Welcome to ISAserver.org

"Failed Connection Attempt" Status - 995

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 General ] >> General >> "Failed Connection Attempt" Status - 995

Page: [1]

Message

<< Older Topic Newer Topic >>

"Failed Connection Attempt" Status - 995 - 27.Jun.2007 1:07:05 PM

jmilito

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline

I have two ISA 2004 servers with one at SP2 and the other at SP3. Using either server I am getting some puzzling 995 "The I/O operation has been aborted because of either a threat exit or application request" error messages. It is always an SSL-Tunnel error. One site in particular that I have been using for testing to generate the errors is www.dell.com and premier.dell.com. So needless to say the errors are consistent but are not generated with all web sites.

I remember Dr. Shinder mentioning somewhere that a 995 error was kind of a catch all for network related issues. I have done some diagnostics but have not found any tell-tale evidence of network issues. DNS resolving okay, ping time acceptable, firewall utilization acceptable, no other errors in logs on ISA or within DNS.

Anyway, I have done the following in my troubleshooting but have not yet found a solution.

1. Tried using our secondary ISA server
2. Enabled/Disabled the Firewall Client
3. Attempted to use both IE and Mozilla both with and without add-ons
4. Toggled the compression on and off on ISA.
5. Cleared the local and server cache
6. Disabled the cache on ISA
7. Rearranged and trimmed down my rulesets
8. Ran a DNS test and it passed all also ran log in debug mode (no errors found)
9. Cleared DNS cache and tried rearranging my DNS forwarder IPs to see if one of my ISP's servers was just over loaded
10. Viewed CPU and network utilization (cpu purring and net utilization not spiking much past 2.5%)
11. Double checked interface configurations per ISA recommendations.

Very Basic Configuration:

Internet/ISP > Primary Firewall > ISA > Firewall Client/Workstation

ISA 2004 w/ SP2 and SP3
Dual nics
DNS caching only server on ISA box
HTTP 1.1 enabled through proxy on clients

Any ideas or things I may have overlooked in my troubleshooting?

Post #: 1

Featured Links*

RE: "Failed Connection Attempt" Status - 995 - 27.Jun.2007 2:31:35 PM

Rotorblade

Posts: 1001
Joined: 27.Feb.2007
Status: offline

Hi,

Sounds like an upstream issue with the hardware at the perimeter firewall or your ISP�s premises equipment. Can you by-pass the perimeter FW to see if the problem still exists?

HTH
RB

(in reply to jmilito)

Post #: 2

RE: "Failed Connection Attempt" Status - 995 - 27.Jun.2007 3:28:17 PM

jmilito

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline

Unfortunately I cannot direct connect the servers because I would have to schedule an outage while I fussed with the settings. I guess I will have to setup a virtual machine. That could take a little time... Instead I will see if we can configure Solarwinds to monitor the connection and report back.

(in reply to Rotorblade)

Post #: 3

RE: "Failed Connection Attempt" Status - 995 - 28.Jun.2007 10:02:26 PM

jmilito

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline

No problems were detected upstream... We also just had our bandwidth increased and looking at logs we are not spiked out. We have 6 Mb up and down for only 120 users and 5 VPN connections. ISA is not dropping tons of packets either. DNS seems to be working well too. <shrug> SSL errors are still persistent.

On another notes users are complaining more and more about slow web browsing, time outs, images not appearing, etc. Funny thing is unchecking HTTP 1.1 through Proxy seems to fix MOST of the problems. One of the big fixes for the 1.1 was Yahoo. ALL the other problems seem to be fixed by using Mozilla through the firewall client. So that fact seems to reconfirm our connection and ISA is okay...right? Does that mean the problem is IE or a misconfigured group policy? I am leaning towards an IE patch or misconfiguration. Any ideas?

(in reply to jmilito)

Post #: 4

RE: "Failed Connection Attempt" Status - 995 - 29.Jun.2007 1:36:07 PM

jmilito

Posts: 321
Joined: 10.Oct.2006
From: MICHIGAN, US
Status: offline

Seem to be solving this one myself. The problem was only with IE connections which led me to believe something in the settings or group policy. I narrowed it down to two things "Do not save encrypted pages to disk" was checked. I disabled this group policy after seeing a slight performance increase gain. However after visiting my problematic site again I noticed there were still major issues. Looking at a TCP analyzer on the client side I noticed the problematic https website opened a whole bunch of connections that hung in a Time_Wait state. If I killed the connections manually the page would immediately load. I increased the number of TCP connections the clients could open from 100 to 200 on ISA and the most notable performance issues went away. I still get a few 995 SSL Tunnel errors but they are greatly reduced.