UDP 1900 to 239.255.255.250 denied as spoofed RRS feed

  • Question

  • I'm using Forefront TMG 2010 with SP2 (Policy imported from ISA 2006)

    network topology is:

            |------internal
    external|
            |------perimeter

    I am seeing a continual stream of blocked UPnP traffic to the broadcast IP address 239.255.255.250. I have tried everything to trap this: I've attempted to add this IP to the internal range and to the perimeter address range, and created policies trapping this, but to no avail.

    The alternating errors I get are:

    0xc0040014 E_FWE_SPOOFING_PACKET_DROPPED
    A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
    Rule: None - see Result Code
    Source: Perimeter (192.168.2.203:1900)
    Destination: Perimeter (239.255.255.250:1900)
    Protocol: UDP 1900

    0xc0040050 FWX_E_TCPIP_DROP_IP_NOT_LOCALLY_DESTINED
    Status: An ingoing packet was dropped because its destination address does not exist on the system, and no appropriate forwarding interface exists.
    Rule: None - see Result Code
    Source: Perimeter (192.168.2.203:1900)
    Destination: Perimeter (239.255.255.250:1900)
    Protocol: UDP 1900

    Any insight into resolving this issue would be appreciated.

    Monday, March 12, 2012 6:24 PM
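A small triage script, added here as an example and not part of the thread, that parses drop entries in the format quoted above and separates the 239.255.255.250 / UDP 1900 drops (SSDP announcements, the usual candidates for a non-logged "garbage" rule) from unicast spoofing drops that deserve a closer look. The sample log text is constructed; the third entry is invented to show the contrast.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample modelled on the TMG entries quoted in the question,
# plus one invented unicast drop so the classifier has something to separate.
SAMPLE_LOG = """\
0xc0040014 E_FWE_SPOOFING_PACKET_DROPPED
Rule: None - see Result Code
Source: Perimeter (192.168.2.203:1900)
Destination: Perimeter (239.255.255.250:1900)
Protocol: UDP 1900
0xc0040050 FWX_E_TCPIP_DROP_IP_NOT_LOCALLY_DESTINED
Status: An ingoing packet was dropped because its destination address does not exist on the system.
Source: Perimeter (192.168.2.203:1900)
Destination: Perimeter (239.255.255.250:1900)
Protocol: UDP 1900
0xc0040014 E_FWE_SPOOFING_PACKET_DROPPED
Source: External (10.0.0.7:53102)
Destination: Internal (192.168.1.10:445)
Protocol: TCP 445
"""

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")
# One entry = result code + name, then Source / Destination / Protocol lines (other lines may sit between).
ENTRY_RE = re.compile(
    r"(?P<code>0x[0-9a-fA-F]{8})\s+(?P<name>\S+)"
    r".*?Source:\s*(?P<snet>\w+)\s*\((?P<sip>[\d.]+):(?P<sport>\d+)\)"
    r".*?Destination:\s*(?P<dnet>\w+)\s*\((?P<dip>[\d.]+):(?P<dport>\d+)\)"
    r".*?Protocol:\s*(?P<proto>\w+)\s+(?P<port>\d+)", re.S)

def parse_entries(text):
    """Return one dict per TMG drop entry found in the log text."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        e = m.groupdict()
        e["sip"] = ipaddress.ip_address(e["sip"])
        e["dip"] = ipaddress.ip_address(e["dip"])
        e["port"] = int(e["port"])
        entries.append(e)
    return entries

def classify(entry):
    """Label a drop so SSDP multicast noise is not mistaken for real spoofing."""
    if entry["dip"] == SSDP_GROUP and entry["proto"] == "UDP" and entry["port"] == 1900:
        return "ssdp-multicast"  # UPnP announcement: expected noise, candidate for a silent drop rule
    if entry["dip"].is_multicast:
        return "other-multicast"
    return "unicast"  # a spoofing drop to a unicast address is worth investigating

def summarize(text):
    """Count drops by (classification, TMG result name)."""
    return Counter((classify(e), e["name"]) for e in parse_entries(text))
```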

Answers

  • The issue was that both the old and the new gateway were plugged into the same switch so one-way traffic was getting to the TMG server from the old ISA server. Now that there is only one route to the TMG server the IP spoofing has stopped. 
    • Marked as answer by cmartin-vs Tuesday, March 13, 2012 2:39 PM
    Tuesday, March 13, 2012 2:39 PM

All replies

  • Hi,

    Do you need to allow multicast traffic to the TMG server? Because there are clients / devices which send announcements via multicast, Forefront TMG denies the traffic. If you do not want to see this traffic on TMG filling the logs, I recommend creating a "garbage" collection rule which allows / denies unwanted traffic like NetBIOS broadcasts, DHCP and multicast broadcasts/multicasts. In this rule, disable the logging for the rule.


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de

    Monday, March 12, 2012 6:29 PM
  • Thanks for the reply, Marc.

    I've tried to trap this rule by

    from: perimeter (192.168.2.0-255)

    to: 239.255.255.250

    protocols: udp 1900 (send receive)


    No success, am I missing something?

    Monday, March 12, 2012 6:49 PM
  • Hi,

    Thank you for the post.

    As far as I know, ISA supports neither broadcast nor multicast forwarding.

    Regards,


    Nick Gu - MSFT

    Tuesday, March 13, 2012 2:50 AM
    Moderator
  • My main concern is that everything is showing as spoofed as the reason for not handling the traffic. I'm going to try something out this morning and will report back if it worked. 
    Tuesday, March 13, 2012 12:55 PM