A packet was dropped because Forefront TMG determined that the source IP address is spoofed
Hi

I get tons of these:  A packet was dropped because Forefront TMG determined that the source IP address is spoofed

When crossing from one network to another network.

Even the TMG's IPs are sometimes seen as spoofed

My setup
2 x TMG 2010 Ent in an Enterprise array controlled by a third server
The network setup is
1x External
3x Internal (10.10.1.x, 10.10.3.x, 10.10.10.x)
Both servers have 4 NICs, one for external and 1 for each network.
All 4 networks are NLB enabled.

All servers except those in the 10.10.10.x network are running 2008 R2; the servers in 10.10.10.x are running 2008

All the TMG servers are Hyper-V machines, the 3 internal Virtual NICs are linked to the same Physical NIC. And the External is linked to another Physical NIC.
February 20th, 2010 11:51am

Based on the info above, the local address table should include at least the following:

10.10.1.0 - 10.10.1.255
10.10.3.0 - 10.10.3.255
10.10.10.0 - 10.10.10.255

You may need to add more if there are other subnets inside of the FTMG internal NIC.

In the FTMG gui, select networking - select the internal network then select addr

February 20th, 2010 1:33pm

Hi

Thank you for your answer.

Sorry, not sure, if it's a question, or something I should do.
You are not completely right, but the 10.10.10.0 - 10.10.10.127 (255.255.255.128), but you couldn't know that. :)

I have taken a screenshot of the network setup, please look here:
http://misc.norphf.dk/tmg-network.PNG

/nOrphf
February 20th, 2010 3:37pm

:)  No, being psychic is not a skill I have...

I assume though that the spoofed addresses reported are on the 10.10.10.0 subnet?
February 20th, 2010 3:56pm

Hi

No, that's actually all 3 internal -> external
and all internal -> internal

I am getting so many that my TMG log query stopped because the rate of incoming data was too fast :(
February 20th, 2010 4:07pm

A couple of examples please?
February 20th, 2010 5:10pm

Hi

Sure: http://misc.norphf.dk/spoofed.PNG

Hope it's enough.

/nOrphf
February 20th, 2010 5:18pm

If it helps you troubleshoot, I have this Visio picture
http://misc.norphf.dk/network.PNG

  • Edited by nOrphf Friday, February 26, 2010 1:34 PM
February 20th, 2010 5:25pm

Believe me - I have seen worse.
Can you provide the output from an ipconfig /all please from the FTMG box?
February 20th, 2010 7:28pm

Not sure whether I'm just giving away my IP info, or you're still trying to help, but I have deleted most of the info, as I don't like to float.

You can get the ipconfig in a PM if you reply back.

  • Edited by nOrphf Tuesday, February 23, 2010 9:00 AM Removed the IPCONFIG.
February 20th, 2010 7:36pm

Any one who can help?
February 26th, 2010 4:34pm

I don't get into PMs because if someone else needs to follow this thread in the future it would be disjoined. You can mask your external IP octets before posting, the internal info is probably no different to a million other users. Provide the ipconfig - masked as necessary - and we can continue.

February 26th, 2010 9:56pm

Hi

Sorry for the negative post, it was just because you didn't write back after I posted the ipconfig, but here it is again:

IPconfig removed :)

I have rearranged the Visio drawing so I think it gives a better overview. Here is the link again: http://misc.norphf.dk/network.PNG (If it helps :) )

  • Edited by nOrphf Wednesday, March 03, 2010 7:27 AM
February 27th, 2010 10:44am

Hi

I have just had a power outage so all power was cut, for 20 minutes.

Now I don't receive this error anymore.

Now I receive this error instead: http://misc.norphf.dk/denied.PNG

It's mostly traffic to my VPN connected computer, but as you can see, there is also some traffic to 10.10.1.255.

Not sure whether this problem is related to that I have 2 TMGs and that they have their own VPN IP address assignment.

Not sure whether I should create a new thread for this :)

/nOrphf
March 2nd, 2010 2:44pm

Hi,

Due to the complexity of this issue we are unable to effectively assist with this request in the forum.

I would like to suggest that you contact Microsoft Product Support Services via telephone so that a dedicated Support Professional can assist with this request.

To obtain the phone numbers for specific technology request please take a look at the web site listed below.

http://support.microsoft.com/default.aspx?scid=fh;EN-US;PHONENUMBERS

If you are outside the US please see http://support.microsoft.com for regional support phone numbers.

Thank you for your patience and understanding.

Regards,
March 3rd, 2010 4:32am

I just reapplied the Networks, and found out that I had a faulty DNS server, so changed it to my ISP's DNS, and now it's running smoothly.

Unfortunately I don't know which one solved my problem, but I believe it was the DNS issue.

Thanks for answering.

/nOrphf

  • Marked as answer by nOrphf Friday, March 05, 2010 10:28 PM
March 6th, 2010 1:28am

No problem - and thanks for following up. The important part is that you are now operational :)
March 6th, 2010 12:30pm

In many cases IP address is spoofed because there is no valid route created for used network addresses. Remember to check your routes.
September 30th, 2013 3:35am
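
The two checks raised in this thread (the network address ranges from the reply about the local address table, and the routes from the reply above), as an added example that is not part of any post and is not TMG's own code: a simplified Python model that flags a source address unless both its configured network and its route point at the adapter the packet arrived on, plus a consistency check between ranges and routes. Adapter names, network names and the routing table are constructed; the address ranges are the ones given in the thread.

```python
import ipaddress

# Constructed model of the thread's setup; adapter and network names are assumed.
NETWORKS = {
    "Internal-1": ("nic1", [("10.10.1.0", "10.10.1.255")]),
    "Internal-3": ("nic3", [("10.10.3.0", "10.10.3.255")]),
    "Internal-10": ("nic10", [("10.10.10.0", "10.10.10.127")]),
}
# Constructed routing table: (destination prefix, outgoing adapter).
ROUTES = [("10.10.1.0/24", "nic1"), ("10.10.3.0/24", "nic3"),
          ("10.10.10.0/25", "nic10"), ("0.0.0.0/0", "ext")]

def route_adapter(ip, routes=ROUTES):
    """Longest-prefix match: the adapter the routing table uses to reach ip."""
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p), nic) for p, nic in routes
            if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def network_adapter(ip, networks=NETWORKS):
    """Adapter of the network whose ranges contain ip; 'ext' if none does."""
    addr = ipaddress.ip_address(ip)
    for nic, ranges in networks.values():
        for lo, hi in ranges:
            if ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi):
                return nic
    return "ext"

def is_spoofed(src, arrival_nic, networks=NETWORKS, routes=ROUTES):
    """Flag src unless its network and its route both match the arrival adapter."""
    return (network_adapter(src, networks) != arrival_nic
            or route_adapter(src, routes) != arrival_nic)

def range_route_mismatches(networks=NETWORKS, routes=ROUTES):
    """Probe points inside a network's ranges that are routed via another adapter."""
    bad = []
    for name, (nic, ranges) in networks.items():
        for lo, hi in ranges:
            lo_i, hi_i = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
            # Routing only changes at route-prefix boundaries, so probe those points.
            probes = {lo_i}
            for p, _ in routes:
                n = ipaddress.ip_network(p)
                probes |= {int(n.network_address), int(n.broadcast_address) + 1}
            for x in sorted(x for x in probes if lo_i <= x <= hi_i):
                via = route_adapter(str(ipaddress.ip_address(x)), routes)
                if via != nic:
                    bad.append((name, str(ipaddress.ip_address(x)), via))
    return bad
```

If the 10.10.10.x network were entered as 10.10.10.0 - 10.10.10.255 while the adapter's route is only the /25, `range_route_mismatches` reports 10.10.10.128 as routed via the external adapter, which is the kind of range/route disagreement that produces spoofing alerts.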

Had a similar issue trying to RDP to my UAG server. The client I was trying to RDP from had 2 NICs and the name resolution was being done on the IP address that I was not using to access the server, therefore it was deemed by TMG to be spoofed. I disabled the secondary card as it was no longer needed and this fixed the issue.
January 28th, 2014 10:56am

This topic is archived. No further replies will be accepted.
