I've got a working Site-to-Site IPSec tunnel from our ISA 2004. This tunnel is used to secure bidirectional mail from a customs application to customs. But when I turn on logging, every couple of packets I see a "denied connection" with status "A packet was dropped because ISA Server determined that the source IP address is spoofed".
Source: Internal (our mail server)
Destination: Customs (mail server)
However, mail is passing through both ways. I don't get it. Why do I get these errors?
Is this the error message you see (my , they make it into the TMG MBE too, already there were plenty of image problems), like so: http://support.microsoft.com/kb/917025 I think Win SP2 fixes the idle timer issues (at least with ISA 2006). Have you installed Win SP2 on your ISA? So your traffic is not blocked (you do not experience packet loss; your logs seem to indicate that "some" traffic was dropped)?
quote:
ORIGINAL: adimcev
Not quite, I think that is for VPN clients.
Is this the error message you see (my , they make it into the TMG MBE too, already there were plenty of image problems), like so: http://support.microsoft.com/kb/917025 I think Win SP2 fixes the idle timer issues (at least with ISA 2006). Have you installed Win SP2 on your ISA? So your traffic is not blocked (you do not experience packet loss; your logs seem to indicate that "some" traffic was dropped)?
Actually I was kinda guessing too; the KB article is a little confusing (I do not have access to an ISA 2004). They do not mention Win SP2 to fix the idle timer issues, where the idle timer is applied even when there is traffic, causing "unwanted" IKE QM re-negotiations (they only mention that Win 2003 SP1 was installed, which means idle timer troubles). From that KB, it appears that they increase the idle timer to the max (1 hour) to ensure that the minimum number of IKE QM negotiations will take place, and some queued packets will always (or so) be dropped when IKE negotiations take place. So in the end, by modifying that reg value, the IKE QM negotiations will take place only when the IPsec SA expires (if the default lifetime in seconds (3600) is kept), but it appears that it might still be possible for some packets to be dropped as spoofed (due to the firewall engine kernel-mode driver not reading the flags correctly). And dropped may not quite be truly equal to lost (for example, they do not say that the existing TCP connections will be terminated by the firewall engine).
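One way to check the hypothesis in this post against your own logs is to look at the timing of the "spoofed" drops: if they come in short bursts spaced roughly at the IPsec SA lifetime (3600 s by default) they line up with SA-expiry rekeys, whereas bursts that recur much more often point at idle-timer-driven IKE QM renegotiation. The script below is an added example, not code from the thread, from ISA Server or from the KB article; the log lines and their "date time src dst action status" layout are constructed for illustration and are not ISA 2004's real W3C firewall log format, and the 60 s burst window and 120 s tolerance are assumed knobs.

```python
"""Cluster ISA-style 'spoofed source' drops into bursts and compare the burst
spacing with the IPsec SA lifetime.  Added example; the log format is a
constructed simplification, not ISA Server's real firewall log layout."""
from datetime import datetime

SPOOF_MARK = "source IP address is spoofed"   # substring of the status text quoted in the thread
DEFAULT_SA_LIFETIME_S = 3600                  # default IPsec SA lifetime (seconds), as stated in the thread

# Constructed sample log: date time src dst action status (status is '-' when allowed).
SAMPLE_LOG = """\
2009-03-02 10:00:01 10.0.0.5 192.0.2.10 Allowed -
2009-03-02 10:00:03 10.0.0.5 192.0.2.10 Denied A packet was dropped because ISA Server determined that the source IP address is spoofed
2009-03-02 10:00:04 10.0.0.5 192.0.2.10 Denied A packet was dropped because ISA Server determined that the source IP address is spoofed
2009-03-02 10:12:09 10.0.0.5 192.0.2.10 Allowed -
2009-03-02 10:20:03 10.0.0.5 192.0.2.10 Denied A packet was dropped because ISA Server determined that the source IP address is spoofed
2009-03-02 10:40:02 10.0.0.5 192.0.2.10 Denied A packet was dropped because ISA Server determined that the source IP address is spoofed
2009-03-02 11:00:05 10.0.0.5 192.0.2.10 Denied A packet was dropped because ISA Server determined that the source IP address is spoofed
2009-03-02 11:00:06 10.0.0.5 192.0.2.10 Denied A packet was dropped because ISA Server determined that the source IP address is spoofed
"""


def parse_log(text):
    """Parse the constructed 'date time src dst action status' lines into dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, clock, src, dst, rest = line.split(None, 4)
        action, _, status = rest.partition(" ")
        entries.append({
            "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "src": src, "dst": dst, "action": action, "status": status,
        })
    return entries


def spoof_drops(entries):
    """Only the denials whose status is the anti-spoofing drop."""
    return [e for e in entries if e["action"] == "Denied" and SPOOF_MARK in e["status"]]


def spoof_drop_ratio(entries):
    """Fraction of all logged packets that were dropped as spoofed."""
    return len(spoof_drops(entries)) / len(entries) if entries else 0.0


def drop_bursts(entries, gap_s=60):
    """Group spoof drops that fall within gap_s of the previous one; return burst start times."""
    starts, last = [], None
    for e in sorted(spoof_drops(entries), key=lambda e: e["ts"]):
        if last is None or (e["ts"] - last).total_seconds() > gap_s:
            starts.append(e["ts"])
        last = e["ts"]
    return starts


def burst_intervals(starts):
    """Seconds between consecutive burst starts."""
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]


def classify_intervals(intervals, sa_lifetime_s=DEFAULT_SA_LIFETIME_S, tolerance_s=120):
    """'sa-expiry' if every gap is about one SA lifetime, 'idle-timer' if every gap is
    clearly shorter (frequent QM renegotiation), 'mixed' otherwise."""
    if not intervals:
        return "insufficient-data"
    if all(abs(i - sa_lifetime_s) <= tolerance_s for i in intervals):
        return "sa-expiry"
    if all(i < sa_lifetime_s - tolerance_s for i in intervals):
        return "idle-timer"
    return "mixed"


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"spoof drops: {len(spoof_drops(entries))}/{len(entries)} "
          f"({spoof_drop_ratio(entries):.0%} of logged packets)")
    starts = drop_bursts(entries)
    intervals = burst_intervals(starts)
    print("burst intervals (s):", intervals, "->", classify_intervals(intervals))
```

With the constructed sample the bursts recur every ~20 minutes, far below the 3600 s SA lifetime, so the script reports "idle-timer"; after raising the idle timer as the KB describes you would expect the same analysis on real logs to move toward "sa-expiry", with drops only around the hourly rekey.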