hi guys, my ISA server 2006 is denying packets without matching any of my FW rules. I mean, when I query the ISA logging, it prints "Denied Access" as usual, but without specifying any matching rule. What is the reason for that behavior?
well, actually I don't get your first question, but my ISA FW is denying connections that were previously established without specifying to me the reason for that, I mean, which rule raised the violation. My ISA server is only configured as a FW. I disabled the web proxy filter for HTTP. I'm using ISA in a 3-leg scheme.
Hard to say just like that. Highly possible it's not your ISA server denying those packets. It could be the server you are connecting to that is denying the packets. A network trace on ISA could verify that. You need to check the RESET flag; check which server is actually setting the RESET flag.
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
ORIGINAL: gsandorx
hi guys, my ISA server 2006 is denying packets without matching any of my FW rules. I mean, when I query the ISA logging, it prints "Denied Access" as usual, but without specifying any matching rule. What is the reason for that behavior?
Thanks and regards, sandor
What is shown in the Result Code column for these entries?
It is probably an FWX_E_TCP_NOT_SYN_PACKET_DROPPED error. These are common when previous sessions need to start a new TCP/IP three-way handshake. This error code normally indicates that ISA received TCP traffic (e.g. not a SYN packet) on a connection that wasn't opened, or that was already closed. So, if a connection is abortively closed (e.g. reset packet) and the client sends traffic on that connection, ISA may complain that this data is being sent for a connection that doesn't exist; hence TCP_NOT_SYN.
Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Guys, when ISA denies traffic without any "Rule", it is being denied based on System Policy.
The one thing that has never been revealed here is: What packets? Doing what? For what? From where? Going where? There was one brief hint that it was HTTP but that was it...
Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:
ORIGINAL: pwindell
Guys, when ISA denies traffic without any "Rule", it is being denied based on System Policy.
Not true.
One example is given above, others include Network Rules (FWX_E_NETWORK_RULES_DENIED) and things like Flood Mitigation (FWX_E_RULE_QUOTA_EXCEEDED_DROPPED).
IIRC, System Policy denies will show [System] <System Policy Rule Name> in the rules column.
Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
quote:
ORIGINAL: pwindell
Guys, when ISA denies traffic without any "Rule", it is being denied based on System Policy.
The one thing that has never been revealed here is: What packets? Doing what? For what? From where? Going where? There was one brief hint that it was HTTP but that was it...
Er... no. System policies are also rules.
When ISA or TMG deny packets without quoting a rule, it's one of two things:
1. Network rule decision
2. Packet filter action (non-SYN, flood, etc.)
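As an added example (not code from the thread or from ISA/TMG itself), here is a small Python classifier that applies the checks given in the replies above: it attributes denies that name a rule (including "[System] ..." system policy rules) to that rule, and explains rule-less denies by the result codes mentioned in this thread (TCP_NOT_SYN, network rules, flood mitigation quota). The log field layout and every log value are constructed for the example and are not copied from a real ISA 2006 firewall log.

```python
# Result codes named in the thread and the deny category each implies.
RESULT_CODE_CATEGORY = {
    "FWX_E_TCP_NOT_SYN_PACKET_DROPPED": "packet filter: non-SYN on unknown or closed connection",
    "FWX_E_NETWORK_RULES_DENIED": "network rule decision",
    "FWX_E_RULE_QUOTA_EXCEEDED_DROPPED": "packet filter: flood mitigation quota",
}

# Constructed sample log. Field names and order are an assumption for this
# example (not copied from a real ISA 2006 log); values are tab-separated.
FIELDS = ["client-ip", "destination-ip", "destination-port", "protocol",
          "action", "rule", "result-code"]
_ROWS = [
    ["10.0.0.15", "192.0.2.10", "80", "http", "Denied", "-", "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"],
    ["10.0.0.15", "192.0.2.10", "80", "http", "Allowed", "Allow Web", "0"],
    ["10.0.0.22", "198.51.100.5", "443", "https", "Denied", "-", "FWX_E_NETWORK_RULES_DENIED"],
    ["10.0.0.22", "198.51.100.5", "53", "dns", "Denied", "[System] Allow DNS", "0"],
    ["10.0.0.31", "192.0.2.10", "80", "http", "Denied", "-", "FWX_E_RULE_QUOTA_EXCEEDED_DROPPED"],
    ["10.0.0.40", "192.0.2.10", "80", "http", "Denied", "-", "FWX_E_SOMETHING_ELSE"],
]
SAMPLE_LOG = "#Fields: " + "\t".join(FIELDS) + "\n" + "\n".join("\t".join(r) for r in _ROWS) + "\n"

def parse_w3c(text):
    """Parse a tab-separated W3C-style log with a '#Fields:' header into dicts."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip() or fields is None:
            continue  # other directives, blank lines, or data before any header
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def classify_denied(records):
    """Return (client, destination, port, category) for every Denied entry."""
    out = []
    for r in records:
        if r.get("action") != "Denied":
            continue
        rule = r.get("rule", "-")
        if rule and rule != "-":  # a named rule explains the deny outright
            kind = "system policy rule" if rule.startswith("[System]") else "firewall policy rule"
            category = f"{kind}: {rule}"
        else:  # rule-less deny: the result code is the only explanation
            code = r.get("result-code", "")
            category = RESULT_CODE_CATEGORY.get(code, f"unrecognised result code {code}")
        out.append((r["client-ip"], r["destination-ip"], r["destination-port"], category))
    return out
```

Any entry that lands in the "unrecognised result code" bucket is the one to take a network trace on, per the RESET-flag advice above.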