME: Frame data: Number of data bytes remaining = 75 (0x004B)
ETHERNET: EType = Internet IP (IPv4)
ETHERNET: Destination address = 00123FE98A29
ETHERNET: 0....... = Individual address
ETHERNET: .0...... = Universally administered address
ETHERNET: Source address = 001372542120
ETHERNET: .0...... = Universally administered address
ETHERNET: Ethernet Type : 0x0800 (Internet IP (IPv4))
IP: Protocol = GRE - General Routing Encapsulation; Packet ID = 14122;
Total IP Length = 61; Options = No Options
IP: Version = IPv4; Header Length = 20
IP: 0100.... = IP Version 4
IP: ....0101 = Header Length 20
IP: Type of Service = Normal Service
IP: 111..... = Precedence - Network Control
IP: ...0.... = Normal Delay
IP: ....0... = Normal Throughput
IP: .....0.. = Normal Reliability
IP: ......0. = Normal Monetary Cost
IP: Total Length = 61 (0x3D)
IP: Identification = 14122 (0x372A)
IP: Fragmentation Summary = 16384 (0x4000)
IP: .1.............. = Cannot fragment datagram
IP: ..0............. = Last fragment in datagram
IP: ...0000000000000 = Fragment Offset 0 (0x0000)
IP: Time to Live = 49 (0x31)
IP: Protocol = GRE - General Routing Encapsulation
IP: Checksum = 3776 (0xEC0)
IP: Source Address = VPN-Destination-IP-Address
IP: Destination Address = 192.168.10.210
GRE: ..KS............ Length: 29, Call ID: 256
GRE: Flags Summary = 12289 (0x3001)
GRE: 0............... = Checksum Absent
GRE: .0.............. = Routing Absent
GRE: ..1............. = Key Present
GRE: ...1............ = Sequence Number Present
GRE: ....0........... = Strict Source Route Absent
GRE: ........0....... = Acknowledge Sequence Number Absent
GRE: Recursion Control = 0 (0x0)
GRE: Ver = 1 (0x1)
GRE: Protocol Type = 0x880B
GRE: Key Length = 29 (0x1D)
GRE: Key Call ID = 256 (0x100)
GRE: Sequence Number = 3 (0x3)
PPP: Challenge Handshake Authentication Protocol Frame (0xC223)
PPP: Protocol = Challenge Handshake Authentication Protocol
PPPCHAP: Challenge, ID = 0x 1: Challenge
PPPCHAP: Type = Challenge
PPPCHAP: ID = 1 (0x1)
PPPCHAP: Length = 27 (0x1B)
PPPCHAP: Data = 10 B5 BE 73 DB 84 A2 52 FE 09 79 BD DA C2 91 48 DD
50 6F 50 54 6F 50
00000: 00 12 3F E9 8A 29 00 13 72 54 21 20 08 00 45 E0 ..?éS)..rT!
...Eà
00010: 00 3D 37 2A 40 00 31 2F 0E C0 CB 31 6C 1C C0 A8
..=7*@.1/.ÀË1l.À¨
00020: 0A D2 30 01 88 0B 00 1D 01 00 00 00 00 03 C2 23
..Ò0.^.........Â#
00030: 01 01 00 1B 10 B5 BE 73 DB 84 A2 52 FE 09 79 BD
......µ¾sÛ"¢Rþ.y½
00040: DA C2 91 48 DD 50 6F 50 54 6F 50
ÚÂ'HÝPoPToP
|
|
|
5/28/2006 8:09:09 PM Re: Internal Clients can't VPN to External VPN Server(s) |
Emailed Cap files to Jim.
|
|
|
5/29/2006 12:07:26 PM Re: Internal Clients can't VPN to External VPN Server(s) |
Got them and responded offline with the detailed analysis.
Detailed analysis (actual values changed):
1. VPN client sends a PPTP Start-Control-Connection-Request message; ISA forwards this to the VPN server unchanged
2. VPN server responds with a PPTP Start-Control-Connection-Reply message; ISA forwards this to the client unchanged
3. VPN client sends a PPTP Outgoing-Call-Request control message that includes a field called "CallID" with a value of 666. This uniquely identifies this caller to the server
4. ISA forwards the PPTP Outgoing-Call-Request control message that includes a field called "CallID" with a value of 999. The PPTP filter changes this to avoid potential conflicts between multiple internal PPTP clients and maintains an internal lookup table so that it can translate this between the client & server as the conversation proceeds.
5. VPN server responds with an Outgoing-Call-Reply acknowledging the call request. This includes the client's CallID as a PeerCallID and adds its own CallID of 969 to the data.
6. ISA translates the PeerCallID to the internal client's value of 666 and forwards the packet to the XP client
7. VPN client acknowledges the Outgoing-Call-Reply with a Set-Link-Info message, which uses a PeerCallID of 969; the VPN server's "CallID"

Now we have a conversation that's identified as:
VPN client CallID = 666
ISA CallID = 999
VPNSvr CallID = 969

These values will be exchanged between the client and server for all following PPTP control messages and *must* always be the same.
Note that "CallID" always refers to the sender and "PeerCallID" always refers to the receiver of a given packet.

8. VPN server sends a PPTP Set-Link-Info message with the PeerCallID not equal to 666. Since this CallID is not related to this current PPTP connection, the ISA PPTP filter instructs the firewall service to close the connection to the server and client.

The VPN server is changing the PeerCallID (VPN client's CallID) for this session and the ISA PPTP filter is closing the connection as a protective measure.
--
Jim Harrison [ISA SE]
Read the help, books and articles!
This posting is provided "AS IS" with no warranties, and confers no rights.
<wharminda@gmail.com> wrote in message news:1148872149.492462.322760@i39g2000cwa.googlegroups.com...
Emailed Cap files to Jim.
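The CallID bookkeeping in steps 3 to 8 of the analysis above, modelled as a lookup table that rewrites the client's CallID on the way out and refuses a server message whose PeerCallID it never issued. This is an added example, not part of the thread and not ISA Server's code. The class and method names and the mismatching PeerCallID value are assumptions, and the table is keyed on the external CallID (999), which maps back to the client's 666.

```python
from dataclasses import dataclass, field
from itertools import count


class CallIdMismatch(Exception):
    """Server addressed a PeerCallID that no tracked call owns."""


@dataclass
class PptpCallIdTable:
    # external CallID issued by the filter -> (client IP, client's own CallID)
    by_external: dict = field(default_factory=dict)
    # (client IP, client CallID) -> server's CallID, learned from the reply
    server_ids: dict = field(default_factory=dict)
    _next: count = field(default_factory=lambda: count(999))

    def outgoing_call_request(self, client_ip, call_id):
        """Steps 3-4: swap the client's CallID for a unique external one."""
        external = next(self._next)
        self.by_external[external] = (client_ip, call_id)
        return external

    def from_server(self, msg_type, peer_call_id, call_id=None):
        """Steps 5-6 and 8: map PeerCallID back to the client, or refuse."""
        if peer_call_id not in self.by_external:
            raise CallIdMismatch(f"{msg_type}: unknown PeerCallID {peer_call_id}")
        client_ip, client_call_id = self.by_external[peer_call_id]
        if msg_type == "Outgoing-Call-Reply":
            self.server_ids[(client_ip, client_call_id)] = call_id
        return client_ip, client_call_id


def replay_thread_example():
    """Replay steps 3-8 with the thread's (already altered) values."""
    table = PptpCallIdTable()
    client = "192.168.10.210"
    external = table.outgoing_call_request(client, 666)   # 666 becomes 999
    forwarded = table.from_server("Outgoing-Call-Reply", external, call_id=969)
    try:
        # Constructed value: any PeerCallID the table did not hand out.
        table.from_server("Set-Link-Info", 1234)
        closed = False
    except CallIdMismatch:
        closed = True                                      # step 8: drop the call
    return external, forwarded, closed
```

Two internal clients that both pick CallID 666 receive different external values from `outgoing_call_request`, which is the conflict the translation exists to avoid.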
|
|
|
6/1/2006 8:38:11 PM Re: Internal Clients can't VPN to External VPN Server(s) |
Thanks to Jim for his help.
Last comment from Jim on how to fix the problem:
Hi Mark,
You can't do anything at your end.
Send my analysis to them and ask them to contact PSS