DHCP Request Denied
DHCP Request Denied - 23.Jan.2007 4:11:32 PM
bjblackmore
Posts: 80
Joined: 9.Aug.2005
Status: offline
Hi, I've set up a DHCP relay so that our VPN clients receive DHCP information from the server. I've used the steps detailed in this article http://www.isaserver.org/tutorials/2004dhcprelay.html however when the VPN clients connect, they don't receive the DHCP info. Looking at the log, the DHCP request is being denied, but it doesn't say which rule, or why it's being denied. The deny details are listed below:

Original Client IP 192.168.0.30
Server Name ISA
Transport UDP
GMT Log Time 1/23/2007 8:43:54 PM
Source Port 68
Result Code 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED
Destination IP 255.255.255.255
Destination Port 67
Protocol DHCP (request)
Action Denied Connection
Rule 0
Client IP 192.168.0.30
Source Network VPN Clients
Destination Network Local Host

The access rule is set up as: Allow, Protocol: DHCP (request), From: Anywhere, Destination: Local Host, All Users. I also have the DHCP reply set up as: Allow, Protocol: DHCP (reply), From: Internal/Local Host, Destination: Perimeter/VPN Clients, All Users. I have the 'DHCP Relay Agent' set up in RRAS for the internal network (not internal LAN); the server address is set up with our DHCP server address. Anyone know any reason why it would be denied? Or how to fix this?

Cheers, Ben
RE: DHCP Request Denied - 24.Jan.2007 4:02:26 AM
bjblackmore
Posts: 80
Joined: 9.Aug.2005
Status: offline
Hmmm, having read a bit more into this, and looking at some other newsgroup errors, it appears that this error "Result Code 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED" is suggesting that the packet is spoofed. But why would ISA think that the VPN client was spoofing the address? I tested last night from home: I set the logging running, and disconnected/re-connected VPN; each time 2 DHCP requests were denied with the spoofed error. Our internal network is configured as 192.168.0.1 - 192.168.0.255, not sure how ISA can be seeing 'Client IP 192.168.0.30 from Source Network VPN Clients' as spoofed! Any suggestions on this would be greatly appreciated!

Ben
RE: DHCP Request Denied - 24.Jan.2007 9:53:49 AM
bjblackmore
Posts: 80
Joined: 9.Aug.2005
Status: offline
Well, after phoning Microsoft, and opening a support case (we have 2 free under our TechNet subscription), it turns out that this is a problem between Windows 2003 & ISA2004/2006. According to the support technician, when ISA hands out the IP address, it takes up to 5 seconds for the routing table to be updated. This delay means that any traffic such as a DHCP request is seen as coming from an IP address that shouldn't exist on that network, so is deemed to have been spoofed, and so is denied! I was told by the technician to add the following to the registry and reboot, which *should* solve the issue. I have added the registry setting, but not rebooted yet, due to people being online, so can't confirm whether it works or not.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\FWSRV]
"FWS_PNP_IPHELPER_QUITE_PERIOD"=dword:000005dc

Ben
< Message edited by bjblackmore -- 24.Jan.2007 9:56:06 AM >
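Added example, not from this thread or from ISA Server: a small Python triage of firewall-log records denied with 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED, which separates the VPN-client DHCP race described in the posts above (a DHCP request from the VPN Clients network, UDP 68 to 255.255.255.255:67, dropped before the routing table catches up) from spoof denials that deserve investigation. The tab-separated field layout, the field names and the sample records are constructed for the example and are not the real ISA W3C log format.

```python
# Added example (not from the thread or from ISA Server): triage firewall-log
# records denied with 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED, separating
# the VPN-client DHCP race described above from denials that deserve a look.
# The tab-separated layout is an assumption, not the real ISA W3C log format.
FIELDS = ["time", "client_ip", "src_port", "dst_ip", "dst_port", "transport",
          "protocol", "action", "result", "src_net", "dst_net"]
SPOOF_CODE = "0xc0040014"

# Constructed sample: two VPN DHCP requests dropped as spoofed, the same client
# allowed seconds later, and one unrelated spoof drop from an outside address.
SAMPLE_LOG = """\
20:43:54\t192.168.0.30\t68\t255.255.255.255\t67\tUDP\tDHCP (request)\tDenied\t0xc0040014\tVPN Clients\tLocal Host
20:43:58\t192.168.0.30\t68\t255.255.255.255\t67\tUDP\tDHCP (request)\tDenied\t0xc0040014\tVPN Clients\tLocal Host
20:44:05\t192.168.0.30\t1025\t192.168.0.10\t53\tUDP\tDNS\tAllowed\t0x0\tVPN Clients\tInternal
20:51:12\t10.9.9.9\t4444\t192.168.0.10\t445\tTCP\tTCP 445\tDenied\t0xc0040014\tExternal\tInternal
"""

def parse(text):
    """Turn the tab-separated text into one dict per record (blank lines skipped)."""
    return [dict(zip(FIELDS, line.split("\t"))) for line in text.splitlines() if line.strip()]

def is_vpn_dhcp_race(rec):
    """Exact shape of the benign denial from the thread: a DHCP request from the
    VPN Clients network, UDP 68 -> broadcast 67 to Local Host, dropped as spoofed."""
    return (rec["result"] == SPOOF_CODE and rec["protocol"] == "DHCP (request)"
            and rec["transport"] == "UDP" and rec["src_port"] == "68"
            and rec["dst_ip"] == "255.255.255.255" and rec["dst_port"] == "67"
            and rec["src_net"] == "VPN Clients" and rec["dst_net"] == "Local Host")

def later_allowed(rec, records):
    """True if the same client is later allowed from the same network, i.e. the
    address was legitimate once ISA's routing table caught up (not spoofing)."""
    return any(r["action"] == "Allowed" and r["client_ip"] == rec["client_ip"]
               and r["src_net"] == rec["src_net"] and r["time"] > rec["time"]
               for r in records)

def triage(records):
    """Return {"vpn_dhcp_race": {client_ip: count}, "investigate": [records]}."""
    race, investigate = {}, []
    for rec in records:
        if rec["result"] != SPOOF_CODE:
            continue
        if is_vpn_dhcp_race(rec) and later_allowed(rec, records):
            race[rec["client_ip"]] = race.get(rec["client_ip"], 0) + 1
        else:
            investigate.append(rec)
    return {"vpn_dhcp_race": race, "investigate": investigate}

if __name__ == "__main__":
    for kind, hits in triage(parse(SAMPLE_LOG)).items():
        print(kind, hits)
```

A client that racks up spoof denials without ever being allowed afterwards is the case to look at; the registry quiet period from the thread only addresses the race.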
RE: DHCP Request Denied - 30.Jan.2007 9:32:25 AM
dmutsaers
Posts: 45
Joined: 1.Aug.2003
From: The Netherlands
Status: offline
Strange registry key. I can't find anything similar in my registry. Does it work?
RE: DHCP Request Denied - 30.Jan.2007 9:40:21 AM
bjblackmore
Posts: 80
Joined: 9.Aug.2005
Status: offline
Seems to have worked, in that VPN clients now receive full DHCP scope information. However, I still have a problem as VPN clients are not updating their DNS records. So if you're in the office today, and have IP 192.168.0.30, but then tomorrow connect via the VPN, you'll get an IP of say 192.168.0.150, along with all your DHCP info, but DNS will still have an IP record of 192.168.0.30. Anyone who pings your hostname will get that IP back with no reply, rather than a reply from your real/live IP. DHCP *should* register the records with DNS as it assigns them to VPN clients. I know VPN XP clients should update their own records; however, we install the VPN connection using CMAK, and there is no option in CMAK to enable 'register this connection with DNS' like there is in a manual VPN connection.
RE: DHCP Request Denied - 30.Jan.2007 10:02:30 AM
dmutsaers
Posts: 45
Joined: 1.Aug.2003
From: The Netherlands
Status: offline
quote:
ORIGINAL: bjblackmore
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\FWSRV]
"FWS_PNP_IPHELPER_QUITE_PERIOD"=dword:000005dc

I can't find the bold & underlined portion of the key. Should I add it (ISA2006)? Best regards, Dennis.
RE: DHCP Request Denied - 30.Jan.2007 10:11:40 AM
bjblackmore
Posts: 80
Joined: 9.Aug.2005
Status: offline
Yeah, should be OK. We're using ISA 2006, and I got a .reg file from MS tech support that I just merged with the registry, but creating it manually should work fine. Restart (preferably reboot) the firewall service after!
RE: DHCP Request Denied - 2.Feb.2007 2:43:13 AM
Erockalator
Posts: 6
Joined: 19.Oct.2004
Status: offline
I am running Server 2000 sp4, and ISA 2004 sp1. I had to add the bold/underlined keys, but it did not fix anything for me. Any additional input would be appreciated. E
RE: DHCP Request Denied - 12.Feb.2007 8:59:01 PM
meshu
Posts: 1
Joined: 12.Feb.2007
Status: offline
Finally this worked!!! Thanks so much Ben. I really wish MS would write an article about this. Mine took about 3-4 hours to start working for some reason though even after a system reboot. Not really sure why, but you might want to wait a while before giving up hope on this solution. Thanks again Ben!!!
RE: DHCP Request Denied - 13.Feb.2007 4:15:35 AM
bjblackmore
Posts: 80
Joined: 9.Aug.2005
Status: offline
Hey, No worries, glad to be of service! There are a few hotfixes that may also help, M$ sent them to me after I applied this update, two are pre SP2 for Win2003 hotfixes, so they 'should' be available in the official SP2 release, one is a pre SP3 hotfix for winXP, (although both these SPs have been delayed). The KBs for these are: 923200 & 920192 for Win2003, and 915357 for WinXP. (I have full urls & passwords from M$, but probably shouldn't post these on a public site!) Ben
RE: DHCP Request Denied - 2.Apr.2007 9:33:13 AM
latham
Posts: 3
Joined: 2.Apr.2007
Status: offline
We run ISA 2004 SP2 on Windows 2003 Standard Edition SP2. I set up our VPN server to handle addressing per Tom's article (great article) http://www.isaserver.org/tutorials/2004dhcprelay.html approximately 4 months ago. It worked perfectly until just over one week ago when ISA started to log these messages:

Result Code 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED
Destination IP 255.255.255.255
Destination Port 67
Protocol DHCP (request)
Action Denied Connection

End users started complaining that they could establish a VPN connection, but could not access internal resources. If they disconnected and reconnected it would usually resolve the problem. This started at the exact time the DHCP deny messages were logged on ISA. I had made no configuration changes on ISA or the 2003 server. I upgraded from Windows 2003 SP1 to SP2 this weekend as reading this thread suggested SP2 might resolve the problem. I am still receiving complaints from end users that they are able to establish a VPN connection, but can not access network resources. I haven't been able to speak directly with any of them while connected, but I'm only assuming that they can not access resources once the VPN is established because they are being denied a DHCP address. I have not tried the suggested registry addition yet, but was looking to see if anyone had an updated status in the last 6 weeks? If no further updates to this problem, I'll attempt the registry addition later this week.

Ryan
RE: DHCP Request Denied - 2.Apr.2007 9:42:43 AM
bjblackmore
Posts: 80
Joined: 9.Aug.2005
Status: offline
If you don't have any success with the registry change, let me know, and I'll email the hotfixes over!
RE: DHCP Request Denied - 3.Apr.2007 9:30:10 AM
latham
Posts: 3
Joined: 2.Apr.2007
Status: offline
Ben, I rebooted the ISA server last night after adding the registry key and am still experiencing connectivity issues and logging the denied DHCP requests. If you could send me the hotfixes that would be outstanding.

Thanks, Ryan
RE: DHCP Request Denied - 3.Apr.2007 9:39:00 AM
bjblackmore
Posts: 80
Joined: 9.Aug.2005
Status: offline
Hi Ryan, I will email you with the hotfixes. Meanwhile, here is a list from the final email from M$ that details our entire solution; it contains the details on how to apply the hotfixes, and the other info might help as well:

PROBLEM: VPN clients are failing to register in DNS
RESOLUTION:
· VPN clients are unable to get a dynamic IP address from DHCP server.
· Referred http://support.microsoft.com/kb/917025 - Error message in ISA Server 2004 when you configure an IPsec tunnel mode site-to-site VPN on an ISA Server 2004-based computer: "0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED" and edited HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\FWSRV "FWS_PNP_IPHELPER_QUITE_PERIOD"=dword:000005dc
· Analyzed ISABPA, ISAINFO, MPSREPORTS on ISA server and NETMON traces and found that VPN clients are getting connected without any issues
· Then found that the issue is with VPN client computers not registering their names in the DNS. The client computers are getting the IP address and details from the DHCP server.
· All client computers are rolled out with the CMAK for VPN access. Set IP
· Followed http://support.microsoft.com/kb/294785 - New group policies for DNS in Windows Server 2003
· Now VPN Clients are receiving correct DHCP scope information however DHCP/VPN Clients are not updating DNS
· You set IPDnsFlags =1 in rasphone.pbk has an entry and connected successfully.
· With the help of Developer support, created the script to change this on all CMAK clients.
· Set the registry key DnsRegistrationUseDcCredentials to 1
· Checked the DHCP and DNS is working in Internal Network (Internal clients are registering and updating records with dynamic and static IP client)
· Updated DHCPsvc.dll on clients (hotfix 915357)
· Updated TCPIP.sys and Ipnat.sys on ISA (hotfix 923200 and hotfix 926754)
· Updated TCPIP.sys and DNS.exe on the DC with DNS (hotfix 923200 and hotfix 920192)
· Checked the DNS settings - Set dynamic updates to Secure and non secure
· Removed the DHCP service account from DNSUpdateProxy group
· Referred for the behaviour of Using DHCP with ISA/VPN Server Clients - http://www.isaserver.org/tutorials/dhcpoptions.html

Ben
RE: DHCP Request Denied - 4.Apr.2007 1:09:13 PM
latham
Posts: 3
Joined: 2.Apr.2007
Status: offline
After spending a little more time on this I discovered it wasn't actually an issue specifically with DHCP. ISA was blocking multiple types of traffic because it thought the internal addresses being issued by the DHCP relay to the VPN clients were spoofed. So it was dropping several types of traffic, such as DNS, NetBIOS, etc. The only option I could figure out was to run the following MS article - http://support.microsoft.com/kb/838114/. I implemented this early this morning and the traffic is no longer being dropped by the ISA server for valid VPN clients. Ben - thanks for sending over the hotfixes; as an FYI these have all been rolled up into 2003 SP2, which I had already applied to our ISA and DC servers.
RE: DHCP Request Denied - 1.Jun.2007 5:03:05 AM
justmee
Posts: 505
Joined: 14.May2007
Status: offline
Hi guys, Ben thank you for being so kind and sharing this with us. That reg patch really works. Before seeing your posts I had fixed this by disabling IP spoofing on ISA. Thanks again! By the way the reg patch is:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\FWSRV]
"FWS_PNP_IPHELPER_QUITE_PERIOD"=dword:000005dc

Just simply copy these lines into a Notepad file and save this file with the extension ".reg". Double-click it and things will start to look good. The VPN client will send two DHCPINFORM packets if no reply is received. With this patch only one of them is declared as spoofed. The other one will make it. The discussion point before seeing your comments was: http://forums.isaserver.org/fb.aspx?m=2002045624 I'll post there the links to your comments.

Best regards!
RE: DHCP Request Denied - 1.Jun.2007 7:18:47 AM
Batelogo
Posts: 5
Joined: 11.Feb.2004
Status: offline
Hi, for me it worked with a new rule, DHCP Relay, which is: From: Local Host; To: DHCP Server; Protocol: new protocol, port 67 - UDP - send/receive; Users: All users. The order of the rules is: 1 - DHCP Reply (Local Host to VPN Clients); 2 - DHCP Request (VPN Clients to Local Host); 3 - DHCP Relay.