RE: Discussion about article on enabling DHCP Relay Agent on the ISA Firewall
RE: Discussion about article on enabling DHCP Relay Age... - 19.Sep.2005 2:53:00 PM
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Hi Bill,
Did you ever figure out how to do this, or if this is a "by design" issue?
I'll check the DHCP request option classes today by doing a NetMon trace.
Thanks! Tom
RE: Discussion about article on enabling DHCP Relay Age... - 19.Sep.2005 3:06:00 PM
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
quote: Did you ever figure out how to do this, or if this is a "by design" issue? I'll check the DHCP request option classes today by doing a NetMon trace.
Hi Tom,
No, I was never able to get it to work. But I don't think that this is "by design" because what's happening is not what's documented.
Thanks for offering to run a Netmon trace. I haven't been able to do this yet for lack of hardware. I'll be interested to see the results.
Thanks!
Bill
RE: Discussion about article on enabling DHCP Relay Age... - 27.Sep.2005 1:12:00 PM
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Hi Tom,
Have you had a chance to try this out yet? I still can't get it to work.
Thanks!
Bill
RE: Discussion about article on enabling DHCP Relay Age... - 4.Jan.2006 1:07:30 PM
WILX
Posts: 11
Joined: 2.Dec.2005
Hi, I have a problem relating to this article. I did exactly as it was said in the article, but I am still not able to get the DNS suffix from my DHCP server. When first establishing the VPN everything works fine, I get the suffix, but after disconnecting and trying again the suffix is missing. Then I restart the Remote Access Service and again on the first connection everything works fine, but on every next connection nothing; it works only after restarting the Remote Access Service again. I looked at the logs, and there is something wrong with the DHCP request. On the first connection it is OK:

DHCP (request) Initiated Connection Allow DHCP requests from ISA Server to all networks

On every next connection:

DHCP (request) Denied Connection [Enterprise] Default rule 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED

I tried to assign IP addresses with DHCP (like in the article), and tried also to assign from a static address pool. So I can't figure out where the problem is: why is the first connection successful and every next one not? Maybe someone has some ideas or comments? Thanks!
RE: Discussion about article on enabling DHCP Relay Age... - 1.Mar.2006 6:26:34 PM
rualark
Posts: 2
Joined: 1.Mar.2006
Thank you for a good article. So how to deal with FWX_E_FWE_SPOOFING_PACKET_DROPPED ? I have an ISA server in my LAN, connected with a single NIC 192.168.61.20. This NIC is NATed to a public address via 192.168.61.1 FreeBSD machine. I wonder what addresses I should give to users connecting to my ISA via VPN? I tried 192.168.61.0/24 and 192.168.63.0/24 (new segment). Tried both DHCP and static pool. Anyway when it comes to sending DHCP Request (destination ip 255.255.255.255) it is denied with FWX_E_FWE_SPOOFING_PACKET_DROPPED. Very bad! What addresses should be used in such situation to avoid artificial "SPOOFING" alerts? There is no spoofing!!! How can I tell it to ISA server??? Thank you in advance.
RE: Discussion about article on enabling DHCP Relay Age... - 3.Mar.2006 5:53:12 PM
AbqBill
Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Hi rualark,
Is your DHCP running on the same server as ISA Server? If so, you need SP1 in order to use the DHCP Relay Agent.
HTH,
Bill
RE: Discussion about article on enabling DHCP Relay Age... - 6.Mar.2006 11:25:37 AM
rualark
Posts: 2
Joined: 1.Mar.2006
Well I am using ISA 2004 SP2 on Windows Server 2003 SP1 ;)
RE: Discussion about article on enabling DHCP Relay Age... - 6.Mar.2006 5:35:13 PM
murpy
Posts: 43
Joined: 4.Mar.2006
FYI, the original article posted by tshinder at the beginning of this thread does not exist. Question: does this topic apply to remote access VPNs only, or does this apply to site-to-site VPNs as well?
RE: Discussion about article on enabling DHCP Relay Age... - 16.Mar.2006 2:51:50 AM
gkuyat
Posts: 6
Joined: 19.Jul.2005
From: San Francisco
I also have this problem with DHCP relay. It seems that the broadcast packets are dropped as spoofed no matter what I do. ISA will not allow me to add 255.255.255.255 as a valid address.

192.168.4.149 - UDP - - No - 192.168.4.103 3/16/2006 1:50:03 AM 68 0 0 0 0x0 0x0 3/15/2006 5:50:03 PM 192.168.4.149 255.255.255.255 67 DHCP (request) Denied Connection 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED VPN Clients Local Host - SFCB-ISA-01 Firewall
RE: Discussion about article on enabling DHCP Relay Age... - 4.Apr.2006 9:06:24 AM
gkuyat
Posts: 6
Joined: 19.Jul.2005
From: San Francisco
It seems as though there is a time period between when ISA (or RRAS on behalf of ISA) hands out the IP address to the VPN client and when that same address is considered valid (not spoofed). Unfortunately, all the DHCP inform stuff routinely completes before this time and so all the requests get dropped as spoofed. To make it worse, this is intermittent and about four out of ten times, the address is valid and a response comes from the DHCP server. I have no idea how to resolve this, since I really need to tell the VPN CLIENT to wait for ISA (maybe 3 seconds) before sending the DHCP INFORM. -Gary
RE: Discussion about article on enabling DHCP Relay Age... - 31.May2006 7:19:57 AM
gkuyat
Posts: 6
Joined: 19.Jul.2005
From: San Francisco
This article would be great if only Microsoft software actually worked the way it is documented to work... In reality ISA 2004 cannot reliably handle DHCP Inform via a VPN. Please note that this issue only happens via VPN terminating in ISA - DHCP Inform works fine as long as ISA is not involved. This issue is EASILY reproduced and Microsoft has admitted that it is a defect affecting all ISA 2004 users who try this. Since it is a timing issue (basically ISA is slow) very slow clients may not see a problem as often as normal clients. If you try reconnecting again and again, eventually it will work at least once. But it will also eventually FAIL to work. Intermittent behavior is the worst, but that is precisely what this defect causes.

In a nutshell:
1> You VPN in
2> The ISA/RRAS server gives you an IP address
3> Your client tries to use this IP to issue DHCP inform requests
4> ISA discards your packets as spoofed since it doesn't realize that the IP it just issued you is valid
5> Your client tries a second time and occasionally this works but usually it doesn't
6> When it doesn't work, your client assumes that there are no DHCP Inform options
7> ISA realizes that it issued your client IP and traffic starts flowing normally
8> You don't have any of the DHCP options that the Inform should have gotten - and you never will get them

I documented the defect to Microsoft (SRX060404602316) who estimates that it will be fixed in ISA 2007 (seriously). Microsoft also asked me to fill out an IMPACT AND BUSINESS JUSTIFICATION form explaining why they should fix this defect. Sure I'm annoyed. I wasted a lot of time gathering traces and getting this into a nice reproducible form. All for nothing. It doesn't work reliably and the suggested workaround was to shut off spoof detection - just what I want in a firewall. Rrrrrrr...
-Gary
gkuyat@immunetolerance.org
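The sequence Gary lays out above leaves a recognisable trace in the firewall log, and checking for it is a better answer than switching spoof detection off. The script below is an added example, not code from the thread or from Microsoft: it triages constructed ISA-style log lines, modelled on the entry gkuyat posted earlier, and labels only the "DHCP spoof-drop from VPN Clients, then allowed traffic from the same address seconds later" pattern as the assignment race, leaving any other spoof drop for a person to look at. The tab-separated field layout is a simplified assumption, not ISA's real W3C export.

```python
from collections import defaultdict
from datetime import datetime

# Result string ISA writes for the spoof-detection drop discussed in this thread.
SPOOF_RESULT = "0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED"

# Constructed sample in an assumed, simplified tab-separated layout (not ISA's export):
# time, client ip, destination ip, destination port, protocol, action, result, source network
SAMPLE_LOG = """\
2006-03-16 01:50:03\t192.168.4.149\t255.255.255.255\t67\tDHCP (request)\tDenied Connection\t0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED\tVPN Clients
2006-03-16 01:50:07\t192.168.4.149\t255.255.255.255\t67\tDHCP (request)\tDenied Connection\t0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED\tVPN Clients
2006-03-16 01:50:12\t192.168.4.149\t192.168.4.10\t53\tDNS\tInitiated Connection\t0x0\tVPN Clients
2006-03-16 02:10:00\t10.0.0.77\t255.255.255.255\t67\tDHCP (request)\tDenied Connection\t0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED\tExternal
"""

def parse_line(line):
    """Split one constructed log line into a record dict."""
    f = line.split("\t")
    return {"time": datetime.strptime(f[0], "%Y-%m-%d %H:%M:%S"), "client": f[1],
            "dest": f[2], "port": int(f[3]), "proto": f[4], "action": f[5],
            "result": f[6], "net": f[7]}

def triage(log_text, window_seconds=60):
    """Return {client_ip: verdict} for every client that had a DHCP spoof-drop.
    'vpn-dhcp-race' = drop from the VPN Clients network followed by allowed traffic
    from the same address within the window; anything else = 'investigate'."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)
    verdicts = {}
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["time"])
        drops = [r for r in recs
                 if r["result"] == SPOOF_RESULT and r["proto"].startswith("DHCP")]
        if not drops:
            continue
        first = drops[0]
        # First allowed connection from this address after the first drop, if any.
        settled = next((r for r in recs if r["time"] > first["time"]
                        and r["action"] == "Initiated Connection"), None)
        delay = (settled["time"] - first["time"]).total_seconds() if settled else None
        if first["net"] == "VPN Clients" and delay is not None and delay <= window_seconds:
            verdicts[client] = {"kind": "vpn-dhcp-race", "drops": len(drops),
                                "settle_seconds": int(delay)}
        else:
            verdicts[client] = {"kind": "investigate", "drops": len(drops),
                                "network": first["net"]}
    return verdicts
```

Run it over a real export after mapping your own columns into parse_line; `triage(SAMPLE_LOG)` on the constructed input reports the VPN client as the race and the External-side drop as something to investigate.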
RE: Discussion about article on enabling DHCP Relay Age... - 31.May2006 6:19:46 PM
Zyphron
Posts: 5
Joined: 22.Aug.2005
From: Collegeville, PA
I actually tried disabling IP spoofing to get around this, problem is that now my Monitoring does not seem to show any DHCP request at all. I only get two "Unidentified IP traffic" connections when a VPN connection first occurs, which are denied, and then normal connections for DNS, https, etc. Any thoughts on how to get around this issue? Has anyone successfully disabled IP spoofing to get this working?
RE: Discussion about article on enabling DHCP Relay Age... - 6.Jul.2006 9:50:11 PM
jrock
Posts: 2
Joined: 4.Jul.2006
Any resolutions on this? Jay
RE: Discussion about article on enabling DHCP Relay Age... - 3.Nov.2006 12:59:07 AM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Hi, I have configured my ISA Server the same as this tutorial given, but whenever I try to connect I'm getting an error 721, which means the Remote Server doesn't respond to assign an IP Address to the VPN Client which is trying to connect. When I plug a client into the External Hub where the ISA Server External Interface is connected and try to establish a VPN Connection to ISA, I'm assigned an APIPA Address!! When I change the Address Assignments in the ISA Server to be a Static Pool with a Different Subnet than the internal Interface is on, I get an IP Address if I'm connecting using the External NIC IP 10.90.8.2, but if I try to connect from outside using the public IP which is registered in no-ip.com, I'm still getting the Error 721. I have run the Logging with criteria:

Client IP = 10.90.8.3
Condition = Equals
Value = 10.90.8.3

I have the Destination 137 NetBIOS Name Service Denied Connection, Rule Default Rule. Any idea how to resolve this issue?
Thanks,
Habibalby
RE: Discussion about article on enabling DHCP Relay Age... - 24.Jan.2007 6:01:13 AM
bjblackmore
Posts: 80
Joined: 9.Aug.2005
Hi, Has anyone been able to solve this? It sounds very much like the problem I'm getting with FWX_E_FWE_SPOOFING_PACKET_DROPPED (http://forums.isaserver.org/DHCP_Request_Denied/m_2002037070/tm.htm)! gkuyat says here that MS said the problem would be fixed in ISA 2007, I assume this became ISA 2006? We're running ISA 2006, and the problem still seems to be present!

quote: ORIGINAL: gkuyat
I documented the defect to Microsoft (SRX060404602316) who estimates that it will be fixed in ISA 2007 (seriously).

Taking the process below into account, does anyone know of any registry settings that would delay the client from issuing DHCP inform requests? Or some way of speeding up ISA?

quote: ORIGINAL: gkuyat
In a nutshell:
1> You VPN in
2> The ISA/RRAS server gives you an IP address
3> Your client tries to use this IP to issue DHCP inform requests
4> ISA discards your packets as spoofed since it doesn't realize that the IP it just issued you is valid
5> Your client tries a second time and occasionally this works but usually it doesn't
6> When it doesn't work, your client assumes that there are no DHCP Inform options
7> ISA realizes that it issued your client IP and traffic starts flowing normally
8> You don't have any of the DHCP options that the Inform should have gotten - and you never will get them

I'm eager to get this problem fixed, as it's causing some problems!
Ben
RE: Discussion about article on enabling DHCP Relay Age... - 6.Mar.2007 4:53:57 PM
knutern
Posts: 24
Joined: 25.Mar.2002
From: Norway
I got the DHCP stuff kinda working, only the DHCP inform packet is not being sent to the "DUN-DHCP" but rather to our primary DHCP server which we use for internal clients. But the DHCP Relay Agent does not have the internal DHCP server configured. The counters on the "Internal" interface of the DHCP Relay Agent (Requests received) are increasing, but none of the others. On my so-called DUN-DHCP, I get no DHCP packets from my VPN clients... What is wrong... Hints, anyone?
Cheers, Knut Erik
RE: Discussion about article on enabling DHCP Relay Age... - 10.Jan.2008 11:12:01 AM
CSDAdmin
Posts: 19
Joined: 19.Oct.2006
I found I had to add to and from on both DHCP reply and request since our addressing is the internal addresses.

Request DHCP to localhost from Internal/VPN Clients
Reply DHCP to Internal/VPN Clients from localhost

Then adding the registry entries to remove spoofing protection seemed to get rid of all errors. Now just to get the DNS suffix to go through. DHCP options does have the domain name option but it isn't passing through, now with no errors at all on ISA.