Having a weird problem. When a packet is sent to a nonexistent IP (no device at that IP) on the internal network to another internal network it is being routed to the DMZ segment and shows as a spoofed packet on the Internet facing firewall. If the packet is destined for an IP of a live device it routes just fine.
Some background, two sites, linked by site to site VPN, both sites use TMG2010, all TMG2010 servers under Hyper-V
Network layout: (All subnets 255.255.0.0)
-Site A-
Internal Subnets: 10.1.x.x, 10.4.x.x (each subnet has own virtual NIC)
TMG 2010 (10.1.0.17: DMZ facing firewall) <From DHCP: 10.1.0.103 - Site to site VPN endpoint and subnets routing>
DMZ Subnet: 10.10.x.x
TMG 2010 (10.10.0.7: DMZ to Internet firewall)
<<Internet>>
-Site B-
TMG 2010 (10.20.0.1: Internet facing firewall)
DMZ subnet: 10.20.x.x
TMG2010 (10.2.0.14: DMZ facing firewall) <DHCP: 10.2.0.117 - Site to site VPN endpoint and subnets routing>
Internal Subnets: 10.2.x.x, 10.3.x.x (each subnet has own virtual NIC)
Example:
Live device ping to 10.2.6.20 from 10.1.1.11
10.1.1.11 -> 10.1.0.17 (TMG 2010-Site A) DMZ facing firewall -> Site to site VPN (From DHCP IP 10.1.0.103 - 10.2.0.117) -> 10.2.0.14 (TMG 2010-Site B) DMZ facing firewall -> 10.2.6.20 (Live device) Works just fine!
Nonexistent device ping to 10.2.0.100 from 10.1.1.11
10.1.1.11 -> 10.1.0.17 (TMG 2010-Site A) DMZ facing firewall -> Site to site VPN (DHCP IP 10.1.0.103 - 10.2.0.117) -> 10.2.0.14 (TMG 2010-Site B) DMZ facing firewall -> 10.20.0.1 (TMG 2010-Site B) Internet facing firewall * Sees ping to 10.2.0.100 as a spoofed packet. Why is the packet even here in the 10.20.x.x subnet?
Ping result for nonexistent device from 10.1.1.11
C:\Users\admaster>ping 10.2.0.100
Pinging 10.2.0.100 with 32 bytes of data:
Reply from 10.1.0.103: Destination host unreachable.
Request timed out.
Request timed out.
Request timed out.
NOTE: The first ping gets it right, Destination host unreachable, however the three remaining pings show up at Site B’s outer firewall as spoofed packets.
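As an added illustration (not code from the post or from TMG), here is the kind of spoof check the Site B Internet facing firewall is applying when it flags the misrouted ping: a packet is treated as spoofed when its source address is not one the arrival adapter is defined to carry. The adapter-to-range mapping is an assumption built from the subnets listed above.

```python
import ipaddress

# Constructed approximation of TMG-style spoof detection on the Site B
# Internet-facing TMG (10.20.0.1). This is not TMG's implementation: a packet is
# flagged as spoofed when its source address does not belong to the ranges
# defined for the adapter it arrived on. The mapping is an assumption derived
# from the subnets in the post.
SITE_B_OUTER_ADAPTERS = {
    "DMZ": ["10.20.0.0/16"],      # inside adapter: only the DMZ /16 is expected
    "External": ["0.0.0.0/0"],    # outside adapter: anything not owned elsewhere
}

def _nets(cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]

def is_spoofed(adapters, arrival_adapter, src):
    """True when src is not a valid source for packets arriving on arrival_adapter."""
    ip = ipaddress.ip_address(src)
    own = _nets(adapters[arrival_adapter])
    # Ranges explicitly owned by other adapters; a catch-all 0.0.0.0/0 never claims these.
    foreign = [n for name, cidrs in adapters.items() if name != arrival_adapter
               for n in _nets(cidrs) if n.prefixlen > 0]
    if any(ip in n for n in foreign):
        return True
    return not any(ip in n for n in own)

def explain(adapters, arrival_adapter, src, dst):
    """One-line verdict for a packet, shaped like a firewall log entry (constructed)."""
    verdict = "SPOOFED" if is_spoofed(adapters, arrival_adapter, src) else "ok"
    return f"{arrival_adapter}: {src} -> {dst} {verdict}"

if __name__ == "__main__":
    # The echo request from the post that was misrouted into the DMZ segment.
    print(explain(SITE_B_OUTER_ADAPTERS, "DMZ", "10.1.1.11", "10.2.0.100"))
    # A DMZ host talking to the Internet: legitimate on the DMZ adapter.
    print(explain(SITE_B_OUTER_ADAPTERS, "DMZ", "10.20.0.50", "203.0.113.10"))
    # A packet from the Internet claiming a DMZ source: classic ingress spoofing.
    print(explain(SITE_B_OUTER_ADAPTERS, "External", "10.20.0.50", "10.20.0.1"))
```

The check explains the log entry, not the misrouting itself: the packet only gets flagged because something upstream forwarded it onto the 10.20.x.x segment with a 10.1.x.x source.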
Even more info:
The following tracerts show that this behavior is inconsistent. The first tracert, to a live device on the 10.2.x.x subnet from the 10.1.x.x subnet, works just fine.
The second tracert is to a nonexistent device and works the first time indicating that the device is unreachable.
The third tracert is the same as the second but routes incorrectly and results as a spoofed packet on the outer firewall.
These tracerts were done in quick succession (see below).
C:\Users\admaster>Tracert 10.2.6.20
Tracing route to <edited out> [10.2.6.20]
over a maximum of 30 hops:
1 * * * Request timed out.
2 <1 ms * * <edited out> [10.1.0.17]
3 25 ms 24 ms 23 ms <edited out> [10.2.6.20]
Trace complete.
C:\Users\admaster>Tracert 10.2.0.100
Tracing route to <edited out> [10.2.0.100]
over a maximum of 30 hops:
1 * * * Request timed out.
2 <1 ms * * arlvproxy.local.iihs.org [10.1.0.17]
3 24 ms vrcvproxy1.local.iihs.org [10.1.0.103] reports: Destination host unreachable.
Trace complete.
C:\Users\admaster>Tracert 10.2.0.100
Tracing route to <edited out> [10.2.0.100]
over a maximum of 30 hops:
1 <1 ms * <1 ms arlvproxy.local.iihs.org [10.1.0.17]
2 23 ms * 22 ms vrcvproxy1.local.iihs.org [10.1.0.103]
3 * * * Request timed out.
4 * *
Lastly, I can substitute sites or internal subnets as target or destination and reproduce the same result (i.e. Site A to B, Site B to A, etc.).
How do I fix this? Thanks!