[isalist] Re: VPN Clients - 0xc004002d FWX_E_UNREACHABLE_ADDRESS
- From: Jim Harrison <Jim@xxxxxxxxxxxx>
- To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 12 May 2010 05:47:01 +0000
If you selected more than one adapter, this would be the result.
Run through that weirdzard again and make sure only the Internal adapter is
selected.
Jim
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Joe Pochedley
Sent: Monday, May 10, 2010 9:27 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Clients - 0xc004002d FWX_E_UNREACHABLE_ADDRESS
Jim,
These are other errors I'm seeing, and I'm not sure why:
Error: The routing table for the network adapter LAN1 includes IP address
ranges that are not defined in the array-level network Internal, to which it is
bound. As a result, packets arriving at this network adapter from the IP
address ranges listed below or sent to these IP address ranges via this network
adapter will be dropped as spoofed. To resolve this issue, add the missing IP
address ranges to the array network.
The following IP address ranges will be dropped as spoofed:
External:10.1.6.70-10.1.6.70;
Error: The network "External" does not correlate with the network adapters that
belong to it.
Ranges in adapter "GX1" that do not belong to network "External":
10.1.6.70-10.1.6.70;
When networks are configured correctly, the IP address ranges included in each
array-level network must include all IP addresses that are routable through its
network adapters according to their routing tables. Otherwise valid packets may
be dropped as spoofed.
Note that this event may be generated once after you add a route, create a
remote site network, or configure Network Load Balancing and may be safely
ignored if it does not re-occur.
I allowed TMG to "define" the internal network by clicking Add Adapter for the
Internal network addresses. TMG automatically excluded the 10.1.6.70 address,
which is assigned to the RRAS adapter in the server. Hence, I'm not sure why
it's being fussed about.
Joe P
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Monday, May 10, 2010 11:29 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: VPN Clients - 0xc004002d FWX_E_UNREACHABLE_ADDRESS
Joe,
Look for signs of other problems in Monitoring / Alerts and in the Windows
Application event logs.
Generally, when a firewall service (or machine) restart causes "mysterious
things", it's because of policy changes that were either misapplied or not
applied at all for other reasons.
Also, make absolutely sure that you are not assigning IPs via AD user
properties that are inappropriate for the VPN clients (or quarantined VPON
clients) as you've defined those ranges to TMG.
Jim
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Joe Pochedley
Sent: Monday, May 10, 2010 7:26 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] VPN Clients - 0xc004002d FWX_E_UNREACHABLE_ADDRESS
We've got VPN (PPTP) setup through TMG, using DHCP to pull IP addresses for the
VPN clients. This is essentially the same setup we had under ISA2006...
For some reason, this past weekend the VPN began "failing" for the clients...
By failing, I mean this... Clients could connect to the TMG server, the VPN
connection is established successfully. However clients are not able to
communicate with any internal hosts. In looking at the logs, the clients
successfully send packets through TMG, and the receiving host receives the
packets (confirmed with a packet capture). However, when the internal host
tries to reply, TMG blocks the connection with the following:
Action: Denied Connection
Rule: None - see Result Code
Result Code: 0xc004002d FWX_E_UNREACHABLE_ADDRESS
Source Network: Internal
Destination network: VPN Clients
(I'll post full log entries if someone needs more info.)
So, TMG recognizes that the destination is on the VPN that it's hosting, but it
still thinks the destination IP is unreachable?
The issues seems to have started when I restarted the TMG firewall service to
update authentication forms (OWA FBA on the TMG server). I received a number
of events similar to the following in the event log:
Log Name: Application
Source: Microsoft Forefront TMG Firewall
Date: 5/8/2010 10:30:59 AM
Event ID: 21265
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Charon
Description:
The routing table for the network adapter Internal includes IP address ranges
that are not defined in the array-level network VPN Clients, to which it is
bound. As a result, packets arriving at this network adapter from the IP
address ranges listed below or sent to these IP address ranges via this network
adapter will be dropped as spoofed. To resolve this issue, add the missing IP
address ranges to the array network. The following IP address ranges will be
dropped as spoofed:
Internal:10.1.6.47-10.1.6.47,10.1.6.63-10.1.6.63,10.1.6.67-10.1.6.67,10.1.6.70-10.1.6.70,10.1.6.223-10.1.6.223,10.1.6.244-10.1.6.244,10.1.6.252-10.1.6.252;
The IP addresses listed in each error are presumably ones assigned from DHCP to
the VPN clients.
Why would restarting the firewall service cause TMG to no longer properly
recognize the VPN IP's? Obviously it's a rare occurrence where one needs to
restart the TMG firewall service, but it's something I'd done many times under
ISA 2006 with no ill effects to the VPN (aside from kicking off active clients,
of course). How do I keep it from happening in the future?
Joe Pochedley
Other related posts:
