Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

Attempts to access published resources are logged as spoof attacks with event ID 15108 in ISA Server 2000


View products that this article applies to.

Symptoms

You cannot access a resource that is published by your Microsoft Internet Security and Acceleration (ISA) Server 2000 computer from the Internet. When you try to access the resource, ISA Server logs the following warning event to the application event log:

Event Type: Warning
Event Source: Microsoft ISA Server Control
Event Category: Packet filter
Event ID: 15108
Description:
ISA Server detected a spoof attack from Internet Protocol (IP) address IP_address. A spoof attack occurs when an IP address that is not reachable via the interface on which the packet was received. If logging for dropped packets is set, you can view details in the packet filter log.

When you view ISA Server alerts by using the ISA Management snap-in, the following IP spoofing alert message may appear in the Alert column:
The IP packet source address is not valid.

↑ Back to the top


Cause

This behavior may occur if both of the following conditions are true:
  • The internal network adapter on the ISA Server computer points to a default gateway address that is on the internal network.
  • The network adapter on the server that has the published resource points to the same internal default gateway address as the ISA Server computer.

↑ Back to the top


Resolution

To resolve this behavior, follow these steps:
  1. If there are other internal networks that send and receive traffic through the ISA Server computer, use the route add command with the -p switch to add a persistent static route to each internal network. When you specify the gateway address, point to the internal router that permits access to the other internal networks. Configure persistent static routes on the internal adapter of the ISA Server computer and on the server that has the published resource.

    For more information about how to use the route command, type route /? at a command prompt.
  2. Remove the default gateway address on the internal network adapter of the ISA Server computer. For ISA Server to function correctly, the internal network adapter should not have a default gateway specified.
    1. Click Start, point to Settings, and then click Network and Dial-up Connections.
    2. Right-click the internal adapter, and then click Properties.
    3. Click Internet Protocol (TCP/IP), and then click Properties.
    4. Remove the default gateway address in the Default gateway box, and then click OK two times.
  3. On the server that has the published resource, configure the default gateway address to point to the internal address of the ISA Server computer.
    1. Click Start, point to Settings, and then click Network and Dial-up Connections.
    2. Right-click the internal adapter, and then click Properties.
    3. Click Internet Protocol (TCP/IP), and then click Properties.
    4. In the Default gateway box, type the internal address of the ISA Server computer, and then click OK two times.

↑ Back to the top


More information

For additional information about how to add a static route, click the following article numbers to view the articles in the Microsoft Knowledge Base:
140859 TCP/IP routing basics for Windows NT

141383 "P" switch for Route command added in Windows


For additional information about another possible cause of event ID 15108, click the following article number to view the article in the Microsoft Knowledge Base:
326116 FIX: Cannot renew DHCP assigned IP address on external ISA interface

↑ Back to the top


Article Info
Article ID : 840681
Revision : 2
Created on : 1/1/0001
Published on : 1/1/0001
Exists online : False
Views : 302