I have a unique problem in that there's nothing in Usenet about it I can locate :)
I have a PIX 515 with 6.3(4) FW. I've an Active Directory based network on the inside. It is the single firewall on my network and the gateway for all clients.
The PIX is set up for PPTP VPN, authenticating all AD users with dial-in permissions enabled using RADIUS and then dropping them inside the VPN to work internally.
All current AD accounts and passwords are able to authenticate on the VPN and route to workstations inside the network fine; however, if the user changes their AD password, they can still authenticate properly to the PPTP VPN, but they can't get any packets into the network. It seems they're being redirected or dropped somewhere.
With login before or after password change, the routing tables on the VPN client are the same (no change). All routing tables given are correct in both cases, so packets should be getting through in both situations. It is almost as if passwords or routes are being cached somewhere and the missing/dropped packet problem persists between reloads and reboots of the domain controller and the PIX.
I've done everything shy of setting up Ethereal in a few places to track packets. I set up console debugging on the PIX and notice that packets with the original password show up in the PIX console, but when the AD password is changed and the user logs on with the new password, I don't seem to see the packets in the console.
I'm stumped. Has anyone EVER seen anything like this before? It makes no sense to me. Is it possible that Routing and Remote Access or something else could be causing this problem? With all routes intact, the client knows where to send the packets to, they are apparently just being dumped or something.
Any help greatly appreciated.