Ze'ev Ionis  Canada Member since 6/13/2005
Platinum Membership Posts: 56

11/04/2005 03:01 AM
I am irregularly getting Event 14147 "ISA Server detected routes through adapter "adapter name" that do not correlate with the network element to which this adapter belongs. the address ranges in conflict are: 192.0.0.192 - 192.0.0.192...". The adapter in question is my internal adapter.
I consulted the KB article 884496 "Client Computers cannot access external resources, and event ID 14147 appears in the Application log in ISA Server 2004". This does not really apply to me as my clients can access external resources, and other than the event message I see no symptoms. In addition, I never manually added IP address ranges to the adapter, as the article states might have been the problem.
Could this be a spoof attack? And if so, what steps should I take? I see this address range in my routing table, but in the dynamic, not in the persistent, stack. I tried to delete it but because it wasn't persistent I of course couldn't!
Ze'ev
Amy Babinchak  Michigan, United States Member since 5/23/2005
Microsoft MVP Posts: 204

11/04/2005 05:09 PM
Ze'ev,
I haven't seen this error before but it does seem to indicate that the routing table is messed up. Did you happen to change NICs in this server or change which one is the external adapter? I'm assuming here that you have 2 NICs.
Amy Babinchak for ThirdTier.net
Need additional help? http://www.thirditer.net
Ze'ev Ionis  Canada Member since 6/13/2005
Platinum Membership Posts: 56

11/04/2005 05:28 PM
I do have 2 NICs - one for the LAN, one for the WAN (I am connected via a Cable Modem directly out). I did not change NICs recently - this is a newly built server, not an upgrade or a swing server.
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12627

Ze'ev Ionis  Canada Member since 6/13/2005
Platinum Membership Posts: 56

11/07/2005 02:24 AM
I've reproduced the output from ipconfig /all below. This was not an upgrade, but a fresh install on new hardware with SBS 2003 & ISA 2004.
============================
Windows IP Configuration
Host Name . . . . . . . . . . . . : zi-server
Primary Dns Suffix . . . . . . . : MENDZ.LOCAL
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : MENDZ.LOCAL oawh1.on.cogeco.ca
Ethernet adapter Server Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys LNE100TX Fast Ethernet Adapter(LNE100TX v4)
Physical Address. . . . . . . . . : 00-0C-41-1C-0A-F0
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.16.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.16.2
Primary WINS Server . . . . . . . : 192.168.16.2
Ethernet adapter Network Connection:
Connection-specific DNS Suffix . : oawh1.on.cogeco.ca
Description . . . . . . . . . . . : Intel(R) PRO/1000 CT Network Connection
Physical Address. . . . . . . . . : 00-11-11-60-77-12
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : No
IP Address. . . . . . . . . . . . : 24.141.37.132
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 24.141.32.1
DHCP Server . . . . . . . . . . . : 24.226.1.121
DNS Servers . . . . . . . . . . . : 192.168.16.2
NetBIOS over Tcpip. . . . . . . . : Disabled
Lease Obtained. . . . . . . . . . : November 6, 2005 1:40:57 PM
Lease Expires . . . . . . . . . . : November 13, 2005 1:40:57 PM
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12627

11/07/2005 03:16 AM
Hi Ze'ev,
You would do better to get yourself a router and put that between the external nic and the cable modem. You are now getting the foreign DNS in the suffix search list.
Marina Roos
Smallbizserver.Net Administrator
Mission accomplished. We have joined the branch office to our SBS 2003 Headquarters and have the same user experience on the branch office as we have on our local network at the Headquarters. Want to know how? Sign up for a subscription and get instant access to the article series 'How to add an additional Domain Controller from a remote office to the SBS domain'
Amy Babinchak  Michigan, United States Member since 5/23/2005
Microsoft MVP Posts: 204

11/07/2005 08:27 PM
I don't see anything wrong with your IP configuration on this server. It's coming from the inside. I'll go out on a limb and say that you've got a printer with a web interface (many do these days) that is in the 192.0.0 range. Let me know if I'm correct.
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12627

11/08/2005 03:03 AM
Hi Amy,
Although it doesn't explain the error Ze'ev is getting, that ipconfig is not good with that foreign dns suffix.
Ze'ev Ionis  Canada Member since 6/13/2005
Platinum Membership Posts: 56

11/08/2005 03:19 AM
I will get (already ordered) a router, but that doesn't explain why the errant message shows up on the internal adapter side of things.
AMY - I checked just to confirm, but as expected the only printer that has a web page is on my normal subnet of 192.168.16.0 ... 192.168.16.255.
Thanks to both of you!
Ze'ev
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12627

11/08/2005 03:22 AM
Hi Ze'ev,
Well, if I ping to 192.0.0.192 on my laptop, it is giving me the message that it is used for printservices discovery. So are you sure you haven't got a printserver hanging around?
Ze'ev Ionis  Canada Member since 6/13/2005
Platinum Membership Posts: 56

11/08/2005 03:28 AM
Now that's interesting!! I've pinged before, but did not try the -a parameter. Did that now, and got the same message back ("Pinging 192.0.0.0-is-used-for-printservices-discovery----illegally.iana.net [192.0.0.192] with 32 bytes of data:"). I have a printer (HP) attached to the network using a Jet Direct Card. This is the one configured to a "regular" IP address. But I've also installed the HP Jet Direct software that does a "discovery" to find printers. I wonder if that's somehow generating this message?
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12627

11/08/2005 03:34 AM
Hi Ze'ev,
Remove that Jet Direct software from the server, you don't need it anyway, and see if that does the trick.
Ze'ev Ionis  Canada Member since 6/13/2005
Platinum Membership Posts: 56

11/08/2005 03:43 AM
Checked the HP Jet Admin "readme file" (you mean you're actually supposed to read this stuff!!) and found the following:
21. Question: What is the Remote Discovery Agent (RDA) feature? Solution: RDA allows HP Web Jetadmin to discover unconfigured HP devices (IP addresses of 192.0.0.192) on remote TCP/IP subnets. HP Web Jetadmin has the ability to push a piece of software to a PC on the remote subnet. This software will then run as a service (under Windows) or as a process (under Unix/Linux), discovering unconfigured devices and passing this information back to HP Web Jetadmin. RDA is now configurable with HP Web Jetadmin. Different discovery mechanisms can be selected and scheduled.
Now to find out where this service has been installed, and if it's been pushed to any of the other desktops! Fascinating, what you find when you actually RTFM.
Thanks very much! Feel much better knowing that the dangerous hacker attacking my systems is me!
Ze'ev
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12627

Graham Keen  Australia Member since 11/21/2005
Registered Users Posts: 2
11/21/2005 12:47 AM
I use ISDN dial-on-demand on my SBS 2003 server and I also get the Event 14147 error messages in the Application Log each time the server connects to the Internet (which is every 15 minutes to collect POP3 mail). However, unlike Ze'ev's problem, my error seems to be related to the External network and not the Internal network. The full error message is:
"Description: ISA Server detected routes through adapter Loopback that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.) The address ranges in conflict are: 144.134.109.254-144.134.109.254;."
Could it be that ISA doesn't properly support dial-up connections with dynamically assigned IP addresses? Each time the server connects, I get a new IP address on the External network. Could it be that Windows correctly updates the LAT but ISA sees this as a conflict and reports it as an error? There are no adverse effects of the error but I would like to stop it because it fills up the Alert screen making it harder to see any other errors.
Here's the result of an ipconfig /all:
Windows IP Configuration
Host Name . . . . . . . . . . . . : cadbase01
Primary Dns Suffix . . . . . . . : CADBASE.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : CADBASE.local
Ethernet adapter Server Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-11-43-ED-AC-F5
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.0.0.1
Primary WINS Server . . . . . . . : 10.0.0.1
PPP adapter Telstra ISDN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 144.134.109.208
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 144.134.109.208
DNS Servers . . . . . . . . . . . : 203.49.70.20 139.134.2.190
Graham (cadbase)
PS I also see "spoofing" attack messages on 127.0.0.1 but I'm not sure if this is related directly to the 1417 problem.
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12627

11/21/2005 01:20 AM
Hi Graham,
If you only have 1 nic in the server, it doesn't make much sense to use ISA. Have you considered adding a second nic and letting that connect to a router which can do the dial up for you?
Graham Keen  Australia Member since 11/21/2005
Registered Users Posts: 2
11/21/2005 02:42 AM
Thanks for the quick reply. We've had ISA 2000 for 3 years under this ISDN dial-on-demand arrangement - initially with SBS 2000 and later with SBS 2003 and it's never been a problem. In all other respects, SBS supports dial-on-demand very well and ISA does provide all the same benefits as using two NICs and a router. We applied SBS 2003 Service Pack 1 (which includes an upgrade from ISA 2000 to ISA 2004) on the weekend and noticed these 14147 messages only today. We haven't looked into ISDN routers yet. At the moment we use a "Telstra NT1 Plus II" ISDN interface box that was supplied by the telco. This interfaces with SBS through a USB port. We only have one twisted pair into the building so this NT1 is quite good in that it provides shared telephone, fax and Internet access over the one phone line. The box has two analogue ports where one connects to a telephone and the other to a modem on the server for send/receive fax transmissions. When the server connects to the Internet, it uses both ISDN channels to achieve 128K speed. If a phone call comes in on one channel or a fax comes in on the other while the server is on-line, the NT1 box drops one channel to the USB port resulting in 64K connection to the Internet and the other channel is made active for voice or fax call. When the telephone call finishes, the NT 1 box re-establishes a connection on the second channel so the speed of the Internet connection is increased back to 128K - all without the active connection being interrupted. I'm not sure if an ISDN router will do all of this - although I'll do some research.
Unfortunately we can't get ADSL or cable at this location so ISDN is our only option. Since this is charged by the second, we have to limit the time on-line. We can't get a permanent IP address under our ISP contract.
I suspect the same problem would occur if our Internet access was dial-on-demand through an analogue modem. This would also get a different IP on each dial.
We had cable up until 3 years ago and connected to that using a second NIC. However we found with that the IP address rarely changed - maybe once every 6 months or so when the Telco changed something. I suspect ISA would report the same 14147 message when this happens on cable customers - but because it's rare it probably doesn't get reported as a problem.
As mentioned before, ISA does everything it's supposed to do and does provide all the same benefits as a server with a permanent Internet connection through a second NIC or router - so maybe we can simply ignore the config errors?
Graham Keen
Stephen Cashman  United States Member since 8/1/2008
Platinum Membership Posts: 3

9/22/2008 05:31 PM
We have a new SBS 2003 installation on a new server with two NICs. I occasionally get this event id, but I don't know if I should be concerned about it or not. Here is a typical error message:
Event Type: Error
Event Source: Microsoft Firewall
Event Category: None
Event ID: 14147
Date: 9/22/2008
Time: 9:40:09 AM
User: N/A
Computer: FILESERVER1
Description: ISA Server detected routes through the network adapter Network Connection WAN that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 10.0.1.0-10.255.255.254;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I'm not an ISA expert so I don't want to mess anything up by making unnecessary changes to my configuration. All client computers are able to access all external web sites, FTP site, etc.
We do have a couple of HP printers with Jet Direct cards on our network, but I don't have any HP software installed on the server. We do have a Dell Remote Access card that we have not used yet. It appears to have an IP address of 10.0.0.16.
Here are the results of IPCONFIG/ALL:
Windows IP Configuration
Host Name . . . . . . . . . . . . : fileserver1
Primary Dns Suffix . . . . . . . : cashmanstahler.local
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : Yes
DNS Suffix Search List. . . . . . : cashmanstahler.local
Ethernet adapter Server Local Area Connection LAN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
Physical Address. . . . . . . . . : 00-1E-C9-D6-2A-AC
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 10.0.0.2
Primary WINS Server . . . . . . . : 10.0.0.2
Ethernet adapter Network Connection WAN:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client) #2
Physical Address. . . . . . . . . : 00-1E-C9-D6-2A-AE
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 66.9.251.50
Subnet Mask . . . . . . . . . . . : 255.255.255.240
Default Gateway . . . . . . . . . : 66.9.251.49
DNS Servers . . . . . . . . . . . : 10.0.0.2
Primary WINS Server . . . . . . . : 10.0.0.2
NetBIOS over Tcpip. . . . . . . . : Disabled
PPP adapter RAS Server (Dial In) Interface:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
Physical Address. . . . . . . . . : 00-53-45-00-00-00
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.0.0.16
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Disabled
Thanks for any help you can offer.
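Added example, not part of the thread and not ISA Server's own logic: the event text quoted in the posts above describes a comparison between a network's configured address ranges and the routes bound to its adapter, and this Python code performs that comparison in both directions. The function names are hypothetical, the input is assumed to hold only the unicast routes on the adapter, and the second network definition is constructed.

```python
import ipaddress as ip

def to_networks(ranges):
    """Turn (first, last) address pairs into a collapsed list of CIDR blocks."""
    nets = []
    for first, last in ranges:
        nets.extend(ip.summarize_address_range(ip.ip_address(first), ip.ip_address(last)))
    return list(ip.collapse_addresses(nets))

def subtract(nets, holes):
    """Return the parts of `nets` that no block in `holes` covers."""
    remaining = list(nets)
    for hole in holes:
        kept = []
        for net in remaining:
            if net.subnet_of(hole):        # fully covered, drop it
                continue
            if hole.subnet_of(net):        # partly covered, keep the rest
                kept.extend(net.address_exclude(hole))
            else:                          # CIDR blocks nest or are disjoint
                kept.append(net)
        remaining = kept
    return remaining

def as_ranges(nets):
    """Merge adjacent blocks and render them as 'first-last', as the event text does."""
    merged = []
    for net in sorted(nets):
        first, last = int(net[0]), int(net[-1])
        if merged and first <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], last)
        else:
            merged.append([first, last])
    return [f"{ip.ip_address(a)}-{ip.ip_address(b)}" for a, b in merged]

def correlate(network_ranges, adapter_routes):
    """Compare a network definition with the routes bound to its adapter."""
    defined = to_networks(network_ranges)
    routed = list(ip.collapse_addresses(ip.ip_network(r) for r in adapter_routes))
    return {
        "routed_not_in_network": as_ranges(subtract(routed, defined)),
        "in_network_not_routed": as_ranges(subtract(defined, routed)),
    }

# Ze'ev's case: Internal network = his LAN subnet, plus the 192.0.0.192 host
# route he saw in the routing table on the internal adapter.
ZEEV = correlate([("192.168.16.0", "192.168.16.255")],
                 ["192.168.16.0/24", "192.0.0.192/32"])

# Constructed case (this network definition is an assumption, not from the
# thread): the definition is wider than the 10.0.0.0/24 the LAN adapter routes.
WIDE = correlate([("10.0.0.0", "10.255.255.254")], ["10.0.0.0/24"])

if __name__ == "__main__":
    print(ZEEV)
    print(WIDE)
```

An empty list in both directions means the definition and the adapter's routes agree; anything else is a range worth tracing to the software or configuration that added it.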
Marina Roos  The Netherlands Member since 3/24/2005
Forum Admins Posts: 12627
