How to fix "missing ranges" on ISA external NIC?

  • Wednesday, January 23, 2013 5:33 PM
     
     

    This is a brand new ISA Enterprise server that was installed today with 2 nics.  Internal nic has 4 192.168.x networks.

    Internal nic has a unique 192.168.x network that is not included in the range of the internal nic. 

    "The routing table for the network adapter Internal includes IP address ranges that are not defined in the array-level network External, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network."  It says to resolve this issue, add the missing IP address ranges to the array network.

    It is more than just an error message, it is blocking client access to the ISA server.

    I did a search on this error and found several posts about it, but didn't see any that have instructions on the specific steps to add the missing address ranges.

    I don't see any way to configure the External network in ISA.

    How is this fixed (specific steps or commands)?  For instance, if the internal NIC was configured for 192.168.0.x to 192.168.9.x and 192.168.12.x to 192.168.15.x and the external NIC was 192.168.200.15 with a gateway of 192.168.200.1, what would the command be to fix this error?


All Replies

  • Wednesday, January 23, 2013 7:13 PM
     
     

    Hi,

    add the Internal NIC IP address range to the IP properties of the INTERNAL TMG network


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

  • Wednesday, January 23, 2013 10:50 PM
     
     

    I don't understand that answer.

    The internal NIC is already configured in ISA with the IP ranges to be assigned to the internal network.

    Are you talking about something else?

  • Thursday, January 24, 2013 6:03 AM
     
     

    Hi,

    you wrote: "Internal nic has a unique 192.168.x network that is not included in the range of the internal nic." You must add this network to the INTERNAL network object definition on your ISA Server


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

  • Thursday, January 24, 2013 6:07 AM
     
     

    I meant to say EXTERNAL nic.  

    I have all the internal IP ranges included on the internal nic and I still have this issue. 

  • Thursday, January 24, 2013 7:26 AM
     
     
    I would suggest that you look at the logs first. Look at the console and Logs and Monitoring, configure the conditions so that they match to what you want to see. These can provide some insight into why the access is blocked. 
  • Thursday, January 24, 2013 7:44 AM
    Moderator
     
     Answered

    Hi,

    Thank you for the post.

    You may also run ISA BPA to check the configuration issue and output the error message.

    Regards,


    Nick Gu - MSFT

    • Marked As Answer by MyGposts Friday, January 25, 2013 1:48 PM
  • Thursday, January 24, 2013 4:11 PM
     
     

    It looks like it says it cannot route to any of the other subnets, but  I don't understand why.

    I could guess it is because there is no gateway defined on the internal adapter, but I thought there is not supposed to be a gateway on the internal adapter when you have a gateway on the external adapter that goes to the Internet.

    How is this supposed to work when your ISA server is not on the same subnet as your workstations?

    BPA had this info:

    Events that triggered the alert: 
    1/23/2013 7:53:25 AM - The routing table for the network adapter EXTERNAL includes IP address ranges that are not defined in the array-level network External, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network.
    The following IP address ranges will be dropped as spoofed:
    Internal:192.168.1.0-192.168.6.255,192.168.8.0-192.168.9.255,192.168.188.0-192.168.188.255;

    ISA Server detected routes through the network adapter INTERNAL that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 192.168.1.0-192.168.6.255,192.168.8.0-192.168.9.255,192.168.188.0-192.168.188.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.


    • Edited by MyGposts Thursday, January 24, 2013 4:12 PM
  • Thursday, January 24, 2013 4:34 PM
     
     

    Hi,

    the Default Gateway has been configured only on the external NIC?


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

  • Thursday, January 24, 2013 5:46 PM
     
     

    Yes, the internal nic only has IP address, subnet mask and dns (our AD DNS servers).

    External NIC has IP, subnet mask and gateway (no DNS).

    I don't understand how to make the ISA communicate with other internal subnets without a gateway.

    I can only access other hosts that are on the same subnet as the server, but we have several internal IP ranges.

    • Edited by MyGposts Thursday, January 24, 2013 5:47 PM
    • Edited by MyGposts Thursday, January 24, 2013 5:48 PM
  • Thursday, January 24, 2013 7:24 PM
     
     

    Hi,

    you must add the additional subnets in the TMG MMC with Network Topology routes


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

  • Thursday, January 24, 2013 7:56 PM
     
     
    It is ISA 2006 Enterprise.  How is this done and what information is added to what?
  • Thursday, January 24, 2013 8:10 PM
     
     Answered

    Hi,

    Sorry. Use route add -p from the command line.
    Type route /? for more information. Default Gateway is your internal router, which provides access to the different internal IP subnets.


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

    • Marked As Answer by MyGposts Friday, January 25, 2013 6:46 AM
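
    Added example (not part of the thread and not Microsoft tooling): a Python sketch that turns the ranges from the BPA output above into CIDR blocks, builds one persistent route per block via the internal router, and checks that every routed block lies inside the ISA network definition, which is the condition the spoof-detection alert describes. The router address 192.168.7.1 and NIC subnet 192.168.7.0/24 are constructed values, since the thread never gives them; the commands use `route -p add`, the documented placement of the -p switch the answer refers to.

```python
import ipaddress

# Ranges copied from the BPA output quoted in this thread.
BPA_RANGES = ("192.168.1.0-192.168.6.255,192.168.8.0-192.168.9.255,"
              "192.168.188.0-192.168.188.255;")

def parse_ranges(text):
    """Parse 'a-b,c-d;' into a list of (first, last) IPv4Address pairs."""
    pairs = []
    for item in text.strip(" ;").split(","):
        first, last = (ipaddress.IPv4Address(p.strip()) for p in item.split("-"))
        if first > last:
            raise ValueError(f"reversed range: {item}")
        pairs.append((first, last))
    return pairs

def to_cidrs(pairs):
    """Smallest list of CIDR blocks that covers every range exactly."""
    nets = []
    for first, last in pairs:
        nets.extend(ipaddress.summarize_address_range(first, last))
    return list(ipaddress.collapse_addresses(nets))

def route_commands(nets, gateway, nic_subnet):
    """Persistent routes for each block via the internal router."""
    gw, local = ipaddress.IPv4Address(gateway), ipaddress.IPv4Network(nic_subnet)
    if gw not in local:
        raise ValueError("gateway is not on the internal NIC's own subnet")
    # The directly connected subnet already has a route, so skip it.
    return [f"route -p add {n.network_address} mask {n.netmask} {gw}"
            for n in nets if not n.subnet_of(local)]

def outside_network(nets, network_ranges):
    """Routed blocks that the ISA network definition does not contain."""
    defined = to_cidrs(parse_ranges(network_ranges))
    return [n for n in nets if not any(n.subnet_of(d) for d in defined)]

if __name__ == "__main__":
    routed = to_cidrs(parse_ranges(BPA_RANGES))
    # Constructed values: the thread never gives the router or NIC subnet.
    for cmd in route_commands(routed, "192.168.7.1", "192.168.7.0/24"):
        print(cmd)
    print("not in Internal network:", outside_network(routed, BPA_RANGES))
```

    Any block returned by outside_network is one ISA would treat as spoofed on that adapter, so the route list and the network's address ranges need to be changed together.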