RRAS on ISA 2004 not keeping configs

 
 
Oliver O'Boyle

 
      08-29-2006, 05:53 PM
Hi group,

I've got some ISA 2004 servers that are configured for L2TP/IPSec
site-to-site VPNs, using certificates from our internal PKI. The VPN works
fine when using all authentication options, including EAP. However, if the
tunnel disconnects, or if a server is rebooted, the configuration used to
make EAP work seems to roll back to MS-CHAPv2. It happens almost all the
time, but on occasion, the settings don't change.

To be clear, it's the settings within RRAS itself that are not stable. All
the ISA settings remain intact 100% of the time.

Examples:

1) The demand-dial interface changes from EAP authentication to MS-CHAPv2.
On my HQ site, it usually changes back to "Typical" security options (as
opposed to Advanced), and on the remote site, the settings remain within the
"Advanced" category, but appear as MS-CHAPv2, instead of EAP. As a result of
it switching from EAP to MS-CHAPv2, I also lose the EAP credentials settings
for the interface.

2) In the RRAS policy that allows VPN access to our users, a similar
situation occurs. Instead of it changing from EAP though, the certificate
that I assign to the policy changes to a Web certificate that's also
installed on the machine. The policy also loses the NAS-Port-type rule that
I assign it. This can happen without a reboot or anything. Simply leaving
the service running will eventually cause the config to revert back to
something else.

Has anyone seen this before? Any ideas?

Thanks!
Oliver

Has anyone seen this?


 
Phillip Windell

 
      08-29-2006, 07:35 PM
"Oliver O'Boyle" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> To be clear, it's the setting within RRAS itself that are not stable. All
> the ISA settings remain intact 100% of the time.


ISA "owns" RRAS when they are on the same box. RRAS is no longer
independent. ISA will reset RRAS however it wants it whenever it wants it.

If you want to work with RRAS separately, then run it on a separate box.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/downlo...7/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Deployment Guidelines for ISA Server 2004 Enterprise Edition
http://www.microsoft.com/technet/pro...isaserver.mspx
-----------------------------------------------------



 
 
Oliver O'Boyle

 
      08-29-2006, 07:47 PM

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> "Oliver O'Boyle" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> To be clear, it's the setting within RRAS itself that are not stable. All
>> the ISA settings remain intact 100% of the time.

>
> ISA "owns" RRAS when they are on the same box. RRAS is no longer
> independent. ISA will reset RRAS however it wants it whenever it wants
> it.
>
> If you want to work with RRAS separately, then run it on a separate box.
>


I am aware of this, however, when you configure site-to-site VPNs to use
EAP, even with ISA on the box, you still need to go into the RRAS service
and configure the demand-dial interface manually. There's no way around it
via the ISA Management Console.

Oliver







 
 
Phillip Windell

 
      08-29-2006, 09:33 PM
Yes there are some things you still do in RRAS Admin, but it is really
"fuzzy" sometimes. I don't have any "lists" of what you can or can't do. I
don't really know what else to tell you.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Oliver O'Boyle" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Phillip Windell" <@.> wrote in message
> news:(E-Mail Removed)...
>> "Oliver O'Boyle" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>> To be clear, it's the setting within RRAS itself that are not stable.
>>> All the ISA settings remain intact 100% of the time.

>>
>> ISA "owns" RRAS when they are on the same box. RRAS is no longer
>> independent. ISA will reset RRAS however it wants it whenever it wants
>> it.
>>
>> If you want to work with RRAS separately, then run it on a separate box.
>>

>
> I am aware of this, however, when you configure site-to-site VPNs to use
> EAP, even with ISA on the box, you still need to go into the RRAS service
> and configure the demand-dial interface manually. There's no way around it
> via the ISA Management Console.
>
> Oliver
>
>
>
>



 
 
Oliver O'Boyle

 
      08-29-2006, 11:41 PM

"Phillip Windell" <@.> wrote in message
news:(E-Mail Removed)...
> Yes there are some things you still do in RRAS Admin, but it is really
> "fuzzy" sometimes. I don't have an "lists" of what you can or can't do. I
> don't really know what else to tell you.
>


The rule is, if you can configure it in ISA, don't mess with it in RRAS. EAP
and RRAS Policies are two areas that require you to work in RRAS.

I don't believe my problem is "normal", and so there is probably no stock
answer out there. I am hoping to hear from someone who has also seen this,
or who knows why it's happening.

But thanks for trying

Oliver

> --
> Phillip Windell [MCP, MVP, CCNA]
> www.wandtv.com
>
>
> "Oliver O'Boyle" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>>
>> "Phillip Windell" <@.> wrote in message
>> news:(E-Mail Removed)...
>>> "Oliver O'Boyle" <(E-Mail Removed)> wrote in message
>>> news:(E-Mail Removed)...
>>>> To be clear, it's the setting within RRAS itself that are not stable.
>>>> All the ISA settings remain intact 100% of the time.
>>>
>>> ISA "owns" RRAS when they are on the same box. RRAS is no longer
>>> independent. ISA will reset RRAS however it wants it whenever it wants
>>> it.
>>>
>>> If you want to work with RRAS separately, then run it on a separate box.
>>>

>>
>> I am aware of this, however, when you configure site-to-site VPNs to use
>> EAP, even with ISA on the box, you still need to go into the RRAS service
>> and configure the demand-dial interface manually. There's no way around
>> it via the ISA Management Console.
>>
>> Oliver
>>
>>
>>
>>



 
 
Phillip Windell

 
      08-30-2006, 03:39 PM
Ok,
Good luck with it!

Phil

"Oliver O'Boyle" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>
> "Phillip Windell" <@.> wrote in message
> news:(E-Mail Removed)...
>> Yes there are some things you still do in RRAS Admin, but it is really
>> "fuzzy" sometimes. I don't have an "lists" of what you can or can't do.
>> I don't really know what else to tell you.
>>

>
> The rule is, if you can configure it in ISA, don't mess with it in RRAS.
> EAP and RRAS Policies are two areas that require you to work in RRAS.
>
> I don't believe my problem is "normal", and so there is probably no stock
> answer out there. I am hoping to hear from someone who has also seen this,
> or who knows why it's happening.
>
> But thanks for trying
>
> Oliver
>
>> --
>> Phillip Windell [MCP, MVP, CCNA]
>> www.wandtv.com
>>
>>
>> "Oliver O'Boyle" <(E-Mail Removed)> wrote in message
>> news:(E-Mail Removed)...
>>>
>>> "Phillip Windell" <@.> wrote in message
>>> news:(E-Mail Removed)...
>>>> "Oliver O'Boyle" <(E-Mail Removed)> wrote in message
>>>> news:(E-Mail Removed)...
>>>>> To be clear, it's the setting within RRAS itself that are not stable.
>>>>> All the ISA settings remain intact 100% of the time.
>>>>
>>>> ISA "owns" RRAS when they are on the same box. RRAS is no longer
>>>> independent. ISA will reset RRAS however it wants it whenever it wants
>>>> it.
>>>>
>>>> If you want to work with RRAS separately, then run it on a separate
>>>> box.
>>>>
>>>
>>> I am aware of this, however, when you configure site-to-site VPNs to use
>>> EAP, even with ISA on the box, you still need to go into the RRAS
>>> service and configure the demand-dial interface manually. There's no way
>>> around it via the ISA Management Console.
>>>
>>> Oliver
>>>
>>>
>>>
>>>



 