DOCUMENT:Q175754 09-AUG-2001 [winnt] TITLE :FPNW Event ID 2025 and Packet Spoofing Information PRODUCT :Microsoft Windows NT PROD/VER:WinNT:3.51,4.0 OPER/SYS: KEYWORDS:kbinfo kbArtTypeINF ====================================================================== ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Windows NT Server versions 3.51, 4.0 - Microsoft File and Print Services for NetWare versions 3.51, 4.0 ------------------------------------------------------------------------------- IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe. SYMPTOMS ======== File and Print Services for NetWare (FPNW) is logging the following event: Event Id: 2025 Source: FPNWSrv Type: Warning Description: The server detected attempted packet spoofing for client "xxx" on connection "yyy". The connection has been closed. CAUSE ===== It is possible that a router on the LAN has been configured to spoof IPX, SPX, or NetBIOS over IPX to keep packets alive. The built-in security check of the FPNW server is detecting this spoof and closing the connection. This is by design. RESOLUTION ========== To resolve this problem, do one of the following: - Disable IPX/SPX packet spoofing on your routers -or- - Disable this behavior within FPNW by adding a registry entry. This entry is not in the registry by default, it must be added manually. To add this entry to the registry, perform the following steps: WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. 1. Run Registry Editor (Regedt32.exe), and go to the following subkey: HKEY_LOCAL_MACINE\SYSTEM\CurrentControlSet\Services \FPNWsrv\Parameters NOTE: The registry key above is all one path; it has been wrapped for readability. 2. On the Edit menu, click Add Value and type the following entry: Value Name: AllowableBadSequencePkts Data Type: REG_DWORD Value: 0 (Default: 10) 3. Stop and restart the FPNW server. MORE INFORMATION ================ In an IPX/SPX environment connections between hosts (clients and/or servers) may at times go idle. The following may occur: - With an IPX-based connection, a server will intermittently send IPX Watchdog packets to a connected client to ensure that the client is still connected. - With either an SPX- or NWLINK- (NetBIOS over IPX) based connection, both the client and the server (or two connected servers) will send probe packets to one another, ensuring that the other computer is still detecting the other computer. In a LAN environment, there is very little overhead associated with these keep-alive packets. In an environment where the cost of the WAN link is based on usage, these keep-alive packets may cause the WAN link to be opened frequently or possibly to remain up indefinitely, incurring very high costs. Some WAN routers have the ability to spoof these keep-alive packets. When the router sees that a keep-alive packet is to be forwarded over the WAN it silently discards the packet and responds to the originating server or client as though the router were the remote server or client. The WAN connection is not opened and no charges are incurred. When FPNW receives these spoofed packets, it will view them as a possible security breach by default and close the connection with the remote client or server. ====================================================================== Keywords : kbinfo kbArtTypeINF Technology : kbWinNTsearch kbWinNT351search kbWinNT400search kbWinNTSsearch kbWinNTS400search kbWinNTS400 kbWinNTS351 kbWinNTS351search kbServicesNetwareSearch kbFPNW351 kbFPNW400 Version : WinNT:3.51,4.0 Hardware : ALPHA x86 Issue type : kbprb ============================================================================= THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. Copyright Microsoft Corporation 2001.