Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
What "Failed Connection Attempt" means with SSL access in ISA log?
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
What "Failed Connection Attempt" means with S... - 20.Jul.2007 10:50:43 AM
|
|
|
soimer
Posts: 8
Joined: 9.Apr.2007
Status: offline
|
Recently, when analyzing an ISA report, I got a question:
I need to find out what user actually did during a certain time, from internal to an external secure site; but in the filtered log, I see more than 80% activities related to https or SSL show "Failed Connection Attempt" (with HTTP status code 64 or 995). I want to know what these failed attempts mean. Are these connections really failed, more than 80% of them? or this is just the feature in SSL communication because ISA cannot determine what happened in the tunnel?
Or, I think my question is, did user actually get connected to the secure site even the log shows failed connection attempts?
The followings are two samples in the log. Thanks!
Client Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MSDigitalLocker; SU 3.004; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2....
Authenticated Client : Yes
Service : Proxy
Destination Host Name : www.destination.com
Transport : TCP
Object Source : Internet
Filter Information : Req ID: 0718xxx3; Compression: client=No, server=No, compress rate=0% decompress rate=0%
GMT Log Time : 1x/07/2007 x:57
Bytes Sent : 1313
Bytes Received : 2989
Cache Information : 0x0
Error Information : 0x1
Log Time : 13/07/2007 x:57
Client IP : 10.x.x.150
Destination IP : x.x.x.32
Destination Port : 443
Protocol : SSL-tunnel
Action : Failed Connection Attempt
Rule : Allow unauthenticated Web access to certain sites
HTTP Status Code : 64
Client Username : anonymous
Source Network : Internal
Destination Network : External
URL : www.destination.com:443
Server Name : ISA02
Log Record Type : Web Proxy Filter
Client Agent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Authenticated Client : Yes
Service : Proxy
Destination Host Name : www.destination.com
Transport : TCP
Object Source : Internet
Filter Information : Req ID: 0718xxx7; Compression: client=No, server=No, compress rate=0% decompress rate=0%
GMT Log Time : 1x/07/2007 x:57
Bytes Sent : 1694
Bytes Received : 4167
Cache Information : 0x0
Error Information : 0x8
Log Time : 13/07/2007 x:57
Client IP : 10.x.x.119
Destination IP : x.x.x.32
Destination Port : 443
Protocol : SSL-tunnel
Action : Failed Connection Attempt
Rule : Allow unauthenticated Web access to certain sites
HTTP Status Code : 995
Client Username : anonymous
Source Network : Internal
Destination Network : External
URL : www.destination.com:443
Server Name : ISA02
Log Record Type : Web Proxy Filter
|
|
|
|
RE: What "Failed Connection Attempt" means wi... - 20.Jul.2007 12:24:10 PM
|
|
|
ferrix
Posts: 363
Joined: 16.Mar.2005
Status: offline
|
Without seeing whole log, just an opinion: 64 looks to me like it couldn't find the server name (like, an invalid url or a dns error) and then 995 is for aborting the connection.
You won't normally see these items during a successful ssl proxy connection, although it's certainly true that ISA's native ability to inspect SSL is very limited (unless you use ClearTunnel)
Info about the errors from MS
ERROR_NETNAME_DELETED
64 The specified network name is no longer available.
ERROR_OPERATION_ABORTED
995 The I/O operation has been aborted because of either a thread exit or an application request.
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
