SecureNAT and SP2 (try everything and nothing works)
SecureNAT and SP2 (try everything and nothing works) - 12.May2008 12:53:53 PM
Tinchito
Posts: 34
Joined: 16.Nov.2001
Status: offline
I really don't know what else to try now...

This is my scenario:

DC... exchange... isa... dmz... cisco... internet

The DMZ is administered by a Cisco firewall, so it's an external network to ISA Server. Once I applied SP2 to the ISA box (2k3 server R2), the traffic is randomly rejected. The ISA box can't communicate with anything, including DC, DNS, etc.

The main problem is the mail traffic. When an internal user creates a mail to an external address, the mail server (192.168.10.10) sends it to the relay host at the DMZ (10.10.10.10), through the ISA box (192.168.10.1). Sometimes this traffic can pass normally and sometimes it can't. The ISA logs show the following:

Log type: Firewall service
Status:
Rule: Mailserver
Source: Internal (mailserver.domain.local 192.168.10.10:58628)
Destination: External (relayhost.dmz.local 10.10.10.10:25)
Protocol: SMTP
User:
Additional information
Number of bytes sent: 184
Number of bytes received: 48
Processing time: 16ms
Original Client IP: 192.168.10.10
Client agent:

So... the rule permits the connection, but the traffic is discarded. I can't telnet from the mail server to the relay host at port 25 when this happens (no connection). I can't ping at this moment either. But a couple of minutes (or hours) before, it works without any problems.

The ISA box is a Dell PowerEdge 860 with 2 GB of RAM, and the network cards are Broadcom NetXtreme (not NetXtreme II). I disabled RSS, TCPA and TCPChimney. Nothing works. I tried to disable RSS from the network adapter settings, but I don't have the option to do it.

I formatted the server, reinstalled ISA WITHOUT 2k3 SP2, and it works great, but when I apply SP2, everything goes weird.

Additionally, in the application log of the ISA box, this error sometimes appears:

Windows cannot obtain the domain controller name for your computer network. (An unexpected network error occurred. ). Group Policy processing aborted. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

So, ISA is blocking (or discarding) traffic from the ISA box itself to the internal network, including DCs.

Please... I really, really, really need help with this... :( Any advice/tip would be so much appreciated.

PS: Sorry about my bad English.
RE: SecureNAT and SP2 (try everything and nothing works) - 19.May2008 11:53:56 AM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Open Regedit.

Go to: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Adjust the following. If they don't exist, create them as REG_DWORD values:

DisableTaskOffload = 1
EnableRSS = 0
EnableTCPA = 0
EnableTCPChimney = 0

May want to reboot.
_____________________________
Phillip Windell www.wandtv.com
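The registry change described in the reply above, as an added example that is not part of the original thread: a PowerShell script that reports the current state of the four values and, when asked, writes them as REG_DWORD. It assumes PowerShell is installed on the ISA box and is run elevated; the `-Apply` switch is a hypothetical name chosen for this example.

```powershell
# Added example (not from the thread): audit the four Tcpip\Parameters values
# named in the reply above, and write them only when -Apply is given.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Value names and targets exactly as listed in the reply.
$wanted = @{
    DisableTaskOffload = 1
    EnableRSS          = 0
    EnableTCPA         = 0
    EnableTCPChimney   = 0
}

$changed = $false
foreach ($name in $wanted.Keys) {
    $target = $wanted[$name]

    # A missing value yields $null rather than an error.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name

    if ($null -eq $current)       { $state = 'missing' }
    elseif ($current -eq $target) { $state = 'ok' }
    else                          { $state = "currently $current" }

    Write-Output ("{0,-20} want={1}  {2}" -f $name, $target, $state)

    if ($Apply -and $state -ne 'ok') {
        # -Force overwrites an existing value and guarantees the REG_DWORD type.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
                         -Value $target -Force | Out-Null
        $changed = $true
    }
}

if ($changed) {
    Write-Output 'Values written. As the reply notes, a reboot may be needed.'
}
```

Running it without `-Apply` first shows whether a value is absent or set differently, which is useful when the settings were supposedly applied already.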
RE: SecureNAT and SP2 (try everything and nothing works) - 28.May2008 11:06:24 AM
Tinchito
Posts: 34
Joined: 16.Nov.2001
Status: offline
Unfortunately I already did that a long time ago :( Anything else?
RE: SecureNAT and SP2 (try everything and nothing works) - 28.May2008 12:03:23 PM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Nope. Not that I know of anyway.
_____________________________
Phillip Windell www.wandtv.com
RE: SecureNAT and SP2 (try everything and nothing works) - 2.Jun.2008 1:38:02 PM
Tinchito
Posts: 34
Joined: 16.Nov.2001
Status: offline
Thanks anyway :)