Archive

Archive for the ‘ISA 2006’ Category

ISA 2006 WMI Monitoring: FWX_E_FWE_SPOOFING_PACKET_DROPPED errors.

October 5, 2009 1 comment

Goal: Setup Monitoring Server using WMI, Script and RPC access.

I am running ISA 2006 SP1 Enterprise in an Enterprise Array.  I have 4 ISA servers that have a Hardware Load Balancer out in front.  NLB integration is not enabled as the LB is doing this work. The ISA servers have 2 network cards, one for the External Network (The Internet) and one for the Internal Network.  (Internal Trusted Network(DMZ)). The External NICS have a default gateway defined.  The Internal NICS do not.

I have added persistent, static routes to the routing table for VLANs within the trusted network (internal).  The Internal NICs use these routes.
Persistent Routes:  (examples)
  Network Address          Netmask               Gateway Address  Metric
  252.560.156.128          255.255.255.224   252.506.331.62       1
  122.506.12.0               255.255.255.0      252.506.331.62       1
  252.506.328.128          255.255.255.224   252.506.331.62       1
  252.506.330.0             255.255.255.128   252.506.331.62       1

I have added these Static routes to the Internal network ranges. Not the 252.506.331.62 subnet is the default gateway of the Internal NIC assigned VLAN.  These IPs are for example only.

image

To add static routes: route add -p 252.506.328.0 Mask 255.255.255.128 252.506.331.62

The WMI\Monitoring server is located\associated in these static routes.  The gateway address needs to be the default gateway of the Internal NIC VLAN.

I have created an Allow rule for all Outbound traffic from the Monitoring server to the LocalHosts.  I have also disabled RPC Filtering.

When I attempt to run a WMI script, I get this error in the ISA 2006 logs:
RPC (all interfaces)    Denied Connection    0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED

I am able to ping the Monitoring server from the ISA Array and vice versa.  I can successfully retrieve WMI settings from the ISA servers to the Monitoring server, but not both directions.

What I have found is Network traffic has two definitions regarding ISA and its packet filtering.  Either it is External or Internal traffic.  External (The world) and Internal (our DMZ).  An IP address cannot be associated to both.  The FWX_E_FWE_SPOOFING_PACKET_DROPPED error means that IP traffic is being forwarded to the network interface that is not expecting traffic from that IP address range.  If ISA sees traffic come in thru the External interface and route back out thru the External interface and is destined to an internal IP, it will be tagged as spoofed and blocked.  ISA requires it go thru in Internal interface if it is destined to an internal resource.  The issue is the ISA FQDN is associated to the External interface, which is the default.  This makes routing in a dual homed environment one big pain.

THE FIX:
To overcome this:
  • Add Static routes to the internal network routing table to reflect internal VLANs and subnets. (Internal NIC)

  • Create an Allow rule from the Monitoring Server to access the LocalHost (ISA)
  • Remove the RPC Filters from the Allow rule.  (Leave Enforce Strict RPC compliance alone with the Enterprise Rules)

  • Add static entries in the host file on both the ISA Servers and on the Monitoring Server, for each others DNS entries.
  • The Monitoring servers must have their host file entries reflect the Internal NIC IP for DNS.  (For reverse DNS Lookups, etc)
  • Double check your static routing table- use: Route Print to determine existing settings….

Advertisements
Categories: ISA 2006