RE: VPN/ISA 2004 issue after SP1 install on sbs2003
- From: v-crinal@xxxxxxxxxxxxxxxxxxxx ("Crina Li")
- Date: Fri, 23 Dec 2005 07:30:55 GMT
Hi Colin,
Thank you for posting in SBS newsgroup.
From the description, I understand that you received the spoof attack alert
15108 and error 14147 from the event log after you upgraded the server to
SBS 2003 SP1 with ISA server 2004. If I have misunderstood your concerns,
please do let me know.
As far as I know, ISA Server identifies spoof attacks according to the
routing table and the LAT (for ISA Server 2004, it's the address range of
the internal network object). If the ISA server receives a packet with an
internal IP as source address from the external port, the packet would be
treated as a spoof attack. For a normal ISA server, the event 15108 just
reports the blocked intrusions.
The 14147 error could indicate a network object configuration issue. Let's
focus on the 14147 error in this thread.
In order to isolate the problem, please help to gather the following
information:
1. Have you already run the CEICW to configure the network and firewall
settings after installing the ISA 2004?
2. How many subnets are in your SBS LAN?
3. Have you received any error message regarding VPN when you connect to
SBS from branch offices?
4. Did you create a router-to-router VPN between the branch offices and the
head office?
Currently, you may try to add the remote LAN address range into the local
ISA server 'Internal' network address range. Go to the ISA server. Open ISA
Management console. Navigate to Configuration\Network. Open the properties
of the Internal network object. Add the remote LAN address range into the
object. Does the situation occur?
You can also refer to the following KB to see if it helps.
884496 Client computers cannot access external resources, and event ID 14147
http://support.microsoft.com/?id=884496
More information:
867483 How to configure networks in ISA Server 2004
http://support.microsoft.com/?id=867483
For remote access between two offices, I also provide the following
documents for your reference:
Connecting a Remote Office to a Small Business Server 2000 Network
http://www.microsoft.com/technet/prodtechnol/sbs/2000/maintain/remotofc.mspx
Note: this article is for SBS 2000 network but it can also apply to SBS
2003 network.
888711 Site-to-site VPN in ISA Server 2004
http://support.microsoft.com/?id=888711
812076 HOW TO: Enable a Cisco IPSec VPN Client to Connect to a Cisco VPN
http://support.microsoft.com/?id=812076
Virtual Private Networking with Windows Server 2003: Deploying Site-to-Site
VPNs
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/deploy/confeat/vpndpls2.asp
I appreciate your time and look forward to hearing from you.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| From: "cdlaurie" <CLAURIE@xxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| Subject: VPN/ISA 2004 issue after SP1 install on sbs2003
| Date: 22 Dec 2005 04:33:38 -0800
| Organization: http://groups.google.com
|
| I am having issues with 2 remote sites connecting to sbs2003 premium
| after installing sp1 which as you know has upgraded isa.
|
| The sites are connected to head office external nic using Draytek 2600
| routers, using PPTP VPN. The head office has sbs2003 with ISA 2004.
| The client pc's in the branch offices seem to have intermittent
| connection and upon looking in event logs on sbs, there are numerous
| events which are appearing every 30 seconds (see below).
|
| The 2 branch offices use the 192.168.1.x & 192.168.2.x subnets and
| these are mentioned in the event logs.
| I have also noticed on the Draytek that the packets transferred between
| branch office and Head office are no longer encrypted (as they are
| normally shown in green). Furthermore the branch office routers are not
| transmitting packets but are not receiving any from SBS at the head
| office.
|
| I have performed various searches for the specific events and have
| found some info but not all appears relevant, the info that has been
| relevant I have tried but have had no success.
|
| Have any of you encountered such a scenario or can you point me in the
| direction of some resources.
|
| Any help greatly appreciated!
|
| Colin
|
|
| The event logs are:
|
| Event Type: Warning
| Event Source: Microsoft Firewall
| Event Category: Packet filter
| Event ID: 15108
| Date: 22/12/2005
| Time: 11:06:13
| User: N/A
| Computer: SBS2003
| Description:
| ISA Server detected a spoof attack from Internet Protocol (IP) address
| 192.168.1.13. A spoof attack occurs when an IP address that is not
| reachable via the interface on which the packet was received. If
| logging for dropped packets is set, you can view details in the packet
| filter log.
|
| For more information, see Help and Support Center at
| http://go.microsoft.com/fwlink/events.asp.
|
| ---------------------------------
|
| Event Type: Error
| Event Source: Microsoft Firewall
| Event Category: None
| Event ID: 14147
| Date: 22/12/2005
| Time: 11:04:33
| User: N/A
| Computer: SBS2003
| Description:
| ISA Server detected routes through adapter Network Connection that do
| not correlate with the network element to which this adapter belongs.
| For best practice, the address range of an ISA Server network should
| match the address ranges routable through the associated network
| adapter as defined in the routing table. Otherwise valid packets may be
| dropped as spoofed. (This alert may occur momentarily when you create a
| remote site network. You may safely ignore this message if it does not
| reoccur.) The address ranges in conflict are:
| 192.168.1.0-192.168.2.255;.
|
| For more information, see Help and Support Center at
| http://go.microsoft.com/fwlink/events.asp.
|
|
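The spoof check and the 14147 range comparison discussed in this thread, as an added example that is not part of the original posts and is not ISA Server's own code: a simplified Python model that compares the address ranges routed through an adapter with the ranges of the network object that adapter belongs to. The head-office range 192.168.16.0-192.168.16.255 and the assumption that the branch routes go through the Internal adapter are constructed for illustration; the branch range and the source address 192.168.1.13 come from the event text above.

```python
import ipaddress

def to_ranges(specs):
    """Parse 'first-last' strings into sorted (first, last) integer pairs."""
    pairs = []
    for spec in specs:
        first, last = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-"))
        if first > last:
            raise ValueError(f"range is reversed: {spec}")
        pairs.append((first, last))
    return sorted(pairs)

def ranges_in_conflict(routed, network):
    """Parts of the routed ranges that the network object does not cover."""
    net = to_ranges(network)
    gaps = []
    for start, end in to_ranges(routed):
        cur = start
        for n_start, n_end in net:
            if n_end < cur or n_start > end:
                continue                      # no overlap with what is left
            if n_start > cur:
                gaps.append((cur, n_start - 1))
            cur = max(cur, n_end + 1)
            if cur > end:
                break
        if cur <= end:
            gaps.append((cur, end))
    return [f"{ipaddress.IPv4Address(a)}-{ipaddress.IPv4Address(b)}" for a, b in gaps]

def treated_as_spoofed(source_ip, network):
    """Model of the check: a source outside the network object's ranges is dropped."""
    ip = int(ipaddress.IPv4Address(source_ip))
    return not any(a <= ip <= b for a, b in to_ranges(network))

# Constructed sample data (head-office range is an assumption, see lead-in).
INTERNAL = ["192.168.16.0-192.168.16.255"]
ROUTED = ["192.168.16.0-192.168.16.255", "192.168.1.0-192.168.2.255"]
INTERNAL_FIXED = INTERNAL + ["192.168.1.0-192.168.2.255"]  # the change suggested in the reply

if __name__ == "__main__":
    print("conflict before:", ranges_in_conflict(ROUTED, INTERNAL))
    print("192.168.1.13 spoofed before:", treated_as_spoofed("192.168.1.13", INTERNAL))
    print("conflict after:", ranges_in_conflict(ROUTED, INTERNAL_FIXED))
    print("192.168.1.13 spoofed after:", treated_as_spoofed("192.168.1.13", INTERNAL_FIXED))
```
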