UDP 1900 to 239.255.255.250 denied as spoofed
Question
I'm using Forefront TMG 2010 with SP2 (policy imported from ISA 2006). The network topology is:

               |------ internal
  external ----|
               |------ perimeter
I am seeing a continual stream of blocked UPnP traffic to the broadcast IP address 239.255.255.250. I have tried everything to trap this: I've attempted to add this IP to the internal range and to the perimeter address range, and created policies trapping this, but to no avail.
The alternating errors I get are:

0xc0040014 E_FWE_SPOOFING_PACKET_DROPPED
A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
Rule: None - see Result Code
Source: Perimeter (192.168.2.203:1900)
Destination: Perimeter (239.255.255.250:1900)
Protocol: UDP 1900

0xc0040050 FWX_E_TCPIP_DROP_IP_NOT_LOCALLY_DESTINED
Status: An ingoing packet was dropped because its destination address does not exist on the system, and no appropriate forwarding interface exists.
Rule: None - see Result Code
Source: Perimeter (192.168.2.203:1900)
Destination: Perimeter (239.255.255.250:1900)
Protocol: UDP 1900
Any insight into resolving this issue would be appreciated.
Monday, March 12, 2012 6:24 PM
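As an added triage example (my own code, not part of this thread and not a TMG tool), the following Python parses drop records in the format quoted in the question, counts them per source host and result code, and separates expected multicast/broadcast announcement noise such as SSDP from drops whose source address lies outside the network TMG received it on. The perimeter range 192.168.2.0/24 is taken from the thread; the other network ranges and the third sample record are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: the two records quoted in the question, plus one constructed
# record whose source address does not belong to the network it arrived on.
SAMPLE_LOG = """\
0xc0040014 E_FWE_SPOOFING_PACKET_DROPPED A packet was dropped because Forefront TMG determined that the source IP address is spoofed. Rule: None - see Result Code Source: Perimeter (192.168.2.203:1900) Destination: Perimeter (239.255.255.250:1900) Protocol: UDP 1900
0xc0040050 FWX_E_TCPIP_DROP_IP_NOT_LOCALLY_DESTINED Status: An ingoing packet was dropped because its destination address does not exist on the system, and no appropriate forwarding interface exists. Rule: None - see Result Code Source: Perimeter (192.168.2.203:1900) Destination: Perimeter (239.255.255.250:1900) Protocol: UDP 1900
0xc0040014 E_FWE_SPOOFING_PACKET_DROPPED A packet was dropped because Forefront TMG determined that the source IP address is spoofed. Rule: None - see Result Code Source: Perimeter (10.0.0.5:51000) Destination: Internal (192.168.1.10:445) Protocol: TCP 445
"""

# Address ranges TMG is expected to see on each network name. Perimeter comes from the
# thread (192.168.2.0-255); Internal is an assumed value for the constructed sample.
NETWORKS = {
    "Perimeter": ipaddress.ip_network("192.168.2.0/24"),
    "Internal": ipaddress.ip_network("192.168.1.0/24"),
}
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

RECORD_RE = re.compile(
    r"^(?P<code>0x[0-9a-fA-F]{8})\s+(?P<name>\S+).*?"
    r"Source:\s*(?P<src_net>\w+)\s*\((?P<src_ip>[\d.]+):(?P<src_port>\d+)\)\s*"
    r"Destination:\s*(?P<dst_net>\w+)\s*\((?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\)\s*"
    r"Protocol:\s*(?P<proto>.+?)\s*$"
)


def parse_record(line):
    """Return the fields of one drop record as a dict, or None if the line does not match."""
    m = RECORD_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Label a drop: bogus source network, expected multicast/broadcast chatter, or review."""
    src = ipaddress.ip_address(rec["src_ip"])
    dst = ipaddress.ip_address(rec["dst_ip"])
    if rec["src_net"] in NETWORKS and src not in NETWORKS[rec["src_net"]]:
        return "source-off-network"  # address should not appear on this interface at all
    if dst in MULTICAST or dst == LIMITED_BROADCAST:
        return "multicast-noise"  # SSDP and similar announcements TMG will never forward
    return "review"


def summarize(log_text):
    """Count drops per (source network, source IP, result code name, classification)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            counts[(rec["src_net"], rec["src_ip"], rec["name"], classify(rec))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

A single host dominating the "multicast-noise" bucket on one interface, as in the question, points at a forwarding-path problem or harmless announcement traffic rather than an attacker forging addresses, so it is a candidate for an unlogged deny rule.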
Answers
The issue was that both the old and the new gateway were plugged into the same switch, so one-way traffic was getting to the TMG server from the old ISA server. Now that there is only one route to the TMG server, the IP spoofing has stopped.
Marked as answer by cmartin-vs Tuesday, March 13, 2012 2:39 PM
Tuesday, March 13, 2012 2:39 PM
All replies
Hi,
Do you need to allow multicast traffic to the TMG server? Because there are clients/devices which send announcements via multicast, Forefront TMG denies the traffic. If you do not want to see this traffic on TMG filling the logs, I recommend creating a "garbage" collection rule which allows/denies unwanted traffic like NetBIOS broadcasts, DHCP and multicast broadcasts/multicasts. In this rule, disable logging for the rule.
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
Monday, March 12, 2012 6:29 PM
Thanks for the reply Marc.
I've tried to trap this with a rule:
from: perimeter (192.168.2.0-255)
to: 239.255.255.250
protocols: udp 1900 (send receive)
No success, am I missing something?
Monday, March 12, 2012 6:49 PM
Hi,
Thank you for the post.
As far as I know, ISA neither supports broadcast nor multicast forwarding.
Regards,
Nick Gu - MSFT
Tuesday, March 13, 2012 2:50 AM (Moderator)
My main concern is that everything is showing as spoofed as the reason for not handling the traffic. I'm going to try something out this morning and will report back if it worked.
Tuesday, March 13, 2012 12:55 PM