Authentication shows incorrect ip address in Event viewer

We have a Windows 2012 R2 domain with 2 domain controllers. Users authenticate to the domain with no problems.

We have 2 subnets

The WLAN traffic is routed through our Sophos XG230 Firewall/Router

Any user authenticating against one of the domain controllers (from the WLAN) shows  the ip address of the Firewall/Router, not its correct ip address of hte host they are on.

I can see this in the kerberos TGT in Event Viewer 4768.

This is only happening on 1 of the domain controllers.

Any ideas on how troubleshoot would be greatly appreciated.
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bbaoIT ConsultantCommented:
do you mean the other DC can see the WAN IP addresses of those users authenticated from the WAN subnet? are the two DCs located on the same subnet on 0.0/24?
matedwardsAuthor Commented:
Thanks bbao.

Both DCs are on subnet

One of the DCs displays the correct ip address of the host (for example

The other DC only sees the ip address of the firewall/router (not the host that the traffic has come through.

I hope that helps?
bbaoIT ConsultantCommented:
you may try use TREACERT command on both DCs against thr same IP address on the WAN such as 4.121, it will the difference how each DC reaches the target. i speculate one of them is via NAT hence the internal router’s IP is logged (shown).
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

matedwardsAuthor Commented:
doing now.. many thanks, bbao..
matedwardsAuthor Commented:
Tracert and nslookup from the DC  to the host display the correct ip address of the host

It is only the authentication (kerberos) event 4768 in the Event Viewer log that is showing the wrong ip address
Tech TopCommented:
Sure it's not some form of SNAT rule on your XG?
matedwardsAuthor Commented:
Thanks TechTop,

But why is it only effecting one DC not both?
Dirk KotteSECommented:
possible there are two rules allowing DC access for the WLAN Clients and only one has "masquerading" enabled.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
matedwardsAuthor Commented:
Great.. thanks Dirk.. will check..
matedwardsAuthor Commented:
BOOM.. Dirk nailed it!!

The 2nd domain controller was newly added. It had not been joined to the 'server group' in the XG.

The 'server group' in the XG has a rule allowing traffic with masquerading turned off.

Because the server was not in the group the rule was not applied and any traffic was masqueraded.

I added it to the server group in the XG and now the correct ip address in Event 4768 is showing.

Many thanks for all your help.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.