Welcome to ISAserver.org

WINS Proxy and/or 0xc0040014 ?

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> WINS Proxy and/or 0xc0040014 ?

Page: [1]

Message

<< Older Topic Newer Topic >>

WINS Proxy and/or 0xc0040014 ? - 10.Sep.2004 5:49:00 PM

grinn253

Posts: 76
Joined: 12.Jul.2004
From: Seattle
Status: offline

Hello again! "[Smile]"

Appears that our ISA 2k4 setup may almost be close to completion. Here is the setup:

External NIC = 128.208.125.85 /26
Internal NIC = 128.208.125.19 /26
Clients NIC = 192.168.125.100 /24

Every NIC for ISA is on its own network, we have put the client workstations on the 'Client network' and the servers on the 'internal network' So far traffic/policy is working pleasureful between the internal/external/client networks.

Except that when client workstations broadcast what i believe is a name query to 192.168.125.255, ISA denies the conection (port 138) with a result code of:

quote:
0xc0040014 FWX_EFWE_SPOOFING_PACKET_DROPPED

What then happens is when viewing a file such as a .doc that is stored on a network file server, the connection is lost (ISA produces the 0xc0040014 code) and Word, asks the user to reconnect to the server or exit.

So, I created a Lmhosts file for workstations that #PRE and #DOM the fileservers and also has \0x1b \0x1d entries for a DC.

The workstations still wanted to broadcast (bypassing lmhosts file?) but nbtstat -c shows that indeed the lmhosts file is being parsed correctly (determined by life -1)

Finally, would someone be kind to let me know how isa can allow the 192.168.125.255 broadcast traffic? I'm going to regedit ISA to enable it as a WINS Proxy to see if that helps, in the mean time, thank you for your time! "[Razz]"

Edgardo

p.s. a good article on WINS Proxy: "[Wink]"

WINS Proxy

[ September 10, 2004, 05:51 PM: Message edited by: grinn253 ]

Post #: 1

Featured Links*

RE: WINS Proxy and/or 0xc0040014 ? - 13.Sep.2004 7:48:00 PM

grinn253

Posts: 76
Joined: 12.Jul.2004
From: Seattle
Status: offline

Setting ISA as WINS Proxy did nothing to accept the broadcasts to 192.168.125.255.

I'm also noticing:

quote:
0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED

when clients 192.168.x.x. are accessing internal 128.208.125.x

[Embarrassed]

However by changing the broadcast address in the registry to 128.208.125.255, ISA passes the broadcasts [Big Grin]

and the client workstations appear to hold their connections to MS Word documents longer. Originally was timing out ~5 seconds to 5 minutes. Now seems to time out more often when saving, rather than just during typing, or viewing of the file.

I'm now going to try editing keepalivetime & sessionkeepalive time in the registry on client workstations to see if it will keep communications with ISA (when MS Word/documents are open) active.

Goodbye,
Edgardo

(in reply to grinn253)

Post #: 2

RE: WINS Proxy and/or 0xc0040014 ? - 14.Sep.2004 7:55:00 PM

penrose.l@2college.nl

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline

Hey Grinn,

Let me guess you have a NAT relationship ?
check this out. I spent 4 weeks to find where this error originates.

KB 301673 � �You Cannot Make More Than One Client Connection Over a NAT Device� describes the issue. See http://support.microsoft.com/default.aspx?scid=kb;en-us;301673 for more details

This should definately be a sticky ( tom ? ) because it's a big problem with ISA.

Lex P.

(in reply to grinn253)

Post #: 3

RE: WINS Proxy and/or 0xc0040014 ? - 15.Sep.2004 4:29:00 AM

tshinder

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Lex,

Why not just disable NetBIOS on the clients and use DNS? Or how about just using a WINS server to get rid of the broadcasts, and finally, disable the dreaded browser service on all hosts.

HTH,
Tom

(in reply to grinn253)

Post #: 4

RE: WINS Proxy and/or 0xc0040014 ? - 15.Sep.2004 4:31:00 AM

tshinder

Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline

quote:
Originally posted by Lex Penrose:
Hey Grinn,

Let me guess you have a NAT relationship ?
check this out. I spent 4 weeks to find where this error originates.

KB 301673 � �You Cannot Make More Than One Client Connection Over a NAT Device� describes the issue. See http://support.microsoft.com/default.aspx?scid=kb;en-us;301673 for more details

This should definately be a sticky ( tom ? ) because it's a big problem with ISA.

Lex P.

Hi Lex,

All Internal networks should be routed, so that NAT issue isn't an issue. Are you NATing between internal networks? If so, why? There are a lot of disadvatages and few if any advantages.

HTH,
Tom

(in reply to grinn253)

Post #: 5

RE: WINS Proxy and/or 0xc0040014 ? - 15.Sep.2004 7:22:00 PM

grinn253

Posts: 76
Joined: 12.Jul.2004
From: Seattle
Status: offline

quote:
Originally posted by tshinder:
Why not just disable NetBIOS on the clients and use DNS? Or how about just using a WINS server to get rid of the broadcasts, and finally, disable the dreaded browser service on all hosts.

Hello, yes disabling NetBIOS on the clients also appears to work, however a machine we connect to via trust, is still on NT 4.0 so traffic to that machine isn't able to only use port 445 [Frown]

Browser service is already disabled on client workstations, WINS server already in place as well.

Lex, thanks a lot for your link! So far looks good, i'll relay a little more when a little more tests are run.

Edgardo

(in reply to grinn253)

Post #: 6

RE: WINS Proxy and/or 0xc0040014 ? - 16.Sep.2004 10:45:00 PM

penrose.l@2college.nl

Posts: 474
Joined: 29.Jan.2004
From: Netherlands
Status: offline

hi ,

I remember something deep in my head that disabling netbios is bad. Something with GPO processing if I remember well.

anyway , if it helps it helps [Smile]

LexP

ps : NAT = for publishing other than websites internally on the ISA

(in reply to grinn253)

Post #: 7