When using the logging tool in ISA Server Enterprise 2004, the rule field is sometimes blank. If I don't know what rule it's hitting, how do I know why it was denied or accepted? Is this a bug in the logging tool?
In my experience (there are exceptions), a rule is not displayed when the first 2 of 3 requirements for access are not met, or one of ISA's safeguards is restricting the traffic.
For the first part, the 3 criteria for access are...
1. A requestor's address does not exist in a Network object
2. A requestor's address does not exist in a Network object that is in a Network Rule defining the Route/NAT relationship from a given Source/Destination Network
3. A requestor's address does not exist in a Firewall Policy Access Rule that allows that source IP to the intended destination.
Since we can tell that a Network object is defined for this particular traffic (there is a proper name for the source of the communications - "SKLAD1") what Network Rule is defined for the Source/Destination pair?
Failing the "triumvirate" of access (how often do you get to use that word?), the Rule field can also be blank if the client is hitting the "Connection Limit" safeguard of ISA.
This is where Standard Edition is lame - you have to add the "Result Code" field (from the View menu Add/Remove Columns option) to really see why the traffic is getting denied. If the client has met the "Connection Limit" it will only show up in the Result Code field as "Connection Limit Exceeded".
As I said, there are exceptions to these general observations, but for the initial troubleshooting process, they help a lot.
In your scenario, the system that is showing up without a rule for the traffic is always 10.0.0.1 - what Network does this IP fall under? SKLAD1? What is the Network Rule that defines the Route/NAT relationship for this IP?
What is this 10.0.0.1 system performing for your network? Is it some type of Load Balancer that sends out constant PINGs as a keep-alive mechanism? Why is it sending out the PINGs? It doesn't really matter, but can help clue us in on the blank rule.
It is ISA 2004 Standard Edition. Sklad1 - VPN network. RRAS connected in both ways. I have 2 Network Rules: Sklad1->Internal & Internal->Sklad1. I experimented with Route/NAT combinations - it did not help. I turned off Connection Limit and both Intrusion Detection (Common Attacks and DNS Attacks). But ISA still blocks "spoofing" & "tcpipdrop" as you see in the log. Can't understand why it is spoof and why ISA still blocks it...
Internal: 10.1.0.0-10.1.0.255
Sklad1: 10.0.0.0-10.0.0.255
Incoming VPN clients on Internal side: 10.1.1.1-10.1.1.254
10.0.0.107 - address of Internal ISA 2004 on Sklad1 ISA 2000 as VPN client.
10.0.0.1 - just a computer on Sklad1 side. I use it for test pings.
10.1.0.4 - computer on Internal side for test pings.
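The three-step triage described in the answer above, walked through in code as an added example (not code from the thread or from ISA Server itself). It models the Network objects, Network Rules and Access Rules as plain data, evaluates them in the order ISA would, and reports which check is the first to fail, which is the check that leaves the Rule column blank. The addresses are taken from the follow-up post; the "Allow PING" Access Rule is hypothetical, and the spoof check models ISA's behaviour on the assumption that a packet is flagged as spoofed when its source address is outside the Network bound to the adapter it arrived on.

```python
"""Model of the ISA Server 2004 access 'triumvirate' for log triage."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Network:
    """An ISA Network object: a name plus one or more inclusive IP ranges."""
    name: str
    ranges: list

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in self.ranges)


@dataclass
class NetworkRule:
    """A Network Rule: the Route/NAT relationship between two sets of Networks."""
    name: str
    sources: set
    destinations: set
    relationship: str  # "Route" or "NAT"


@dataclass
class AccessRule:
    """A Firewall Policy Access Rule; rules are evaluated in order, first match wins."""
    name: str
    action: str        # "Allow" or "Deny"
    protocols: set     # protocol names, or {"*"} for all protocols
    sources: set       # Network names
    destinations: set  # Network names


def find_network(networks, ip):
    """Return the first Network object whose ranges contain ip, else None."""
    return next((n for n in networks if n.contains(ip)), None)


def triage(src_ip, dst_ip, protocol, networks, network_rules, access_rules,
           ingress_network=None):
    """Walk the checks in ISA's order and report the first one that fails.

    Returns the rule name that would appear in the log's Rule column
    ("" when ISA would leave it blank), the resulting action, and a reason.
    """
    src_net = find_network(networks, src_ip)
    dst_net = find_network(networks, dst_ip)
    # Check 1: both addresses must belong to some Network object.
    if src_net is None or dst_net is None:
        which = src_ip if src_net is None else dst_ip
        return {"rule": "", "action": "Deny",
                "reason": f"no Network object contains {which}"}
    # Safeguard (modelling assumption): a packet is spoofed when it arrives on an
    # adapter bound to a Network that does not contain its source address.
    # Policy is never consulted, so the Rule column stays blank.
    if ingress_network is not None and ingress_network != src_net.name:
        return {"rule": "", "action": "Deny",
                "reason": f"spoofed: {src_ip} belongs to {src_net.name} but "
                          f"arrived on the {ingress_network} adapter"}
    # Check 2: a Network Rule must define Route/NAT for the source/destination pair.
    net_rule = next((r for r in network_rules
                     if src_net.name in r.sources and dst_net.name in r.destinations),
                    None)
    if net_rule is None:
        return {"rule": "", "action": "Deny",
                "reason": f"no Network Rule defines a Route/NAT relationship "
                          f"from {src_net.name} to {dst_net.name}"}
    # Check 3: the first matching Access Rule decides; no match is an implicit deny.
    for rule in access_rules:
        if (("*" in rule.protocols or protocol in rule.protocols)
                and src_net.name in rule.sources
                and dst_net.name in rule.destinations):
            return {"rule": rule.name, "action": rule.action,
                    "reason": f"matched Access Rule '{rule.name}' "
                              f"({net_rule.relationship} via {net_rule.name})"}
    return {"rule": "", "action": "Deny",
            "reason": f"no Access Rule allows {protocol} from {src_net.name} "
                      f"to {dst_net.name}"}


# Constructed from the addresses posted in the thread; the Access Rule is a
# hypothetical one added for this example.
NETWORKS = [
    Network("Internal", [("10.1.0.0", "10.1.0.255")]),
    Network("Sklad1", [("10.0.0.0", "10.0.0.255")]),
    Network("VPN Clients", [("10.1.1.1", "10.1.1.254")]),
]
NETWORK_RULES = [
    NetworkRule("Sklad1->Internal", {"Sklad1"}, {"Internal"}, "Route"),
    NetworkRule("Internal->Sklad1", {"Internal"}, {"Sklad1"}, "Route"),
]
ACCESS_RULES = [
    AccessRule("Allow PING Sklad1<->Internal", "Allow", {"PING"},
               {"Sklad1", "Internal"}, {"Sklad1", "Internal"}),
]

if __name__ == "__main__":
    for args in [("10.0.0.1", "10.1.0.4", "PING"),     # test ping from the thread
                 ("10.1.1.5", "10.0.0.1", "PING"),     # VPN client, no Network Rule
                 ("192.168.5.5", "10.1.0.4", "PING")]:  # not in any Network object
        print(args, triage(*args, NETWORKS, NETWORK_RULES, ACCESS_RULES))
```

Run as-is it prints one verdict per sample flow; the blank `rule` values correspond to the blank Rule column in the ISA log, and the `reason` tells you which of the three checks (or the spoof safeguard) to look at first. The real ISA log only exposes the safeguard outcomes through the Result Code column, so this model is a way of reasoning about the log, not a replacement for adding that column.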