[isalist] E-mail alerts from an ISA server when a user attempts to connect with a wrong password.

  • From: "Glenn P. JOHNSTON" <glenn.johnston@xxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 4 Apr 2006 12:11:52 +1000

Hi, 

Strange problem with an ISA server / VPN inbound.

When a user connects from the Internet using the correct domain / username / 
password there are no issues and no alerts from the ISA server; the user connects and can access 
internal servers / e-mail / web browse exactly as you would expect.

If they enter a CORRECT domain / username, but an INCORRECT password, the ISA 
server sends the following alerts.

The internal address range for the LAN is 192.168.1.0/24, the internal address 
of the ISA server is 192.168.1.1, the Internet connects to a hardware router 
with port forwarding which NATs the Internet side to 10.1.1.1, and the external 
interface on the ISA server is 10.1.1.2.

There is nothing on the network on address 192.168.2.103 !

First it sends a:

ISA Server name: EBG-ISA

The VPN connection attempt by user EBG\glenn.johnston from VPN client IP 
address 60.240.40.192 could not be established.
 The failure is due to error: 0xc0040021

This is expected when this alert is active.

Then, over a period of 3 - 4 minutes, it sends several hundred copies of the 
following, which is not expected, always referring to address 192.168.2.103:

ISA Server name: EBG-ISA

ISA Server detected a spoof attack from Internet Protocol (IP) address 
192.168.2.103. A spoof attack occurs when an IP address that is not reachable 
via the interface on which the packet was received. If logging for dropped 
packets is set, you can view details in the packet filter log.

Then, about 2 or 3 minutes after the spoof attack e-mails stop, it sends a final:

ISA Server name: EBG-ISA

ISA Server disconnected the following client: 60.240.40.192  because its 
connection limit was exceeded. For more information about this event, see the 
Windows event viewer.
The VPN client on the notebook is set not to retry on connect failure. 
And there is nothing in the event viewer referring to the connection limit 
being exceeded.

What's going on?

It's not causing any operational issues; if the user attempts to connect again 
with the correct password, they connect straight in, even while the spoof 
messages are being sent. But it's driving me crazy: I know something is not 
right, but cannot work out what.
Regards
Glenn
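Added example, not from the post above and not ISA Server's own tooling: a small Python triage script that parses alert e-mail bodies in the three formats quoted in the post (VPN failure, spoof attack, connection-limit disconnect), collapses a burst of identical spoof alerts into one counted entry, attaches the burst and the disconnect to the VPN failure that preceded them, and flags any "spoofed" source address that falls outside the interface networks the post describes (ISA's own alert text defines a spoof as an address not reachable via the receiving interface). The timestamps, the /24 assumed for the 10.1.1.x external segment, and the sample alert stream are constructed for the example.

```python
"""Correlate ISA Server alert e-mails into incidents (added example)."""
import re
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the internal LAN from the post plus a /24 for the external
# segment (the post only names 10.1.1.1 and 10.1.1.2, not a mask).
KNOWN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24"),
                  ipaddress.ip_network("10.1.1.0/24")]

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"   # strict, so a trailing "." is not captured

# Patterns built from the three alert texts quoted in the post.
PATTERNS = {
    "vpn_failure": re.compile(
        r"VPN connection attempt by user (?P<user>\S+) from VPN client IP\s+"
        r"address " + IP + r" could not be established\.\s+"
        r"The failure is due to error: (?P<code>0x[0-9a-fA-F]+)"),
    "spoof": re.compile(
        r"spoof attack from Internet Protocol \(IP\) address\s+" + IP),
    "conn_limit": re.compile(
        r"disconnected the following client: " + IP + r"\s+because its\s+"
        r"connection limit was exceeded"),
}


@dataclass
class Alert:
    ts: datetime
    server: str
    kind: str      # vpn_failure | spoof | conn_limit | unknown
    ip: str
    detail: dict   # extra captured fields, e.g. user and error code


def parse_alert(ts, body):
    """Classify one alert e-mail body and pull out the addresses it names."""
    m = re.search(r"ISA Server name: (\S+)", body)
    server = m.group(1) if m else "?"
    for kind, pat in PATTERNS.items():
        m = pat.search(body)
        if m:
            fields = m.groupdict()
            return Alert(ts, server, kind, fields.pop("ip"), fields)
    return Alert(ts, server, "unknown", "", {})


def correlate(alerts, window=timedelta(minutes=10)):
    """A VPN failure always opens a new incident; anything else joins the
    current incident if it arrived within `window` of that incident's start."""
    incidents, cur = [], None
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.kind == "vpn_failure" or cur is None or a.ts - cur["start"] > window:
            cur = {"start": a.ts, "end": a.ts, "trigger": a,
                   "spoof": {}, "conn_limit": [], "other": []}
            incidents.append(cur)
        cur["end"] = max(cur["end"], a.ts)
        if a.kind == "spoof":
            s = cur["spoof"].setdefault(a.ip, {"count": 0, "first": a.ts, "last": a.ts})
            s["count"] += 1
            s["last"] = a.ts
        elif a.kind == "conn_limit":
            cur["conn_limit"].append(a)
        elif a.kind != "vpn_failure":
            cur["other"].append(a)
    return incidents


def summarize(inc):
    """Flatten an incident into a dict an operator (or a test) can read."""
    trig = inc["trigger"]
    return {
        "start": inc["start"].isoformat(), "end": inc["end"].isoformat(),
        "trigger_kind": trig.kind,
        "trigger": {"ip": trig.ip, **trig.detail},
        "spoof": {ip: s["count"] for ip, s in inc["spoof"].items()},
        "conn_limit_clients": [a.ip for a in inc["conn_limit"]],
        # spoof sources that belong to none of the interface networks
        "unroutable_spoof_sources": [
            ip for ip in inc["spoof"]
            if not any(ipaddress.ip_address(ip) in n for n in KNOWN_NETWORKS)],
    }


# Constructed alert bodies, copied from the wording quoted in the post.
VPN_FAILURE_BODY = ("ISA Server name: EBG-ISA\n\n"
    "The VPN connection attempt by user EBG\\glenn.johnston from VPN client IP\n"
    "address 60.240.40.192 could not be established.\n"
    " The failure is due to error: 0xc0040021\n")
SPOOF_BODY = ("ISA Server name: EBG-ISA\n\n"
    "ISA Server detected a spoof attack from Internet Protocol (IP) address\n"
    "192.168.2.103. A spoof attack occurs when an IP address that is not reachable\n"
    "via the interface on which the packet was received.\n")
CONN_LIMIT_BODY = ("ISA Server name: EBG-ISA\n\n"
    "ISA Server disconnected the following client: 60.240.40.192  because its\n"
    "connection limit was exceeded. For more information about this event, see the\n"
    "Windows event viewer.\n")


def sample_alerts():
    """Constructed timeline modelled on the sequence the post describes."""
    t0 = datetime(2006, 4, 4, 11, 30, 0)
    alerts = [parse_alert(t0, VPN_FAILURE_BODY)]
    for i in range(300):   # ~300 spoof alerts spread over about 4 minutes
        alerts.append(parse_alert(t0 + timedelta(seconds=5 + i * 0.8), SPOOF_BODY))
    alerts.append(parse_alert(t0 + timedelta(minutes=7), CONN_LIMIT_BODY))
    # an unrelated spoof alert much later, to show it does not get attached
    alerts.append(parse_alert(t0 + timedelta(minutes=40), SPOOF_BODY))
    return alerts


def demo_incidents():
    return correlate(sample_alerts())


if __name__ == "__main__":
    for inc in demo_incidents():
        print(summarize(inc))
```

Run against the real mailbox, the only change needed is feeding `parse_alert` each message's received time and body; the summary then shows at a glance how many spoof alerts one failed logon produced, from which address, and whether that address is one any interface could legitimately have received.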
