Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Unidentified IP Traffic - Denied Connection, NON-SYN Packets
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Unidentified IP Traffic - Denied Connection, NON-SYN Pa... - 19.Feb.2008 8:12:42 PM
|
|
|
acarra
Posts: 6
Joined: 11.Feb.2008
Status: offline
|
Configuration:
Have been running ISA2000 for 3 years now without issue, just replaced the server with ISA2004.
ISA Server 2004 with SP3 on Win2k3 server with SP2
ISA Server Best Practice Analyzer returns no errors
Edge Network configuration, WAN card repsonds to 28 public IP addresses.
Each public IP address is publishing a website, or being a SMTP mail server.
Also have an internal Exchange server on one of the IP addresses publishing OWA, and OMA.
Netgear GA302T Gigabit card on Local LAN interface
Intel Pro100 NIC on the WAN Interface
The Issue:
The ISA server is basically working. Outbound access to the Internet is ok and Inbound public access to the websites works, except some customers are reporting bad web sessions to our web servers. Outbound web access works, but sometimes you get the brown proxy error page appear, hit refresh in IE and it goes to the page. (If was just on support.microsoft.com, got the proxy error, a refresh displayed the page).
The ISA log is reporting many errors, with an error appearing every 2 seconds on average.
Most errors are 'Denied Connection', Protocol: 'Unidentified IP Traffic'.
I am also seeing many 'A non-SYN packet was dropped because it was sent by a source that does not have an established connection with the ISA Server computer' errors again from public IP's to the External Interface.
The errors are all between the External Interface and the Internet.
They seem to occur for all traffic type, whether its HTTP outbound web traffic, or SSL OMA traffic.
It seems that the ISA server has decided in the middle of a session with an external Internet computer that some packets of the session are no longer valid (it seems as if its forgoten the session).
Should you expect this rate and type of errors appearing in the ISA log ?
Before submitting this issue, I did some searching and found Microsofts Support Article KB 936594, and some articles in the Microsoft Partners ISA server Managed Newsgroups.
These articles poiunted to issues with Receive Side Scaling and TCP/IP Offloading issues causing failures as I have noticed.
I have installed hotfix KB936594.
I have change the registry settings, disabling Receive Side Scaling, EnableTCPA and EnableRSS.
All NIC device drivers are running their latest version.
The Max MTU for both NICs are 1500 bytes.
Thanks, Andrew
|
|
|
|
|
RE: Unidentified IP Traffic - Denied Connection, NON-SY... - 19.Feb.2008 8:40:05 PM
|
|
|
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
|
Andrew,
Although the NIC drivers are latest version you most likely need to uninstall them and reinstall. Applying the RSS work around does not usually fix it until doing so.
HTH
RB
_____________________________
David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003
|
|
|
|
|
RE: Unidentified IP Traffic - Denied Connection, NON-SY... - 20.Feb.2008 6:45:07 PM
|
|
|
acarra
Posts: 6
Joined: 11.Feb.2008
Status: offline
|
RB,
In your experience does the RSS issue cause the issues I have identitied?
Thanks, Andrew
< Message edited by acarra -- 20.Feb.2008 9:33:56 PM >
|
|
|
|
|
RE: Unidentified IP Traffic - Denied Connection, NON-SY... - 21.Feb.2008 7:07:08 PM
|
|
|
Rotorblade
Posts: 1002
Joined: 27.Feb.2007
Status: offline
|
Yes, I’ve seen similar issues that intermittently occur like in your issue. Connections issues with OWA, SSL sites and VPN issues just to name a few. A good packet trace may help lead you to the problem. TCP resets will occur and that sounds like what is happening. It could be related to other issues with your setup but because it is only occurring intermittently leads me to believe it’s related to RSS. Even though you did all the workarounds, uninstalling and reinstalling the NIC drivers is sometimes necessary to get things working.
HTH
RB
_____________________________
David Melvin
Ohio
MCSE: Security 2003, MCSA:Security 2003
|
|
|
|
|
RE: Unidentified IP Traffic - Denied Connection, NON-SY... - 6.Mar.2008 4:17:05 PM
|
|
|
randy_ray
Posts: 59
Joined: 7.Sep.2002
From: Houston, TX
Status: offline
|
I'm having this same problem but my ISA2k4 sp3 server does NOT have W2k3 Ser Ent sp2, it is only sp1. The system does not have RSS, TCPA in registry and the HP adapters do not have Receive Side Scaling options.
On a second server I have ISA2k4 sp3 and W2k3 Ser Ent with sp2 and have the RSS, TCPA in disabled in registry; but just like my production server, the HP NC7170 Dual Gigabit and HP NC7781 Gigabit adapters do not have Receive Side Scaling as an option. So the "fix" I keep finding is not the solution.
|
|
|
|
|
RE: Unidentified IP Traffic - Denied Connection, NON-SY... - 6.Mar.2008 9:49:23 PM
|
|
|
acarra
Posts: 6
Joined: 11.Feb.2008
Status: offline
|
I am still having exactly the issue you noted.
I had a Netgear NIC on the LAN and an Intel On-Motherboard Server 100BaseT NIC for the WAN.
Removed the NetGear NIC, and used the two onboard Intel Server 100BaseT NIC on the Motherboard. Removed the drivers, install new drivers.
Ensured RSS and TCPA was disabled.
Still the same issues.
I was planning on swapping the NIC's to an HPNC7170 Dula NIC card.
I'll still try this...
Anyone got any further ideas.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
