
Welcome to ISAserver.org


Please can someone help me understand the network behind a network concept, please.

Please can someone help me understand the network behin... - 1.Jul.2005 5:33:00 AM   
future2000

 

Posts: 35
Joined: 26.Feb.2004
From: Guildford
Status: offline
Hi,

I can't seem to understand why my ISA server is still generating the following errors; can anyone help? I will attempt to detail my network setup completely, and please bear in mind I've read the ISA 2004 book's network behind a network concept about 100 times and understood it completely, but I'm still receiving the following errors...

ISA Server detected routes through adapter INTERNAL that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 10.40.0.0-10.40.255.255;10.60.0.0-10.60.255.255;10.80.0.0-10.80.255.255;.

and

ISA Server detected routes through adapter EXTERNAL that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 10.40.0.0-10.40.255.255;10.60.0.0-10.60.255.255;10.80.0.0-10.80.255.255;.

and

Microsoft ISA Server Control encountered a failure. The failure occurred during Reading of VPN configuration because the system call MprAdminServerSetCredentials failed. Use the source location 121.2974.4.0.2163.213 to report the failure. The error description is: The binding handle is invalid.

My setup is as follows.

ISA Server 2004 on Windows Server 2003 SP1, with dual NICs.

External (194.168.169.34 / 255.255.255.224)
Internal (10.20.1.3/16)

Our network contains the additional subnets, which can be reached via an internal Cisco router:

10.40.0.0/16
10.60.0.0/16
10.80.0.0/16

I have defined these in the properties of the Internal Network as they are behind the internal NIC in the ISA Server as shown below...

10.20.0.0 - 10.20.255.255
10.40.0.0 - 10.40.255.255
10.60.0.0 - 10.60.255.255
10.80.0.0 - 10.80.255.255
10.255.255.255 - 10.255.255.255

I have added the following static routes to RRAS to enable access to the remote subnets...

10.40.0.0 255.255.0.0 10.20.1.7 INTERNAL
10.60.0.0 255.255.0.0 10.20.1.7 INTERNAL
10.80.0.0 255.255.0.0 10.20.1.7 INTERNAL

My routing table on the ISA server is as follows...

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

W:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 04 23 af 66 87 ...... Intel(R) PRO/1000 MT Dual Port Server Adapte
r #2
0x10004 ...00 04 23 af 66 86 ...... Intel(R) PRO/1000 MT Dual Port Server Adapte
r
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 194.168.169.61 194.168.169.34 10
10.20.0.0 255.255.0.0 10.20.1.3 10.20.1.3 10
10.20.1.3 255.255.255.255 127.0.0.1 127.0.0.1 10
10.40.0.0 255.255.0.0 10.20.1.7 10.20.1.3 1
10.60.0.0 255.255.0.0 10.20.1.7 10.20.1.3 1
10.80.0.0 255.255.0.0 10.20.1.7 10.20.1.3 1
10.255.255.255 255.255.255.255 10.20.1.3 10.20.1.3 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
194.168.169.32 255.255.255.224 194.168.169.34 194.168.169.34 10
194.168.169.34 255.255.255.255 127.0.0.1 127.0.0.1 10
194.168.169.35 255.255.255.255 127.0.0.1 127.0.0.1 10
194.168.169.255 255.255.255.255 194.168.169.34 194.168.169.34 10
224.0.0.0 240.0.0.0 10.20.1.3 10.20.1.3 10
224.0.0.0 240.0.0.0 194.168.169.34 194.168.169.34 10
255.255.255.255 255.255.255.255 10.20.1.3 10.20.1.3 1
255.255.255.255 255.255.255.255 194.168.169.34 194.168.169.34 1
Default Gateway: 194.168.169.61
===========================================================================
Persistent Routes:
None

Can anybody explain to me why I'm still getting the errors shown at the beginning of the article? I've wasted a week and a bit on this now and I really need to understand what is not correct with my configuration! Please Please Please help!
Post #: 1
RE: Please can someone help me understand the network b... - 1.Jul.2005 9:57:00 AM   
isawader

 

Posts: 420
Joined: 27.Apr.2005
Status: offline
My suggestion is, instead of you typing the IP ranges for External and Internal Networks, let ISA grab the settings from the "Add Adapters". It's strange that you have the same IP ranges in both INTERNAL and EXTERNAL.

I would also suggest that you make the internal 10.x.x.x routing as persistent.

[ July 01, 2005, 10:00 AM: Message edited by: isawader ]

(in reply to future2000)
Post #: 2
RE: Please can someone help me understand the network b... - 1.Jul.2005 10:16:00 AM   
future2000

 

Posts: 35
Joined: 26.Feb.2004
From: Guildford
Status: offline
Thanks for your reply. I did originally add the adaptor as you suggest; however, that only picked up the local subnet the adaptor was on, so I then had to manually add the other subnets of our remote networks.

10.40.0.0/16, 10.60.0.0/16 and 10.80.0.0/16.

As for the IP ranges, you cannot define external, that's why I cannot understand why the error in the event log is generated for both adaptors, especially as I've already defined those subnet addresses as being part of the internal network as suggested in the book and articles on this site.

Also, the routes I set up in RRAS are persistent by default and they work too, as I can now route between my sites from the ISA server.

Anyway, thanks for your help. This is really bugging me, I cannot for the life of me figure out what the hell is wrong with my setup. It's not like it's an isolated incident either, I've got another virtually identical box with the same issue occurring!

(in reply to future2000)
Post #: 3
RE: Please can someone help me understand the network b... - 1.Jul.2005 11:08:00 AM   
LLigetfa

 

Posts: 2187
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
I suggest you put the entire 10.0.0.0 to 10.255.255.255 range on your internal and simplify your routes. I too suggest you add a static route for the same 10.0.0.0 scope.

(in reply to future2000)
Post #: 4
RE: Please can someone help me understand the network b... - 4.Jul.2005 3:25:00 AM   
future2000

 

Posts: 35
Joined: 26.Feb.2004
From: Guildford
Status: offline
Thanks for the reply. I did the following: I changed the definition of the internal network to the following...
10.255.255.255
10.0.0.0 - 10.255.255.255

I then removed all my static routes in RRAS leaving only the following...

10.0.0.0 255.0.0.0 10.20.1.7 INTERNAL

Although I can still route to remote subnets OK, the error messages have just changed to the following?!?!?

ISA Server detected routes through adapter EXTERNAL that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 10.0.0.0-10.19.255.255;10.21.0.0-10.255.255.254;.

and

ISA Server detected routes through adapter INTERNAL that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 10.0.0.0-10.19.255.255;10.21.0.0-10.255.255.254;.

My routing table is now as follows...

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

W:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 04 23 af 66 87 ...... Intel(R) PRO/1000 MT Dual Port Server Adapte
r #2
0x10004 ...00 04 23 af 66 86 ...... Intel(R) PRO/1000 MT Dual Port Server Adapte
r
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 194.168.169.61 194.168.169.34 10
10.0.0.0 255.0.0.0 10.20.1.7 10.20.1.3 1
10.20.0.0 255.255.0.0 10.20.1.3 10.20.1.3 10
10.20.1.3 255.255.255.255 127.0.0.1 127.0.0.1 10
10.255.255.255 255.255.255.255 10.20.1.3 10.20.1.3 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
194.168.169.32 255.255.255.224 194.168.169.34 194.168.169.34 10
194.168.169.34 255.255.255.255 127.0.0.1 127.0.0.1 10
194.168.169.35 255.255.255.255 127.0.0.1 127.0.0.1 10
194.168.169.255 255.255.255.255 194.168.169.34 194.168.169.34 10
224.0.0.0 240.0.0.0 10.20.1.3 10.20.1.3 10
224.0.0.0 240.0.0.0 194.168.169.34 194.168.169.34 10
255.255.255.255 255.255.255.255 10.20.1.3 10.20.1.3 1
255.255.255.255 255.255.255.255 194.168.169.34 194.168.169.34 1
Default Gateway: 194.168.169.61
===========================================================================
Persistent Routes:
None

W:\>

I cannot understand what I'm doing wrong. Help!
[Confused]

(in reply to future2000)
Post #: 5
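An added illustration, not part of the original thread and not ISA Server's own logic: this Python check compares the Internal network range from post 5 with the routes bound to the INTERNAL adapter in the second `route print`. Counting every route leaves nothing uncovered; counting only on-link routes (an assumption about which routes are counted, with "on-link" taken to mean gateway equals interface address) yields the same ranges the alert in post 5 lists.

```python
import ipaddress

# First four rows copied from the second `route print` in the thread;
# INTERNAL_NET is the Internal network range defined in post 5.
ROUTES = """
0.0.0.0 0.0.0.0 194.168.169.61 194.168.169.34 10
10.0.0.0 255.0.0.0 10.20.1.7 10.20.1.3 1
10.20.0.0 255.255.0.0 10.20.1.3 10.20.1.3 10
10.255.255.255 255.255.255.255 10.20.1.3 10.20.1.3 10
"""
INTERNAL_NET = [("10.0.0.0", "10.255.255.255")]
INTERNAL_IF = "10.20.1.3"  # address of the INTERNAL adapter

def routes_via(route_text, iface, on_link_only=False):
    """Inclusive integer spans of the routes bound to interface `iface`."""
    spans = []
    for line in route_text.strip().splitlines():
        dest, mask, gateway, interface, _metric = line.split()
        # Assumption: an on-link route is one whose gateway is the interface itself.
        if interface != iface or (on_link_only and gateway != iface):
            continue
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        spans.append((int(net.network_address), int(net.broadcast_address)))
    return spans

def subtract(ranges, spans):
    """Remove every span from every range (all bounds inclusive)."""
    for s_lo, s_hi in spans:
        kept = []
        for lo, hi in ranges:
            # Pieces of the range left and right of the span; empty ones are dropped.
            parts = [(lo, min(hi, s_lo - 1)), (max(lo, s_hi + 1), hi)]
            kept += [p for p in parts if p[0] <= p[1]]
        ranges = kept
    return sorted(ranges)

def uncovered(defined, route_text, iface, on_link_only=False):
    """Defined network ranges that have no matching route through `iface`."""
    ranges = [(int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)))
              for a, b in defined]
    left = subtract(ranges, routes_via(route_text, iface, on_link_only))
    return [f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}"
            for lo, hi in left]

if __name__ == "__main__":
    print("all routes:  ", uncovered(INTERNAL_NET, ROUTES, INTERNAL_IF))
    print("on-link only:", uncovered(INTERNAL_NET, ROUTES, INTERNAL_IF, True))
```

Feeding it the five Internal ranges and the routes from post 1 gives the same pattern: nothing uncovered with all routes, and the 10.40, 10.60 and 10.80 ranges with on-link routes only.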
RE: Please can someone help me understand the network b... - 27.Jul.2005 4:52:00 PM   
JRuffner

 

Posts: 7
Joined: 31.Aug.2004
From: New London, CT
Status: offline
I have a similar problem with a recently updated SBS2003 box with SBS SP1 and ISA2004 patches applied. I did not receive the error before upgrade.

I also have a network configuration similar to yours where I learned that the only way to add the static routes successfully is to add them through the command line. For some reason they are not fully "registered" within ISA if added through RRAS.

I have yet another network similar to yours where I have added the routes through the cmd line and still receive the errors mentioned.

Good Luck
JR

(in reply to future2000)
Post #: 6
RE: Please can someone help me understand the network b... - 28.Jul.2005 3:14:00 AM   
future2000

 

Posts: 35
Joined: 26.Feb.2004
From: Guildford
Status: offline
Thanks for your comments. I have come to believe this is a bug in the software, as whatever configuration I use I always receive these errors, despite the routing config working properly. I guess I'll just ignore the errors!

[Eek!]

(in reply to future2000)
Post #: 8
RE: Please can someone help me understand the network b... - 28.Jul.2005 1:35:00 PM   
costas71

 

Posts: 14
Joined: 26.Jul.2005
From: Cyprus
Status: offline
Hi,

Did you check on any other issues not ISA related? I had a case once where my routing was all messed up after installing static routes on a Windows 2000 server, only to find out after three days that a forgotten Windows NT 4.0 server had the same IP address as my static destination gateway. Strangely enough, my router did not complain that the IP I was setting up was already in use in the network, as it usually happens, and all other hosts were routing traffic without problems.

(in reply to future2000)
Post #: 9
RE: Please can someone help me understand the network b... - 29.Jul.2005 2:26:00 AM   
future2000

 

Posts: 35
Joined: 26.Feb.2004
From: Guildford
Status: offline
Hi,

Thanks for the reply. Yes, I checked everything pretty exhaustively. I installed the entire server again from scratch twice, only to receive the same error whatever I did.

I'm sure it's a problem with the software.

Thanks

[Razz]

(in reply to future2000)
Post #: 10
