
Why am I getting 'Spoofed Source Address' from a Remote VPN Client?

Posted on 2005-03-08
Last Modified: 2013-11-16
I have a WatchGuard Firebox 700 Firewall with multiple users connecting to it using the Mobile User VPN client.

One user is causing a 'Spoofed Source Address' message in the firewall's Traffic Monitor. The client computer was working fine before and has been set up like all other clients.
Now, it cannot connect to the network.

The computer has a Remote VPN Client Address of 192.168.11.200 and is trying to connect to 192.168.11.3. This is a sample of the Traffic Monitor messages:

03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1221 139 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1221 139 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)

Can anyone explain why this may be happening and how I may work towards fixing this?

I somewhat understand the firewall software, but overall, security technologies are not my forté.

Thank you,
btaplin
Question by:btaplin
Expert Comment

by:Rich Rumble
ID: 13491217
Is 192.168.11.200 not allowed in properly? What is the subnet mask of the 192.168.11.x subnet, 255.255.255.0? If it's not 255.255.255.0 then you're likely not allowing some addresses in. For instance, if the allowed-in subnet was 192.168.11.0/255.255.255.128 (or in shorthand 192.168.11.0/25) then I'm only allowing 192.168.11.1 through 127 in the firewall; if the IP of 192.168.11.200 tried to come in, it'd be denied and seen as spoofed.

Check the client for spyware and/or viruses. If you find them, and it's Windows XP or WinME, turn off System Restore then remove the pests.
-rich
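
The subnet check suggested in the reply above, run over the Traffic Monitor lines from the question, as an added example that is not part of the original thread. The log field layout is inferred from the sample lines, and the two allowed ranges are assumptions for illustration; substitute the range actually configured for the VPN clients.

```python
import ipaddress
import re
from collections import Counter

# Lines copied from the Traffic Monitor sample in the question.
SAMPLE_LOG = """\
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1221 139 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1221 139 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)
"""

# Field layout inferred from the sample lines above; the three numeric
# fields around the protocol are skipped rather than interpreted.
DENY_RE = re.compile(
    r"firewalld\[\d+\]:\s+deny\s+in\s+(?P<iface>\S+)\s+\d+\s+(?P<proto>\w+)\s+\d+\s+\d+\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+\S+\s+\((?P<reason>[^)]*)\)"
)

def spoof_denies(log_text):
    """Count (iface, src, dst, dport) for each 'spoofed source address' deny."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m and m["reason"] == "spoofed source address":
            hits[(m["iface"], m["src"], m["dst"], int(m["dport"]))] += 1
    return hits

def check_sources(hits, allowed_cidr):
    """Return {src: bool}: is each denied source inside allowed_cidr?"""
    net = ipaddress.ip_network(allowed_cidr, strict=False)
    return {src: ipaddress.ip_address(src) in net for (_, src, _, _) in hits}

if __name__ == "__main__":
    hits = spoof_denies(SAMPLE_LOG)
    for key, n in sorted(hits.items()):
        print(n, key)
    # Hypothetical allowed ranges: the /25 from the reply versus a full /24.
    for cidr in ("192.168.11.0/255.255.255.128", "192.168.11.0/24"):
        print(cidr, check_sources(hits, cidr))
```

A denied source that falls outside the configured range fits the subnet-mask explanation; one that falls inside it while still being logged as spoofed points to a different cause.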
Author Comment

by:btaplin
ID: 13495704
Hi Rich,

Thanks for your response.

Initially I thought it was the subnet mask too. The client was reporting 255.255.255.255 on the VPN Adaptor, whereas I thought it should be 255.255.255.0, but this was not the case. I checked other clients who were having no issues whatsoever and they were also reporting 255.255.255.255.

I traced the cause of the problem to the client profile on the firewall; perhaps it was somehow corrupted. I ended up correcting the problem by completely deleting the client profile from the firewall. I then rebuilt it using exactly the same settings as before, saved the changes to the firewall and redistributed the settings file to the client. Everything is fine now.

Thanks again.
btaplin
Expert Comment

by:Rich Rumble
ID: 13498749
No objections.
-rich
Accepted Solution

by:
modulo earned 0 total points
ID: 13527921
Closed, 250 points refunded.

modulo
Community Support Moderator
Experts Exchange