From: Kansas City, MO
At one time my ISA box was working properly, and as I've been trying to iron minor problems out, apparently I changed something causing a major problem.
ANY requests made of the ISA server from an outside machine (such as DNS requests, SMTP attempts, VPN attempts, etc., both TCP and UDP) all get rejected by the packet filter and recorded in the log as spoof attempts. The event log messages read:
Event ID: 15108
Source: Microsoft ISA Server
Category: Packet Filter
ISA Server detected a spoof attack from Internet Protocol (IP) address <ip here>. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.
The packet filter log confirms that the packet was discarded with a log entry that shows the correct destination address (the external interface of the ISA box) and correct source address (the IP of the machine on the internet). Under interface, the correct IP of the external interface of the ISA box is shown.
The last thing I did was remove the DNS service from the ISA box because it wasn't supposed to even be there and it was causing problems publishing my DNS servers that sit behind it. After I rebooted (and have rebooted several times since) this has happened every time.
Has anyone seen this? Where should I start looking? It's killing me....