ISA Server detected network elements that contain overlapping address ranges

Microsoft.ISAServer.2006.ISA_Server_detected_network_elements_that_contain_overlapping_address_ranges.Rule (Rule)

This rule generates alerts when ISA Server detects network elements that contain overlapping address ranges.

Knowledge Base article:

Summary

ISA Server detected routes through a network adapter that do not correlate with the network to which this adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The event description contains both the name of the network adapter and the IP address ranges in conflict.

Causes

Every subnet connected to the ISA Server computer must be contained in a single network. The conflicting route crosses the network boundaries.

Resolutions

If you recently created a remote site network, check if the event recurs. If it does not, you may safely ignore this message.

Fix the network and/or the routing table to make these IP address ranges consistent; they should be in both or in neither.
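The "in both or in neither" check from the resolution above can be run offline before changing the configuration. The following is an added example, not part of the management pack or of ISA Server: the function names are hypothetical, the address ranges and routes are constructed, and the input is assumed to list only the subnet routes of one adapter (no default, loopback or multicast routes).

```python
import ipaddress

def merge(intervals):
    """Sort and merge inclusive (start, end) integer intervals."""
    out = []
    for s, e in sorted(intervals):
        if out and s <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], e))
        else:
            out.append((s, e))
    return out

def subtract(a, b):
    """Return the parts of merged intervals a that merged intervals b do not cover."""
    out = []
    for s, e in a:
        for bs, be in b:
            if be < s or bs > e:
                continue              # no overlap with this piece of b
            if bs > s:
                out.append((s, bs - 1))
            s = be + 1                # resume after the covered part
            if s > e:
                break
        if s <= e:
            out.append((s, e))
    return out

def fmt(intervals):
    return [f"{ipaddress.ip_address(s)}-{ipaddress.ip_address(e)}" for s, e in intervals]

def check_adapter(network_ranges, routes):
    """Compare a network's address ranges with the routes through its adapter.

    network_ranges: (first, last) address pairs as configured on the network.
    routes: destination prefixes routed through the adapter of that network.
    """
    net = merge((int(ipaddress.ip_address(a)), int(ipaddress.ip_address(b)))
                for a, b in network_ranges)
    rt = merge((int(n.network_address), int(n.broadcast_address))
               for n in map(ipaddress.ip_network, routes))
    return {"routed_not_in_network": fmt(subtract(rt, net)),   # may be dropped as spoofed
            "in_network_not_routed": fmt(subtract(net, rt))}   # network range is too wide

if __name__ == "__main__":
    # Constructed sample: a static route to 10.0.1.0/24 was added on the adapter,
    # but the network definition still lists only 10.0.0.0-10.0.0.255.
    print(check_adapter([("10.0.0.0", "10.0.0.255")], ["10.0.0.0/24", "10.0.1.0/24"]))
```

Both lists empty means the network definition and the routing table agree for that adapter.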

Element properties:

Target: Microsoft.ISAServer.2006.ServerRole
Category: EventCollection
Enabled: True
Alert Generate: False
Remotable: True

Member Modules:

ID Module Type TypeId RunAs 
DS DataSource Microsoft.ISAServer.2006.Rule.AlertGenerate.DS Default
WA WriteAction Microsoft.ISAServer.2006.Rule.AlertGenerate.WA Default

Source Code:

<Rule ID="Microsoft.ISAServer.2006.ISA_Server_detected_network_elements_that_contain_overlapping_address_ranges.Rule" Enabled="onEssentialMonitoring" Target="Microsoft.ISAServer.2006.ServerRole" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">
  <Category>EventCollection</Category>
  <DataSources>
    <DataSource ID="DS" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.DS">
      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>
      <LogName>Application</LogName>
      <EventsPattern>^(21097)$</EventsPattern>
      <EventType>1</EventType>
      <SourcePattern>Microsoft Firewall</SourcePattern>
    </DataSource>
  </DataSources>
  <WriteActions>
    <WriteAction ID="WA" TypeID="Microsoft.ISAServer.2006.Rule.AlertGenerate.WA">
      <AlertMessageId>$MPElement[Name="Microsoft.ISAServer.2006.ISA_Server_detected_network_elements_that_contain_overlapping_address_ranges.AlertMessage"]$</AlertMessageId>
      <DomainName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/DomainDnsName$</DomainName>
      <Priority>2</Priority>
      <Severity>2</Severity>
    </WriteAction>
  </WriteActions>
</Rule>