0xc0040017 FWX E TCP NOT SYN PACKET DROPPED

0xc0040017 FWX E TCP NOT SYN PACKET DROPPED - 30.Aug.2004 1:05:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Anyone know what causes this and how it can be resolved? (I'm hoping MSFT ppl read this.)
We are not using NLB (anymore), so this can be excluded. We are getting these messages when we copy large files (20 MB) from client to server through the ISA.

LExP
Post #: 1
RE: 0xc0040017 FWX E TCP NOT SYN PACKET DROPPED - 30.Aug.2004 4:42:00 PM   
ClintD

 

Posts: 1833
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
Do you have a diagram of the setup?

My personal opinion of this error is that it is caused by ISA 2004 blocking ICMP redirects to one of the systems, but I haven't tested out all configurations.

When I see this error, I have a server on the same subnet as ISA and the client is on a subnet accessible internally through a router - the router has an interface on the Internal subnet of ISA.

When the client talks to the server, the packet gets sent directly to the server, but the server, since it has no explicit route for the client, sends it to its Default Gateway - ISA Server.

Now this is where I think the problem is - if the ISA Server has a route to that subnet, Windows will try to send back an ICMP Redirect to the server telling it that the client is accessible through the router. The problem is that ISA 2004 doesn't allow ICMP Redirects to be sent out - at least nowhere that I've seen in the System Policy. Since Windows can't redirect the client, ISA processes the packet and sees it as a TCP_NOT_SYN packet trying to traverse the ISA Server.

I've created new protocols with the properties of...

Protocol : ICMP
Type : 5
Code : 0 (also 1 could be used)

I then created an Access Rule allowing this protocol from Local Host to Internal.

Reference 170292 Internet Control Message Protocol (ICMP) Basics.

I haven't had time to test this out, but logically, this is what sounds like happens.

Apologies if your scenario is completely different.

Is there any way you can get a network capture from the client or server and see if the destination MAC address changes? Is this a single ISA Server or are there multiple ISAs involved?

[ August 30, 2004, 04:48 PM: Message edited by: ClintD ]

(in reply to penrose.l@2college.nl)
Post #: 2
RE: 0xc0040017 FWX E TCP NOT SYN PACKET DROPPED - 21.Sep.2004 10:20:00 PM   
Guest
Hello,

We have a similar configuration and ISA 2004 is blocking ICMP redirects. But your solution does not work. ISA 2000 worked fine.

Our ISA has IP 192.168.1.1. There is a router with 192.168.1.30. ISA has a route for 192.168.2.0/24 to 192.168.1.30.

Now client 192.168.2.81 tries to send an HTTP packet to 192.168.1.15. The forward direction is OK (I can see it in the network monitor on 192.168.1.15) - 192.168.2.81 => something => 192.168.1.30 => 192.168.1.15. But the reply goes this way: 192.168.1.15 => 192.168.1.1 (default gateway) => denied with FWX_E_TCP_NOT_SYN_PACKET_DROPPED.

The ISA computer should send an ICMP redirect and then the packet can continue to 192.168.1.30 => something => 192.168.2.81.

I cannot see a redirect packet in traces from the 192.168.1.1 interface [Frown]

Do you have some solution? Thanks in advance.

(in reply to penrose.l@2college.nl)
  Post #: 3
RE: 0xc0040017 FWX E TCP NOT SYN PACKET DROPPED - 21.Sep.2004 10:50:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi,

I have a configuration where my internal routers do not route to ISA Server.

I had set up an internal web server with the default gateway pointed at ISA Server's internal interface (a SecureNAT client).

Here's what was happening: A client behind another router was getting to the web server without touching the ISA Server at all. The problem was when the web server replied to the requests.

Since the web server's default gateway was set to the ISA Server, ISA Server did not know that its responses were valid requests (ISA Server did not see them come in) and denied them. Since web server replies can be outgoing traffic on random high ports, ISA Server simply saw the web server sending out unidentifiable traffic and denied it.

Solutions: Configure static routing on the web server to inform it of the internal networks (just like on the ISA Server), or reconfigure the web server's default gateway to point at the internal router. Either way, ISA Server doesn't get involved in the traffic and things work as needed.

HTH,

Bill

(in reply to penrose.l@2college.nl)
Post #: 4
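The asymmetric path described in posts #3 and #4, as an added example that is not part of the original thread: a toy Python model (not ISA Server code) of a stateful firewall that only learns a flow from its SYN, using the addresses from post #3. The client port 40000, the route tables and all function names are constructed for illustration.

```python
import ipaddress

# Addresses taken from post #3; everything else is a constructed model.
ISA = "192.168.1.1"
ROUTER = "192.168.1.30"

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; gateway None means on-link."""
    dst = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), gw) for p, gw in routes
               if dst in ipaddress.ip_network(p)]
    _, gw = max(matches, key=lambda m: m[0].prefixlen)
    return gw or str(dst)

class StatefulFirewall:
    """Toy stateful filter: a flow is known only if its SYN passed through here."""
    def __init__(self):
        self.flows = set()

    def inspect(self, src, sport, dst, dport, flags):
        key = frozenset([(src, sport), (dst, dport)])
        if flags == "SYN":
            self.flows.add(key)
            return "ALLOW"
        return "ALLOW" if key in self.flows else "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"

def simulate(server_routes):
    """Verdict for the server's SYN/ACK, or None when the reply bypasses ISA."""
    fw = StatefulFirewall()
    client, server = ("192.168.2.81", 40000), ("192.168.1.15", 80)
    # Forward leg: the router delivers the client's SYN directly onto
    # 192.168.1.0/24, so the firewall never sees it and records no flow.
    # Reply leg: the server chooses its next hop from its own routing table.
    if next_hop(server_routes, client[0]) != ISA:
        return None  # reply goes to the router; ISA is not on the path
    return fw.inspect(server[0], server[1], client[0], client[1], "SYN/ACK")

# Server as described in post #3: only a default gateway pointing at ISA.
DEFAULT_GW_ONLY = [("192.168.1.0/24", None), ("0.0.0.0/0", ISA)]
# Server with the static route suggested in post #4.
WITH_STATIC_ROUTE = DEFAULT_GW_ONLY + [("192.168.2.0/24", ROUTER)]

if __name__ == "__main__":
    print("default gateway only:", simulate(DEFAULT_GW_ONLY))
    print("with static route:   ", simulate(WITH_STATIC_ROUTE))
```
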
RE: 0xc0040017 FWX E TCP NOT SYN PACKET DROPPED - 22.Sep.2004 9:19:00 AM   
Guest
This solution is unacceptable for us. All clients in 192.168.1.0/24 have to communicate with clients in 192.168.2.0/24. That means setting a static route on all of them ... (too much work and on some devices it is impossible).

The gateway must be set to 192.168.1.1.

Why was this setup working with ISA 2000 (sending ICMP redirects was OK) and now it doesn't work with ISA 2004?

(in reply to penrose.l@2college.nl)
  Post #: 5
RE: 0xc0040017 FWX E TCP NOT SYN PACKET DROPPED - 22.Sep.2004 9:47:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
This problem has been resolved; it was an SMB issue with 2003 server. It has been posted in another thread on this forum.

LEx P

(in reply to penrose.l@2college.nl)
Post #: 6
RE: 0xc0040017 FWX E TCP NOT SYN PACKET DROPPED - 22.Sep.2004 11:15:00 PM   
Guest
I cannot find the right thread, could you give me the URL or thread topic? Thanks.

Is it really caused by SMB? I am testing it with HTTP connections ...

(in reply to penrose.l@2college.nl)
  Post #: 7
RE: 0xc0040017 FWX E TCP NOT SYN PACKET DROPPED - 24.Sep.2004 1:56:00 PM   
pmark1974

 

Posts: 4
Joined: 23.Sep.2004
From: Greece
Status: offline
Well, I have a similar problem using FTP with ISA 2004. I disabled folder view in IE and now I cannot connect to FTP sites. On the webproxy log I see the result code "0xc0040017 FWX E TCP NOT SYN PACKET DROPPED" when the remote FTP server tries to communicate with ISA Server?
Can anyone help?

(in reply to penrose.l@2college.nl)
Post #: 8
RE: 0xc0040017 FWX E TCP NOT SYN PACKET DROPPED - 24.Sep.2004 8:10:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
Sure.. here from another thread:
==========
Hi,

Your problem is related to an SMB error in Windows 2003. It was solved before; see http://support.microsoft.com/default.aspx?scid=kb;en-us;301673

Tom, this should definitely be a sticky; this is the 5th one in 3 days.

Lex P.
==============
Kind regards,
Lex P.

(in reply to penrose.l@2college.nl)
Post #: 9
RE: 0xc0040017 FWX E TCP NOT SYN PACKET DROPPED - 24.Sep.2004 9:13:00 PM   
AbqBill

 

Posts: 478
Joined: 3.Jun.2003
From: Albuquerque NM USA
Status: offline
Hi Lex,

Maybe I misunderstand, but the problem we're discussing here does not seem to have anything to do with NAT.

See the following thread:

http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000100

HTH,

Bill

(in reply to penrose.l@2college.nl)
Post #: 10
