Solved

Why am I getting 'Spoofed Source Address' from a Remote VPN Client?

Posted on 2005-03-08
Last Modified: 2013-11-16
I have a Watchguard Firebox 700 Firewall with multiple users connecting to it using the Mobile User VPN client.

One user is causing a 'Spoofed Source Address' message in the firewall's Traffic Monitor. The client computer was working fine before and has been setup like all other clients.
Now, it cannot connect to the network.

The computer has a Remote VPN Client Address of 192.168.11.200 and is trying to connect to 192.168.11.3. This is a sample of the Traffic Monitor messages:

03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1221 139 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1221 139 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)

Can anyone explain why this may be happening and how I may work towards fixing this?

I somewhat understand the firewall software, but overall, security technologies are not my forté.

Thank you,
btaplin
Question by:btaplin
LVL 38

Expert Comment

by:Rich Rumble
ID: 13491217
Is 192.168.11.200 not allowed in properly? What is the subnet mask of the 192.168.11.x subnet, 255.255.255.0? If it's not 255.255.255.0 then you're likely not allowing some addresses in. For instance, if the allowed-in subnet was 192.168.11.0/255.255.255.128 (or in shorthand 192.168.11.0/25) then I'm only allowing 192.168.11.1 through 127 in the firewall; if the IP of 192.168.11.200 tried to come in, it'd be denied and seen as spoofed.

Check the client for spyware and/or viruses. If you find them, and it's Windows XP or WinME, turn off System Restore, then remove the pests.
-rich
0
 
LVL 1

Author Comment

by:btaplin
ID: 13495704
Hi Rich,

Thanks for your response.

Initially I thought it was the subnet mask too. The client was reporting 255.255.255.255 on the VPN Adaptor, whereas I thought it should be 255.255.255.0, but this was not the case. I checked other clients who were having no issues whatsoever and they were also reporting 255.255.255.255.

I traced the cause of the problem to the client profile on the firewall; perhaps it was somehow corrupted. I ended up correcting the problem by completely deleting the client profile from the firewall. I then rebuilt it using exactly the same settings as before, saved the changes to the firewall and redistributed the settings file to the client. Everything is fine now.

Thanks again.
btaplin
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 13498749
No objections.
-rich
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 13527921
Closed, 250 points refunded.

modulo
Community Support Moderator
Experts Exchange
0
