btaplin

Why am I getting 'Spoofed Source Address' from a Remote VPN Client?

I have a Watchguard Firebox 700 Firewall with multiple users connecting to it using the Mobile User VPN client.

One user is causing a 'Spoofed Source Address' message in the firewall's Traffic Monitor. The client computer was working fine before and has been set up like all other clients.
Now, it cannot connect to the network.

The computer has a Remote VPN Client Address of 192.168.11.200 and is trying to connect to 192.168.11.3. This is a sample of the Traffic Monitor messages:

03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1221 139 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1221 139 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)

Can anyone explain why this may be happening and how I may work towards fixing this?

I somewhat understand the firewall software, but overall, security technologies are not my forté.

Thank you,
btaplin
Rich Rumble

Is 192.168.11.200 not allowed in properly? What is the subnet mask of the 192.168.11.x subnet, 255.255.255.0? If it's not 255.255.255.0 then you're likely not allowing some addresses in. For instance, if the allowed-in subnet was 192.168.11.0/255.255.255.128 (or in shorthand 192.168.11.0/25) then I'm only allowing 192.168.11.1 through 127 in the firewall; if the IP of 192.168.11.200 tried to come in, it'd be denied and seen as spoofed.

Check the client for spyware and/or viruses. If you find them, and it's Windows XP or WinME, turn off System Restore then remove the pests.
-rich
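
The subnet check described in the reply above can be run against the log itself. This is an added example, not part of the original thread and not WatchGuard's own logic: it parses the Traffic Monitor lines quoted in the question (field layout inferred from those lines only; the function names are hypothetical) and tests each flagged source against a candidate allowed network.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: lines taken from the Traffic Monitor excerpt in the question.
SAMPLE_LOG = """\
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1221 139 syn (spoofed source address)
03/08/05 09:48  firewalld[100]:  deny in ipsec0 48 tcp 20 128 192.168.11.200 192.168.11.3 1219 445 syn (spoofed source address)
"""

# Assumption: layout inferred from the sample lines. The three numeric fields
# around the protocol are skipped because the page does not name them.
LINE_RE = re.compile(
    r"firewalld\[\d+\]:\s+(?P<action>\w+)\s+(?P<direction>\w+)\s+(?P<iface>\S+)\s+"
    r"\d+\s+(?P<proto>\w+)\s+\d+\s+\d+\s+"
    r"(?P<src>\d+(?:\.\d+){3})\s+(?P<dst>\d+(?:\.\d+){3})\s+"
    r"(?P<sport>\d+)\s+(?P<dport>\d+)\s+.*\((?P<reason>[^)]*)\)\s*$"
)

def spoofed_sources(log_text):
    """Count 'spoofed source address' denials per (interface, source IP)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["action"] == "deny" and m["reason"] == "spoofed source address":
            hits[(m["iface"], m["src"])] += 1
    return hits

def check_against(allowed, log_text):
    """For each flagged source, report whether it lies inside `allowed`."""
    net = ipaddress.ip_network(allowed)  # accepts /25 or /255.255.255.128
    report = []
    for (iface, src), count in sorted(spoofed_sources(log_text).items()):
        inside = ipaddress.ip_address(src) in net
        report.append({"iface": iface, "src": src, "denials": count,
                       "allowed_net": str(net), "first_addr": str(net[0]),
                       "last_addr": str(net[-1]), "inside": inside})
    return report

if __name__ == "__main__":
    for candidate in ("192.168.11.0/255.255.255.128", "192.168.11.0/24"):
        for row in check_against(candidate, SAMPLE_LOG):
            print(row)
```

A source reported as outside the candidate network matches the mask scenario in the reply; a source reported as inside means the mask alone does not explain the denial.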
btaplin (ASKER)

Hi Rich,

Thanks for your response.

Initially I thought it was the subnet mask too. The client was reporting 255.255.255.255 on the VPN Adaptor, whereas I thought it should be 255.255.255.0, but this was not the case. I checked other clients who were having no issues whatsoever and they were also reporting 255.255.255.255.

I traced the cause of the problem to the client profile on the firewall; perhaps it was somehow corrupted. I ended up correcting the problem by completely deleting the client profile from the firewall. I then rebuilt it using exactly the same settings as before, saved the changes to the firewall and redistributed the settings file to the client. Everything is fine now.

Thanks again.
btaplin
no objections.
-rich