Welcome to ISAserver.org


FWX_E_TCP_NOT_SYN_PACKET_DROPPED

FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 30.Dec.2005 8:07:30 AM   
wbplomp

 

Posts: 138
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi,

When I filter my logging on Denied Connections I see a lot of result codes with FWX_E_TCP_NOT_SYN_PACKET_DROPPED. Is this normal or does anyone know what to do about it? I think it may have something to do with unicast traffic on a Cisco Catalyst switch, am I wrong?

Boudewijn
Post #: 1
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 1.Jan.2006 4:17:26 PM   
tshinder

 

Posts: 47408
Joined: 10.Jan.2001
From: Texas
Status: offline
I see that a lot when connection limits are being exceeded.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to wbplomp)
Post #: 2
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 25.Jan.2006 8:19:31 PM   
wbplomp

 

Posts: 138
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi Tom,

I still don't have a solution to this problem. One of my colleagues at another company has the same issue. I was at the Microsoft office today in the Netherlands, but unfortunately I wasn't able to talk to one of the support specialists. Do you have any suggestions regarding FWX_E_TCP_NOT_SYN_PACKET_DROPPED?

Greetings,

Boudewijn

(in reply to tshinder)
Post #: 3
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 25.Jan.2006 9:36:24 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Boudewijn,

check out http://www.microsoft.com/technet/community/columns/sectip/default.mspx.

HTH,
Stefaan

(in reply to wbplomp)
Post #: 4
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 26.Jan.2006 10:34:37 PM   
wbplomp

 

Posts: 138
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi,

Thanks for the link, but nothing is related to this error.

Boudewijn

(in reply to spouseele)
Post #: 5
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 28.Jan.2006 2:12:35 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Boudewijn, 

not directly, but the same principles regarding impatient applications and delayed responses are valid here too. Take a netmon trace and compare it with the ISA logging if you want to find out what is the exact cause of those denied connections due to FWX_E_TCP_NOT_SYN_PACKET_DROPPED.

HTH,
Stefaan

(in reply to wbplomp)
Post #: 6
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 30.Jan.2006 7:28:54 PM   
wbplomp

 

Posts: 138
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi Stefaan,

I think I have found the problem. I think it has something to do with ICMP Redirect. ISA Server is not compatible with ICMP Redirect. We have a central switch that is also a router. The router IP address is used as a default gateway, which forwards all traffic to ISA Server on the same subnet. But all servers seem to learn that path from the central switch/router by ICMP Redirect. ISA Server does not like that at all. But even that is an issue, because inbound traffic is passed directly to the servers by ISA Server, and without ICMP enabled on the server, the server does not respond directly. I hope you can follow it. See this Microsoft Knowledge Base article related to this issue (my only concern is that it only describes ISA Server 2004 Standard Edition).

ISA Server 2004 does not support traffic redirection
http://support.microsoft.com/default.aspx/kb/888042

Greetings,

Boudewijn


(in reply to spouseele)
Post #: 7
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 30.Jan.2006 7:46:19 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Boudewijn, 

from http://www.isaserver.org/tutorials/2004bestpractices-p1.html :
quote:


Network within a network scenario The network within a Network scenario is when you have multiple network IDs located behind the same ISA firewall network interface. It’s a simple concept, but it deviates quite a bit from how the ISA 2000 firewall worked. Check out these two articles by Clint Denham and myself: Network Behind A Network (2004) - v1.1 by Clint Denham http://isaserver.org/articles/2004netinnet.html and Understanding ISA Firewall Networks by me at http://isaserver.org/articles/2004isafirewallnetworks.html 

HTH,
Stefaan

(in reply to wbplomp)
Post #: 8
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 30.Jan.2006 8:06:14 PM   
wbplomp

 

Posts: 138
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi Stefaan,

I've read these articles. But I cannot find a solution related to this issue. Or am I wrong?

HTH,
Boudewijn

(in reply to spouseele)
Post #: 9
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 30.Jan.2006 8:54:35 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Boudewijn, 

I always use the following design when I have multiple internal subnets:

Subnet#1 --------+
                 !
Subnet#2 --- [Layer-3 Device] --- [ISA] --- Internet
   .             !            ^^^
   .             !         Stub Subnet
   .             !
Subnet#N --------+

The key point in the above design is what I call the Stub Subnet. That is a subnet only used as a transit network. So, no other devices but the ISA Server and the layer-3 device should be connected to that subnet. In other words, all subnets have their own default gateway and the routing is therefore very clean with no ICMP redirects at all.

HTH,
Stefaan

(in reply to wbplomp)
Post #: 10
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 30.Jan.2006 9:02:11 PM   
wbplomp

 

Posts: 138
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi Stefaan,

Exactly, that should give you the best result. In my case we have a Cisco 3500 layer 3 switch. On this switch several, about 8 gateways and 4 servers, are directly connected in the same subnet. The IP address of the switch is the default gateway for every device, which sends every route to the ISA Servers with NLB as its default gateway. But servers seem to learn a shorter path directly to the ISA Servers. The only thing is, it should be possible. I did some testing with static routers, but it does not seem to work. I only have the problem with NLB enabled.

Do you have special configurations on your layer 3 switch?
Do you use Cisco? If you do, do you have spanning-tree portfast enabled on some ports?

HTH,
Boudewijn

(in reply to spouseele)
Post #: 11
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 31.Jan.2006 7:41:39 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Boudewijn, 

oops... NLB ?!?! I can't advise you in that matter because I have zero experience with it.

HTH,
Stefaan

(in reply to wbplomp)
Post #: 12
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 12.Feb.2006 8:00:53 PM   
adenhaan

 

Posts: 35
Joined: 15.Jul.2005
Status: offline
Boudewijn,

The following suggests incompatibility between W3K NLB and Layer-3 Switches :
http://download.microsoft.com/download/3/2/3/32386822-8fc5-4cf1-b81d-4ee136cca2c5/NLB_Troubleshooting_Guide.htm#_4.3.5_Cause:_Switch_is_operating_in

I experienced the TCP_NOT_SYN_PACKET_DROPPED myself, and for me the reason was indeed another router on the network which caused the routes from host A to host B to be different from the routes from host B to host A. In other words, host A was able to directly access host B (sending a SYN without going through the default gateway / ISA), however host B could only reach host A through ISA (causing the reply to the SYN to be rejected by ISA, because ISA never saw the SYN). Note that in this scenario, hosts can ping each other, however cannot establish TCP connections.

In either case the doc might give you additional hints, it's worth putting in your favourites.

G'luck, Andre.

< Message edited by adenhaan -- 12.Feb.2006 8:02:25 PM >

(in reply to wbplomp)
Post #: 13
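
The asymmetric-routing case Andre describes above, and the trace-versus-log comparison Stefaan suggests earlier, as an added example that is not part of the original thread: a simplified connection tracker replays constructed packet records as seen at the firewall and flags SYN-ACKs whose SYN never crossed it. The record layout, addresses and function names are assumptions; this is not ISA Server's own logic or log format.

```python
from collections import namedtuple

# One packet as observed on the firewall's interface (constructed layout).
# flags is a string of TCP flag letters: "S", "SA", "A", "PA", "R", ...
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

def flow_key(p):
    """Direction-independent key for a TCP connection."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def find_drops(packets):
    """Replay packets in time order; return (pkt, reason) for each non-SYN
    packet that arrives without connection state at the firewall."""
    state, drops = set(), []
    for p in sorted(packets, key=lambda p: p.ts):
        key, flags = flow_key(p), set(p.flags)
        if flags == {"S"}:            # a plain SYN creates state
            state.add(key)
        elif key in state:            # belongs to a tracked connection
            if "R" in flags:
                state.discard(key)
        elif flags == {"S", "A"}:     # reply to a SYN that bypassed the firewall
            drops.append((p, "asymmetric"))
        else:                         # e.g. late packet after state was removed
            drops.append((p, "no-state"))
    return drops

def asymmetric_pairs(drops):
    """(client, server) pairs whose routing in both directions should be checked."""
    return {(p.dst, p.src) for p, reason in drops if reason == "asymmetric"}

# Constructed sample, as seen at the firewall only.
SAMPLE = [
    # Normal connection: both directions cross the firewall.
    Pkt(1.00, "10.0.1.10", 50000, "192.0.2.80", 80, "S"),
    Pkt(1.01, "192.0.2.80", 80, "10.0.1.10", 50000, "SA"),
    Pkt(1.02, "10.0.1.10", 50000, "192.0.2.80", 80, "A"),
    # Host A (10.0.1.20) reached host B (10.0.2.30) directly; only B's
    # SYN-ACK and its retransmission pass through the firewall.
    Pkt(2.00, "10.0.2.30", 445, "10.0.1.20", 50001, "SA"),
    Pkt(5.00, "10.0.2.30", 445, "10.0.1.20", 50001, "SA"),
    # Data packet for a connection the firewall has no state for.
    Pkt(9.00, "10.0.1.10", 50002, "192.0.2.80", 80, "PA"),
]

if __name__ == "__main__":
    for pkt, reason in find_drops(SAMPLE):
        print(f"{pkt.ts:5.2f} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
              f"[{pkt.flags}] {reason}")
    print("check routing between:", asymmetric_pairs(find_drops(SAMPLE)))
```
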
RE: FWX_E_TCP_NOT_SYN_PACKET_DROPPED - 28.Nov.2007 8:54:02 AM   
geeked4Scuba

 

Posts: 1
Joined: 28.Nov.2007
Status: offline
We were getting this same error last night. We are using ISA 2006 and the user's PC is not part of our domain and was running IE7. The user does have an account on the domain.

We unchecked the "Enable Integrated Windows Authentication" in IE 7. It can be found in IE7, Tools, Internet Options, Advanced (scroll down near the bottom, just above Phishing filter).
Now he gets prompted to authenticate before the ISA server allows the traffic. It didn't seem like the error and fix had anything to do with each other, but I had both PCs (mine and the user's) sitting side by side. When I unchecked the check box, everything started working as planned and no errors in the ISA monitoring of his IP address.

_____________________________

Your Dog can not eat your homework if you don't do it ahead of time.

(in reply to wbplomp)
Post #: 14
