I'm running ISA 2006 with PPTP VPN for my AD-controlled network. DHCP is located on the ISA server itself and authentication is done by RADIUS (NPS) located on the DC.

Right now my VPN clients can connect, access local DNS, and can ping ISA, the DC, and other clients.

Here's where it gets weird. I noticed that despite all this, ipconfig shows the following:

PPP adapter North Horizon VPN:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : North Horizon VPN
   Physical Address. . . . . . . . . :
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.42.4.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.255
   Default Gateway . . . . . . . . . : 0.0.0.0
   DNS Servers . . . . . . . . . . . : 10.42.1.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

So I went over and checked my ISA logs for both DHCP requests and replies, only to find out that my VPN clients are being denied because ISA thinks it's a spoof. Here's some relevant information from the log (the VPN subnet is 10.42.4.0/24):

Client IP: 10.42.4.6
Destination: 255.255.255.255:67
Client Username: (blank)
Protocol: DHCP (request)
Action: Denied Connection
Rule: (blank)
Source Network: VPN Clients
Destination Network: Local Host
Result Code: 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED
Network Interface: 10.42.4.11
---------------------------------------------------------
Original Client IP: 10.42.4.6
Destination: 10.42.1.1
Client Username: (valid user)
Protocol: PING
Action: Initiated Connection
Rule: Allow PING to ISA
Source Network: VPN Clients
Destination Network: Local Host
Result Code: 0x0 ERROR_SUCCESS
Network Interface: (blank)

I wasn't sure what this 10.42.4.11 network interface was - it certainly wasn't something I had set up - until I saw it in Routing and Remote Access under IP Routing > General as an interface called "Internal" bound to the same IP address. I also noticed that since ISA takes blocks of 10 IP addresses from DHCP for VPN, it had reserved 10.42.4.2-11. I'm not sure if it means anything, though.

Thanks for your help.

Daniel Moore
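The log excerpt above is the evidence that matters: a DHCP request from a VPN client dropped with FWX_E_FWE_SPOOFING_PACKET_DROPPED on the RRAS "Internal" interface, while a PING from the same client a moment later is allowed. When triaging this kind of drop it helps to separate spoof drops whose source address sits inside the VPN pool you actually configured (a configuration or timing problem worth investigating) from drops whose source is outside every expected range (what spoof detection exists to catch). The following parser is an added example, not part of the question or of ISA Server; it assumes the same "Key: Value" record layout and "---" separators as the excerpt, and the third record (client 192.0.2.55) is constructed to show the outside-range case.

```python
import ipaddress
from collections import Counter

# Constructed sample in the same key/value layout as the ISA log excerpt.
# The first two records mirror the excerpt; the third is a made-up
# out-of-range source so both outcomes of the check are exercised.
SAMPLE_LOG = """\
Client IP: 10.42.4.6
Destination: 255.255.255.255:67
Client Username: (blank)
Protocol: DHCP (request)
Action: Denied Connection
Rule: (blank)
Source Network: VPN Clients
Destination Network: Local Host
Result Code: 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED
Network Interface: 10.42.4.11
---------------------------------------------------------
Original Client IP: 10.42.4.6
Destination: 10.42.1.1
Client Username: (valid user)
Protocol: PING
Action: Initiated Connection
Rule: Allow PING to ISA
Source Network: VPN Clients
Destination Network: Local Host
Result Code: 0x0 ERROR_SUCCESS
Network Interface: (blank)
---------------------------------------------------------
Client IP: 192.0.2.55
Destination: 10.42.1.10:53
Client Username: (blank)
Protocol: DNS
Action: Denied Connection
Rule: (blank)
Source Network: VPN Clients
Destination Network: Internal
Result Code: 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED
Network Interface: 10.42.4.11
"""

SPOOF_CODE = "FWX_E_FWE_SPOOFING_PACKET_DROPPED"


def parse_records(text):
    """Split the log text into a list of dicts, one per '---'-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("---"):
            if current:
                records.append(current)
                current = {}
            continue
        if ":" not in line:
            continue
        # Split on the first colon only, so values like 255.255.255.255:67 survive.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def client_ip(rec):
    """ISA writes either 'Client IP' or 'Original Client IP' depending on the entry."""
    return rec.get("Client IP") or rec.get("Original Client IP")


def classify_spoof_drops(records, expected_ranges):
    """Return the spoof-dropped records, each annotated with whether its source
    address falls inside the range configured for its Source Network.
    expected_ranges maps an ISA network name to a CIDR string (an assumption
    for this example, e.g. {"VPN Clients": "10.42.4.0/24"})."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in expected_ranges.items()}
    findings = []
    for rec in records:
        if SPOOF_CODE not in rec.get("Result Code", ""):
            continue
        ip = ipaddress.ip_address(client_ip(rec))
        net = nets.get(rec.get("Source Network"))
        findings.append({
            "client_ip": str(ip),
            "protocol": rec.get("Protocol"),
            "interface": rec.get("Network Interface"),
            "in_expected_range": net is not None and ip in net,
        })
    return findings


def summarize(findings):
    """Count spoof drops by whether the source was inside its expected range."""
    counts = Counter()
    for f in findings:
        counts["expected_range" if f["in_expected_range"] else "outside_range"] += 1
    return dict(counts)


if __name__ == "__main__":
    found = classify_spoof_drops(parse_records(SAMPLE_LOG), {"VPN Clients": "10.42.4.0/24"})
    for f in found:
        print(f)
    print(summarize(found))
```

Run against the excerpt, the DHCP drop is reported as coming from inside 10.42.4.0/24 on interface 10.42.4.11, which is the combination to look at in the RRAS and ISA configuration rather than treat as an attack; a drop from an address outside every configured range is the one that deserves the spoof label.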

2 Answers

My understanding is that it takes up to 5 seconds for the routing table to be updated with the IP address for the new VPN client so packets received within that time are dropped as spoofed. See this forums.isaserver.org post.

The solution suggested there is to add this odd registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RAT\Stingray\Debug\FWSRV]
"FWS_PNP_IPHELPER_QUITE_PERIOD"=dword:000005dc

I've disabled spoof detection in an ISA Server 2004 installation to get it working before.

Robin M
I don't see anything wrong with your ipconfig. ISA Server uses DHCP to get an IP internally for VPN clients, then it creates the connection internally and hands it over to the VPN client. So DHCP is just for internal purposes. So even though the IP for the VPN client was generated through DHCP, it will appear as non-DHCP, as that's how it was handed over.

I hope I have the correct understanding :-)

mamu