Somewhat URGENT!! The system detected a possible attempt to compromise security

I had a few options on where to post this question, but I picked windows 2000 to be the most relevant area since it is happening on a windows 2000 server AD domain.

The issue at hand here is that I just set up a VPN connection on a sonicwall TZ170.  Finally got the sonicwall to hand out IP address information over the VPN from the AD server (runs DHCP, DNS, WINS), but when I go to browse the folders I get "The system detected a possible attempt to compromise security." (it's a bit longer than this but you get the point)

I've been reading that the error can be caused by DNS information for the ISP being loaded somewhere...but I can't figure out where it would be loaded?  The server doesn't have it loaded into the DHCP configuration, but the DNS config has it in its forwarder area so internet access works.

I set up WINS but I'm not sure if I really needed to or not.

So the question is how do I get my laptop that needs to VPN in to stop getting the "The system detected a possible attempt to compromise security" when I browse network folders?  It is XP SP2 Professional, all updated patches etc...

Thanks!
mrjking2000Asked:

Rob WilliamsCommented:
As you mentioned, all references point to DNS and authentication. Try running Windows NetDiag on the pc and see if there are any obvious problems. It is available from the Windows Resource Kit or:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/netdiag.exe
0
stafiCommented:

"I've been reading that the error can be cause by DNS information for the ISP being loaded somewhere"

The SonicWall TZ170 has a feature under "networking" that is called "DDNS" - what is configured there, if anything?
0
mrjking2000Author Commented:
Stafi, Under Dynamic DNS, there are no entries.

Robwill, I will also run that netdiag.exe to see if it tells me anything, I've never used that before so we'll see what happens.

I'll update as soon as I run the program.
0

mrjking2000Author Commented:
Okay, first, the output of the netdiag log can be found at http://www.nti-llc.net/log/ then click to download the netdiag.log file.

Funny thing this morning now is that the VPN isn't even connecting all the way.  Here is the error I get in the router now.

04/19/2006 09:04:58.784 -       Malformed or unhandled IP packet dropped -
      216.xx.xxx.xxx, 0,

Note, I replaced the IP with x for the sake of someone reading this information and using it against me.


0
Rob WilliamsCommented:
As to the initial problem I am no wiser. However,
1) *****Appears the SonicWall adapter and the local PC use the same subnet 192.168.1.0.  VPNs should have different subnets at either end of the tunnel or you will have routing issues, which could be the basis for the DNS and other issues you are having. I would try changing the IP of the remote site if possible to another subnet such as 192.168.2.0
2) I understand the VPN connection was not established, and the wireless disconnected, but do you know why there was no response from the gateway? Was the network cable connected at the time of testing? Are the gateway and DNS information correct for this adapter? Should DHCP be enabled on the laptop for switching sites?
3) Can you confirm the subnet at both sites?
0
mrjking2000Author Commented:
Okay, both sites are using the same subnet, so I will try making it a 2.xxx address.  As for the gateway not responding I do not know why.  I ran that netdiag while the VPN was holding in connecting state.  So that could be the reason.  DHCP is enabled on the laptop for ease of the user just plugging in and going.

I know that the sonicwall is using the AD domain DHCP server.  It is on 192.168.1.x and the linksys that I was using to test with is on the same subnet.  I will change it to 192.168.2.x and give it a shot.
0
Rob WilliamsCommented:
Interesting. If connected, or if "holding in connecting state", the virtual adapter may be configured to block local traffic, which would explain it. But the "Local Area Connection" appeared to have a static address and neither the gateway nor the DHCP server were reachable. Using DHCP is fine by the way.

Let me know how you make out with the different subnet. Identical subnets sometimes work when you are using a virtual adapter like this, but as a rule it is a definite no-no with VPNs.
0
mrjking2000Author Commented:
Okay, the Linksys won't let me go into a 2.x subnet, I have to stay in the 1.x.  So I manually set the IP address in the laptop and still to no avail I can't get into the VPN.  It won't even connect now, I still get the "Malformed or unhandled IP packet dropped - 216.xx.xxx.xxx, 0" error message.


0
mrjking2000Author Commented:
oh, the IP I set was 192.168.2.15
SN mask 255.255.255.0
Gateway 192.168.1.1
DNS 216.17.128.1 & 128.2

Was able to get online right away and browse MSN.com.  But still no VPN connection
0
mrjking2000Author Commented:
P.S. goto http://nti-llc.net/log/routerlog.jpg for the actual router log.

again I blurred out my IP addresses intentionally for those uh...honest folk...you know.
0
Rob WilliamsCommented:
Is the gateway above correct if using the 192.168.2.0 subnet? I am surprised you can connect; it should be 192.168.2.1 or similar.
We are out of my league here, but the malformed packets appear to be outgoing IGMP multicast packets being sent to 224.0.0.2, which is directed at all routers. I am not familiar with the SonicWall routers, but looking at the online manual you should be able to disable that, if enabled, by going to the Network section, on the routing page, and un-checking/disabling RIPv1 and RIPv2.
Based on what you have told me there is no need for that.
However, this should have nothing to do with your VPN connection.
0
mrjking2000Author Commented:
well that is where my problems come to play.  I can't change that linksys router...so what I think I'm going to do is hook the laptop directly up to the dsl gateway.  That is on the 192.168.0.x subnet.  I'll post my results soon.
0
Rob WilliamsCommented:
>>" going to do is hook the laptop directly up to the dsl gateway.  That is on the 192.168.0.x subnet."
Bingo !
I was referring to the LAN IP of the Linksys, which still has to be changed. But you are saying the WAN port of the Linksys and the modem are in the 192.168.0.0 subnet. This is a private, not public, IP, and means your modem is a combined modem and router, performing NAT (Network Address Translation). Doing as you suggested should resolve the dual subnet issue and may solve the VPN problem. If you wish to re-connect the Linksys you will need to change its LAN IP, and put the modem in bridge mode. This in turn will mean you need to configure the WAN page of the Linksys with the appropriate ISP information: dynamic, static, PPPoE, etc. By doing so you eliminate the NAT function of the modem.
0
mrjking2000Author Commented:
The DSL gateway is running bridged mode, but I think the NAT is still turned on.  I was having complications getting the laptop to take a public IP address to the world, but I did manage to get the router onto the 168.2.x subnet.  I got the VPN to connect but it assigned a 223.0.0.1 IP and not one from the DHCP server.

I'm going to get that laptop directly online through that dsl gateway one way or another.  Let me ask you this, should I turn off NAT on the bridged dsl gateway altogether?  I think the sonicwall is running NAT anyway.
0
Rob WilliamsCommented:
NAT on the DSL is fine so long as you are not using the Linksys. The problem occurs when you have 2 NAT devices. Maybe go that route and don't worry about the bridging until the VPN is working.
0
mrjking2000Author Commented:
Well this is making me happy!  I just got onto the VPN, it assigned me an IP address, and I opened a file.  But my vbs logon script isn't executing on the laptop even though the "execute domain logon script when connection is established" is turned on.

Hooray, the VPN is letting me do things!!
Any ideas on how to make my VBS script work now through the VPN?
0
mrjking2000Author Commented:
the updated netdiag log is posted too so you can see the difference.

same location as last time, http://www.nti-llc.net/log

This time netdiag2.log
0
Rob WilliamsCommented:
Generally logon scripts won't work because they are executed at logon, and at logon you don't have a connection to the server. That is one advantage of a hardware-to-hardware VPN. The workaround is usually to have a copy of the script on your desktop; after the VPN is established, click on it to run. You mention "execute domain logon script when connection is established" is turned on. I am not familiar with that. I assume this is part of the SonicWall VPN client??? If so the client may have to have the location of the script entered in the client configuration, so it can run it after establishing the VPN. If DNS is not working properly (see below) it may have that information but not be able to find it.

As for NetDiag results, looking better. I would say the balance of the problems are related to DNS. For test purposes, if nothing else, try making your DC the primary DNS server on the "local area connection" adapter. Also, on the Sonic/virtual adapter and on the "local area connection" adapters try adding the domain suffix, like MyDomain.abc on the TCP/IP properties under advanced, DNS, "DNS suffix for this connection". After doing so you need to reboot or enter on the laptop:
ipconfig  /flushdns
ipconfig  /registerdns

One last thing you could try is moving the Sonic/virtual adapter to the top of the Binding list. To do so open Network connections and on the menu bar, choose advanced, advanced settings, adapter and bindings, connections.
0
mrjking2000Author Commented:
Excellent suggestions.  Yes the "execute domain logon script" is part of the sonicwall Global VPN client software package.  I was messing around with a .bat login script on the laptop and it gave an error about multiple connections to the server.

Right now the laptop is in use in a meeting which will run the rest of the day.  So for now it is working as far as VPN goes.  And I explained how to go the back way into the server.  Basically My Computer, change address bar to \\harley and all works well.

I'm going to leave this open for a couple of days until I play with it some more.  I will be out of town tomorrow all day so no chance to work on it more.  The one last thing I know I have to do is at the remote site...they run on the same 192.168.1.x subnet, so I am going to have to change it to a 2.x SN.  Can I program a Linksys router to run on a totally different IP range?  Like a 10.10.x.x address so I know for a fact there will never be any conflicts?

Thanks for all the help.  Can't thank you enough...Experts Exchange has saved the day again!
0
Rob WilliamsCommented:
>>"Can I program a linksys router to run on a totally different IP range?  like a 10.10.x.x address so I know for a fact there will never be any conflicts?"
Certainly. You can use any private IP address scheme;
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Though it can be a big job to change, I like to have the main office on something that is not common. That way when you have a user in a hotel in Siberia, there is an almost zero chance of a conflict with the hotel router. Most places use the defaults, which are 192.168.0.0, 192.168.1.0, 192.168.2.0, 192.168.100.0, 192.168.111.0, and 10.0.0.0.  I'll often use part of the client's address or phone number as the 3rd octet so I can remember it. 172.16.0.0 - 172.31.255.255 is probably the least common. Your problem may have been the 2 NAT devices and your client might be OK with similar subnets. Some VPNs, where the client creates a virtual adapter, work OK in those situations. I am not familiar enough with SonicWall to say.

I am very curious about the "execute domain logon script when connection is established" feature. Very useful. If I get a chance I will look into that further.

Let me know how you make out.
--Rob
0
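Two of the checks discussed in this thread (overlapping LANs at the two ends of the tunnel, and a gateway that is not on the laptop's subnet) are easy to automate. The following is an added example written for this page, not SonicWall, Linksys or Experts Exchange code; the "common default" subnet list is the one Rob gave above, and the candidate office range it proposes comes from his remark that 172.16.0.0/12 is the least used.

```python
"""Added example: VPN address-plan sanity checks with the standard library.
Checks tunnel-endpoint overlap, gateway placement, and proposes a less
common RFC 1918 subnet for the office. Illustrative only."""
import ipaddress
from typing import List, Optional

# Private ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# LAN defaults named in the thread: ranges a remote user's home or hotel
# router is likely to be using, so the office should avoid them.
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in (
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
    "192.168.100.0/24", "192.168.111.0/24", "10.0.0.0/24")]


def tunnel_endpoints_conflict(local: str, remote: str) -> bool:
    """True when the LAN ranges at the two ends of the tunnel overlap,
    the routing problem in the thread (192.168.1.0/24 at both ends).
    Accepts host addresses with a prefix, e.g. '192.168.2.15/24'."""
    a = ipaddress.ip_network(local, strict=False)
    b = ipaddress.ip_network(remote, strict=False)
    return a.overlaps(b)


def gateway_on_subnet(host_ip: str, netmask: str, gateway: str) -> bool:
    """True when the default gateway lies inside the host's own subnet.
    A host at 192.168.2.15/255.255.255.0 cannot reach 192.168.1.1 directly,
    which is the mismatch queried in the thread."""
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    return ipaddress.ip_address(gateway) in iface.network


def is_private(net: str) -> bool:
    """True when the range is RFC 1918 space (e.g. the 192.168.0.0 seen on the
    modem's LAN side, which told Rob the modem was also doing NAT)."""
    n = ipaddress.ip_network(net, strict=False)
    return any(n.subnet_of(r) for r in RFC1918)


def suggest_office_subnet(avoid: List[str], prefixlen: int = 24) -> Optional[str]:
    """Return the first subnet of the given size inside 172.16.0.0/12 that
    overlaps neither the caller's existing ranges nor the common defaults."""
    avoid_nets = [ipaddress.ip_network(a, strict=False) for a in avoid]
    avoid_nets += COMMON_DEFAULTS
    for candidate in RFC1918[1].subnets(new_prefix=prefixlen):
        if not any(candidate.overlaps(x) for x in avoid_nets):
            return str(candidate)
    return None


if __name__ == "__main__":
    # Values from the thread: both sites on 192.168.1.0/24, laptop hand-set
    # to 192.168.2.15 with gateway 192.168.1.1.
    print("endpoints conflict:",
          tunnel_endpoints_conflict("192.168.1.0/24", "192.168.1.0/24"))
    print("gateway reachable:",
          gateway_on_subnet("192.168.2.15", "255.255.255.0", "192.168.1.1"))
    print("suggested office subnet:", suggest_office_subnet(["192.168.1.0/24"]))
```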
mrjking2000Author Commented:
Sounds good, I will most likely change both my home and his home to the uncommon 172.16.x.x scheme.  Probably take a good 20-30 minutes to reconfigure everything.

Right now the dsl gateway is still running NAT, and the sonicwall is running a NAT'd WAN IP as well.  And it worked when I connected.

thanks again, I'll post updated info when I get the user online at their house.
0
mrjking2000Author Commented:
Rob,

All is working, although I still have some minor buggy things going on.  I.E. occasionally the server won't let me into it even after entering the user/password, slow VPN connection speeds...things like that.  But the original question at hand was solved.

If you have any clues as to why I keep getting the error "the domain detected a possible compromise to security" and "multiple connections to the server are not permitted" (I think this is almost word for word on the errors) I think that we'd be good to go if these were solved.

I can ask these in a new question or maybe we can continue this one for a few more threads.

Thanks!
0
Rob WilliamsCommented:
Thanks mrjking2000. Glad to hear you have it working.
The "multiple connections to the server are not permitted" error can be due to trying to map the same drive letter or access the same folder with 2 different user names. I haven't seen it for a while, but as I recall it's a little "weird". However, I do recall when I did have it, completely removing all drive mappings from the PC, rebooting and re-creating with the current logon credentials resolved it. You could try that.
--Rob
0
mrjking2000Author Commented:
Hmm, I will give that a shot, and if I can't get it solved I'll go ahead and post a new question.

I figured it may have something to do with domain security policy...the username in question has admin rights to the domain.  But he is not using the administrator logon.

Thanks!
0
Rob WilliamsCommented:
>>"username in question has admin rights to the domain.  But he is not using the administrator logon."
Do you mean logging on with one name and accessing resources with another? That would do it.
0
mrjking2000Author Commented:
No, the laptop signs in as (for example) "johnny", then when you click on the mapped drive I get the security compromised error, but the back way in is to go into My Computer, then change the address bar to \\harley.  After you do that a user/password box appears, then he types in "johnny" and the password and gets right in.

But the username is a member of the administrator's group, as is mine.  The other users are just regular no power sign-ins.  They can just open and save documents.
0
Rob WilliamsCommented:
I still suspect your problem is the existing drive mappings. If possible try removing them completely and re-creating. As for admins and users, that error message is independent of the user's privileges; it indicates trying to establish a connection to the same resource with 2 different sets of credentials. This may not actually be the case, but it may be a corrupted mapping that appears as such.
I have also seen the error message when the computer is removed from a domain and rejoined; again it is the drive mappings causing the issue.
What is the exact "multiple connections to the server are not permitted" message? I can't seem to find anything on that and I have dealt with it several times in the past.
0
mrjking2000Author Commented:
Well, I can't find the exact text that the actual message had, but the laptop held these in the event viewer.

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            4/24/2006
Time:            9:02:33 PM
User:            N/A
Computer:      RANDYLAPTOP
Description:
The Security System could not establish a secured connection with the server cifs/harley.office.kingcontracting.local.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.





Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            4/24/2006
Time:            9:02:33 PM
User:            N/A
Computer:      RANDYLAPTOP
Description:
The Security System detected an attempted downgrade attack for server cifs/harley.office.kingcontracting.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
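The two LSASRV warnings above are what a SOC analyst would see if this laptop's event log were being collected, and the failure code is what separates a connectivity problem from a real credential attack. The following is an added example written for this page (not Microsoft tooling or anything from the thread): it parses an Event Viewer text dump like the one posted, pulls out the event ID, target SPN and Kerberos NTSTATUS code, and classifies the likely cause; the sample text is constructed from the events above and the NTSTATUS names are the documented Windows values.

```python
"""Added example: triage LSASRV/SPNEGO 40960 and 40961 warnings from an
Event Viewer text export. Constructed sample, illustrative code only."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed to match the two events pasted in the thread (trimmed).
SAMPLE_EVENTS = """\
Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Computer:      RANDYLAPTOP
Description:
The Security System could not establish a secured connection with the server cifs/harley.office.kingcontracting.local.  No authentication protocol was available.

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Computer:      RANDYLAPTOP
Description:
The Security System detected an attempted downgrade attack for server cifs/harley.office.kingcontracting.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".
"""

# Kerberos NTSTATUS codes and what they usually mean for triage. 0xC000005E is
# the one in the post; the other two are common and equally well documented.
INFRA_CODES = {
    0xC000005E: "STATUS_NO_LOGON_SERVERS: no DC reachable; check DNS SRV records and VPN routing",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC: clock skew between client and DC",
}
CREDENTIAL_CODES = {0xC000006D: "STATUS_LOGON_FAILURE: bad or stale credentials"}

FIELD = re.compile(r"^(Event ID|Computer):\s+(\S+)", re.M)
SPN = re.compile(r"\b(cifs|host|ldap)/([\w.-]+)", re.I)
CODE = re.compile(r"\(0x([0-9a-fA-F]{8})\)")


@dataclass
class LsasrvEvent:
    event_id: int
    computer: str
    spn: Optional[str]
    failure_code: Optional[int]


def parse_events(text: str) -> List[LsasrvEvent]:
    """Split the export on blank lines and keep LSASRV records only."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        if "LSASRV" not in block:
            continue
        fields = dict(FIELD.findall(block))
        spn, code = SPN.search(block), CODE.search(block)
        events.append(LsasrvEvent(
            event_id=int(fields["Event ID"]),
            computer=fields.get("Computer", "?"),
            spn=f"{spn.group(1).lower()}/{spn.group(2).rstrip('.')}" if spn else None,
            failure_code=int(code.group(1), 16) if code else None))
    return events


def triage(ev: LsasrvEvent) -> str:
    """40960 = Kerberos failed and SPNEGO tried to fall back; the code decides
    whether that looks like infrastructure, credentials, or needs a closer look."""
    if ev.event_id == 40960 and ev.failure_code in INFRA_CODES:
        return "infrastructure: " + INFRA_CODES[ev.failure_code]
    if ev.event_id == 40960 and ev.failure_code in CREDENTIAL_CODES:
        return "credentials: " + CREDENTIAL_CODES[ev.failure_code]
    if ev.event_id == 40960:
        return "investigate: downgrade with unexpected code 0x%08X" % (ev.failure_code or 0)
    if ev.event_id == 40961:
        return "no common protocol; usually follows a 40960 for the same SPN"
    return "unrecognised LSASRV event"
```

Run against a real export, a 40960 carrying 0xC000005E on a VPN client points at DNS or routing to the DC rather than at a downgrade attack, which is the conclusion the thread reaches by hand.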
Rob WilliamsCommented:
A few things I found.
-Verify the time on the local machine agrees with that doing the authentication
-If the user's password has changed and is still logged into another machine with the old password
-If there is a scheduled event on the local machine trying to access/authenticate to the server using an old account or conflicting account
0
mrjking2000Author Commented:
The time syncs up with the logon script, and I haven't seen any errors saying it failed in the event log.  The password is synced properly too, and there should not be any scheduled events.

I was messing around with the server security this morning on the "digitally encrypt client"/"server" connection under domain security policy.  None of that was set, but I changed it to "when possible" and we'll see what that does.

The other complaint I'm hearing is that it takes forever to open files.
0
mrjking2000Author Commented:
One more thing, I just ran nslookup on my workstation (not the laptop) and I got this:

P:\>nslookup
*** Can't find server name for address 192.168.1.100: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  192.168.1.100

this doesn't look right to me.
0
Rob WilliamsCommented:
The above inability to resolve and slow opening of files would tend to indicate a DNS issue. Assuming the above is when the VPN is connected;
-Is the laptop a member of the domain? If not, try adding the domain name and suffix to the DNS tab of the network adapter's DNS configuration under advanced TCP/IP properties
-If not already there, add the corporate DNS server as the primary DNS server in the network adapter's TCP/IP properties
-Is 192.168.1.100 your DNS server or a router? Perhaps DNS is pointing to the wrong device.
0
mrjking2000Author Commented:
1.100 is the DNS server, DHCP server, WINS server (which I don't think I need), and the 2000 active directory Domain Controller.  So it's doing a lot...

I will add the name and suffix to the advanced properties tab and will have to report back.
0
mrjking2000Author Commented:
Okay, all the above did not yield any faster of a connection.  From all the checks that have been done, all the DNS should be set up correctly.  I am truly stumped.
0
Rob WilliamsCommented:
The nslookup failure would almost definitely indicate a DNS issue of some sort, though I too have no other ideas. You could try running the netdiag utility from the Windows Resource Kit on the workstations in question. It often points out connection or DNS issues. Also available from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/netdiag.exe
0
mrjking2000Author Commented:
Well, I can't thank you enough for the ideas.  I am going to post a new question to see if we can get this sped up a bit.  I have spoken with other companies that I know in town and their VPNs are super fast.  So we have something that I just can't find hiding in a setting somewhere.

Thanks again!
0
Rob WilliamsCommented:
Very welcome. New question is a good idea, it will stir up some new answers by others.
Good luck,
--Rob
0
Rob WilliamsCommented:
mrjking2000, saw your new question in the VPN topic area. Try adding a 20 point "pointer question" in the networking TA. Mention the DNS issue, you will probably get a lot more responses.
http://www.experts-exchange.com/help.jsp#hi262
--Rob
0