The routing table for a network adapter includes IP address ranges that are not included in the array level network to which it is bound - Microsoft.Forefront.TMG.The_routing_table_for_a_network_adaptor_includes_IP_address_ranges_that_are_not_included_in_the_array_level_network_to_which_it_is

Microsoft.Forefront.TMG.The_routing_table_for_a_network_adaptor_includes_IP_address_ranges_that_are_not_included_in_the_array_level_network_to_which_it_is_bound.Rule (Rule)

This Rule generates alerts when The routing table for a network adapter includes IP address ranges that are not included in the array level network to which it is bound

Knowledge Base article:

Summary

The routing table for one of the network adapters includes IP address ranges that are not included in the array-level network to which it is bound. As a result, packets arriving at this network adapter from these IP address ranges or sent to these IP address ranges via this network adapter will be dropped as spoofed.

The first parameter of the event indicates the name of the network adapter, and the second parameter of the event indicates the IP address ranges.

Causes

For every IP address range in the routing table of a network adapter, there should be a corresponding IP address in the array-level network for that network adapter. Otherwise, packets sent to the array-level network will be considered spoofed and therefore dropped. This could result in loss of connectivity.

If you recently changed the NLB configuration, check if the event recurs. If it does not, you may safely ignore this alert.

Resolutions

Add the missing IP address ranges to the array-level network.

Element properties:

Target	Microsoft.Forefront.TMG.Server
Category	EventCollection
Enabled	True
Alert Generate	False
Remotable	True

Member Modules:

ID	Module Type	TypeId	RunAs
DS	DataSource	Microsoft.Forefront.TMG.Rule.AlertGenerate.DS	Default
WA	WriteAction	Microsoft.Forefront.TMG.Rule.AlertGenerate.WA	Default

Module Type

TypeId

RunAs

DataSource

Microsoft.Forefront.TMG.Rule.AlertGenerate.DS

Default

WriteAction

Microsoft.Forefront.TMG.Rule.AlertGenerate.WA

Default

Source Code:

<Rule ID="Microsoft.Forefront.TMG.The_routing_table_for_a_network_adaptor_includes_IP_address_ranges_that_are_not_included_in_the_array_level_network_to_which_it_is_bound.Rule" Enabled="true" Target="Microsoft.Forefront.TMG.Server" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100"> <Category>EventCollection</Category> <DataSources> <DataSource ID="DS" TypeID="Microsoft.Forefront.TMG.Rule.AlertGenerate.DS"> <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName> <LogName>Application</LogName> <EventsPattern>^(21265)$</EventsPattern> <EventType>1</EventType> <SourcePattern>Microsoft Forefront TMG Firewall</SourcePattern> </DataSource> </DataSources> <WriteActions> <WriteAction ID="WA" TypeID="Microsoft.Forefront.TMG.Rule.AlertGenerate.WA"> <AlertMessageId>$MPElement[Name="Microsoft.Forefront.TMG.The_routing_table_for_a_network_adaptor_includes_IP_address_ranges_that_are_not_included_in_the_array_level_network_to_which_it_is_bound.AlertMessage"]$</AlertMessageId> <DomainName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/DomainDnsName$</DomainName> <Priority>1</Priority> <Severity>2</Severity> </WriteAction> </WriteActions> </Rule>