The ISA Server services cannot create a packet filter 217.8.25.249. This event occurs when there is a conflict between the Local Address Table (LAT) configuration and the Windows 2000 routing table. Check the routing table and the LAT to find the source of the conflict.

Which is the external interface of my ISA Server.

Why???

My Lat:
From To Description
10.0.0.0 10.255.255.255
169.254.0.0 169.254.255.255
172.16.0.0 172.31.255.255
172.16.1.0 172.16.1.255
172.16.2.0 172.16.2.255
172.16.3.0 172.16.3.255
172.16.4.0 172.16.4.255
172.16.5.0 172.16.5.255
172.16.255.255 172.16.255.255
192.168.0.0 192.168.255.255

My ISA Server Routing Table:H:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 b0 d0 3b bc fe ...... 3Com EtherLink PCI (Microsoft's Packet Scheduler
)
0x3 ...00 01 02 b9 23 0f ...... 3Com EtherLink PCI (Microsoft's Packet Scheduler
)
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 217.8.25.250 217.8.25.249 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
172.16.1.0 255.255.255.0 172.16.2.1 172.16.2.4 2
172.16.2.0 255.255.255.0 172.16.2.4 172.16.2.4 1
172.16.2.4 255.255.255.255 127.0.0.1 127.0.0.1 1
172.16.3.0 255.255.255.0 172.16.2.1 172.16.2.4 2
172.16.4.0 255.255.255.0 172.16.2.1 172.16.2.4 2
172.16.5.0 255.255.255.0 172.16.2.1 172.16.2.4 2
172.16.255.255 255.255.255.255 172.16.2.4 172.16.2.4 1
217.8.25.248 255.255.255.252 217.8.25.249 217.8.25.249 1
217.8.25.249 255.255.255.255 127.0.0.1 127.0.0.1 1
217.8.25.255 255.255.255.255 217.8.25.249 217.8.25.249 1
224.0.0.0 224.0.0.0 172.16.2.4 172.16.2.4 1
224.0.0.0 224.0.0.0 217.8.25.249 217.8.25.249 1
255.255.255.255 255.255.255.255 172.16.2.4 172.16.2.4 1
Default Gateway: 217.8.25.250
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
172.16.1.0 255.255.255.0 172.16.2.1 2
172.16.2.0 255.255.255.0 172.16.2.1 2
172.16.3.0 255.255.255.0 172.16.2.1 2
172.16.4.0 255.255.255.0 172.16.2.1 2
172.16.5.0 255.255.255.0 172.16.2.1 2

The external interface is the NIC that is hooked up to the Internet. The internal interface is the NIC hooked up to your internal network.

The LAT should NEVER contain anything pertaining to your external interface or people can "walk right through" and ISA is no good. For instance, my LAT is 192.168.0.0 to 192.168.255.255 and that gives me PLENTY of internal IPs for my client machines. However, you'll notice that my external NICs IP is absent...and with good reason...

Ultraman

My LAT is correct. There's nothing wrong there.

------------------
Cliff Dabbs

You're a victim of the dreaded 14120 error. Many a fine admin has tried to come up with a unifying hypothesis on how to fix this error. Sometimes it works, sometimes it doesn't, and sometimes it works for a while and then stops working

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

Get it Here!

So if your FQDN is www.external.com, and that resolves to 217.8.25.249. Any internal client the browses to www.external.com will generate an event, every time ISA creates a new connection object to the internal site.

The error is benign, but to avoid it, create an new DNS forward lookup zone for external.com and have www.external.com resolve to the internal IP address of the web site. Also see my other reply in the "ISA Server General - General Issues" forum - topic "Event ID 14120".

/Lars

Cliff

I think you are onto something here!

Here's what I did to make the error go away, and then make it come back again:

I published an internal site using the IP address of the internal site in the publishing rule. When I used the IP address, I got the dreaded 14120 error.

After getting the dreaded error, I changed the publishing rule so that instead of using the IP address, I used the internal server's FQDN on the internal network. Note that I *did NOT* use an external FQDN, but rather the FQDN the server uses on the internal network.

After making this change, NO MORE dreaded 14120 error.

Interesting, but again, it fails to provide a unifying hypothesis, esp. for the errors that external clients get when accessing the server.

Thanks!

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

Get It Here

I have only seen this error in two scenarios and both happen when ISA creates the dynamic packet filters for outgoing Web Proxy traffic.
1. Internal clients access a Web Published site by external IP address or FQDN that resolves to the external IP. The event is logged every time the connection object to the internal web server is created. I think the normal timeout for that object is ~2-5 min.
2. ISA is installed in Integrated mode with only one NIC and no dial-up adapter. Default installation for ISA in this mode is to have packet filtering enabled. ISA will log an event for each request, filling the eventlog fairly quick.
The 14120 event is accurate here as the IP address is in the LAT.
Installing ISA in Integrated mode requires two interfaces per documentation. Either 2 NICs or 1 NIC and 1 dial-up adapter. ISA will not complain during installation, but will act very strange. The correct installation with only one NIC is Cache mode.

Since this event is related to Web Publishing and creation of PFs for outgoing web requests, I cant think of any other scenario like reverse proxy or Server Publishing that can cause this. All events are caused by internal client activity.

If you find any other scenario where you can trigger these event then let me know by e-mail.

Solution for scenario 1 is to create a forward lookup zone on the internal DNS server. So internal requests resolve the external FQDN to the internal IP address of the web published server.

Scenario 2 is a bad installation and should be fixed by either re-installing in Cache mode or adding a 2nd NIC to the machine and then re-configure it.

/Lars

You're saying this is a problem when only one network card is in use and packet filtering is switched on.

My Installation has 2 NICs, one interal and one external.

Scenario 2 is a bad installation, because you need two interfaces for IP packet filtering.

The events you are seeing is probably caused by what I have described in scenario 1.

/Lars

/Lars

I have tried everything, certificates look fine, moreover, the HTTPs site that I am publishing and it works from INTRANET (internally), but when I try from outside, I get "Page Not found error"

My Event log shows:

The ISA Server services cannot create a packet filter 206.x.x.x This event occurs when there is a conflict between the Local Address Table (LAT) configuration and the Windows 2000 routing table. Check the routing table and the LAT to find the source of the conflict.

If you have solution, please help. Also my LAT table has only my internal Private addresses, which is what it is suppose to have. (10.0.0.0 - 10.255.255.255)

I have however removed the SSL Certificates etc. I still cannot publish through the ISA Server with a certificate, but I think that is resolveable if I work out what to do with the certificate configuration.

Cliff Dabbs