Site To Site - Spoofing Packet Dropped??

All Forums >> [ISA 2006 Firewall] >> VPN >> Site To Site - Spoofing Packet Dropped??
Site To Site - Spoofing Packet Dropped?? - 4.Mar.2007 12:05:05 PM   
duffo (Posts: 37, Joined: 14.Jan.2004, From: London)
Hello ISA Gurus!

Here is the environment:
1. My Side
ISA Server 2006
2. Remote Site
Cisco VPN 3000 Concentrator

I am trying to create a Site to Site VPN using ISA. We have created the tunnel on both sides and here is the config on my end:

Local Tunnel Endpoint: 999.222.122.67
Remote Tunnel Endpoint: 999.209.156.136

IKE Phase I Parameters:
   Mode: Main mode
   Encryption: 3DES
   Integrity: SHA1
   Diffie-Hellman group: Group 2 (1024 bit)
   Authentication Method: Pre-shared secret (test)
   Security Association Lifetime: 28800 seconds

IKE Phase II Parameters:
   Mode: ESP tunnel mode
   Encryption: 3DES
   Integrity: SHA1
   Perfect Forward Secrecy: ON
   Diffie-Hellman group: Group 2 (1024 bit)
   Time Rekeying: ON
   Security Association Lifetime: 3600 seconds
   Kbyte Rekeying: OFF
Remote Network 'OtherSite' IP Subnets:
   Subnet: 999.109.157.55/255.255.255.255
   Subnet: 999.209.156.136/255.255.255.255

I have also set up access rules permitting all traffic in both directions between both protected networks.

If the remote site tries to ping a protected host on our side I see the following on the ISA Server:

1 ) I see VPN session appear on the Sessions tab of the Monitoring Section of the ISA Management Console
2 ) I see an IKE packet from the other site between peers
3 ) I see a log entry which shows the PING packet has been denied; however, it is not being denied by any firewall rule. Instead there is the following error code in the log:
0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED

A Cisco support guy has looked at the logs on the other side and he says that the negotiation for Phase 2 is not completing and the ISA is not responding, and thus the tunnel is not up. However, on my side it looks like the tunnel is up because I can see the ping packet arrive, but it is blocked by ISA for some reason.

Can anyone advise on the following:
1. Is there somewhere in ISA that I can see the log entries for the tunnel negotiation with the other peer and perhaps get an idea as to why the tunnel is failing?

OR

2. Does anyone know why I get the FWX_E_FWE_SPOOFING_PACKET_DROPPED error in the firewall logs?

The thoughts / ideas of the members of this knowledgeable forum would be valued.
Many thanks,
Tim

Post #: 1
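Added example, not part of the original post and not Microsoft's code: a small Python model of the check behind result code 0xc0040014. ISA's IP spoof detection drops a packet that arrives on a network (here the site-to-site "OtherSite" network object) when its source address is outside the address ranges defined for that network, and that drop is logged as FWX_E_FWE_SPOOFING_PACKET_DROPPED rather than as a rule denial. The script parses a remote-network dump in the same "Subnet: addr/dotted-mask" shape quoted above and reports which remote source addresses would pass or be dropped. The addresses are constructed: RFC 5737 documentation ranges stand in for the poster's redacted "999." values, and the /24 used in the corrected definition is an assumption about the size of the remote LAN.

```python
"""Model of ISA Server's per-network IP spoof check for a site-to-site VPN.

ISA drops a packet as spoofed (0xc0040014, FWX_E_FWE_SPOOFING_PACKET_DROPPED)
when it arrives on a network but its source address is not inside that
network's defined address ranges. For a site-to-site tunnel the network is
the remote-site network object, so every remote host that sends traffic
through the tunnel must fall inside the subnets listed for it.

All configuration text and addresses below are constructed for this example.
"""
import ipaddress
import re

SPOOF_DROP = "0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED"

# Constructed stand-in for the "Remote Network 'OtherSite' IP Subnets" block
# in the post: same shape (two /32 entries, one of them the remote tunnel
# endpoint itself), RFC 5737 addresses instead of the redacted "999." ones.
REMOTE_NETWORK_AS_POSTED = """\
Remote Network 'OtherSite' IP Subnets:
   Subnet: 192.0.2.55/255.255.255.255
   Subnet: 203.0.113.136/255.255.255.255
"""

# Same network object with the whole remote LAN covered (the /24 is assumed).
REMOTE_NETWORK_FIXED = """\
Remote Network 'OtherSite' IP Subnets:
   Subnet: 192.0.2.0/255.255.255.0
   Subnet: 203.0.113.136/255.255.255.255
"""

_SUBNET_RE = re.compile(
    r"^\s*Subnet:\s*(\d+\.\d+\.\d+\.\d+)/(\d+\.\d+\.\d+\.\d+)\s*$"
)


def parse_isa_subnets(text):
    """Turn the 'Subnet: addr/dotted-mask' lines of an ISA network dump into networks."""
    nets = []
    for line in text.splitlines():
        m = _SUBNET_RE.match(line)
        if m:
            # strict=False tolerates host bits in the address part, as ISA does.
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    return nets


def spoof_check(src, remote_nets):
    """Return None if src lies inside the remote network, else the ISA drop code."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in remote_nets):
        return None
    return SPOOF_DROP


def audit(config_text, sources):
    """Map each candidate source address to the verdict the spoof check gives."""
    nets = parse_isa_subnets(config_text)
    return {src: spoof_check(src, nets) for src in sources}


if __name__ == "__main__":
    # A ping from the one listed host passes; a ping from any other host on
    # the remote LAN is dropped as spoofed even though an allow rule exists,
    # which is exactly the symptom of a rule-less denial in the firewall log.
    probes = ["192.0.2.55", "192.0.2.77"]
    for label, cfg in (("as posted", REMOTE_NETWORK_AS_POSTED),
                       ("fixed", REMOTE_NETWORK_FIXED)):
        for src, verdict in audit(cfg, probes).items():
            print(f"{label:9} src={src:12} -> {verdict or 'passed spoof check'}")
```

The practical check this encodes: before looking at IKE, compare the source address in the denied log entry against every subnet listed for the remote-site network; if it is not inside one of them, the drop is the spoof check, not the tunnel, and the network definition (not the access rule) needs the missing range.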
RE: Site To Site - Spoofing Packet Dropped?? - 1.Jul.2007 3:35:28 AM   
download2m (Posts: 3, Joined: 1.Jul.2007)
You can try these topics:
http://support.microsoft.com/kb/917025
and, to disable the IP Spoof Detection feature in Microsoft ISA Server 2004:
http://support.microsoft.com/kb/838114/

_____________________________

Best Wishes

Mohamed Fathy
ERP Project Coordinator
MCP, MCSE, MCSA , A+ , NET +,

(in reply to duffo)
Post #: 2