Urgent: Cannot save access rules changes to the ISA 2004 configuration file

Urgent: Cannot save access rules changes to the ISA 200... - 19.Sep.2006 9:38:46 PM   
filipe

 

Posts: 26
Joined: 19.Sep.2006
Status: offline
Hi,

When I change a firewall rule in my ISA 2004 Array console the following error occurs:

"The changes cannot be saved. Error 0x80070002. The system cannot find the file specified."

In event viewer it gives the errors:

"The ISA Server configuration agent was unable to upload the configuration to the ISA Server services. This could be due to a corrupt configuration. The ISA Server configuration agent is reverting the configuration back to the last known configuration. The service that failed to load the configuration is: fwsrv."

"Configuration changes saved to the Configuration Storage server could not be applied to ISA Server services. After 5 attempts to apply the changes, ISA Server postpones any new attempts to apply these changes, and will only renew attempts when a new configuration is saved to the Configuration Storage server. Recent alerts may indicate the reason for this failure."

All services start with no errors and the last firewall good configuration rules are applied with no problem. When I change anything, and want to save, the error occurs!!

How can I solve this problem?
Any ideas??

Thanks in advance.

Filipe
Post #: 1
RE: Urgent: Cannot save access rules changes to the ISA... - 2.Oct.2006 2:33:32 PM   
GMoertle

 

Posts: 3
Joined: 2.Oct.2006
Status: offline
Filipe,

I encountered this problem just the other day, with ISA 2004 Standard Edition. What I found was that one of my Firewall Policies lost its settings; this was the cause of the files not found error.

You should try these steps.
Open ISA Server Management.
Go to Firewall Policies.
Look for one of the Policies you entered that now has blank action, protocol, from, to, and/or condition.
Once you find the Policy like this, Delete it and then hit Apply.

This should fix your problem.

At least it did for me.

-Gary R. Moertle

(in reply to filipe)
Post #: 2
RE: Urgent: Cannot save access rules changes to the ISA... - 2.Jan.2008 9:14:47 AM   
drpiet

 

Posts: 7
Joined: 8.Jul.2005
From: Pennsylvania
Status: offline
Well, I just have the same problem on ISA2006. Of course trying to delete the rule with issues is not helping at all.
I tried exporting the config, importing it back, then importing it after I manually remove the rule from the file, etc., etc., etc.

Nothing seems to work. The problem is everything works fine, but nothing can be changed among the rules (add, edit, delete).

Is there any super magic secret iupy trupy way to have it working back?

Thanks

(in reply to GMoertle)
Post #: 3
RE: Urgent: Cannot save access rules changes to the ISA... - 2.Jan.2008 1:03:19 PM   
fry

 

Posts: 6
Joined: 1.Jan.2008
Status: offline
I have had a similar case; to get rid of the rule I had to open the registry to delete the corrupt rule.
HKLM\SOFTWARE\MICROSOFT\Fpc\Storage\Array-Root\Arrays\(GUID OF ARRAY)\ArrayPolicy\PolicyRules
Scroll through the GUIDs under PolicyRules till you find the one with the "msFPCName" of the corrupt rule and delete the folder for that GUID. Please note that you may want to make a backup of any registry key you are going to modify before you delete. After the rule is deleted make sure the ISA management console is closed and restart the Microsoft Firewall service from the Services management console.

(in reply to drpiet)
Post #: 4
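
Added example, not part of the thread and not code from any poster: a PowerShell script for the lookup-and-backup step fry describes, to be run on the ISA server before any key is deleted. It assumes msFPCName is a registry value on each rule's GUID key; the rule name and backup folder are placeholders.

```powershell
# Added example: read-only search plus backup; nothing is deleted here.
# $RuleName is a hypothetical placeholder for the display name of the corrupt rule.
$RuleName  = 'NAME-OF-CORRUPT-RULE'
$BackupDir = 'C:\ISA-RegBackup'   # assumed backup location, not from the thread
$ArraysKey = 'HKLM:\SOFTWARE\Microsoft\Fpc\Storage\Array-Root\Arrays'

function Find-IsaRuleKey {
    param([string]$ArraysPath, [string]$Name)
    $hits = @()
    # Walk every array GUID so the "(GUID OF ARRAY)" part does not need to be known.
    foreach ($array in Get-ChildItem -Path $ArraysPath -ErrorAction SilentlyContinue) {
        $rulesPath = "$($array.PSPath)\ArrayPolicy\PolicyRules"
        if (-not (Test-Path $rulesPath)) { continue }
        foreach ($rule in Get-ChildItem -Path $rulesPath) {
            # Assumption: msFPCName is stored as a value on each rule's GUID key.
            $props = Get-ItemProperty -Path $rule.PSPath -ErrorAction SilentlyContinue
            if ($props -and $props.msFPCName -eq $Name) { $hits += $rule }
        }
    }
    return $hits
}

$found = Find-IsaRuleKey -ArraysPath $ArraysKey -Name $RuleName
if (-not $found) {
    Write-Host "No rule key with msFPCName '$RuleName' found under $ArraysKey."
    return
}

if (-not (Test-Path $BackupDir)) {
    New-Item -ItemType Directory -Path $BackupDir | Out-Null
}

foreach ($rule in $found) {
    # One .reg file per matching key, time-stamped so earlier backups are never overwritten.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $file  = Join-Path $BackupDir ("{0}-{1}.reg" -f $rule.PSChildName, $stamp)
    & reg.exe export $rule.Name $file | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup failed for $($rule.Name)" }
    Write-Host "Backed up $($rule.Name) -> $file"
}
```

The script only reads and exports; the deletion and the Firewall service restart remain the manual steps from the post.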
RE: Urgent: Cannot save access rules changes to the ISA... - 2.Jan.2008 2:53:29 PM   
drpiet

 

Posts: 7
Joined: 8.Jul.2005
From: Pennsylvania
Status: offline
Hey, thanks for your reply.
The thing is I deleted the rules from the registry, but I'm deleting them from the array members, not the CSS (which is the one holding the rules, right?).
So for me it makes sense to delete the rule from the CSS, but there are no rules in its registry; it looks like it is keeping them in some other place, probably a DB or something.

Any idea?

(in reply to fry)
Post #: 5
RE: Urgent: Cannot save access rules changes to the ISA... - 2.Jan.2008 8:05:43 PM   
fry

 

Posts: 6
Joined: 1.Jan.2008
Status: offline
The only place I can think of is C:\Program Files\Microsoft ISA Server\StgData
Try and find the rule's GUID in there and delete it. But once the rules are removed from the registry you have to restart the Firewall service to make the changes appear in the ISA management tool.

(in reply to drpiet)
Post #: 6
RE: Urgent: Cannot save access rules changes to the ISA... - 23.Apr.2008 7:49:58 PM   
madburg

 

Posts: 1
Joined: 23.Apr.2008
Status: offline
Hey guys, having the EXACT issue, (2) ISA 2006 EE in ISA NLB mode, with CSS servers (primary and backup, installed on each ISA server), (OS W2K3 R2 SP2 EE). I created a firewall rule to publish a site. Then long story short, I ended up deleting it probably 5-10 mins. later, as the rule was no longer needed.

Today I need to work on some new access rules; I can create, move, delete, etc. None take effect. Scratch my head, as everything else is still up and running. Checked the OS Event logs and ISA Alerts, noticed 3 event id #21177 from Source "Microsoft ISA Server Web Proxy" followed by 1-2 event id #21209 and 21271 from source "Microsoft ISA Server Control"; the descriptions are exactly like those of "filipe" who started the post. And like "GMoertle" stated, "Look for one of the Policies you entered that now has blank action, protocol, from, to, and/or condition." is exactly my issue; it is the ONE rule that is corrupted (which is the last rule I created and thought I deleted successfully).

Now I do not know about ISA 2004, but in ISA 2006 the reg keys that hold the ISA array policy information are in a different place (up higher in the registry). And it does nothing for you to delete them, because as soon as it reads from the CSS server which holds the corrupted information about that rule, boom, right back in the registry.

You cannot "Delete the Selected Rule", you cannot view the properties of the rule; as soon as you try any of those actions or right click on the rule you receive an error message "ISA Server Error, The item selection could not be completed due to an unexpected error." in details "Error 0x80070002 The system cannot find the file specified.".

Real nice, ever look up that 0x800 error, most common error MS pipes out! Cannot find the file? Really? ISA doesn't work off flat files (thank god :))

So I am with "drpiet": it needs to be taken care of from the CSS level for ISA 2006, but how? The ".dat" files in the StgData subdirectory of the ISA installation directory look like binary or something. Not to mention, why copy the rule info in ISA 2006 into the registry? Would be nice to know for knowledge.

I did export the config out in XML, removed the bad rule, but when you go to import, you get an import failed, under details the same error code and message as when trying to delete the rule, which logic is telling me when it reaches that corrupted rule during import it bombs... sounds like what "drpiet" also did. So backup etc. don't help here.

So really need help on this guys, please. This is a production ISA NLB setup, so I cannot lose it. I have the advantage that I can take one node down to work on it at a time without affecting the business.

Otherwise ISA is not stable enough to be enterprise class. You cannot have a product that holds the key to the castle flip out like this and not let you fix the issue... Think of it this way, I get the business to buy into this, shell out the cash for not 1 but 2 servers for redundancy, load balancing is just a bonus. Install not one but 2 CSS servers for redundancy (granted they are installed on the actual ISA servers, MS supports but does not like, but buying 2 more servers for CSS for a total of 4, I do not think so, not to mention ISA cannot be touched with a 2 foot pole right?, so there should be no worries there.)

Call me, shoot me an email, post it here, HELP, please.

(in reply to fry)
Post #: 7
