2629 Views 21 Replies Latest reply: Dec 10, 2013 6:34 PM by woodsjw
edburns Newcomer 16 posts since
Jan 4, 2013

May 30, 2013 3:11 PM

MVM scan engine with multiple IP addresses (static routes)

Hi all,

Wondering if any other customers have encountered a similar issue?

One of our DMZ scan engines (Windows Server 2008 VM) has two IP addresses & 1 default gateway. I then entered static routes on the server to direct certain traffic to the appropriate gateway address. Running a ping from the server to the target is successful; however, scanning that same target IP from this scan engine shows no active IP addresses. Here's an example of the setup:

IP 1: 192.168.0.100 /24

IP 2: 172.16.0.100 /24

Default Gateway: 192.168.0.1 /24

Static routes:

Network destination: 172.16.30.0 /24

Gateway: 172.16.0.1 /24

- This destination network is only accessible via 172.16.0.1 and not 192.168.0.1

Testing:

- ping 172.16.30.100 is successful

- tracert 172.16.30.100 shows proper next hop of 172.16.0.1

- ping -S 192.168.0.100 172.16.30.100 is not successful

Assumptions:

What appears to be happening is that MVM is reading the network configuration of the server and determining there is 1 default gateway (192.168.0.1); it is then attempting to send all traffic to this gateway and not honouring the local routing table on the Windows server itself. This is problematic, as at this time it is not feasible to include a secondary NIC, nor should it be necessary. Adding a secondary default gateway does not resolve the problem either and conflicts with configuration policies we have in place.

Thanks & would appreciate any feedback if others have a similar setup

  • zaid Newcomer 3 posts since
    Jun 5, 2013

    Tracert won't help here; you should print the route table with "route print" and see if the static route you added is using the interface with IP "172.16.0.100". It should have a lower metric value than the default gateway.

    If not, delete that static route and add it again as below:

    Route add 172.16.0.100 MASK 255.255.255.0 172.16.0.1 METRIC 2 IF (put the interface number) -p

    Also, make sure you have enabled ICMP for that interface if you want to ping it. You can do that in WF.msc.
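
As an added example (not part of the thread and not MVM or McAfee code), the following Python script parses a constructed `route print` excerpt built from the addresses in the original post and reports which gateway and interface address the most specific matching route gives for a target. The metric values, the sample text and the function names are assumptions made for the illustration.

```python
import ipaddress

# Constructed "route print" excerpt using the addresses from the original post.
# The metric values are assumptions, not output from the poster's server.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1    192.168.0.100     10
       172.16.0.0    255.255.255.0          On-link     172.16.0.100    266
      172.16.30.0    255.255.255.0       172.16.0.1     172.16.0.100     20
      192.168.0.0    255.255.255.0          On-link    192.168.0.100    266
"""

def parse_routes(text):
    """Return (network, gateway, interface, metric) for each IPv4 route row."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headers, separators and blank lines
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}")
            routes.append((net, gateway, iface, int(metric)))
        except ValueError:
            continue  # five tokens, but not a route row
    return routes

def select_route(routes, target):
    """Most specific prefix wins; metric only breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(target)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[3]))

def check_target(text, target, expected_iface):
    """Report the selected route and whether it uses the expected interface IP."""
    route = select_route(parse_routes(text), target)
    if route is None:
        return {"target": target, "ok": False, "reason": "no matching route"}
    net, gateway, iface, metric = route
    return {"target": target, "route": str(net), "gateway": gateway,
            "interface": iface, "metric": metric, "ok": iface == expected_iface}

if __name__ == "__main__":
    print(check_target(SAMPLE_ROUTE_PRINT, "172.16.30.100", "172.16.0.100"))
    print(check_target(SAMPLE_ROUTE_PRINT, "10.1.1.1", "172.16.0.100"))
```

On the scan engine itself, the text printed by `route print -4` can be passed to `check_target` in place of the constructed sample.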

  • zaid Newcomer 3 posts since
    Jun 5, 2013

    Edburn, can you PM me your routing table?

    The way I see it, you are having issues with routing. The routing table will confirm this; you can show the routing table with "route print".

  • zaid Newcomer 3 posts since
    Jun 5, 2013

    MVM uses the system network configuration, so if you are able to reach the target from the server, MVM should be able to reach the target, unless there are some firewall rules that prevent MVM services from reaching the target. So if you are convinced that the network configuration is correct, I suggest the next step is to check the firewall rules. You can do that by typing wf.msc in Run.

  • dmease729 Champion 267 posts since
    Jul 22, 2011

    I'm with zaid on this - I very much doubt this is an issue with MVM. To confirm it to yourself you need to see exactly what is happening, so I would suggest using Wireshark or windump - if you run a basic discovery scan against a test host and capture the packets, you should see which interface the packets are leaving on. If you actually *see* the packets leaving the wrong interface, then you know something is wrong (I doubt this will happen) and this is the only real test. You can look at all the configuration in the world, but the best troubleshooting method is actually seeing what is happening, not what you believe is happening or is supposed to happen (with regard to the latter, weird things can happen in IT!)

    Hope this helps,

  • dmease729 Champion 267 posts since
    Jul 22, 2011

    What the....?  Certainly not what I was expecting and certainly not the way it is meant to work.  I have used multiple NICs before and not come across any issues such as this.  Just out of curiosity, when the packets are sent out of the wrong interface is the source IP the interface that the packet is being sent out of, or the correct source IP but out of the wrong interface (if that makes sense!).  Likely the former, but the latter is actually possible.  The only thing I can suggest now is raising an SR (and hopefully keeping us up to date as this is a puzzler!) - remember to gather and provide the MER output from the scanner itself, along with details of tests and observations so far, and this should make the support case a lot faster!
