Channel: Forefront TMG and ISA Server forum

S2S VPN problems - FWX_E_OUTBOUND_PATH_THROUGH_DROPPED


I am getting a few strange errors with Site to Site VPN connections.

One of our external vendors is quite upset and wants to ship a router, mostly because "No one has heard of TMG and it's not Industry Standard".

Now the problem seems to affect another Site to Site VPN we have; I had thought it was isolated to Vendor #1.

The main problem is that we get "FWX_E_OUTBOUND_PATH_THROUGH_DROPPED"

Doing a 'tracert' through the firewall shows that there is no route to the external IP for the Site to Site VPN, which is quite weird. If I remove all network objects, after a while the TMG server will either connect, or give me a valid route to the external site.

In other words, I add a site to site network.

The Remote VPN gateway IP address I can "ping".

Once I add this, it doesn't connect. Contacted Client #1. They said that our packets aren't even hitting their Cisco.

I do a tracert, and get errors in the TMG logging that say FWX_E_OUTBOUND_PATH_THROUGH_DROPPED.

In TMG logging, I get an error that says: "A packet generated on the local host was rejected because its source IP address is assigned to one network adapter and its destination IP address is reachable through another network adapter."

Our external partner says that no packets hit their VPN concentrator, which makes sense if they can't route out.

All routing tables make sense: internal IPs on the inside, external IPs on the external interfaces, and no exclusions just for the VPN gateway.

However, after several hours with no other changes on TMG, it will suddenly start working and connect.

Also in the event log, I will occasionally see these errors:

Description: Forefront TMG detected a proxy server loop. There may be a problem in the configuration of the Forefront TMG Web chaining policy. Alternatively, in Enterprise Edition, when CARP is enabled and there are intermittent interruptions of intra-array connectivity, array member A may forward a request to array member B according to the CARP algorithm, and array member B may forward the request to array member A in an endless loop.

However, I double checked the times and the above error doesn't always correspond to the times that the VPN thinks it doesn't have a route to the external site (although on occasion the above happens within a minute of the VPN not connecting).

I have no proxy servers installed other than the one TMG server. It *used* to be a member of a cluster with itself (long story), but I fixed that issue. (I had exported rules from "Fwall-2" and imported 'all' setup into "Fwall-4", and then it got somewhat confused. I have eventually removed any mention of Fwall-2, and TMG now thinks it is a stand-alone server, not an array.)

The above errors happen and 'un-happen' with NO CHANGES to the TMG setup. It's spontaneous.

Our partner wants us to buy a unit that they will reconfigure, but I'm worried I'll have the same problems setting this up, as I'd have to somehow change the simple edge network into a perimeter network, and then we may still have the same routing issue.

Any ideas? I'll open a formal ticket if we need to.


== John ==
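An added illustration of what the logged message describes (this is not code from John's post or from TMG itself; it is a small model written here for explanation). TMG rejects a locally generated packet when the adapter that owns the packet's source IP differs from the adapter the routing table selects for the destination. The adapter names, addresses and routes below are constructed for the example, and `check_local_packet` is a hypothetical helper that reproduces that rule with a longest-prefix route lookup, so you can see how a stray route (for instance one that sends the remote VPN gateway's subnet out the internal adapter) turns an otherwise fine source/destination pair into FWX_E_OUTBOUND_PATH_THROUGH_DROPPED.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # destination prefix
    adapter: str                   # adapter the route leaves through


# Constructed adapter table: adapter name -> address assigned to it.
# (RFC 5737 documentation ranges; not taken from the forum post.)
ADAPTERS = {
    "Internal": ipaddress.ip_interface("10.0.0.1/24"),
    "External": ipaddress.ip_interface("203.0.113.10/29"),
}

# Constructed routing table for the edge host. The default route goes out
# the external adapter; other internal subnets sit behind an internal router.
ROUTES = [
    Route(ipaddress.ip_network("10.0.0.0/24"), "Internal"),
    Route(ipaddress.ip_network("10.10.0.0/16"), "Internal"),
    Route(ipaddress.ip_network("203.0.113.8/29"), "External"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "External"),
]


def adapter_for_source(src, adapters):
    """Return the adapter whose assigned IP equals the packet's source IP."""
    src = ipaddress.ip_address(src)
    for name, iface in adapters.items():
        if iface.ip == src:
            return name
    raise ValueError(f"{src} is not assigned to any local adapter")


def adapter_for_destination(dst, routes):
    """Longest-prefix match: return the adapter of the most specific route,
    or None when no route covers the destination."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).adapter


def check_local_packet(src, dst, adapters=ADAPTERS, routes=ROUTES):
    """Model TMG's check on a packet generated on the local host.

    Returns "OK" when source adapter and outbound adapter agree,
    "NO_ROUTE" when nothing routes the destination, and the TMG result
    code name when the two adapters differ.
    """
    src_adapter = adapter_for_source(src, adapters)
    dst_adapter = adapter_for_destination(dst, routes)
    if dst_adapter is None:
        return "NO_ROUTE"
    if src_adapter != dst_adapter:
        return "FWX_E_OUTBOUND_PATH_THROUGH_DROPPED"
    return "OK"


def with_stray_route(routes, prefix, adapter):
    """Return a copy of the routing table with one extra (hypothetical) route."""
    return routes + [Route(ipaddress.ip_network(prefix), adapter)]


if __name__ == "__main__":
    remote_gw = "198.51.100.5"  # constructed remote VPN gateway address
    # Correct case: external source, destination reached via the default route.
    print(check_local_packet("203.0.113.10", remote_gw))
    # Mismatch: tunnel sourced from the internal address, destination is external.
    print(check_local_packet("10.0.0.1", remote_gw))
    # A stray route for the gateway's subnet via Internal breaks the correct case.
    bad = with_stray_route(ROUTES, "198.51.100.0/24", "Internal")
    print(check_local_packet("203.0.113.10", remote_gw, routes=bad))
```

When chasing this on a real host, the two inputs to compare are the same ones the model uses: which adapter owns the source address the VPN tunnel is using, and which adapter the routing table picks for the remote gateway address (the output of `route print` at the moment the tracert fails). The intermittent behaviour in the post suggests comparing those two snapshots while the problem is present and again after it clears, rather than only when the tunnel is up.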

