regisdaniel asked:

Isa Server 2004 - Routing Correlation Error (EventID 14147)

I'm running into a 14147 error on MS ISA Server 2004... I tried a lot of workarounds to solve this problem, but without success... I never changed the system's default routing table, so I really don't know why these errors happen. My ISA Server also acts as a VPN server and these errors are logged only when a VPN user establishes a connection. Below are examples of the errors that are logged:

>>>>EXAMPLE 01
Event Type:            Error
Event Source:      Microsoft Firewall
Event Category:      None
Event ID:            14147
Date:            2/15/2007
Time:            11:48:49 AM
User:            N/A
Computer:            NETSERVER02
Description:
ISA Server detected routes through adapter Wireless Network Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 192.168.21.103-192.168.21.103;192.168.21.255-192.168.21.255;.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


>>>>EXAMPLE 02
Event Type:      Error
Event Source:      Microsoft Firewall
Event Category:      None
Event ID:            14147
Date:            2/15/2007
Time:            11:48:49 AM
User:            N/A
Computer:            NETSERVER02
Description:
ISA Server detected routes through adapter Loopback that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 192.168.21.103-192.168.21.103;.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


>>>>EXAMPLE 03
Event Type:            Error
Event Source:      Microsoft Firewall
Event Category:      None
Event ID:            14147
Date:            2/15/2007
Time:            11:48:50 AM
User:            N/A
Computer:            NETSERVER02
Description:
ISA Server detected routes through adapter Wireless Network Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 192.168.21.255-192.168.21.255;.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


How could I solve this error once and for all?
Thanks a lot!!!
drtoto82

No. 1: You MUST MUST MUST install the DHCP Relay Agent on the ISA server. Again, ON THE ISA Server...


If the problem still exists, just send me more details...
regisdaniel (asker)
Hi!
Thanks a lot for your answer...

I installed the DHCP Relay Agent, but I'm still having the same messages... I suspect that my DHCP Relay Agent is not working as expected... How could I know if it is working fine?
When I establish a VPN connection, IPConfig /all shows me the following information:

Adaptador VPN:

        Sufixo DNS específico de conexão  . :
        Descrição . . . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        Endereço físico . . . . . . . . . . : 00-53-45-00-00-00
        DHCP ativado. . . . . . . . . . . . : Não
        Endereço IP . . . . . . . . . . . . : 192.168.112.21
        Máscara de sub-rede . . . . . . . . : 255.255.255.255
        Gateway padrão. . . . . . . . . . . : 192.168.112.21
        Servidores DNS. . . . . . . . . . . : 192.168.112.205
        Servidor WINS primário. . . . . . . : 192.168.112.205

Does the DNS and WINS config applied by DHCP mean that the relay is working???

drtoto82

Actually not.

The problem we face is that ISA separates the Local Host (which is the ISA server, shown as a separate network in the networks tab) from the whole network, even in the same subnet. That's why we use the DHCP relay agent to carry the data between the Local Host network and the Internal network where the DHCP server should be.

Make sure that the VPN users' configuration gets dynamic IPs from the DHCP server, so that they can connect to the network.
I guess at the beginning you had the DHCP server but not the agent on the ISA...

Now it appears to be something completely different. I want more comments on the VPN user, which is probably a VPN site here.

I thought at first the VPN user had a real IP.
But the user in your error message already has a private IP address range 192.x.x.x, and your network uses the same private address range too!!!!

We have two solutions now:

Solution A: I suppose here that a full remote site is connecting:

. First: if you can, change the address range assigned by the DHCP server to the VPN to be a different subnet from your internal network, like 10.x.x.x

. Second, reconfigure your routing tables to route the new network 10.x.x.x (assigned by the VPN) to your internal network (192.x.x.x)

The second solution:
If you have only one VPN user, you can assign him a static IP address in your ISA VPN configuration, and make sure then that the IP address has the same network ID as your internal network and also make sure that this address is NOT duplicated with anyone else, like excluding it from your internal network scope, or making a DHCP address reservation for that user on the DHCP instead of using the static address.


Please post more comments if my solution doesn't work..


Good Luck !!
Keith Alabaster
Couple of things here just to get straight in my own mind.
1. Have you got the SP2 and add-on patches installed?
2. Can you clarify the addresses you have put in the Local Address Table for each network card that the ISA is aware of? I.e. each NIC in the ISA box will have addresses associated with it and the IP address ranges that they cover. The definition of these is derived by pretending that you are sitting on the ISA server. The internal NIC LAT on the ISA (configuration - networks - internal - properties - addresses) should only have the IP addresses that can be seen through the internal NIC. This MUST also include the network ID and the broadcast address.

For example, if the internal NIC IP is 192.168.10.1, then the internal network LAT would show 192.168.10.0 - 192.168.10.255. If there are other subnets internal (accessible through a router on the internal LAN, for example), these must also be added in full. Any address that is not added is assumed, within a two network card ISA server, to be accessible only through the external NIC.

This can cause problems with VPNs as ISA uses the RRAS service, so:
3. Is the VPN site-to-site, or do you have VPN clients connecting to the ISA server using the MS or a third-party client?
I would agree about the DHCP relay comments, but are you using a static pool from the internal network addresses for the clients or a totally separate subnet for them?
If it's a site-to-site VPN, what addresses does the remote site use outside of the VPN? Are these overlapping your own somehow?

The conflict messages you mention appear when ISA sees a network/IP address appear on a NIC when the LAT table says it should be coming in on a different NIC.
regisdaniel (asker)

Hi drtoto82, keith_alabaster. Thanks a lot for your help.

Drtoto82, my ISA Server is in the same network as my Internal Network. Actually, the ISA Server handles both site-to-site and VPN client connections. Also, there is a rule that allows all traffic from Internal / Local Host to Internal / Local Host network, and also a rule that permits all traffic from VPN_Network to Internal and Internal to VPN_Network.

I also already tried to specify a static network address for my VPN clients, but I got the same errors...

Keith_alabaster, the server has all service packs and patches installed. The networks also have the network ID and broadcast address as you said. Below you can see the addresses configured for each server:

Server1:
LocalIP:            192.168.112.200/24
Internal Network:   192.168.112.0 - 192.168.112.255
VPN_Branch:         192.168.113.0 - 192.168.113.255
VPN server gets IP configuration from: INTERNAL DHCP server.

Server2:
LocalIP:            192.168.113.200/24
Internal Network:   192.168.113.0 - 192.168.113.155
VPN_Main:           192.168.112.0 - 192.168.112.255
VPN server gets IP configuration from: INTERNAL DHCP server.

I think I forgot to mention that these errors are logged on both servers and that I was also getting these errors before configuring a site-to-site connection, in other words, when I only had VPN users. I also rebuilt the server from scratch, thinking that the errors were being caused by a registry error or something else, but it didn't work...

Another thing that is important to know is that in the majority of errors, the conflicting ranges are the address assigned to the RRAS server. E.g.:

Before establishing a VPN connection, if I try to define my Internal NIC LAT on the ISA (configuration - networks - internal - properties - addresses), it gets the correct range (192.168.112.0 - 192.168.112.255 for Server1). After starting RRAS and allowing a client to establish a connection (and after the server alerts about the error), if I try to do the same task, my Internal NIC LAT is filled with the range (192.168.112.0 - 192.168.112.98; 192.168.112.100 - 192.168.112.255) and RRAS gets 192.168.112.99 as its internal address, in other words, the address that was excluded from the range and also shown in one of the alerts generated.

If you have some other suggestions, I'll be very grateful!!!
Thanks a lot for your help!!!
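To make concrete both what Keith describes (the alert fires when a destination reachable through an adapter lies outside the address ranges of the network element that adapter belongs to) and what the asker observed on Server1 (RRAS taking 192.168.112.99 out of the Internal range), here is an added Python example that is not from this thread: `correlate` reproduces the correlation check over a simplified routing table, and `alert_gaps` parses the conflict list out of a 14147 description and reports what the configured network definition fails to cover. The adapter name and the routing table are constructed sample data.

```python
import ipaddress
import re
def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def fmt_range(lo, hi):
    return f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}"

def uncovered(lo, hi, ranges):
    """Sub-ranges of [lo, hi] (ints) not covered by any (start, end) pair in ranges."""
    gaps, cur = [], lo
    for s, e in sorted((to_int(a), to_int(b)) for a, b in ranges):
        if e < cur:          # this range ends before the part still uncovered
            continue
        if s > hi:           # this range starts beyond the span of interest
            break
        if s > cur:          # hole between cur and the start of this range
            gaps.append((cur, s - 1))
        cur = e + 1
    if cur <= hi:
        gaps.append((cur, hi))
    return gaps

def correlate(networks, adapter_network, routes):
    """Emulate the 14147 check: flag route destinations reachable through an adapter
    that fall outside the address ranges of the ISA network the adapter belongs to."""
    conflicts = {}
    for dest, mask, iface in routes:
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        for g_lo, g_hi in uncovered(lo, hi, networks[adapter_network[iface]]):
            conflicts.setdefault(iface, []).append(fmt_range(g_lo, g_hi))
    return {k: ";".join(v) + ";" for k, v in conflicts.items()}  # alert's 'a-b;c-d;' form

def alert_gaps(description, network_ranges):
    """Parse the 'address ranges in conflict' list from a 14147 description and return
    the parts that network_ranges does not cover, i.e. what the address list is missing."""
    m = re.search(r"ranges in conflict are: ([\d.;-]+)\.", description)
    gaps = []
    for item in (m.group(1) if m else "").split(";"):
        if item:
            a, b = item.split("-")
            gaps += [fmt_range(x, y) for x, y in uncovered(to_int(a), to_int(b), network_ranges)]
    return gaps

# Constructed sample: Server1's Internal network as the asker saw it after RRAS took
# 192.168.112.99 for itself, plus one route; the adapter name is hypothetical.
SERVER1_INTERNAL = [("192.168.112.0", "192.168.112.98"), ("192.168.112.100", "192.168.112.255")]
NETWORKS, ADAPTER_NETWORK = {"Internal": SERVER1_INTERNAL}, {"Local Area Connection": "Internal"}
ROUTES = [("192.168.112.0", "255.255.255.0", "Local Area Connection")]
```

Run against the sample, `correlate` reports exactly the single-address conflict the asker saw (192.168.112.99-192.168.112.99;), and `alert_gaps` fed the same alert text tells you that address is what the Internal network's address list no longer covers.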
ASKER CERTIFIED SOLUTION
Keith Alabaster

This solution is only available to members.

Thanks :)