Tuesday, August 23, 2011

Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.

 

TMG logging shows the following errors:

  • Denied Connection MCCNPWINTMG1 8/15/2011 11:09:37 PM
  • Log type: Firewall service
  • Status: A packet was dropped because Forefront TMG determined that the source IP address is spoofed.
  • Rule: None - see Result Code
  • Source: Internal (172.26.4.22:55507)
  • Destination: Local Host (172.26.7.104:3389)
  • Protocol: RDP (Terminal Services)
  • Additional information
  • Number of bytes sent: 0 Number of bytes received: 0
  • Processing time: 0ms Original Client IP: 172.26.4.22


The network that is reaching the TMG internal interface is not recognized by the TMG server, so TMG treats the source IP address as spoofed and drops the connection.

You need to tell TMG that the network, or the IP address itself, belongs to the Internal network.

First, add a static route to the destination.

For example, to add a static route for IP address 172.26.5.10 and tell TMG which default gateway (DGW) to use to reach it, run the following command from an elevated command window (CMD run as administrator):

 

route add 172.26.5.10 mask 255.255.255.255 172.26.7.97 -p

Then open MFTMG, click Networking and, under Networks, open Internal, then Internal Properties. Click Add Range and add the IP address range.


Once you have completed this, click Monitoring, then Configuration, and confirm that the TMG servers have been synced.
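The check behind this log entry can be modelled in a few lines. The following Python sketch is an added example, not code from the original post or from Forefront TMG: it flags a source address when it is outside the Internal network's ranges or when the routing table reaches it through a different adapter than the one the packet arrived on. The address ranges, route table and adapter names are constructed assumptions; only the source IP comes from the log entry above.

```python
import ipaddress

# Constructed sample configuration; only the source IP used below comes from the post.
INTERNAL_RANGES = [("172.26.7.96", "172.26.7.127")]   # ranges defined on the Internal network
ROUTES = [("0.0.0.0/0", "External"),                  # (destination prefix, adapter)
          ("172.26.7.96/27", "Internal")]


def in_ranges(ip, ranges):
    """True if ip lies inside any (first, last) address range."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ranges)


def route_adapter(ip, routes):
    """Longest-prefix match: the adapter the routing table uses to reach ip."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(prefix), adapter) for prefix, adapter in routes
            if addr in ipaddress.ip_network(prefix)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def spoof_reasons(src_ip, arrived_on, ranges, routes):
    """Reasons this simplified model calls the packet spoofed (empty list = accepted)."""
    reasons = []
    if not in_ranges(src_ip, ranges):
        reasons.append("source not in the network's address ranges")
    if route_adapter(src_ip, routes) != arrived_on:
        reasons.append("route to source uses another adapter")
    return reasons


if __name__ == "__main__":
    src = "172.26.4.22"   # denied source from the log entry
    print("before:", spoof_reasons(src, "Internal", INTERNAL_RANGES, ROUTES))
    # Model of the two fixes: a host route via the internal side, plus a new range.
    routes = ROUTES + [(src + "/32", "Internal")]
    ranges = INTERNAL_RANGES + [("172.26.4.0", "172.26.5.255")]   # constructed range
    print("route only:", spoof_reasons(src, "Internal", INTERNAL_RANGES, routes))
    print("route + range:", spoof_reasons(src, "Internal", ranges, routes))
```

In this model the static route alone still leaves the address-range reason, which is why the range is added to the Internal network as well.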

*** Before making any changes, as good practice take a backup of your TMG. The backup takes a couple of minutes and you can go back if there are any unexpected issues; otherwise, like me, you will sit in the middle of the night and have to rebuild everything (-: , an unnecessary headache IMO ***

**** Also, as another good practice, make the changes on the ARRAY MANAGER if you are running a TMG array ***

Respectfully,
Oz Casey, Dedeal ( MVP north America)
MCITP (EMA), MCITP (SA)
MCSE 2003, M+, S+, MCDST
Security+, Project +, Server +
http://smtp25.blogspot.com/ (Blog)
http://telnet25.wordpress.com/ (Blog)
