Welcome to ISAserver.org


Weird Multiple Gateway Multiple ISA Problem HELP ME PLS

Weird Multiple Gateway Multiple ISA Problem HELP ME PLS - 30.Apr.2004 5:30:00 PM   
jasonistre

 

Posts: 5
Joined: 20.May2002
Status: offline
I have 2 internet lines and 2 ISA 2004 servers, one for each line. Clients are configured via DHCP for both gateways with the faster one having a lower metric. I have a single internal subnet which is 192.168.10.0/24. Normally everything works fine, but if anyone on our internal network assigns themselves a static IP address outside of our subnet then the client machines and servers alike start to flop gateways back and forth about every 20-30 secs.

For instance, if I plug in any machine on our network and assign it an address of 192.168.30.20/24 then every client and server alike on our network will constantly flop gateways until that machine is removed.

This causes outside users to notice outages in connectivity, and inside users get disconnected and reconnected to instant messaging programs every few mins.

What can I do to prevent this? Is it an ISA problem, a Windows problem, or a network problem?

I figure the easiest way is to configure our network switches to block all traffic not on the 192.168.10.0/24 subnet, but I'm not sure how to do this with Extreme Network switches, and surely there is a better way.

Thanks!

Jason Istre
Post #: 1
RE: Weird Multiple Gateway Multiple ISA Problem HELP ME... - 1.May2004 10:58:00 AM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hi,

What you mention there is very, very strange.
The strange part is this:

The new host with 192.168.30.x and submask 255.255.255.0 will not even try to contact any servers in subnets it cannot 'see' due to its subnet mask. For instance, if you try to ping from this machine to 192.168.10.1, it will say 'host not reachable' without sending any packets out to your routers/switches. This is standard and is programmed into every TCP/IP machine (otherwise, why use the submasks [Smile]).

- What switches do you use? Tried looking for firmware upgrades and FAQs about this switch?

- What are your servers running? Windows 2003 or Windows 2000? And your clients?

- What type of NIC are you using? 3Com / Realtek / Intel? (Or some other kind?)

- Are you sure ALL your NICs (especially the ones on your DHCP server and ISA servers) are using 255.255.255.0 as subnet mask?

Kind regards,
Lex P.

(in reply to jasonistre)
Post #: 2
RE: Weird Multiple Gateway Multiple ISA Problem HELP ME... - 1.May2004 7:02:00 PM   
jasonistre

 

Posts: 5
Joined: 20.May2002
Status: offline
Right, I understand what you're saying. The subnet mask is correct on every machine on our network: 255.255.255.0.

Here is what the ISA server is logging...

ISA Server name: ISA1

ISA Server detected a spoof attack from Internet Protocol (IP) address 192.168.11.33. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.

In this error an IBM pSeries AIX server was statically assigned the IP address of 192.168.11.33 and subnet mask of 255.255.255.0. When the Ethernet adapter was activated, all the clients on our network... Windows XP, and Windows 2003 servers suddenly started flopping back and forth between the 2 gateways until the AIX server was unplugged. Seems like the existence of the new subnet... any broadcast... might be screwing up a routing table on the ISA server or in the clients?!

(in reply to jasonistre)
Post #: 3
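An added example, not part of either poster's messages and not ISA Server's own code: a simplified Python model of the two checks discussed above, the on-link decision a host makes from its subnet mask (post #2) and the "source not reachable via the receiving interface" test behind the spoof alert (post #3). The interface names, the network table and the sample packets are assumptions constructed for illustration.

```python
import ipaddress

# Assumed layout: one internal NIC for the thread's 192.168.10.0/24 subnet;
# "external" reaches every address that no other interface claims.
INTERFACE_NETWORKS = {
    "internal": [ipaddress.ip_network("192.168.10.0/24")],
}
DEFAULT_INTERFACE = "external"


def is_on_link(host_ip, host_mask, dest_ip):
    """True if dest_ip is inside the host's own subnet (reached directly, no gateway)."""
    iface = ipaddress.ip_interface(f"{host_ip}/{host_mask}")
    return ipaddress.ip_address(dest_ip) in iface.network


def expected_interface(src_ip):
    """Interface through which src_ip is reachable according to the network table."""
    addr = ipaddress.ip_address(src_ip)
    for name, nets in INTERFACE_NETWORKS.items():
        if any(addr in net for net in nets):
            return name
    return DEFAULT_INTERFACE


def is_spoofed(src_ip, arrival_interface):
    """Flag a packet whose source is not reachable via the interface it arrived on."""
    return expected_interface(src_ip) != arrival_interface


def flag_packets(packets):
    """Return the (source, interface) pairs that would be logged as spoofed."""
    return [(src, nic) for src, nic in packets if is_spoofed(src, nic)]


# Constructed sample: (source address, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("192.168.10.25", "internal"),   # normal client
    ("192.168.11.33", "internal"),   # the off-subnet AIX host from the thread
    ("203.0.113.7", "external"),     # Internet host (documentation range)
    ("192.168.10.25", "external"),   # internal source seen on the outside
]

if __name__ == "__main__":
    for src, nic in flag_packets(SAMPLE_PACKETS):
        print(f"spoof alert: {src} arrived on {nic}, expected {expected_interface(src)}")
    # A 192.168.30.20/24 host does not treat 192.168.10.1 as on-link.
    print(is_on_link("192.168.30.20", "255.255.255.0", "192.168.10.1"))
```

In this model the AIX host's 192.168.11.33 source is flagged on the internal interface because the internal network table only covers 192.168.10.0/24, which matches the alert text quoted in the post.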
RE: Weird Multiple Gateway Multiple ISA Problem HELP ME... - 1.May2004 7:10:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hm, not really useful info; the spoof error is quite a 'general' error. I am getting a lot of them due to NLB and I can't get rid of 'em.

How about sniffing the network traffic while you start up your AIX server?
Your AIX server should not send any info to the router, but you never know what service is broadcasting on it.
Have you tried disabling the computer browser service on all your servers / ISA servers?
You'd better post this on the beta newsgroups; there's quite a lot of folk that might know the problem. As far as I can hear it's probably broadcast info / BGP / RIP etc., some kind of router / switch info that's screwing with your routing tables.

Tried a route -print on the ISAs?

Kind regards,
Lex P.

(in reply to jasonistre)
Post #: 4
RE: Weird Multiple Gateway Multiple ISA Problem HELP ME... - 1.May2004 7:11:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Hm, just a question: your AIX server, it doesn't run any DHCP, does it?... [Smile]

Lex P.

(in reply to jasonistre)
Post #: 5
RE: Weird Multiple Gateway Multiple ISA Problem HELP ME... - 1.May2004 8:12:00 PM   
jasonistre

 

Posts: 5
Joined: 20.May2002
Status: offline
Route listings on any of the machines involved look normal.

I have pinpointed the problem to the AIX servers. If the static IP address outside our normal subnet is assigned to a Windows or Linux client the problem does not happen, but when assigned to any AIX server the problem immediately happens.

It should be noted that this problem is only observed with multiple gateways to the internet on a network (even if the AIX servers only are configured for one).

I should also note that this problem happens when used with a Nexland 800 Pro Turbo Firewall Router (which supports multiple WAN ports) as well as with ISA server, so it's probably not a problem with ISA.

Anyway, the solution I'm using is to make sure my AIX admins only assign IP addresses outside of our subnet to interfaces which belong to a separate VLAN from our normal network.

GEEZ

Jason Istre

(in reply to jasonistre)
Post #: 6
RE: Weird Multiple Gateway Multiple ISA Problem HELP ME... - 2.May2004 11:35:00 AM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
OK, nice to know that it's not an ISA problem [Smile]
Good luck with your implementation.

Kind regards,
Lex P.

(in reply to jasonistre)
Post #: 7
