Isa 2004 denied http connection

Isa 2004 denied http connection - 22.Oct.2004 2:23:00 PM   
speedhost

 

Posts: 14
Joined: 24.Apr.2002
From: DK
Status: offline
hi.

I have a very simple test edge firewall setup which I'm having some problems with, or at least I think it's a problem..

195.215.5.64 is external ip
192.168.150.1 is internal ip
192.168.150.5 is the web server.

I published the web server via the web server publishing guide

The problem I have is if you monitor the HTTP connections you will see that the ISA is denying some connections..

Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL
80.164.159.162 HP-M3TQ01JEV81B - TCP - - 54728 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED 0x0 0x0 Firewall 22-10-2004 14:13:25 195.215.5.64 80 HTTP Denied Connection 80.164.159.162 External Local Host - -

"the web server is using the ISA as gateway and I set >requests appear to come from original client<"

Any ideas ??
Post #: 1
RE: Isa 2004 denied http connection - 22.Oct.2004 2:56:00 PM   
Jason Jones

 

Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
These are likely people just trying to fingerprint you:

http://www.tech-archive.net/Archive/ISA/microsoft.public.isaserver/2004-08/0464.html

ISA is doing its job! [Smile]

The 80.X range is normally NTL broadband - hence script kiddie domain [Wink]

JJ

[ October 22, 2004, 02:57 PM: Message edited by: Jason Jones ]

(in reply to speedhost)
Post #: 2
RE: Isa 2004 denied http connection - 22.Oct.2004 4:43:00 PM   
speedhost

 

Posts: 14
Joined: 24.Apr.2002
From: DK
Status: offline
hi jj

thanks for the reply..

I don't think this is an attack..

If you go through the logs you will see the following pattern:

83.73.0.107 - 16:21:55 - Initiated Connection
0.0.0.0 - 16:21:55 - Allowed Connection - http://192.168.150.5/dummy.asp?website_id=56571&secID=545156
0.0.0.0 - 16:21:59 - Allowed Connection - http://192.168.150.5/dummy.asp?website_id=59685&secID=987561
83.73.0.107 - 16:23:01 - HTTP closed Connection
83.73.0.107 - 16:23:11 - 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED

Is the ISA server ending the connections prematurely?

cheers Brian

(in reply to speedhost)
Post #: 3
RE: Isa 2004 denied http connection - 22.Oct.2004 8:22:00 PM   
Jason Jones

 

Posts: 2154
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Ah right, you didn't say the error was from the same source as the previous allowed connection. In that case then I am not sure, but could be a bug I guess...

Is the website working properly?? If so, either don't worry about it or place a call with MS.

I had a similar thing with errors during RPC over HTTP traffic and spoke to MS - they said "oh yes, we know it does that, but you can just ignore them as they are cosmetic errors due to how ISA is handling the requests"

Maybe it is the same???

JJ

[ October 22, 2004, 08:26 PM: Message edited by: Jason Jones ]

(in reply to speedhost)
Post #: 4
RE: Isa 2004 denied http connection - 5.Feb.2005 5:00:00 PM   
speedhost

 

Posts: 14
Joined: 24.Apr.2002
From: DK
Status: offline
Hi all..

has anyone else experienced the same problem and found a solution..?

we dropped the isa because of this but I would like to get back on an application layer firewall

Cheers
Brian

(in reply to speedhost)
Post #: 5
RE: Isa 2004 denied http connection - 5.Feb.2005 10:27:00 PM   
penrose.l@2college.nl

 

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline
"tcp not syn" is a very well known problem that was solved here about 20 times before; you should try to search on the forums.

Lex P

(in reply to speedhost)
Post #: 6
RE: Isa 2004 denied http connection - 6.Feb.2005 11:06:00 AM   
speedhost

 

Posts: 14
Joined: 24.Apr.2002
From: DK
Status: offline
Hi lex..

Thanks for posting but I don't really agree..

I have searched the message board and I do see that you make two statements.

1. You should add the regfix in Windows 2003
2. You are saying that it's because I use NAT where it should have been route..

Your own problem was a file copying between a client and a server, and yes, there is a problem here. But as the KB states: This fix applies only to the SMB protocol traffic over TCP NetBIOS port 139.

As you can see from the above, I'm having the problem on a web server.

if you take your second statement: You should use route instead of NAT.

In this Edge firewall I have 2 NICs:
WAN having 1 public IP address
LAN having multiple (private) IP addresses

If I'm connecting multiple LAN clients through a single IP/interface I am only left with the NAT solution..

or am I missing something here ??

Cheers
Brian

PS: I have looked through the 29 threads about tcp not syn but I don't really see people saying it was solved with the above?

PPS: My own personal opinion is that it might be a bug in the HTTP filters.
With Verify normalization & block high bit characters enabled I get 2-3 times more "tcp not syn".

Why would it do that when still calling the same asp page [Confused] (not being an http filter guru at all)

(in reply to speedhost)
Post #: 7
RE: Isa 2004 denied http connection - 19.Nov.2005 2:45:46 PM   
cmeilicke

 

Posts: 6
Joined: 14.Oct.2005
From: Paraguay
Status: offline
I'm having the same problem with two networks connected through an ISA server with two NICs. Both NICs are part of the internal network, the rule is set to allow all traffic, but I guess the server is still filtering something.

(in reply to speedhost)
Post #: 8
RE: Isa 2004 denied http connection - 19.Nov.2005 3:05:32 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi cmeilicke,

I don't think it is the *same* problem. The 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED is given if ISA receives a packet that doesn't belong to an existing connection, at least from the point of view of the ISA server.

In the case of Brian, the ISA log shows
quote:

83.73.0.107 - 16:21:55 - Initiated Connection
0.0.0.0 - 16:21:55 - Allowed Connection - http://192.168.150.5/dummy.asp?website_id=56571&secID=545156
0.0.0.0 - 16:21:59 - Allowed Connection - http://192.168.150.5/dummy.asp?website_id=59685&secID=987561
83.73.0.107 - 16:23:01 - HTTP closed Connection
83.73.0.107 - 16:23:11 - 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED

As you can see, the HTTP connection was already closed from the point of view of ISA. So, this is a cosmetic problem due to the way ISA and the browser close the connection. Nothing to be worried about in this case.

However, in your case you said
quote:

Both NICs are part of the internal network

Now, that's an illegal and not-supported configuration. Each ISA interface should be on its own Network ID. So, you'll have to redesign your ISA network setup to solve that problem.

HTH,
Stefaan

(in reply to cmeilicke)
Post #: 9
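
The distinction drawn in post #9 (a non-SYN drop right after a logged close versus one with no session behind it), sketched as an added example that is not part of the original thread or any poster's code. It assumes the simplified "ip - time - event" line form quoted above, same-day timestamps, and a 120-second grace window chosen here for illustration; the 203.0.113.7 line is constructed.

```python
from datetime import datetime, timedelta

# First five lines are the pattern quoted in the thread; the 203.0.113.7 line is
# constructed here to show a drop with no preceding connection from that client.
SAMPLE_LOG = """\
83.73.0.107 - 16:21:55 - Initiated Connection
0.0.0.0 - 16:21:55 - Allowed Connection - http://192.168.150.5/dummy.asp?website_id=56571&secID=545156
0.0.0.0 - 16:21:59 - Allowed Connection - http://192.168.150.5/dummy.asp?website_id=59685&secID=987561
83.73.0.107 - 16:23:01 - HTTP closed Connection
83.73.0.107 - 16:23:11 - 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
203.0.113.7 - 16:40:02 - 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
"""

NOT_SYN = "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"
# Assumption: how long after a logged close a stray packet still counts as teardown noise.
GRACE = timedelta(seconds=120)


def classify_not_syn_drops(log_text, grace=GRACE):
    """Return (client_ip, time, verdict) for every non-SYN drop in the log."""
    closed_at = {}  # client IP -> time the firewall last logged a close for it
    results = []
    for line in log_text.splitlines():
        parts = line.strip().split(" - ", 3)
        if len(parts) < 3:
            continue  # not an "ip - time - event" line
        ip, stamp, event = parts[0], parts[1], parts[2]
        try:
            when = datetime.strptime(stamp, "%H:%M:%S")
        except ValueError:
            continue  # unparseable timestamp, skip the line
        if "closed connection" in event.lower():
            closed_at[ip] = when
        elif NOT_SYN in event:
            last_close = closed_at.get(ip)
            if last_close is not None and timedelta(0) <= when - last_close <= grace:
                verdict = "after_close"   # late packet for a session already torn down
            else:
                verdict = "unsolicited"   # no recent session from this client: review it
            results.append((ip, stamp, verdict))
    return results


if __name__ == "__main__":
    for ip, stamp, verdict in classify_not_syn_drops(SAMPLE_LOG):
        print(f"{stamp} {ip:15} {verdict}")
```
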
RE: Isa 2004 denied http connection - 4.Jan.2008 12:35:38 PM   
IanP

 

Posts: 1
Joined: 9.Jan.2007
Status: offline
I'm having the same issue on both HTTP and HTTPS and not just from a single Client IP Address.  The pattern is similar, if not the same as mentioned above.  We get a successful connection 0x0 as the status, followed by 0x80074e21 (FWX_E_ABORTIVE_SHUTDOWN) then the 0xc0040017 (FWX_E_TCP_NOT_SYN_PACKET_DROPPED)...  I might have the errors the wrong way round as I've been staring at this all day.  This seems to happen in 1 out of 100 connections and even during an active session when the page is changed in the client's browser.  The logs seem to imply that our web listener isn't responding to the connection and ISA is just terminating it.  We're using ISA 2006 Standard with two network cards (one internal and one external) and NAT.

Can anyone shed any light on this please?

Thanks

(in reply to spouseele)
Post #: 10
