Nortel VPN and Win2K problem with Network Resources 3

[tdub95]

I've just come across a problem and wondering if anyone has any idea what is going on.

Using Nortel Extranet client 4_60 on Win2K. Can get access to email, internal web pages just fine, however, when connecting through broadband, cannot get access to mapped drives or netowrk shares. No problem with these through our dial-up solution (ipass), no problem with this on XP systems, and no problem when connecting directly to a T1-router with a public IP. Problem seems to be only using Win2K through broadband (with or without Linksys Router).

Using Client version 4_15 seems to have fixed this on the W2K systems. Anybody have any idea why? Or what is going on here?

Thanks

 

[tdub95]

This is a problem with the 4_60 client codebase in that it installs the EAC filter driver. This can cause some networking problems. Supposedly, this is a known issue at Nortel - but they don't seem to be telling anyone about it and I can't find any documentation about it. However, turning this off solves my problem, so something is wrong with this.

 

[sdelvecchio]

The ability to connect to resources through VPN is not only a filter Drivers issue, but is related to Kerberos. Windows 2000 when it authenticates it passes a Kerberos ticket back to the DC, but through the VPN cannot validate that ticket so it dies.

Microsoft has a fix for this which has worked for 5 out of 5 of our users.

http://www.tek-tips.com/gviewthread.cfm/lev2/5/lev3/34/pid/463/qid/460030#PostForm

 

[sdelvecchio]

Oops, sorry wrong link. Here's the correct one:

http://support.microsoft.com/default.aspx?scid=kb;en-us;244474

 

[tdub95]

Thanks,

The Microsoft fix involves registry hack - why do that when you can just turn off the EAC filter? It's easier, simpler, works, and less work for users. Unfortunately, it's not much of a better solution than turning off the EAC filter - even though it gets closer to the actual problem.

Also, turning off file compression in the Nortel Contivity Switch is supposed to work as well. Not sure I want to go that route yet, but it is another workaround.

Nortel is supposedly working on a fix for this that will be in a new client version.

 

[abrickwo69]

We use Nortel 460 in our company and we just applied the above fix to force kerberos to use TCP port 88. We only had to do this becasue some PC's over broadband and behind a NAT device or Linksys would hang on loading your personal settings. The fix works. And we noticed that the packet sizes were even smaller than before. The other issue for the mapped drives, are you forcing the client to log off on connect and then back onto the domain? This is the only way we can get our users to fully authenticate to AD and get all the mapped drives, etc.

 

[tdub95]

We are not forcing any domain logon.
Simply connect with the Nortel client and you have access.
We do have an issue with Exchange and Outlook asking for domain authentication sometimes though.

Of course, this depends on how you have your access rights and permissions set up as well.

 

[sdelvecchio]

The reason we had to impliment the registry hack was because disabling the EACfilt Driver didn't work for everyone. Not all the users when they viewed the network adapter properties had this driver installed and so attempting to correct this problem was very inconsistant.
Disabling the drive worked for some, but for others it took removing the adapter and reinstalling it, we needed one fix for all and this registry tweak did the trick. Plus we could script it into a policy and send it to all users, without user intervention.

 

[theden]

Hi,

I'm running v4.65 right now but i need to test V4_15.06, would you know where to get this? Denis@acdfm.com

Thanks

 

[ucallwa]

Hmm, I will have to try the above fixes for the authentication issues.
If the computer is part of the domain, and the correct username and password is cached correctly (current uid/password) upon logging into the box and then connect to VPN, we dont have a issue. But if the password is changed outside of the box, either by citrix or by the helpdesk, then the login password to windows and the domain password are different, we expeirance partial authentication and can only get to things like outlook and the intranet, but are hounded by password requests. Hitting internal servers and printers are a no go. What I have my users do is use "log in through dial up" with ppp, this will cache their current credentials and aliviate the issue.
But a permenate fix would be nice!

 

[twopoint]

found a password fix for this, Log in using your old password and connect through VPN, log off but do not disconnect the VPN. when you log back in you can use your new password.

 

[tdub95]

That's the domain login - will only work if Nortel is installed as a service on W2K/XP. I tried that as well - didn't quite work for me - took an average of 20 minutes to complete the login over a 56k connection, which makes it unusable and worthless as far as users are concerned.

I also think that it is an extra step for users that did not need to do that before. Kind of a real pain to tell users that they have to go through this extra step, which really sounds like non-sense (not that it is, just listen to yourself talk somebody through it: "log into the VPN, now log off the computer, log back on. Now you have access to all the stuff you did before this version of the VPN client."

 

[dabadgr]

I am trying to write a Batch File to make this Registry Change for endusers. Does anyone have any idea how to do this?

 

[twopoint]

true, but If you have a user with a changed password that can't get to the network, it is an option. otherwise the cached password will continue to lock out his account