Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
LAN Nodes Falling off Network behind ISA Server
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
LAN Nodes Falling off Network behind ISA Server - 26.Sep.2007 3:54:04 PM
|
|
|
tzonarin
Posts: 12
Joined: 25.Sep.2007
Status: offline
|
Network Layout
The ISA Server right now is set up as an edge firewall and a member of the domain.
External IP : 10.0.0.101/24
Gateway: 10.0.0.1
DNS: (not configured - per tom  )
Internal IP: 192.168.1.254/24
Gateway: (not configured - per tom )
DNS: 192.168.1.3
AD DDNS 192.168.1.3 - forwards to two ISP DNS servers
Symptom
Internal network nodes (workstation computers), without warning, drop off the local LAN after a certain amount of time, usually around 10-15 minutes, sometimes more, sometimes less. Dropped nodes can no longer ping the PDC, the ISA Server, or the Internet. The only fix to put them back on the net is resetting the link, either by doing a Disable/Enable in XP or rebooting the machine altogether.
Indications
Prior to installation of the ISA server, the LAN connected to the upstream T-1 through an small ethernet router. There were never any connection issues when using the router (and currently operates as I try to sort this issue).
When the machines start falling from the network, the ISA server is still able to remain online and operating normally. In fact, the ISA never shows any indication of a problem, even while network nodes fail.
Workstation nodes connected through the ISA firewall are using the Firewall Client and the Web Proxy, although I am seeing some attempts by the ISA server itself to connect via SecureNAT.
Part of me believes that it's one central thing, since the problem is touching all workstations in the same way. I had configured the machines to use the PDC as its only DNS server (and using forwarders in DNS to forward to the ISP's DNS)
It doesn't appear to be a configuration of the Firewall Rules, since the system works for a while and then dies.
Any ideas on what I might be dealing with here?
Thanks in advance
Tzonarin
|
|
|
|
|
RE: LAN Nodes Falling off Network behind ISA Server - 26.Sep.2007 6:46:36 PM
|
|
|
elmajdal
Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
|
quote:
Part of me believes that it's one central thing, since the problem is touching all workstations in the same way. I had configured the machines to use the PDC as its only DNS server (and using forwarders in DNS to forward to the ISP's DNS)
and how they were configured before ??
did u set your Internal DNS Server as a SecureNet client ?
check this http://www.elmajdal.net/isaserver/Internal_DNS_Forwarding.aspx
_____________________________
Tarek Majdalani
MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8
|
|
|
|
|
RE: LAN Nodes Falling off Network behind ISA Server - 26.Sep.2007 7:31:45 PM
|
|
|
tzonarin
Posts: 12
Joined: 25.Sep.2007
Status: offline
|
quote:
and how they were configured before ??
I had started configuring them the same way, all nodes pointing to the Internal DNS only. After seeing nodes fall off, and not resolving right, I put the ISP's DNS to the workstations and while it perceivably improved things, in the end, there was no change. It seemed like machines fall off with after a little longer space of time.
quote:
did u set your Internal DNS Server as a SecureNet client ?
Yes, it is. Originally, everything was set up as SecureNAT but I thought things might improve for me by using the Firewall client. I have workstations now on the FWC, but the server, for now, still would connect SecureNAT. There was no change in the symptom in any case.
I had a look at your tutorial and I believe I had this going in one rule. Out of desparation to try to find a solution, I had set up an All Open rule (yes, Tom, I know...). It was set up as permissive as it could be, even - "Allow all outbound from Internal to External for All Users". This should have also allowed DNS to go out to the ISP as well as all Internet traffic. But after 10-15 minutes, I was getting bumped off the net, having to reset my adapter to get back online.
Any other thoughts?
Tzo
|
|
|
|
|
RE: LAN Nodes Falling off Network behind ISA Server - 27.Sep.2007 2:06:12 AM
|
|
|
elmajdal
Posts: 5074
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: online
|
ISA Server, DNS Servers are Win 2003 SP2 ?
_____________________________
Tarek Majdalani
MS Forefront Edge Security MVP
Website : http://www.elmajdal.net/ISAServer
New Section : http://www.elmajdal.net/Win2k8
|
|
|
|
|
RE: LAN Nodes Falling off Network behind ISA Server - 27.Sep.2007 10:08:09 AM
|
|
|
tzonarin
Posts: 12
Joined: 25.Sep.2007
Status: offline
|
quote:
ISA Server, DNS Servers are Win 2003 SP2 ?
The ISA Server is Win 2003 R2 Enterprise - SP2. The DNS Server is also acting as a Windows DC and is running Win 2000 SP4.
The Network itself is a small network, just seven workstations on the LAN, with one DC for file services. Even if I just put one machine behind ISA, it still fails after about 10 minutes.
I'm going to run Ethereal and see if I can see anything interesting that may be causing this, but if anyone here comes up with any insights, I'll be monitoring this channel too.
Something tells me this is one of those 'undocumented features' that MS typically puts in their products to give admins migraines...
Tzo
|
|
|
|
|
RE: LAN Nodes Falling off Network behind ISA Server - 28.Sep.2007 12:07:53 PM
|
|
|
tzonarin
Posts: 12
Joined: 25.Sep.2007
Status: offline
|
I guess I'll never know why.
So, I decided, just for giggles, use a completely different machine. So that's what I did. I picked up this tiny little Gateway SFF - 700MHz PIII, 384MB of RAM, 40GB HDD and set up ISA 2006 on it. It's not nearly as fast as the machine I had previously set up to use, but, wouldn't you know it, it works. So far, it's been cranking for over 12 hours without skipping a beat. I'm getting VPN set up and going through the 2003 hardening procedure now. Needless to say, I'm much happier than I have been in a couple days - I just may have to have a beer tonight even!
In any case, I appreciate the tips and all the content on this site. I guess it was something in hardware. In any case, I will run the ISA on my little 700MHz box and repurpose the other machine for something else, which is a bonus in hardware reuse.
Best
T'zonarin
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
