Authentication shows incorrect ip address in Event viewer

matedwards
We have a Windows 2012 R2 domain with 2 domain controllers. Users authenticate to the domain with no problems.

We have 2 subnets
LAN: 192.168.0.0/24
WLAN: 192.168.4.0/24

The WLAN traffic is routed through our Sophos XG230 Firewall/Router 192.168.0.1

Any user authenticating against one of the domain controllers (from the WLAN) shows the IP address of the Firewall/Router, not the correct IP address of the host they are on.

I can see this in the Kerberos TGT event in Event Viewer, 4768.

This is only happening on 1 of the domain controllers.

Any ideas on how troubleshoot would be greatly appreciated.
bbao, IT Consultant

Commented:
Do you mean the other DC can see the WAN IP addresses of those users authenticated from the WAN subnet? Are the two DCs located on the same subnet, 0.0/24?

Author

Commented:
Thanks bbao.

Both DCs are on subnet 192.168.0.0/24

One of the DCs displays the correct IP address of the host (for example 192.168.4.121).

The other DC only sees the IP address of the firewall/router, 192.168.0.1 (not the host, 192.168.4.121), that the traffic has come through.

I hope that helps?
bbao, IT Consultant

Commented:
You may try using the TRACERT command on both DCs against the same IP address on the WAN, such as 4.121; it will show the difference in how each DC reaches the target. I speculate one of them is via NAT, hence the internal router's IP is logged (shown).

Author

Commented:
doing now.. many thanks, bbao..

Author

Commented:
Tracert and nslookup from the DC to the host display the correct IP address of the host, 192.168.4.121.

It is only the authentication (Kerberos) event 4768 in the Event Viewer log that is showing the wrong IP address.

TechTop

Commented:
Sure it's not some form of SNAT rule on your XG?

Author

Commented:
Thanks TechTop,

But why is it only affecting one DC, not both?

Dirk

Commented:
Possible there are two rules allowing DC access for the WLAN clients and only one has "masquerading" enabled.

Author

Commented:
Great.. thanks Dirk.. will check..

Author

Commented:
BOOM.. Dirk nailed it!!

The 2nd domain controller was newly added. It had not been joined to the 'server group' in the XG.

The 'server group' in the XG has a rule allowing traffic with masquerading turned off.

Because the server was not in the group the rule was not applied and any traffic was masqueraded.

I added it to the server group in the XG and now the correct IP address is showing in Event 4768.

Many thanks for all your help.
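Added example (not code from the thread or from Sophos/Microsoft): a PowerShell function that pulls the client IpAddress field out of Kerberos TGT request events (ID 4768) and summarises who the DC thinks it is talking to, so the symptom discussed above shows up as "every WLAN logon arrives from the firewall address" instead of having to be spotted by eye in Event Viewer. The WLAN prefix 192.168.4. and the firewall address 192.168.0.1 are taken from the thread; the function name, the sample user names and the two sets of sample events (one per DC) are constructed for this example. The sample XML mirrors the EventData layout that `(Get-WinEvent ...).ToXml()` returns for 4768, where IPv4 clients are recorded as IPv4-mapped IPv6 addresses (`::ffff:a.b.c.d`).

```powershell
# Added example, not part of the original thread. Summarise the client address
# field of Kerberos TGT request events (ID 4768) per DC so that a source-NAT
# (masquerading) problem is visible as "all WLAN logons come from the firewall".

function Get-Tgt4768ClientAddresses {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,   # one <Event> XML document per entry
        [string] $ClientSubnetPrefix = '192.168.4.',   # WLAN subnet from the thread
        [string] $NatAddress         = '192.168.0.1'   # firewall/router address from the thread
    )

    $rows = foreach ($xmlText in $EventXml) {
        $x = [xml]$xmlText
        # EventData is a flat list of <Data Name="...">value</Data> elements.
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        # 4768 stores IPv4 clients as IPv4-mapped IPv6 ("::ffff:a.b.c.d"); strip the prefix.
        $ip = [string]$data['IpAddress'] -replace '^::ffff:', ''
        [pscustomobject]@{
            Time      = $x.Event.System.TimeCreated.SystemTime
            User      = $data['TargetUserName']
            IpAddress = $ip
            Status    = $data['Status']      # 0x0 = ticket issued
        }
    }

    # Count requests per source address, most frequent first.
    $byAddress = $rows | Group-Object IpAddress | Sort-Object Count -Descending |
        Select-Object @{ n = 'IpAddress'; e = { $_.Name } }, Count

    $fromNat    = @($rows | Where-Object { $_.IpAddress -eq $NatAddress }).Count
    $fromClient = @($rows | Where-Object { $_.IpAddress.StartsWith($ClientSubnetPrefix) }).Count

    # Interpretation: a DC that never sees a real WLAN address but does see the
    # firewall address is almost certainly behind a masquerading (SNAT) rule.
    $finding = if ($fromNat -gt 0 -and $fromClient -eq 0) {
        "All $fromNat TGT requests attributed to $NatAddress and none to $ClientSubnetPrefix*: " +
        "traffic from that subnet is being source-NATed before it reaches this DC."
    } elseif ($fromNat -gt 0) {
        "$fromNat of $($rows.Count) TGT requests carry $NatAddress; check for a second rule with masquerading on."
    } else {
        'Client addresses look unmodified.'
    }

    [pscustomobject]@{ Rows = $rows; ByAddress = $byAddress; Finding = $finding }
}

# Constructed sample event in the shape (Get-WinEvent ...).ToXml() produces for 4768.
# Only the fields this example reads are included; the values are made up.
function New-Sample4768 {
    param([string] $User, [string] $Ip, [string] $Time)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="Status">0x0</Data>
    <Data Name="IpAddress">::ffff:$Ip</Data>
    <Data Name="IpPort">49152</Data>
  </EventData>
</Event>
"@
}

# DC1 is in the XG 'server group' (masquerading off): real WLAN addresses arrive.
# DC2 is the newly added DC outside the group: every WLAN logon looks like the firewall.
$dcs = [ordered]@{
    DC1 = @(
        New-Sample4768 -User 'alice' -Ip '192.168.4.121' -Time '2020-01-01T08:00:00Z'
        New-Sample4768 -User 'bob'   -Ip '192.168.4.130' -Time '2020-01-01T08:01:00Z'
        New-Sample4768 -User 'svc'   -Ip '192.168.0.50'  -Time '2020-01-01T08:02:00Z'
    )
    DC2 = @(
        New-Sample4768 -User 'alice' -Ip '192.168.0.1'  -Time '2020-01-01T08:00:00Z'
        New-Sample4768 -User 'bob'   -Ip '192.168.0.1'  -Time '2020-01-01T08:01:00Z'
        New-Sample4768 -User 'svc'   -Ip '192.168.0.50' -Time '2020-01-01T08:02:00Z'
    )
}

foreach ($name in $dcs.Keys) {
    $r = Get-Tgt4768ClientAddresses -EventXml $dcs[$name]
    Write-Output "== $name =="
    Write-Output ($r.ByAddress | Format-Table -AutoSize | Out-String).Trim()
    Write-Output $r.Finding
}

# Live use on a DC (4768 is only logged when "Audit Kerberos Authentication Service"
# is enabled in the audit policy):
#   $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } -MaxEvents 500 |
#          ForEach-Object { $_.ToXml() }
#   Get-Tgt4768ClientAddresses -EventXml $xml
```

Run the same collection against each DC and compare the `ByAddress` tables: with the thread's configuration, DC1 lists 192.168.4.121 and 192.168.4.130 while DC2 lists only 192.168.0.1 for the same logons, which is exactly the asymmetry that pointed to a per-destination masquerading rule rather than a client or DNS problem.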
