IP Route on Domain Controller

Posted on 2009-05-08
Last Modified: 2013-11-16
Below is an Intrusion Prevention alert from our SonicWall Firewall. The intrusion is happening because the Source IP (169.254.99.56) is not in our subnet range, so the firewall is freaking out thinking this is a "spoofed" IP. I have traced this IP address and MAC address to one of our connections (GB1000 Unplugged - network cable) on our DC. As you can see in the attached picture, it looks like it is disabled/unplugged, but I think there could be some routing involved.

I do not have enough knowledge in this area to figure out what is routing, so I provided the routing table below: The GB1000 connection in the picture has the (169.254.99.56). I tried setting it to a static IP that would fall under our subnet, but it crashed the entire network connection, and I could no longer ping the server by its normal IP (10.81.2.3) nor by the new static IP I tried to assign (10.81.2.4).

I have no idea what those other connections are, Virtual or Main. This is an older server and everything is working fine except this IP spoofing. My goal is to put things back to normal, where there is one connection "Local Area Connection". Any ideas are helpful and welcome, thank you.

========================================================
Time: 05/07/2009 11:26:03
Priority: Alert
Category: Intrusion Prevention
Message: IP spoof dropped
Source: 169.254.99.56, 137, LAN
Destination: 10.83.32.8, 137, WAN, ws100098.bcr.local
Notes: MAC address: 00:02:b3:d8:bd:a2

This SonicWall is connected via site-to-site VPN to another office.
Local Network: 10.81.0.1 / 255.255.0.0
Remote Network via site-to-site VPN: 10.83.0.1 / 255.255.0.0
========================================================
IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 02 b3 d8 bd a2 ...... TEAM : Main
0x10004 ...00 1b 21 03 59 2e ...... Intel(R) PRO/1000 GT Desktop Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.81.1.2        10.81.2.3     20
        10.81.0.0      255.255.0.0        10.81.2.3        10.81.2.3     20
        10.81.2.3  255.255.255.255        127.0.0.1        127.0.0.1     20
   10.255.255.255  255.255.255.255        10.81.2.3        10.81.2.3     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      169.254.0.0      255.255.0.0    169.254.99.56    169.254.99.56     10
    169.254.99.56  255.255.255.255        127.0.0.1        127.0.0.1     10
  169.254.255.255  255.255.255.255    169.254.99.56    169.254.99.56     10
        224.0.0.0        240.0.0.0        10.81.2.3        10.81.2.3     20
        224.0.0.0        240.0.0.0    169.254.99.56    169.254.99.56     10
  255.255.255.255  255.255.255.255        10.81.2.3        10.81.2.3      1
  255.255.255.255  255.255.255.255    169.254.99.56    169.254.99.56      1
Default Gateway:         10.81.1.2
===========================================================================
Persistent Routes:
  None

prtscrn.bmp
Question by:pzozulka
Accepted Solution

by:
Blaz earned 600 total points
ID: 24340248
The 169.254.0.0 network is a network where Windows Automatic IP Addressing (APIPA) assigns addresses. If the computer is not able to connect to a DHCP server on boot, it gets an address from this range.

It seems that some process on the server assigned itself the wrong IP of the server (169.254.99.56 instead of 10.81.1.2) and tried to browse the network (Windows file sharing - port 137). As the network card was not connected, the packet was routed through the other interface to your FW.

Try to disable the unneeded network card (GB1000 - right click -> disable).
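
An added example, not part of the original thread or any poster's code: it replays the diagnosis above against the interface list, routes and alert quoted in the question. It checks whether the alert's source address is link-local (APIPA) and outside the LAN, which adapter entry owns the MAC, and which route the destination would take. The function names and the trimmed route subset are assumptions made for this illustration.

```python
import ipaddress
import re

# Copied from the question: "route print" interface list and the network routes
# (host and broadcast routes omitted for brevity).
INTERFACES = """\
0x10003 ...00 02 b3 d8 bd a2 ...... TEAM : Main
0x10004 ...00 1b 21 03 59 2e ...... Intel(R) PRO/1000 GT Desktop Adapter
"""
ROUTES = """\
0.0.0.0          0.0.0.0        10.81.1.2        10.81.2.3     20
10.81.0.0      255.255.0.0        10.81.2.3        10.81.2.3     20
169.254.0.0      255.255.0.0    169.254.99.56    169.254.99.56     10
224.0.0.0        240.0.0.0        10.81.2.3        10.81.2.3     20
"""
ALERT = {"src": "169.254.99.56", "dst": "10.83.32.8", "mac": "00:02:b3:d8:bd:a2"}
LAN = ipaddress.ip_network("10.81.0.0/16")  # firewall's local network per the post


def adapter_for_mac(mac, interface_text=INTERFACES):
    """Map the MAC from the alert to the adapter name in the interface list."""
    for line in interface_text.splitlines():
        m = re.match(r"0x\w+\s+\.+((?:[0-9a-f]{2} ){6})\.+\s*(.+)", line, re.I)
        if m and m.group(1).lower().split() == mac.lower().split(":"):
            return m.group(2).strip()
    return None


def egress_route(dst, route_text=ROUTES):
    """Longest-prefix match, then lowest metric; returns (gateway, interface)."""
    dst, best = ipaddress.ip_address(dst), None
    for line in route_text.splitlines():
        net, mask, gw, iface, metric = line.split()
        network = ipaddress.ip_network(f"{net}/{mask}")
        key = (network.prefixlen, -int(metric))
        if dst in network and (best is None or key > best[0]):
            best = (key, gw, iface)
    return best[1:] if best else None


def triage(alert):
    """Summarise why the firewall sees this packet as spoofed."""
    src = ipaddress.ip_address(alert["src"])
    gw, iface = egress_route(alert["dst"])
    return {"src_is_apipa": src.is_link_local, "src_in_lan": src in LAN,
            "adapter": adapter_for_mac(alert["mac"]),
            "egress_gateway": gw, "egress_interface": iface}
```

For the alert in the question, `triage(ALERT)` reports an APIPA source outside 10.81.0.0/16, a MAC listed against the "TEAM : Main" entry, and a destination that only matches the default route via 10.81.1.2 on interface 10.81.2.3, which is the path toward the firewall.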

Assisted Solution

by:lanboyo
lanboyo earned 600 total points
ID: 24350003
It looks like there is a network teamed interface and another interface that is configured for DHCP. You cannot assign the interface an address in the same subnet; this will confuse the server. Configure interface teaming or disable the gigabit interface.

Author Comment

by:pzozulka
ID: 24351908
Can you provide further details about interface teaming? I have never heard of this before. This methodology is not frequently used, right?

I would be very grateful if you can provide more material or links to good resources on this topic. I would like to know more.

Thank you.

Assisted Solution

by:qf3l3k
qf3l3k earned 800 total points
ID: 24359093
Network interface teaming is in fact quite popular for servers with a high level of data transmission to the outside world.
This might be in regard to file servers or VMware servers.
In simple words, it means that you have one network adapter with multiple ports (each 100Mb/s or more) or you have multiple adapters (same type and vendor), and you can consolidate all physical interfaces into one logical interface which will have an IP address assigned.
Finally, you can multiply bandwidth for your server by consolidating links. All adapters are plugged into the same switch and VLAN to allow all of them to communicate in the same IP segment.

You can find a more detailed explanation here:
http://en.wikipedia.org/wiki/Link_aggregation

Assisted Solution

by:qf3l3k
qf3l3k earned 800 total points
ID: 24359152
In addition, you might want to check this link:
http://www.intel.com/support/network/sb/cs-009747.htm#Features

as it covers features of the Intel adapters you have. The only question is if you will be able to team the Desktop version of the Intel adapter (from the screenshot it looks like there is something teamed already), as I never tried that.