
Solved

Somewhat URGENT!! The system detected a possible attempt to compromise security

Posted on 2006-04-18
Medium Priority
7,368 Views
Last Modified: 2010-09-01
I had a few options on where to post this question, but I picked windows 2000 to be the most relevant area since it is happening on a windows 2000 server AD domain.

The issue at hand here is that I just set up a VPN connection on a sonicwall TZ170.  Finally got the sonicwall to hand out IP address information over the VPN from the AD server (runs DHCP, DNS, WINS), but when I go to browse the folders I get "The system detected a possible attempt to compromise security." (it's a bit longer than this but you get the point)

I've been reading that the error can be caused by DNS information for the ISP being loaded somewhere...but I can't figure out where it would be loaded?  The server doesn't have it loaded into the DHCP configuration, but the DNS config has it in its forwarder area so internet access works.

I set up WINS but I'm not sure if I really needed to or not.

So the question is how do I get my laptop that needs to VPN in to stop getting the "The system detected a possible attempt to compromise security" error when I browse network folders?  It is XP SP2 Professional, all updated patches etc...

Thanks!
Question by:mrjking2000
38 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16482896
As you mentioned, all references point to DNS and authentication. Try running Windows NetDiag on the pc and see if there are any obvious problems. It is available from the Windows Resource Kit or:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/netdiag.exe
0
 
LVL 10

Expert Comment

by:stafi
ID: 16485947

"I've been reading that the error can be cause by DNS information for the ISP being loaded somewhere"

sonicwall tz170 have a feature under "networking" that is called "ddns" - what is configured there if any ?
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16488454
Stafi, Under Dynamic DNS, there are no entries.

Robwill, I will also run that netdiag.exe to see if it tells me anything, I've never used that before so we'll see what happens.

I'll update as soon as I run the program.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16488853
okay 1st, the output of the netdiag log can be found at http://www.nti-llc.net/log/ then click to download the netdiag.log file.

Funny thing this morning now is that the VPN isn't even connecting all the way.  Here is the error I get in the router now.

04/19/2006 09:04:58.784 -       Malformed or unhandled IP packet dropped -
      216.xx.xxx.xxx, 0,

Note, I replaced the IP with x for the sake of someone reading this information and using it against me.


0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16489611
As to the initial problem I am no wiser. However,
1) *****Appears the SonicWall adapter and the local PC use the same subnet 192.168.1.0.  VPNs should have different subnets at either end of the tunnel or you will have routing issues which could be the basis for DNS and other issues you are having. I would try changing the IP of the remote site if possible to another subnet such as 192.168.2.0
2) I understand the VPN connection was not established, and the wireless disconnected, but do you know why no response from gateway? Was the network cable connected at the time of testing? Is the gateway and DNS information correct for this adapter? should DHCP be enabled on the laptop for switching sites?
3) Can you confirm the subnet at both sites?
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16489789
okay, both sites are using the same subnet, so I will try making it a 2.xxx address.  As for the gateway not responding I do not know why.  I ran that netdiag while the VPN was holding in connecting state.  So that could be the reason.  DHCP is enabled on the laptop for ease of the user just plugging in and going.

I know that the sonicwall is using the AD domain DHCP server.  It is on 192.168.1.x and the linksys that I was using to test with is on the same subnet.  I will change it to 192.168.2.x and give it a shot.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16489873
Interesting. If connected, or if "holding in connecting state" the virtual adapter may be configured to block local traffic, which would explain. But, the "Local Area Connection" appeared to have a static address and neither the gateway or DHCP server were reachable. Using DHCP is fine by the way.

Let me know how you make out with the different subnet. Identical subnets sometimes work when you are using a virtual adapter like this, but as a rule it is a definite no-no with VPNs.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16490202
okay the linksys won't let me go into a 2.x subnet, I have to stay in the 1.x.  So I manually set the IP address in the laptop and still to no avail I can't get into the VPN.  It won't even connect now, I still get the "Malformed or unhandled IP packet dropped - 216.xx.xxx.xxx, 0" error message.


0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16490219
oh, the IP I set was 192.168.2.15
SN mask 255.255.255.0
Gateway 192.168.1.1
DNS 216.17.128.1 & 128.2

Was able to get online right away and browse MSN.com.  But still no VPN connection
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16490299
P.S. goto http://nti-llc.net/log/routerlog.jpg for the actual router log.

again I blurred out my IP addresses intentionally for those uh...honest folk...you know.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16490591
Is the gateway above correct if using the 192.168.2.0 subnet? I am surprised you can connect, it should be 192.168.2.1 or similar.
We are out of my league here but the malformed packets appears to be outgoing IGMP multicast packets being set to 224.0.0.2 which is directed at all routers. I am not familiar with the SonicWall routers but looking at the online manual you should be able to disable that, if enabled, by going to the Network section, on the routing page and un-checking/disabling RIPv1 and RIPv2.
Based on what you have told me there is no need for that.
However, this should have nothing to do with your VPN connection.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16491021
well that is where my problems come to play.  I can't change that linksys router...so what I think I'm going to do is hook the laptop directly up to the dsl gateway.  That is on the 192.168.0.x subnet.  I'll post my results soon.
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 2000 total points
ID: 16491178
>>" going to do is hook the laptop directly up to the dsl gateway.  That is on the 192.168.0.x subnet."
Bingo !
I was referring to the LAN IP of the Linksys, which still has to be changed. But, you are saying the WAN port of the Linksys and the modem are in the 192.168.0.0 subnet. This is a private, not public IP, and means your modem is a combined modem and router, performing NAT. (Network Address Translation). Doing as you suggested should resolve the dual subnet issue and may solve the VPN problem. If you wish to re-connect the Linksys you will need to change it's LAN IP, and put the modem in bridge mode. This intern will mean you need to configure the WAN page of the Linksys with the appropriate ISP information; dynamic, static, PPPoE, etc. By doing so you eliminate the NAT function of the modem.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16491539
The dsl gateway is running bridged mode.  but I think the NAT is still turned on.  I was having complications getting the laptop to take a public IP address to the world, but I did manage to get the router onto the 168.2.x subnet.  I got the vpn to connect but it assigned 223.0.0.1 IP and not one from the DHCP server.

I'm going to get that laptop directly online through that dsl gateway one way or another.  Let me ask you this, should I turn off NAT on the bridged dsl gateway altogether?  I think the sonicwall is running NAT anyway.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16491639
NAT on the DSL is fine so long as you are not using the Linksys. The problem occurs when you have 2 NAT devices. Maybe go that route and don't worry about the bridging until the VPN is working.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16492136
Well this is making me happy!  I just got onto the VPN, it assigned me an IP address, and I opened a file.  But my vbs logon script isn't executing on the laptop even though the "execute domain logon script when connection is established" is turned on.

Hooray, the VPN is letting me do things!!
Any ideas on how to make my VBS script work now through the VPN?
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16492231
the updated netdiag log is posted too so you can see the difference.

same location as last time, http://www.nti-llc.net/log

This time netdiag2.log
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16492726
Generally logon scripts won't work because they are executed at logon, and at logon you don't have a connection to the server. That is one advantage of a hardware to hardware VPN. The workaround is usually to have a copy of the script on your desktop; after the VPN is established, click on it to run. You mention "execute domain logon script when connection is established" is turned on. I am not familiar with that. I assume this is part of the SonicWall VPN client??? If so the client may have to have the location of the script entered in the client configuration, so it can run it after establishing the VPN. If DNS is not working properly (see below) it may have that information but not be able to find it.

As for NetDiag results, looking better. I would say the balance of the problems are related to DNS. For test purposes, if nothing else, try making your DC the primary DNS server on the "local area connection" adapter. Also, on the Sonic/virtual adapter and on the "local area connection" adapters try adding the domain suffix, like MyDomain.abc on the TCP/IP properties under advanced, DNS, "DNS suffix for this connection". After doing so you need to reboot or enter on the laptop:
ipconfig  /flushdns
ipconfig  /registerdns

One last thing you could try is moving the Sonic/virtual adapter to the top of the Binding list. To do so open Network connections and on the menu bar, choose advanced, advanced settings, adapter and bindings, connections.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16492859
Excellent suggestions.  Yes the "execute domain logon script" is part of the sonicwall Global VPN client software package.  I was messing around with a .bat login script on the laptop and it gave an error about multiple connections to the server.

Right now the laptop is in use in a meeting which will run the rest of the day.  So for now it is working as far as VPN goes.  And I explained how to go the back way into the server.  Basically My Computer, change address bar to \\harley and all works well.

I'm going to leave this open for a couple of days until I play with it some more.  I will be out of town tomorrow all day so no chance to work on it more.  The one last thing I know I have to do is at the remote site...they run on the same 192.168.1.x subnet, so I am going to have to change it to a 2.x SN.  Can I program a Linksys router to run on a totally different IP range?  like a 10.10.x.x address so I know for a fact there will never be any conflicts?

Thanks for all the help.  Can't thank you enough...Experts Exchange has saved the day again!
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16493129
>>"Can I program a linksys router to run on a totally different IP range?  like a 10.10.x.x address so I know for a fact there will never be any conflicts?"
Certainly. You can use any private IP address scheme;
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Though it can be a big job to change, I like to have the main office on something that is not common. That way when you have a user in a hotel in Siberia, there is an almost zero chance of a conflict with the hotel router. Most places use the defaults which are; 192.168.0.0, 192.168.1.0, 192.168.2.0, 192.168.100.0, 192.168.111.0, and 10.0.0.0.  I'll often use part of the client's address or phone number as the 3rd octet so I can remember it. 172.16.0.0 - 172.31.255.255 is probably the least common. Your problem may have been the 2 NAT devices and your client might be OK with similar subnets. Some VPNs, where the client creates a virtual adapter, work OK in those situations. I am not familiar enough with SonicWall to say.

I am very curious about the "execute domain logon script when connection is established" feature. Very useful. If I get a chance I will look into that further.

Let me know how you make out.
--Rob
0
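An added example, not from the thread and not SonicWall or Microsoft code, that applies the two rules Rob gives in his comments above (different subnets at each end of the tunnel, and an office range that home and hotel routers rarely use) to an address plan, using Python's standard ipaddress module. The list of common default subnets is the one in the comment above; rating every other 192.168.x.0 block as "medium" risk is an assumption of the example, as are the sample plans it checks.

```python
"""Added example, not part of the thread: sanity-check a VPN address plan
with Python's standard ipaddress module.

Two rules from the discussion above: the LAN at each end of the tunnel must
not overlap (identical subnets at both ends make the routes ambiguous), and
the office should sit on an RFC 1918 range that home and hotel routers
rarely ship with, so a roaming client does not collide with the network it
dials in from. COMMON_DEFAULTS is the list given above; rating any other
192.168.x.0 block as 'medium' risk is this example's own assumption.
"""
import ipaddress
from itertools import combinations

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in
                   ("192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24",
                    "192.168.100.0/24", "192.168.111.0/24", "10.0.0.0/24")]


def _net(cidr):
    # Accepts "192.168.1.0/24", "192.168.1.15/24" (host bits allowed) or a network object.
    return ipaddress.ip_network(str(cidr), strict=False)


def is_private(cidr):
    return any(_net(cidr).subnet_of(r) for r in RFC1918)


def collision_risk(cidr):
    """How likely a roaming client's own LAN is to use this same range."""
    net = _net(cidr)
    if any(net.overlaps(d) for d in COMMON_DEFAULTS):
        return "high"
    if net.subnet_of(ipaddress.ip_network("192.168.0.0/16")):
        return "medium"  # assumption: the whole 192.168/16 space is heavily used
    return "low"


def check_plan(named_nets):
    """named_nets maps a label to a CIDR, e.g. {"office LAN": "192.168.1.0/24"}.
    Returns a list of findings; an empty list means the plan passes."""
    nets = {name: _net(cidr) for name, cidr in named_nets.items()}
    findings = []
    for name, net in nets.items():
        if not is_private(net):
            findings.append(f"{name} {net} is not an RFC 1918 private range")
        risk = collision_risk(net)
        if risk != "low":
            findings.append(f"{name} {net} has {risk} collision risk with roaming clients")
    for (n1, a), (n2, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            findings.append(f"{n1} {a} overlaps {n2} {b}: routes through the tunnel are ambiguous")
    return findings


if __name__ == "__main__":
    # The plan the thread started with: 192.168.1.0/24 at both ends (constructed input).
    for f in check_plan({"office LAN": "192.168.1.0/24", "remote LAN": "192.168.1.0/24"}):
        print("FAIL:", f)
    # The direction the thread moved in: an uncommon 172.16/12 block at the remote site.
    print(check_plan({"office LAN": "192.168.1.0/24", "remote LAN": "172.16.10.0/24"}))
```

Run it with the office LAN, the remote LAN and, for a travelling user, the hotel LAN as a third entry; any pair that overlaps is reported, and any range on the common-default list is flagged before it becomes a support call.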
 
LVL 1

Author Comment

by:mrjking2000
ID: 16493321
Sounds good, I will most likely change both my home and his home to the uncommon 172.16.x.x scheme.  Probably take a good 20-30 minutes to reconfigure everything.

Right now the dsl gateway is still running NAT, and the sonicwall is running a NAT'd WAN IP as well.  And it worked when I connected.

thanks again, I'll post updated info when I get the user online at their house.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16533744
Rob,

All is working, although I still have some minor buggy things going on.  I.E. occasionally the server won't let me into it even after entering the user/password, slow VPN connection speeds...things like that.  But the original question at hand was solved.

If you have any clues as to why I keep getting the error "the domain detected a possible compromise to security" and "multiple connections to the server are not permitted" (I think this is almost word for word on the errors) I think that we'd be good to go if these were solved.

I can ask these in a new question or maybe we can continue this one for a few more threads.

Thanks!
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16533773
Thanks mrjking2000. Glad to hear you have it working.
The "multiple connections to the server are not permitted" error can be due to trying to map the same drive letter or access the same folder with 2 different user names. I haven't seen it for a while, but as I recall it's a little "weird". However, I do recall when I did have it, completely removing all drive mappings from the PC, rebooting and re-creating them with the current logon credentials resolved it. You could try that.
--Rob
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16534121
Hmm, I will give that a shot, and if I can't get it solved I'll go ahead and post a new question.

I figured it may have something to do with domain security policy...the username in question has admin rights to the domain.  But he is not using the administrator logon.

Thanks!
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16534231
>>"username in question has admin rights to the domain.  But he is not using the administrator logon."
Do you mean logging on with one name and accessing resources with another? That would do it.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16537285
no the laptop signs in as (for example) "johnny" then when you click on the mapped drive I get the security compromised error, but the back way in is to go into my computer, then change the address bar to \\harley.  After you do that a user/password box appears, then he types in "johnny" and the password and gets right in.

But the username is a member of the administrator's group, as is mine.  The other users are just regular no power sign-ins.  They can just open and save documents.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16537528
I still suspect your problem is the existing drive mappings. If possible try removing them completely and re-creating. As for admins and users, that error message is independent of the users privileges, it indicates trying to establish a connection to the same resource with 2 different sets of credentials. This may not actually be the case but it may be a corrupted mapping that appears as such.
I have also seen the error message when the computer is removed from a domain and rejoined, again it is the drive mappings causing the issue.
What is the exact "multiple connections to the server are not permitted" message. I can't seem to find anything on that and I have dealt with it several times in the past.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16537762
well I can't find the exact text that the actual message had, but the laptop held these in the event viewer.

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            4/24/2006
Time:            9:02:33 PM
User:            N/A
Computer:      RANDYLAPTOP
Description:
The Security System could not establish a secured connection with the server cifs/harley.office.kingcontracting.local.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            4/24/2006
Time:            9:02:33 PM
User:            N/A
Computer:      RANDYLAPTOP
Description:
The Security System detected an attempted downgrade attack for server cifs/harley.office.kingcontracting.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
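An added example, not part of the thread and not Microsoft code, that parses the two LSASRV/SPNEGO warnings quoted in the comment above and turns each into a triage hint. The NTSTATUS values in the table are standard Windows codes, but the table is deliberately partial and the remediation hints are the example's own reading of the thread. The sample text is the two events as posted, with the blank lines collapsed.

```python
"""Added example, not part of the thread: parse the LSASRV/SPNEGO warnings
quoted above and turn each into a triage hint.

Event 40960 carries the real cause (the Kerberos failure code the client
got before it fell back to another protocol); 40961 is the consequence,
recorded when nothing else could be negotiated. The NTSTATUS codes below
are standard Windows values but the table is deliberately partial, and the
remediation hints are this example's own reading of the thread.
"""
import re

NTSTATUS_HINTS = {  # lower-case hex -> (name, what to check)
    "0xc000005e": ("STATUS_NO_LOGON_SERVERS",
                   "no DC reachable: point the adapter's DNS at the DC and confirm the "
                   "domain's SRV records resolve across the tunnel"),
    "0xc000006d": ("STATUS_LOGON_FAILURE", "wrong or stale cached credentials on the client"),
    "0xc0000133": ("STATUS_TIME_DIFFERENCE_AT_DC", "clock skew: resync the client clock with the DC"),
}
FIELD_RE = re.compile(r"^\s*(Event Type|Event Source|Event Category|Event ID|Date|Time|User|Computer):\s*(.*)$", re.M)
DESC_RE = re.compile(r"Description:\s*(.*?)(?:\n\s*For more information|\Z)", re.S)
SPN_RE = re.compile(r"\b([a-z]+/[\w.-]+)")          # e.g. cifs/host.domain.local
CODE_RE = re.compile(r"\((0x[0-9a-fA-F]{8})\)")      # the NTSTATUS in parentheses


def parse_events(text):
    """Split Event Viewer 'copy' text into one dict per event (fields + Description)."""
    events = []
    for chunk in re.split(r"(?=^\s*Event Type:)", text, flags=re.M):
        if "Event ID:" not in chunk:
            continue
        ev = {k: v.strip() for k, v in FIELD_RE.findall(chunk)}
        m = DESC_RE.search(chunk)
        ev["Description"] = re.sub(r"\s+", " ", m.group(1)).strip() if m else ""
        events.append(ev)
    return events


def classify(ev):
    """Return (event id, failure name, hint) for one parsed event."""
    eid, desc = ev.get("Event ID"), ev.get("Description", "")
    m = SPN_RE.search(desc)
    target = m.group(1).rstrip(".") if m else "?"
    if eid == "40960":
        c = CODE_RE.search(desc)
        code = c.group(1).lower() if c else "none"
        name, hint = NTSTATUS_HINTS.get(code, ("UNKNOWN_NTSTATUS", "look the code up"))
        return eid, name, f"Kerberos to {target} failed with {code}: {hint}"
    if eid == "40961":
        return eid, "SPNEGO_NO_PROTOCOL", (f"no protocol could be negotiated for {target}; "
                                          "usually paired with a 40960 at the same time, fix that one")
    return eid, "OTHER", "not an SPNEGO negotiation event"


def triage(text):
    """One (computer, time, id, name, hint) row per event in the pasted text."""
    return [(e.get("Computer"), e.get("Time"), *classify(e)) for e in parse_events(text)]


# The two events quoted in the post above (blank lines collapsed).
SAMPLE = """\
Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40961
Date:            4/24/2006
Time:            9:02:33 PM
User:            N/A
Computer:      RANDYLAPTOP
Description:
The Security System could not establish a secured connection with the server cifs/harley.office.kingcontracting.local.  No authentication protocol was available.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Warning
Event Source:      LSASRV
Event Category:      SPNEGO (Negotiator)
Event ID:      40960
Date:            4/24/2006
Time:            9:02:33 PM
User:            N/A
Computer:      RANDYLAPTOP
Description:
The Security System detected an attempted downgrade attack for server cifs/harley.office.kingcontracting.local.  The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request.
 (0xc000005e)".

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep=" | ")
```

The pairing matters: the 40961 on its own only says that negotiation failed, while the 40960 logged at the same second names the SPN and the Kerberos status, and 0xc000005e (no logon servers) is a DC-location problem, which on a VPN client almost always means the DC's DNS records are not resolving across the tunnel.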
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16538547
A few things I found.
-Verify the time on the local machine agrees with that doing the authentication
-If the user's password has changed and is still logged into another machine with the old password
-If there is a scheduled event on the local machine trying to access/authenticate to the server using an old account or conflicting account
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16554893
The time syncs up with the logon script, and I haven't seen any errors saying it failed in the event log.  The password is synced properly too, and there should not be any scheduled events.

I was messing around with the server security this morning on the "digitally encrypt client"/"server" connection under domain security policy.  None of that was set, but I changed it to "when possible" and we'll see what that does.

The other complaint I'm hearing is that it takes forever to open files.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16555182
one more thing, I just ran nslookup on my workstation (not the laptop) and I got this:

P:\>nslookup
*** Can't find server name for address 192.168.1.100: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  192.168.1.100

this doesn't look right to me.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16556246
The above inability to resolve and slow opening of files would tend to indicate a DNS issue. Assuming the above is when the VPN is connected;
-Is the laptop a member of the Domain? If not try adding the domain name and suffix to the DNS tab of the network adapter's DNS configuration under advanced TCP/IP properties
-If not already there, add the corporate DNS server as the primary DNS server in the network adapter's TCP/IP properties
-Is 192.168.1.100 your DNS server or a router? Perhaps DNS is pointing to the wrong device.
0
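An added example, not part of the thread and not Microsoft code, that runs the three DNS checks from the comment above against the text of `ipconfig /all` from the laptop, offline. It checks that each adapter's default gateway lies inside that adapter's own subnet (the 192.168.2.15 / gateway 192.168.1.1 combination posted earlier fails this), that the preferred DNS server on each adapter is the domain controller, and that the domain suffix appears either as the primary DNS suffix or as a connection-specific suffix. Both ipconfig transcripts are constructed; the VPN adapter's name and addresses are assumed, not taken from the thread.

```python
"""Added example, not part of the thread: audit 'ipconfig /all' output
(Windows 2000/XP layout) for the three DNS problems raised above.
Both sample transcripts below are constructed; the adapter name
'SonicWALL VPN Connection' and its addresses are assumptions.
"""
import ipaddress


def parse_ipconfig(text):
    """Return {section: {field: [values]}} from 'ipconfig /all' text."""
    sections, cur, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # adapter or top-level header
            cur = sections.setdefault(line.strip().rstrip(":"), {})
            last = None
        elif cur is None:
            continue
        elif ":" in line:                         # "Field . . . . : value"
            key, _, val = line.partition(":")
            last = key.strip(" .")
            cur.setdefault(last, [])
            if val.strip():
                cur[last].append(val.strip())
        elif last:                                # continuation line (2nd DNS server etc.)
            cur[last].append(line.strip())
    return sections


def _first(fields, key):
    vals = fields.get(key) or []
    return vals[0] if vals else ""


def audit(text, dc_ip, domain_suffix):
    """Return a list of findings; an empty list means all three checks pass."""
    cfg = parse_ipconfig(text)
    findings = []
    suffixes = {s.lower() for s in cfg.get("Windows IP Configuration", {}).get("Primary Dns Suffix", [])}
    for name, f in cfg.items():
        if "IP Address" not in f:
            continue                              # not an adapter section
        suffixes |= {s.lower() for s in f.get("Connection-specific DNS Suffix", [])}
        ip, mask, gw = _first(f, "IP Address"), _first(f, "Subnet Mask"), _first(f, "Default Gateway")
        if ip and mask and gw:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if ipaddress.ip_address(gw) not in net:
                findings.append(f"{name}: default gateway {gw} is outside {net}")
        dns = f.get("DNS Servers", [])
        if dns and dns[0] != dc_ip:
            findings.append(f"{name}: preferred DNS is {dns[0]}, not the DC {dc_ip}")
    if domain_suffix.lower() not in suffixes:
        findings.append(f"no adapter carries the domain suffix {domain_suffix}")
    return findings


# Constructed: the laptop as described mid-thread (ISP DNS first, gateway on the wrong subnet).
BEFORE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : RANDYLAPTOP
        Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.2.15
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 216.17.128.1
                                            216.17.128.2

Ethernet adapter SonicWALL VPN Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.51
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 192.168.1.100
"""

# Constructed: the same LAN adapter after the fixes suggested above.
AFTER = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : RANDYLAPTOP
        Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : office.kingcontracting.local
        IP Address. . . . . . . . . . . . : 192.168.2.15
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.2.1
        DNS Servers . . . . . . . . . . . : 192.168.1.100
                                            216.17.128.1
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text, "192.168.1.100", "office.kingcontracting.local") or ["OK"])
```

Paste the real `ipconfig /all` output into the script in place of the constructed text and give it the DC address and the AD DNS name; the gateway check catches the hand-typed mistake from earlier in the thread, and the other two catch the ISP-resolver and missing-suffix problems that send the domain's SRV lookups to the wrong server.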
 
LVL 1

Author Comment

by:mrjking2000
ID: 16556831
1.100 is the DNS server, DHCP server, WINS server (which I don't think I need), and the 2000 active directory Domain Controller.  So it's doing a lot...

I will add the name and suffix to the advanced properties tab and will have to report back.
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16585768
Okay, all the above did not yield a faster connection.  From all the checks that have been done, all the DNS should be set up correctly.  I am truly stumped.
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16591206
The nslookup failure would almost definitely indicate a DNS issue of some sort, though I too have no other ideas. You could try running the netdiag utility from the Windows Resource Kit on the workstations in question. It often points out connection or DNS issues. Also available from:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/netdiag.exe
0
 
LVL 1

Author Comment

by:mrjking2000
ID: 16597447
well I can't thank you enough for the ideas.  I am going to post a new question to see if we can get this sped up a bit.  I have spoke with other companies that I know in town and their VPNs are super fast.  So we have something that I just can't find hiding in a setting somewhere.

Thanks again!
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16597505
Very welcome. New question is a good idea, it will stir up some new answers by others.
Good luck,
--Rob
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 16597762
mrjking2000, saw your new question in the VPN topic area. Try adding a 20 point "pointer question" in the networking TA. Mention the DNS issue, you will probably get a lot more responses.
http://www.experts-exchange.com/help.jsp#hi262
--Rob
0

Question has a verified solution.