• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

What "Failed Connection Attempt" means with SSL access in ISA log?

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 Firewall] >> Logging and Reporting >> What "Failed Connection Attempt" means with SSL access in ISA log? Page: [1]
Login
Message << Older Topic   Newer Topic >>
What "Failed Connection Attempt" means with S... - 20.Jul.2007 10:50:43 AM   
soimer

 

Posts: 10
Joined: 9.Apr.2007
Status: offline
Recently, when analyzing an ISA report, I got a question:
I need to find out what user actually did during a certain time, from internal to an external secure site; but in the filtered log, I see more than 80% activities related to https or SSL show "Failed Connection Attempt" (with HTTP status code 64 or 995).  I want to know what these failed attempts mean.  Are these connections really failed, more than 80% of them?  or this is just the feature in SSL communication because ISA cannot determine what happened in the tunnel?
Or, I think my question is, did user actually get connected to the secure site even the log shows failed connection attempts?
The followings are two samples in the log.  Thanks!


Client Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MSDigitalLocker; SU 3.004; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2....
Authenticated Client : Yes
Service : Proxy
Destination Host Name :
www.destination.com
Transport : TCP
Object Source : Internet
Filter Information : Req ID: 0718xxx3; Compression: client=No, server=No, compress rate=0% decompress rate=0%
GMT Log Time : 1x/07/2007 x:57
Bytes Sent : 1313
Bytes Received : 2989
Cache Information : 0x0
Error Information : 0x1
Log Time : 13/07/2007 x:57
Client IP : 10.x.x.150
Destination IP : x.x.x.32
Destination Port : 443
Protocol : SSL-tunnel
Action : Failed Connection Attempt
Rule : Allow unauthenticated Web access to certain sites
HTTP Status Code : 64
Client Username : anonymous
Source Network : Internal
Destination Network : External
URL :
www.destination.com:443
Server Name : ISA02
Log Record Type : Web Proxy Filter

 
 
Client Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Authenticated Client : Yes
Service : Proxy
Destination Host Name :
www.destination.com
Transport : TCP
Object Source : Internet
Filter Information : Req ID: 0718xxx7; Compression: client=No, server=No, compress rate=0% decompress rate=0%
GMT Log Time : 1x/07/2007 x:57
Bytes Sent : 1694
Bytes Received : 4167
Cache Information : 0x0
Error Information : 0x8
Log Time : 13/07/2007 x:57
Client IP : 10.x.x.119
Destination IP : x.x.x.32
Destination Port : 443
Protocol : SSL-tunnel
Action : Failed Connection Attempt
Rule : Allow unauthenticated Web access to certain sites
HTTP Status Code : 995
Client Username : anonymous
Source Network : Internal
Destination Network : External
URL :
www.destination.com:443
Server Name : ISA02
Log Record Type : Web Proxy Filter



Post #: 1
RE: What "Failed Connection Attempt" means wi... - 20.Jul.2007 12:24:10 PM   
ferrix

 

Posts: 547
Joined: 16.Mar.2005
Status: offline
Without seeing whole log, just an opinion: 64 looks to me like it couldn't find the server name (like, an invalid url or a dns error) and then 995 is for aborting the connection.

You won't normally see these items during a successful ssl proxy connection, although it's certainly true that ISA's native ability to inspect SSL is very limited (unless you use ClearTunnel)

Info about the errors from MS
ERROR_NETNAME_DELETED
64 The specified network name is no longer available.

ERROR_OPERATION_ABORTED
995 The I/O operation has been aborted because of either a thread exit or an application request.

(in reply to soimer)
Post #: 2

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 Firewall] >> Logging and Reporting >> What "Failed Connection Attempt" means with SSL access in ISA log? Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts