Windows 2000 + PIX + AD - changing passwords?

Discussion in 'Cisco' started by shifty, Dec 7, 2005.

    shifty (Guest)

    I have a unique problem in that there's nothing on Usenet about it I
    can locate :)

    I have a PIX 515 with 6.3(4) FW. I've an Active Directory based
    network on the inside. It is the single firewall on my network and the
    gateway for all clients.

    The PIX is set up for PPTP VPN, authenticating all AD users with dial-in
    permissions enabled using RADIUS and then dropping them inside the VPN
    to work internally.

    All current AD accounts and passwords are able to authenticate on the
    VPN and route to workstations inside the network fine; however, if the
    user changes their AD password, they can still authenticate properly
    over the PPTP VPN, but they can't get any packets into the network. It
    seems they're being redirected or dropped somewhere.

    With login before or after password change, the routing tables on the
    VPN client are the same (no change). All routing tables given are
    correct in both cases, so packets should be getting through in both
    situations. It is almost as if passwords or routes are being cached
    somewhere and the missing/dropped packet problem persists between
    reloads and reboots of the domain controller and the PIX.

    I've done everything shy of setting up Ethereal in a few places to track
    packets. I set up console debugging on the PIX and notice that packets
    with the original password show up in the PIX console, but when the AD
    password is changed and the user logs on with the new password, I
    don't seem to see the packets in the console.

    I'm stumped. Has anyone EVER seen anything like this before? It makes
    no sense to me. Is it possible that Routing and Remote Access or
    something else could be causing this problem? With all routes intact,
    the client knows where to send the packets; they are apparently just
    being dumped or something.

    Any help greatly appreciated.
    shifty, Dec 7, 2005
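Background the thread does not spell out, as an added example (this is not code from the poster, Cisco or Microsoft): in a PPTP tunnel authenticated with MS-CHAPv2, the MPPE keys that encrypt the data frames are derived from the user's NT password hash (RFC 3079, section 3). A password change therefore changes the keys both peers must derive identically, and "authentication succeeded" and "data frames decrypt correctly" are two separate outcomes. The script below carries the derivation through with the RFC's published test vectors; the 24-byte NTResponse is taken as an input because its DES steps are out of scope, and MD4 is implemented inline because many OpenSSL builds no longer expose it to Python's hashlib.

```python
"""MS-CHAPv2 / MPPE key derivation walk-through (RFC 2759 + RFC 3079)."""
import hashlib
import struct


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often unavailable)."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Pad: 0x80, zeros to 56 mod 64, then the bit length as little-endian u64.
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                      # round 1
            a = rotl((a + F(b, c, d) + X[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 2, columns of X
            k = (i % 4) * 4 + i // 4
            a = rotl((a + G(b, c, d) + X[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                      # round 3, bit-reversed order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + H(b, c, d) + X[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password_hash(password: str) -> bytes:
    """NtPasswordHash: MD4 over the UTF-16LE encoding of the password."""
    return md4(password.encode("utf-16-le"))


# Constants from RFC 3079 section 3.
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = b"On the client side, this is the send key; on the server side, it is the receive key."
MAGIC3 = b"On the client side, this is the receive key; on the server side, it is the send key."
SHS_PAD1 = b"\x00" * 40
SHS_PAD2 = b"\xf2" * 40


def get_master_key(password_hash_hash: bytes, nt_response: bytes) -> bytes:
    """GetMasterKey: SHA-1(PasswordHashHash || NTResponse || Magic1), first 16 bytes."""
    return hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()[:16]


def get_asymmetric_start_key(master_key: bytes, length: int, is_send: bool, is_server: bool) -> bytes:
    """GetAsymmetricStartKey: the client's send key is the server's receive key."""
    magic = MAGIC3 if is_send == is_server else MAGIC2
    return hashlib.sha1(master_key + SHS_PAD1 + magic + SHS_PAD2).digest()[:length]


def mppe_session_keys(password: str, nt_response: bytes, is_server: bool, key_len: int = 16) -> dict:
    """Full chain: password -> NT hash -> hash-of-hash -> master key -> send/recv keys."""
    pw_hash = nt_password_hash(password)
    master = get_master_key(md4(pw_hash), nt_response)
    return {
        "nt_hash": pw_hash,
        "master_key": master,
        "send_key": get_asymmetric_start_key(master, key_len, True, is_server),
        "recv_key": get_asymmetric_start_key(master, key_len, False, is_server),
    }


def key_mismatch_after_password_change(old_password: str, new_password: str, nt_response: bytes) -> dict:
    """A client deriving from the new password only pairs with a peer that
    also derives from the new hash; a peer holding the old hash gets keys
    that cannot decrypt the client's frames even though both sides 'ran'."""
    client = mppe_session_keys(new_password, nt_response, is_server=False)
    stale_peer = mppe_session_keys(old_password, nt_response, is_server=True)
    current_peer = mppe_session_keys(new_password, nt_response, is_server=True)
    return {
        "stale_peer_matches": client["send_key"] == stale_peer["recv_key"],
        "current_peer_matches": client["send_key"] == current_peer["recv_key"],
    }


# RFC 2759 / RFC 3079 test-vector NTResponse for the password "clientPass"
# (used here as constructed sample input; in the field this is captured from
# the MS-CHAPv2 Response packet).
RFC_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")

if __name__ == "__main__":
    keys = mppe_session_keys("clientPass", RFC_NT_RESPONSE, is_server=False)
    for name, value in keys.items():
        print(f"{name:>10}: {value.hex().upper()}")
    print(key_mismatch_after_password_change("clientPass", "clientPass2", RFC_NT_RESPONSE))
```

Run it as-is to see the RFC vectors reproduced; `key_mismatch_after_password_change` shows that two peers deriving from different password hashes produce unrelated 128-bit keys, which is the kind of silent data-path failure to keep in mind whenever authentication succeeds but no traffic flows after a credential change.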