SPOOFING_PACKET_DROPPED from remote site in VPN to ISA Array

SPOOFING_PACKET_DROPPED from remote site in VPN to ISA... - 11.Jul.2007 5:27:30 PM   
rGreg

 

I have 2 ISA 2006 Enterprise servers in an array in the main office.  (HQ1 and HQ2)
3 remote ISA 2006 Enterprise servers (Single server arrays) servers connect via L2TP/IPSEC VPNs.

ISA puts 2 VPN tunnels on one array server, and 1 on the other.
The tunnels are up fine, and I can get to all devices in the remote site.

I have 2 interesting problems.

#1 is annoying only - The HQ Array constantly alerts "ISA Server VPN Tunnel redistribution is recommended".  It seems it wants 1.5 connections on each member.

#2 is more serious. Our ISA configuration server is on HQ1. Any site that has its VPN tunnel connected to the array via HQ2 cannot access HQ1. Pings follow the same pattern. If I ping from a remote site connected via HQ1, it can ping HQ1 but not HQ2. If I ping from a remote site connected via HQ2, it can ping HQ2 but not HQ1. When any of these connections fail, the log shows a denied connection with a result code of "0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED". The source address of that dropped connection is an address from the VPN static pool.

We are using static address pools all around (required on multi-server arrays).  I am aware of http://support.microsoft.com/kb/917025 - but that doesn't seem to apply because the tunnels are fully up.  I am also aware I can turn off spoofing detection - but I really don't want to.

The HQ Array is made up of 2 servers - each with 3 physical interfaces - Inside/Outside/Intra-Array

Thanks All.
rGreg
Post #: 1
RE: SPOOFING_PACKET_DROPPED from remote site in VPN to... - 11.Jul.2007 7:02:50 PM   
johnny_mango

 

Hi, with regards to your spoofing problem, the most likely cause is that the range of addresses you put in the static pool is a subset of the addresses defined in the properties of the Internal Network.
As far as I am aware, you can put pretty much anything for the static pool, as long as it doesn't overlap, for if it overlaps how can the ISA determine what is a VPN client and what is an internal client?

(in reply to rGreg)
Post #: 2
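The overlap check johnny_mango describes, written out as an added example (not code from the thread or from ISA Server): it takes the "from"/"to" pairs ISA uses for the Internal network ranges and for the VPN static address pool and reports any addresses that appear in both. All range values below are constructed for illustration and are not the poster's configuration; the "bad" pool is deliberately carved out of the Internal range so the collision shows up, the "good" pool sits in an unused private range.

```python
import ipaddress

# Constructed sample ranges (not taken from the thread): the address ranges
# ISA holds in the Internal network definition, and two candidate VPN static
# address pools to check against them.
INTERNAL_RANGES = [
    ("10.0.0.1", "10.0.255.254"),
    ("192.168.50.1", "192.168.50.254"),
]
# Assumed bad pool: a slice of the Internal range, so a VPN client's source
# address looks like an Internal host showing up on the wrong interface.
BAD_STATIC_POOL = [("10.0.200.1", "10.0.200.50")]
# Assumed good pool: an unused private range outside every Internal range.
GOOD_STATIC_POOL = [("172.16.100.1", "172.16.100.50")]


def parse_range(first, last):
    """Turn an ISA-style 'from'/'to' pair into inclusive integer bounds."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return lo, hi


def find_overlaps(internal_ranges, pool_ranges):
    """Return every (pool_range, internal_range, shared_range) where a VPN
    static pool range intersects an Internal network range."""
    hits = []
    for pool in pool_ranges:
        plo, phi = parse_range(*pool)
        for net in internal_ranges:
            nlo, nhi = parse_range(*net)
            lo, hi = max(plo, nlo), min(phi, nhi)
            if lo <= hi:  # non-empty intersection
                shared = (str(ipaddress.IPv4Address(lo)),
                          str(ipaddress.IPv4Address(hi)))
                hits.append((pool, net, shared))
    return hits


def pool_is_clear(internal_ranges, pool_ranges):
    """True when no pool address is also an Internal network address."""
    return not find_overlaps(internal_ranges, pool_ranges)


if __name__ == "__main__":
    for label, pool in (("bad", BAD_STATIC_POOL), ("good", GOOD_STATIC_POOL)):
        hits = find_overlaps(INTERNAL_RANGES, pool)
        print(label, "pool:", "clear" if not hits else hits)
```

Run it as-is to see the bad pool flagged with the exact shared addresses and the good pool reported clear; to check a real configuration, replace the constructed lists with the ranges shown in the ISA console's Internal network properties and the VPN static address pool.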
RE: SPOOFING_PACKET_DROPPED from remote site in VPN to... - 11.Jul.2007 10:57:34 PM   
rGreg

 

Thanks... But no dice. ISA does not allow you to define that type of overlap.

(in reply to johnny_mango)
Post #: 3
