Weird Behavior

Weird Behavior - 15.Apr.2010 6:50:56 PM   


Posts: 12
Joined: 14.Jan.2009
Status: offline
Please can anyone help with this. Even if you aren't sure, please reply. I have tried everything I can think of and this is driving me crazy.

Internet -> ISA Server 2006 with external and internal nic -> Procurve Core switch with Layer3 Routing

External Nic
Has external IP address, default gateway

Internal Nic
Has Internal IP address, DNS pointed to Internal DNS Server

My Internal DNS Server forwards to external DNS Servers

Everything was working fine until probably last 2 months. All of a sudden the internet will go down. I can not ping or RDP to the ISA Server. I also can not ping anything external. If I physically go to the ISA server, it also has no internet and can not ping anything external, but I can RDP out to internal computers. The only events I see, and not all the time, say "ISA Server disconnected a non-TCP connection from my internal DNS Server ip address". I have upped the non-TCP Connections per minute from 1000 to 1500 but it made no difference. Sometimes the internet will come back after about 2 minutes, but most of the time it won't come back at all. I check to make sure all services are running that should be, like Microsoft Firewall and Routing and Remote Access. After many reboots and many disabling and re-enabling of NIC cards, eventually it will come back. Once it comes back up I can ping and RDP to ISA server no problem. No rhyme or reason. I have noticed in reports that we get up around 400,000 DNS requests a day. I thought that was high but wasn't sure, as we are supporting internet for a 300 room hotel and about another 125 desktop computers. It almost seems like the ISA server is possibly being overloaded with so many connections and requests and just shutting down.

Please can anyone offer anything that I might can check or anything.

Thanks in advance.

< Message edited by BradleyGZ -- 15.Apr.2010 8:32:34 PM >
Post #: 1
RE: Weird Behavior - 15.Apr.2010 8:40:10 PM   


Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline

First thing you should do is configure your ISA NICs properly: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html

Paulo Oliveira.


Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to BradleyGZ)
Post #: 2
RE: Weird Behavior - 16.Apr.2010 9:27:11 AM   


Posts: 12
Joined: 14.Jan.2009
Status: offline
Thanks, paulo.oliveira. That was very helpful.

I edited my original post at the same time you were replying to mine. I changed that I had DNS configured on my Internal NIC and not the External. I checked all my settings and they are configured as they should be.

Last night the Internet went down and after about 45 min it came back by itself without me having to do anything. I checked the Event Viewer and the only entry this time was:

"The number of denied connections from the source IP address exceeded the configured limit. This may indicate that the host is infected or is attempting an attack on the ISA Server computer."

That computer is my Kaspersky AntiVirus Admin Server and my Windows Server Update Services Server. I checked ISA Logs and I saw hundreds of NetBIOS Name Service denials and that was pretty much it as far as denials go.

(in reply to paulo.oliveira)
Post #: 3
RE: Weird Behavior - 16.Apr.2010 4:38:38 PM   


Posts: 12
Joined: 14.Jan.2009
Status: offline
Ok I believe I have fixed the problem.

I had an access rule that had All Outbound Protocols and it contained the Domain Name Sets. Come to find out that if you have any Domain Name Sets you can not have All Outbound Protocols. You have to have only HTTP, HTTPS or FTP. If you have all selected it will create a backlog of DNS requests and will overload the ISA Server and shut it down so it can finish the backlog of requests. That also explains why I would have upwards of 400,000 DNS requests a day. All is working well for now.

(in reply to BradleyGZ)
Post #: 4
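
A way to see which internal host is generating the non-TCP and denied traffic discussed in this thread, as an added example that is not from any poster or from ISA Server itself. It assumes the firewall log has been exported to a simplified CSV (time, client IP, transport, destination port, action), a constructed layout rather than ISA's native format; the function names and the per-source, per-minute grouping are this example's own choices.

```python
import csv
import io
from collections import Counter

# Constructed sample rows (not real ISA output): time, client IP, transport, dest port, action.
SAMPLE_LOG = """\
2010-04-15 18:40:01,192.0.2.10,UDP,53,Allowed
2010-04-15 18:40:02,192.0.2.10,UDP,53,Allowed
2010-04-15 18:40:03,192.0.2.10,UDP,53,Allowed
2010-04-15 18:40:09,192.0.2.25,UDP,137,Denied
2010-04-15 18:40:12,192.0.2.25,UDP,137,Denied
2010-04-15 18:40:30,192.0.2.40,TCP,80,Allowed
2010-04-15 18:41:05,192.0.2.10,UDP,53,Allowed
2010-04-15 18:41:07,192.0.2.25,UDP,137,Denied
"""

def parse(text):
    """Yield (minute, source, transport, port, action) per row; skip malformed rows."""
    for row in csv.reader(io.StringIO(text)):
        row = [field.strip() for field in row]
        if len(row) != 5 or not row[3].isdigit():
            continue
        ts, src, proto, port, action = row
        # ts[:16] truncates "YYYY-MM-DD HH:MM:SS" to a one-minute bucket.
        yield ts[:16], src, proto.upper(), int(port), action.lower()

def non_tcp_over_limit(text, limit):
    """Return {(minute, source): count} where non-TCP connections in that minute exceed limit."""
    counts = Counter((m, s) for m, s, proto, _, _ in parse(text) if proto != "TCP")
    return {key: n for key, n in counts.items() if n > limit}

def denied_by_source_and_port(text):
    """Return [((source, port), count)] for denied rows, most frequent first."""
    counts = Counter((s, port) for _, s, _, port, action in parse(text)
                     if action == "denied")
    return counts.most_common()

if __name__ == "__main__":
    # The thread's limit was 1000, then 1500; limit=2 is used so the small sample trips it.
    for (minute, src), n in sorted(non_tcp_over_limit(SAMPLE_LOG, limit=2).items()):
        print(f"{minute} {src}: {n} non-TCP connections")
    for (src, port), n in denied_by_source_and_port(SAMPLE_LOG):
        print(f"{src} -> port {port}: {n} denied")
```

A source that dominates the first list on UDP port 53 points at DNS load like the 400,000 requests a day reported here, while port 137 in the second list corresponds to the NetBIOS Name Service denials seen in the logs.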
