No routing after AD password change (PIX + IAS + PPTP VPN)
- From: "shifty" <shifty_MyU@xxxxxxxxx>
- Date: 29 Nov 2005 00:00:37 -0800
I've been debugging all night and spent the past week banging usenet
for related posts to no avail, I'm at the end of my rope.
I cannot seem to VPN into my PIX and route packets into my network
after changing the password of my Active Directory accounts...and
likewise, new users cannot route packets either.
Here's my basic setup and more information:
I have a Cisco PIX (506 and 515r, 6.3(4) flashed) in two locations with
a VPN tunnel between.
Both offices are in the same Active Directory forest and domain.
The PIXes are set up to authenticate with a Windows 2000 Advanced Server
using RADIUS via IAS to allow remote PPTP VPN access.
Here's where it gets weird: I changed the password for my Active
Directory account the other day. Later that day, I went home and
logged in successfully to the VPN using the new password ... but
couldn't manage to reach anything inside the network at all even though
the supplied routing tables were correct.
Confused, I logged out of the VPN, logged into OWA and remotely changed
my AD password back to what it was previously. I logged back into the
VPN and I am now able to reach everything inside the network again. So
I'm able to authenticate with the current password, but I am only
allowed to route packets if I'm using my original password.
I did a 'route print' in both cases - and both of the routes with new
password and old password are identical. Based on the routes, routing
and access should work perfectly. Sounds like something is caching
something somewhere, right?
Confused, I set up a new user and allowed access to the VPN. I logged
into the VPN successfully with the new user but I am unable to get
around inside the network. If I log in with an old user, it works, but
not with new ones. The routing table looks perfect. I notice this
behavior in both offices. This shoots my caching theory out the
window. So, everyone can login to the VPN but only old accounts using
old passwords can route packets? WTF?
Confused and looking for more information, I checked the Event Viewer
on my domain controller. With all logins listed above, I show that IAS
has successfully authenticated the users and assigned IP addresses.
Confused, I rebooted the domain controller to see if there was some
caching going on. I also checked IAS and Routing and Remote Access on
the domain controller and see nothing related to routes existing. I
also checked the IAS logfiles and see no anomalies between any of the
logins.
Next, I reset my AD password to its original state, reloaded the Cisco
PIX to ensure some caching wasn't occurring on it, and again rebooted my
domain controller. I hop on to two computers in my house -
From one computer, I log onto the VPN using my old account w/original
password. I then hop onto the PIX and set 'logging console debugging'.
I test logging in with both passwords on my old account - all is
successful and looks ok between both logins. For S&G, I tried to
telnet to an IP inside the network logged in both ways. Strangely, I
only see a console log entry for the VPN connection using the original
password. Nothing shows up in the console debug when I telnet
internally after logging off the VPN then back in again using the newly
changed password.
One last item: I logged into the VPN using my original password. I
then logon to the domain controller, change my network/AD password to a
new password. I log off of the domain controller but leave the VPN
connection established. I can manage to hit anywhere inside the
network still....until I disconnect and reconnect to the VPN. So I
know this is somehow related to my VPN session on the PIX. My only
other option to resolve this is packet sniffing on the domain
controller, but I'm hoping someone has seen an anomaly like this
before...
There has to be something caching passwords or otherwise dropping
packets here, but I can't figure out who/what where.
I walked away from this for a week and nothing updated internally, even
across multiple power cycles of all equipment. I am stumped.....
Anyone have any ideas?
PS - I'm not using Cisco VPN client at all and have not been in the
three years I've been configured this way.
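Added example (not the poster's configuration, and not an answer from the thread): the kind of PIX 6.3 PPTP-plus-RADIUS configuration the setup above describes, followed by the show/debug commands worth capturing once per session so that an old-password session and a new-password session can be compared line by line. The interface names, addresses, pool range, group name and shared secret are assumed placeholders.

```text
! Added example: PIX 6.3 terminating PPTP clients, authenticating them via
! RADIUS (IAS). All addresses, names and the pool range are assumed.
ip local pool pptp-pool 192.168.250.1-192.168.250.50
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.168.1.10 SharedSecret timeout 5
vpdn group pptp-users accept dialin pptp
vpdn group pptp-users ppp authentication mschap
vpdn group pptp-users ppp encryption mppe 40 required
vpdn group pptp-users client configuration address local pptp-pool
vpdn group pptp-users client configuration dns 192.168.1.10
vpdn group pptp-users client authentication aaa RADIUS
vpdn group pptp-users pptp echo 60
vpdn enable outside
sysopt connection permit-pptp
! Traffic to the PPTP pool must be exempt from NAT on the inside interface:
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.250.0 255.255.255.0
nat (inside) 0 access-list nonat
!
! Capture these once per test session (old password, then new password)
! and diff the two captures rather than eyeballing them:
show vpdn tunnel
show vpdn session
show uauth
show conn
show aaa-server
!
! While the test telnet is attempted from the client, trace the PIX side:
logging console debugging
debug vpdn event
debug ppp negotiation
debug radius
```

The value of `show conn` and `show uauth` here is that they separate "the tunnel came up and an address was assigned" (which the IAS event log already confirms) from "the PIX is actually building connections for that assigned address", which is the distinction the missing console entry for the telnet points at. Diffing the two captures makes any difference in the assigned address, the tunnel attributes or the connection table visible without relying on memory.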