Forefront TMG 2010 SP1 Site 2 Site VPN Marking Traffic as Spoofed

    Question

  • Hello,

    I have installed two 2-node NLB clusters. I am trying to set up a site-to-site VPN between them. I have walked through the configuration wizard and everything was created successfully. I can see the VPN session being created on both ends. When I try to ping across the connection, the packets make it to the TMG server at the other end but are being dropped as spoofed.

    0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED

    If anyone has any insight as to why this would happen, please let me know.

    Thanks

    Nick

    Tuesday, July 13, 2010 3:12 PM

All replies

  • Hi,

    Thank you for the post.

    Please refer to this article to disable the IP spoof detection feature: http://support.microsoft.com/kb/838114

    Regards,

    Nick Gu - MSFT
    Thursday, July 15, 2010 5:42 AM
    Moderator
  • Nick Gu - MSFT wrote:

        Please refer to this article to disable the IP spoof detection feature: http://support.microsoft.com/kb/838114

    Surely this is a bit drastic? Is this the only way to fix the problem?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Thursday, July 15, 2010 8:05 AM
  • I think one needs to find out why it is throwing the alert instead of disabling the alert.

    --
    Phillip Windell
    The views expressed are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
    "Nick Gu - MSFT" wrote in message news:c6c63e25-716d-47da-88b1-67a1be5e192e...

        Please refer to this article to disable the IP spoof detection feature: http://support.microsoft.com/kb/838114
    Thursday, July 15, 2010 1:27 PM
  • Agreed - I also have this problem with a number of branch office servers, and would like to understand why. Or at least I have a highly similar problem: traffic from internal clients at the branch offices, with an S2S VPN destination, starts to get marked as spoofed approximately 24 - 72 hours after the firewall service starts.

    All TMG servers are using static address pools (with statically assigned DNS server addresses) for VPN addressing. This problem did not present under ISA 2006 with the same network setup.

    At the moment, the workaround I am using is to schedule a TMG restart every morning before the branch offices open, but like disabling the spoofing feature entirely, it's a bit hackish :)

    Wednesday, July 21, 2010 10:46 AM
  • Have you tried to install TMG SP1?
    Bala Natarajan [MSFT]| Sr. Support Escalation Engineer | CSS Security
    Friday, July 23, 2010 5:08 AM
    Owner
  • Having recently moved from ISA 2006 to TMG with SP1, I too have this problem.

    I have two sites, each with a Windows DC alongside other servers, with a site-to-site VPN which is still ISA 2006 at one end and TMG at the other. Both are in a front/back configuration with a router/firewall NATing from the external IP address to a private address in a subnet serving the LAN side of the router and the ISA/TMG 'external' network card. The internal LAN side of each ISA/TMG is yet another subnet, different at each site.

    The ISA end is totally unchanged. I imported the old rules into TMG, which replaced ISA at the other end, and it is there that I see the problem, even with the spoofing registry hack. Things largely work, but packets incoming from the ISA-based site are being declared as spoofed because the address of the VPN is in the local LAN space, since I'm using DHCP for address assignment. Presumably this appears as a spoof because the traffic is incoming from the PPTP tunnel interface yet it has an address in the local LAN.

    I've tried playing with fixed address allocation, both in the 'DMZ' LAN space and in yet another unique subnet, but can't get the network rules correct to give me full functionality. As it is now, things appear to work despite the spoofed packets being dropped.

    So what is the definitive way to set things up for this configuration? I've read most of the online postings regarding setup and am no closer.

    -Mike-

    Friday, August 06, 2010 4:34 PM
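To make the reasoning in Mike's post above concrete, here is an added example that is not part of the original thread and is not TMG's code: a simplified Python model of the interface-based anti-spoofing check a firewall applies (a source address is legitimate on an adapter only if that adapter is the only one whose address ranges contain it). The adapter names, subnets and packets are constructed for illustration. It shows that a VPN client address leased out of the Internal LAN range is claimed by two adapters at once and is therefore dropped as spoofed when it arrives over the tunnel, while an address from a static pool disjoint from every site network is accepted; check_pool() is the planning check to run on a candidate pool before assigning it statically.

```python
# Added example, not from the original thread and not TMG's code: a simplified
# model of the interface-based anti-spoofing check discussed in the thread.
# All adapter names, subnets and packets below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Networks defined on the (hypothetical) TMG site that terminates the tunnel.
SITE_NETWORKS = {
    "Internal": ip_network("192.168.10.0/24"),  # LAN behind TMG
    "External": ip_network("172.16.0.0/24"),    # subnet between TMG and the NAT router
}


def build_topology(vpn_pool):
    """Map each adapter to the address ranges that may legitimately arrive on
    it. The VPN interface owns exactly the VPN address pool."""
    return {
        "Internal": [SITE_NETWORKS["Internal"]],
        "External": [SITE_NETWORKS["External"]],
        "VPN": [ip_network(vpn_pool)],
    }


# Case 1: VPN addresses come from the LAN DHCP scope, so they sit inside Internal.
TOPOLOGY_DHCP = build_topology("192.168.10.128/25")
# Case 2: a static pool that overlaps no other network on the site.
TOPOLOGY_STATIC = build_topology("10.99.0.0/24")


@dataclass(frozen=True)
class Packet:
    ingress: str  # adapter the packet arrived on
    src: str      # source IPv4 address


def classify(topology, pkt):
    """Return 'ok', 'spoofed' or 'unknown' for one packet.

    Model rule: a source address is accepted only when the ingress adapter is
    the *only* adapter whose ranges contain it. If another adapter also claims
    the address (or claims it exclusively), the packet is spoofed. An address
    that belongs to no defined range is 'unknown'.
    """
    src = ip_address(pkt.src)
    owners = {iface for iface, nets in topology.items()
              if any(src in net for net in nets)}
    if not owners:
        return "unknown"
    if owners == {pkt.ingress}:
        return "ok"
    return "spoofed"


def check_pool(vpn_pool):
    """Planning check: names of site networks a candidate VPN pool overlaps.
    An empty list means the pool is safe to assign statically."""
    pool = ip_network(vpn_pool)
    return [name for name, net in SITE_NETWORKS.items() if pool.overlaps(net)]


if __name__ == "__main__":
    # Constructed traffic: replies from the far site arriving over the tunnel,
    # a LAN host, and a LAN address arriving from the outside.
    samples = [
        Packet("VPN", "192.168.10.200"),      # VPN client holding a LAN DHCP lease
        Packet("VPN", "10.99.0.5"),           # VPN client from the static pool
        Packet("Internal", "192.168.10.25"),
        Packet("External", "192.168.10.25"),  # LAN address arriving from outside
    ]
    for name, topo in (("DHCP-from-LAN", TOPOLOGY_DHCP), ("static pool", TOPOLOGY_STATIC)):
        print(f"--- {name}")
        for pkt in samples:
            print(f"{pkt.ingress:>8} {pkt.src:<16} {classify(topo, pkt)}")
    print("pool 192.168.10.128/25 overlaps:", check_pool("192.168.10.128/25"))
    print("pool 10.99.0.0/24 overlaps:", check_pool("10.99.0.0/24"))
```

Run it as a script to see both topologies side by side: in the DHCP-from-LAN case the tunnel packet with source 192.168.10.200 is reported as spoofed because both the VPN and Internal adapters claim that address, which is the situation the post describes; with the disjoint static pool the same kind of packet is accepted. This is a model of the concept only; the real TMG network definitions and the exact conditions under which it raises FWX_E_FWE_SPOOFING_PACKET_DROPPED are not reproduced here.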