
Welcome to ISAserver.org


Bug? ISA 2004 Logging Tool - Rule sometimes blank

Bug? ISA 2004 Logging Tool - Rule sometimes blank - 20.May2005 12:21:00 PM   
bmack500

 

Posts: 9
Joined: 13.May2005
Status: offline
When using the logging tool in ISA Server Enterprise 2004, the rule field is sometimes blank. If I don't know what rule it's hitting, how do I know why it was denied or accepted?
Is this a bug in the logging tool?

[ May 25, 2005, 09:18 AM: Message edited by: bmack ]
Post #: 1
RE: Bug? ISA 2004 Logging Tool - Rule sometimes blank - 1.Jun.2005 9:37:00 AM   
bmack500

 

Posts: 9
Joined: 13.May2005
Status: offline
Hmmm, it would seem these message boards are relatively worthless for answers...

(in reply to bmack500)
Post #: 2
RE: Bug? ISA 2004 Logging Tool - Rule sometimes blank - 3.Aug.2005 9:42:00 AM   
serpet

 

Posts: 5
Joined: 3.Aug.2005
Status: offline
Seems it's a bug. This question has already been asked many times in various forms. Nobody can answer it yet...
All the rules exist. But the log still has records with an empty rule field.

(in reply to bmack500)
Post #: 3
RE: Bug? ISA 2004 Logging Tool - Rule sometimes blank - 3.Aug.2005 2:39:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hey guys,

Yep, I have seen this too, and as far as I can remember it always has to do with HTTP traffic. Check out http://www.isaserver.org/articles/ISA2004_ConVerifiers.html section '4. HTTP Connect' for some more info. However, I have no explanation yet.

HTH,
Stefaan

(in reply to bmack500)
Post #: 4
RE: Bug? ISA 2004 Logging Tool - Rule sometimes blank - 4.Aug.2005 7:11:00 AM   
serpet

 

Posts: 5
Joined: 3.Aug.2005
Status: offline
Unfortunately, not only HTTP traffic shows this strangeness. I am trying to make a VPN connection between ISA 2004 and ISA 2000, and here is the result:


(in reply to bmack500)
Post #: 5
RE: Bug? ISA 2004 Logging Tool - Rule sometimes blank - 4.Aug.2005 7:41:00 PM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
In my experience (there are exceptions), a rule is not displayed when the first 2 of 3 requirements for access are not met, or one of ISA's safeguards is restricting the traffic.

For the first part, the 3 criteria for access are...

1. A requestor's address does not exist in a Network object
2. A requestor's address does not exist in a Network object that is in a Network Rule defining the Route/NAT relationship from a given Source/Destination Network
3. A requestor's address does not exist in a Firewall Policy Access Rule that allows that source IP to the intended destination.

Since we can tell that a Network object is defined for this particular traffic (there is a proper name for the source of the communications - "SKLAD1") what Network Rule is defined for the Source/Destination pair?

Failing the "triumvirate" of access (how often do you get to use that word?), the Rule field can also be blank if the client is hitting the "Connection Limit" safeguard of ISA.

This is where Standard Edition is lame - you have to add the "Result Code" field (from the View menu Add/Remove Columns option) to really see why the traffic is getting denied. If the client has met the "Connection Limit" it will only show up in the Result Code field as "Connection Limit Exceeded".

As I said, there are exceptions to these general observations, but for the initial troubleshooting process, they help a lot.

In your scenario, the system that is showing up without a rule for the traffic, is always 10.0.0.1 - what Network does this IP fall under? SKLAD1? What is the Network Rule that defines the Route/NAT relationship for this IP?

What is this 10.0.0.1 system performing for your network? Is it some type of Load Balancer that sends out constant PINGs as a keep-alive mechanism? Why is it sending out the PINGs? It doesn't really matter, but can help clue us in on the blank rule.

[ August 04, 2005, 07:46 PM: Message edited by: ClintD ]

(in reply to bmack500)
Post #: 6
RE: Bug? ISA 2004 Logging Tool - Rule sometimes blank - 5.Aug.2005 7:04:00 AM   
serpet

 

Posts: 5
Joined: 3.Aug.2005
Status: offline
Thank you for the great tip. You are so right:



It is ISA 2004 standard edition.
Sklad1 - VPN network. RRAS connected in both ways.
I have 2 Network Rules: Sklad1->Internal & Internal->Sklad1. I experimented with route/NAT combinations - it did not help.
I turned off Connection Limit and both Intrusion Detection options (Common Attacks and DNS Attacks). But ISA still blocks "spoofing" & "tcpipdrop" as you see in the log. I can't understand why it is a spoof and why ISA still blocks it...

Internal: 10.1.0.0-10.1.0.255
Sklad1: 10.0.0.0-10.0.0.255
Incoming VPN clients on Internal side: 10.1.1.1-10.1.1.254
10.0.0.107 - address of Internal ISA 2004 on Sklad1 ISA 2000 as VPN client.
10.0.0.1 - just a computer on Sklad1 side. I use it for test pings.
10.1.0.4 - computer on Internal side for test pings.

(in reply to bmack500)
Post #: 7
RE: Bug? ISA 2004 Logging Tool - Rule sometimes blank - 5.Aug.2005 9:04:00 AM   
ClintD

 

Posts: 1848
Joined: 26.Jan.2001
From: Keller, TX
Status: offline
o...k... [Smile]

Real quick - could you clarify this?

quote:
10.0.0.107 - address of Internal ISA 2004 on Sklad1 ISA 2000 as VPN client.
Is 10.0.0.107 a system with ISA 2004 installed that is logically behind an ISA 2000 system? This ISA 2000 system, in turn, is the endpoint of the Site to Site connection?

For the Network Rule, let's just leave it as Route for now. Just to be clear, when a Network Rule is set to Route for A-B, it is implied that B-A is also routed so you don't need 2 Network Rules.

Can you fill in the gaps below? Also, double-check each of the Network objects to make sure only the addresses below are listed.

Local ISA
Internal Network - 10.1.0.0 through 10.1.0.255

VPN Address Assignment - Static Pool or DHCP?

RRAS "Internal" Adapter IP - Run IPCONFIG /ALL to see the IP address - it will be listed as Incoming PPP Adapter

Remote ISA
Internal network - 10.0.0.0 through 10.0.0.255

VPN Address Assignment - Static Pool or DHCP?

RRAS "Internal" Adapter IP - Run IPCONFIG /ALL to see the IP address - it will be listed as Incoming PPP Adapter

(in reply to bmack500)
Post #: 8
RE: Bug? ISA 2004 Logging Tool - Rule sometimes blank - 9.Aug.2005 6:25:00 AM   
serpet

 

Posts: 5
Joined: 3.Aug.2005
Status: offline
I made 1 network rule Internal-Sklad1 as route.

Local Network
ISA 2004. Static pool: 10.1.0.0-10.1.0.255
VPN Address Assignment: static pool 10.1.1.1 - 10.1.1.254

Remote network
ISA 2000. Static pool: 10.0.0.0-10.0.0.255
VPN Address Assignment: static pool 10.0.0.105-10.0.0.108

IP config ISA 2004 (internal):

Ethernet adapter Local Area Connection:
Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connectiond
IP Address. . . . . . . . . . . . : 192.168.0.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 10.1.0.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
PPP adapter RAS Server (Dial In) Interface:
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interfaced
IP Address. . . . . . . . . . . . : 10.1.1.1
Subnet Mask . . . . . . . . . . . : 255.255.255.255
PPP adapter Sklad1:
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
IP Address. . . . . . . . . . . . : 10.0.0.107
Subnet Mask . . . . . . . . . . . : 255.255.255.255

IP config ISA 2000 (sklad1):

Ethernet adapter Local Area Connection:
Description . . . . . . . . . . . : Intel(R) PRO/100 S Desktop Adapter
IP Address. . . . . . . . . . . . : 10.0.0.104
Subnet Mask . . . . . . . . . . . : 255.255.255.0
PPP adapter RAS Server (Dial In) Interface:
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
IP Address. . . . . . . . . . . . : 10.0.0.105
Subnet Mask . . . . . . . . . . . : 255.255.255.255
PPP adapter s1-office-quantum:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
IP Address. . . . . . . . . . . . : 10.1.1.2
Subnet Mask . . . . . . . . . . . : 255.255.255.255

Ping from Internal to Sklad1 and back does not work.



At the same time, ping from ISA 2004 to a Sklad1 computer and from ISA 2000 to Internal works.



It was an ISA 2000 to ISA 2000 VPN. It worked fine.
Now I am just trying to replace the Internal ISA with 2004...

(in reply to bmack500)
Post #: 9
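
The check ClintD asks for in posts 6 and 8 (which range each address falls under, and whether the ranges are distinct), as an added example that is not part of any post. The ranges and addresses are copied from posts 7 and 9; the labels for the two VPN static pools and all function names are assumptions made for this example.

```python
import ipaddress

# Ranges quoted in posts 7 and 9; the labels for the two VPN pools are ours.
RANGES = {
    "Internal": ("10.1.0.0", "10.1.0.255"),
    "Sklad1": ("10.0.0.0", "10.0.0.255"),
    "VPN pool on ISA 2004": ("10.1.1.1", "10.1.1.254"),
    "VPN pool on ISA 2000": ("10.0.0.105", "10.0.0.108"),
}

def span(rng):
    """Convert a (first, last) pair of dotted addresses to integers."""
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in rng)
    if lo > hi:
        raise ValueError(f"range is reversed: {rng}")
    return lo, hi

def ranges_for(ip, ranges=RANGES):
    """Names of every range containing ip; an empty list means none does."""
    n = int(ipaddress.IPv4Address(ip))
    return [name for name, rng in ranges.items()
            if span(rng)[0] <= n <= span(rng)[1]]

def overlapping(ranges=RANGES):
    """Pairs of range names that share at least one address."""
    names = sorted(ranges)
    pairs = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            (alo, ahi), (blo, bhi) = span(ranges[a]), span(ranges[b])
            if alo <= bhi and blo <= ahi:
                pairs.append((a, b))
    return pairs

def audit(addresses, ranges=RANGES):
    """Classify each address as 'ok', 'no-range' or 'ambiguous'."""
    report = {}
    for ip in addresses:
        hits = ranges_for(ip, ranges)
        status = "ok" if len(hits) == 1 else "ambiguous" if hits else "no-range"
        report[ip] = (status, hits)
    return report

if __name__ == "__main__":
    # Addresses taken from the ipconfig output and host list in the thread.
    seen = ["10.0.0.1", "10.1.0.4", "10.1.0.1", "10.0.0.107",
            "10.1.1.2", "192.168.0.100"]
    for ip, (status, hits) in audit(seen).items():
        print(f"{ip:15} {status:10} {', '.join(hits) or '-'}")
    print("overlaps:", overlapping())
```

Run against the thread's values, 10.0.0.107 lands in both the Sklad1 range and the ISA 2000 VPN pool, and 192.168.0.100 lands in none of the listed ranges.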
RE: Bug? ISA 2004 Logging Tool - Rule sometimes blank - 11.Aug.2005 6:25:00 AM   
serpet

 

Posts: 5
Joined: 3.Aug.2005
Status: offline
It was necessary to disable spoof detection in Windows...
OMG it solved this problem! (but added other... [Big Grin] )

[ August 11, 2005, 06:26 AM: Message edited by: serpet ]

(in reply to bmack500)
Post #: 10
RE: Bug? ISA 2004 Logging Tool - Rule sometimes blank - 7.Sep.2005 2:29:00 AM   
henrikw

 

Posts: 9
Joined: 23.Aug.2005
From: Denmark
Status: offline
In my case, I got the error because there was no route defined between the networks.

(in reply to bmack500)
Post #: 11
