Network Adapter Errors

Network Adapter Errors - 14.Aug.2007 10:15:26 AM   
NickW2008

 

Posts: 2
Joined: 14.Aug.2007
Status: offline
Hi,

Since setting up a site-to-site VPN we receive the following error detailed in the MS KB 884496. 

Description: ISA Server detected routes through the network adapter WAN that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: [x.255.255.255]. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
 
Our DMZ uses a private address range that’s been subnetted and our remote site also uses a subnet of the same private address range.  This error started after creating the site-to-site VPN link clearly because the x.255.255.255 address is associated with the DMZ adapter - hence the spoofed error.

Any thoughts as to how best to resolve this would be appreciated.  Ideally we would rather not change all addresses at the remote site.

Regards
Post #: 1
RE: Network Adapter Errors - 14.Aug.2007 11:29:17 AM   
tshinder

 

Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: online
If everything is working as you expect, then you can ignore the error.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to NickW2008)
Post #: 2
RE: Network Adapter Errors - 17.Aug.2007 3:41:59 AM   
NickW2008

 

Posts: 2
Joined: 14.Aug.2007
Status: offline
Unfortunately our site-to-site VPN isn't working.
 
Regards
 
Nick

(in reply to tshinder)
Post #: 3
RE: Network Adapter Errors - 17.Aug.2007 10:22:07 AM   
tshinder

 

Posts: 47181
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Nick,

OK, I just read your first post again. Yes, you can't use the same Network IDs on both sides or the ISA Firewall won't be able to route the connections.

Tom

(in reply to NickW2008)
Post #: 4
RE: Network Adapter Errors - 17.Jun.2008 5:18:15 PM   
terminic

 

Posts: 6
Joined: 20.Aug.2007
Status: offline
Tom,

I am assuming that it is impossible to NAT the VPN connections to other addresses to overcome this like you would on a PIX or ASA, correct?

Chris Termini

(in reply to tshinder)
Post #: 5
RE: Network Adapter Errors - 17.Jun.2008 11:21:49 PM   
gbarnas

 

Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Status: offline
For some reason, ISA adds the default network (not subnet) broadcast address to the network address definitions. While it may be needed, it's often incorrect. For example, if I define a subnet 172.16.0.0/24 on one interface and 172.16.1.0/24 on another, it will add 172.16.255.255 to both, and then complain about it. Well - duh!

I remove the auto-added broadcast addresses and define my own, correct values. In the example above, I add 172.16.0.255 and 172.16.1.255 respectively, which are the correct SUBNET broadcast addresses.

Glenn

(in reply to NickW2008)
Post #: 6
RE: Network Adapter Errors - 18.Jun.2008 4:09:23 AM   
Jason Jones

 

Posts: 1981
Joined: 30.Jul.2002
From: United Kingdom
Status: online
quote:

ORIGINAL: gbarnas

For some reason, ISA adds the default network (not subnet) broadcast address to the network address definitions. While it may be needed, it's often incorrect. For example, if I define a subnet 172.16.0.0/24 on one interface and 172.16.1.0/24 on another, it will add 172.16.255.255 to both, and then complain about it. Well - duh!

I remove the auto-added broadcast addresses and define my own, correct values. In the example above, I add 172.16.0.255 and 172.16.1.255 respectively, which are the correct SUBNET broadcast addresses.

Glenn


I raised this as a bug with MS PSS a while ago and they said it was due to the way that Windows creates the routing tables. It always seems to assume the broadcast address is the "pure" class broadcast address and seems to ignore the correct broadcast if you have subnetted networks. The important thing is to get the OS routing tables and ISA in sync as much as possible and this will prevent the ISA alerts.

Not sure if this is the same in Win2k8?

Cheers

JJ

_____________________________

Jason Jones
Microsoft MVP (Forefront Edge Security)

Silversands Ltd
http://www.silversands.co.uk
View My Blog: http://blog.msfirewall.org.uk/

Get Our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to gbarnas)
Post #: 7
RE: Network Adapter Errors - 28.Aug.2008 1:08:44 PM   
sketchy00

 

Posts: 14
Joined: 8.Aug.2008
From: Bellevue, WA
Status: offline
I think I'm running into the same thing (getting that same alert in ISA about non-correlating routes), but am not 100% sure on how to fix it.  I am building up an ISA 2006 (a Celestix unit), and have DMZ1 and DMZ2 interfaces.  One has a 10.20.0.0 /16 subnet, while the other has a 10.30.0.0 /16 subnet.  Those networks in ISA were defined by address range.  If I did an "add adapter" it assumes that this is a pure class, and wants to put in a 10.0.0.0 /8.  Even when I don't do that, I look in the routing table, and I see:

10.255.255.255    255.255.255.255    10.20.0.1    DMZ1    10
10.255.255.255    255.255.255.255    10.30.0.1    DMZ2    10

among some of the others of:

10.20.0.0    255.255.0.0    216.190.22.17    DMZ1    10
10.20.0.1    255.255.255.255     127.0.0.1    Loopack    10
10.30.0.0    255.255.0.0    216.190.22.17    DMZ2    10
10.30.0.1    255.255.255.255     127.0.0.1    Loopack    10
etc.

So my question is, can or should I remove those first two routes, and will they reappear if I do?

- Sketchy

(in reply to Jason Jones)
Post #: 8
RE: Network Adapter Errors - 29.Aug.2008 9:11:37 AM   
gbarnas

 

Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Status: offline
We've discussed this offline, but for the benefit of others...

You don't need to modify the routes - they are generally correct. ISA will define a broadcast address based on the network class and not the actual subnet. As Jason mentioned, this is likely a bug in the configuration logic. 

To correct this, you need to open the network properties dialog, go to the Address tab, and remove the broadcast address that ISA defined, and then define the correct broadcast address by clicking Add Range, and specifying the broadcast address for start and end addresses.

For example, your 10.20.0.0/16 network should have a 10.20.255.255 broadcast, but ISA defines 10.255.255.255. It has the same address in the 10.30.0.0 network, which results in the error messages. Changing both to the correct 10.20.255.255 and 10.30.255.255 will solve the problem and eliminate the error.

Glenn

(in reply to sketchy00)
Post #: 9
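
Added example (not part of the original thread, and not ISA Server code): a short Python check that, for each network definition, computes the classful broadcast address the posts above describe ISA adding, the correct subnet broadcast to define instead, and any classful broadcast that ends up shared by more than one network. The function names and the sample input are assumptions made for illustration; the sample uses the two DMZ networks from the thread.

```python
import ipaddress
from collections import defaultdict

def classful_broadcast(ip):
    """Broadcast address of the classful (A/B/C) network that contains ip."""
    first = int(ip.split(".")[0])
    if first < 128:
        prefix = 8       # class A
    elif first < 192:
        prefix = 16      # class B
    elif first < 224:
        prefix = 24      # class C
    else:
        raise ValueError("not a class A/B/C unicast address: " + ip)
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False).broadcast_address

def audit(networks):
    """networks: {name: CIDR}. Returns (per-network report, shared classful broadcasts)."""
    report, owners = {}, defaultdict(list)
    for name, cidr in networks.items():
        net = ipaddress.ip_network(cidr)
        classful = classful_broadcast(str(net.network_address))
        report[name] = {
            "subnet_broadcast": str(net.broadcast_address),   # value to define by hand
            "classful_broadcast": str(classful),              # value to look for and remove
            "needs_fix": classful != net.broadcast_address,
        }
        owners[str(classful)].append(name)
    # A classful broadcast listed under two networks is the ambiguity the alert reports.
    conflicts = {addr: names for addr, names in owners.items() if len(names) > 1}
    return report, conflicts

# Constructed input: the two DMZ networks described in the thread.
SAMPLE = {"DMZ1": "10.20.0.0/16", "DMZ2": "10.30.0.0/16"}

if __name__ == "__main__":
    report, conflicts = audit(SAMPLE)
    for name, row in report.items():
        print(name, row)
    print("shared classful broadcasts:", conflicts)
```
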
RE: Network Adapter Errors - 29.Aug.2008 9:44:20 AM   
sketchy00

 

Posts: 14
Joined: 8.Aug.2008
From: Bellevue, WA
Status: offline
Thanks Glenn.  It's nice to know I wasn't going too crazy over here by what I was seeing. 

(in reply to gbarnas)
Post #: 10
