Troubleshooting 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED error

When you run into 0xc0040014 FWX_E_FWE_SPOOFING_PACKET_DROPPED error on ISA it means that IP traffic is being forwarded to the network interface that is not expecting traffic from that IP address range. If you are using only physical network cards this should be easy to troubleshoot because ISA will log the interface name that is receiving network packets.

If you are using Enterprise networks on ISA Server Enterprise Edition and you run into spoofing problem on one of enterprise networks ISA will list name enterprise network which may not be directly linked to physical address.

In our case we have two possible paths (routes) that packet could take to reach the ISA server.

To figure out which router was forwarding the packets to the wrong interface I started Wireshark and made a network capture. For clarity I filtered the traffic by IP addresses of remote site that we wire connecting.

In network capture we can see MAC address of the router that is forwarding the network packets to the wrong network card (network card that is not expecting those IP packets). We can now use arp -a command on server to find out which IP address the MAC address belongs to and with this we tracked down the router.

Now that we knew which device was forwarding the packets we were able to fix the routes to ISA server and solve the problem.

Add comment