Welcome to ISAserver.org
RE: Discussion of 2003 SP1 Final Release w/ISA2004
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.May2005 2:57:00 AM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Alebur,
Are you implying that there is no entry in the AD DNS for the ISA firewall and that's what's causing the problem?
Thanks! Tom
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.May2005 5:08:00 AM
|
|
|
Alebur
Posts: 2
Joined: 6.May2005
Status: offline
|
Hi Tom,
I had a problem after SP1 (win2k3 and ISA2004). Error messages: EventID 7, 5719, 5783, 1030 etc. appeared after restarting the PC. My ISA server is a member of the domain; I removed the domain suffix (.local), applied and rebooted the machine. After the restart no errors appear. So, it means that after the SP the ISA server lost the path to the sysvol folder on the domain controller. After removing the domain suffix or joining the domain again, ISA refreshed this path.
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.May2005 7:51:00 AM
|
|
|
md3v
Posts: 308
Joined: 22.Jan.2002
Status: offline
|
Hi,
We tried changing/removing/re-adding the DNS suffix. This does not work/resolve/fix the situation.
Tom -- what email address do you want the XML config export sent to?
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.May2005 11:28:00 AM
|
|
|
dmutsaers
Posts: 45
Joined: 1.Aug.2003
From: The Netherlands
Status: offline
|
Just tried to call Microsoft Support for the hotfix. They're closed today, so I haven't been able to test it.
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.May2005 1:10:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
quote: Originally posted by m: Hi,
We tried changing/removing/re-adding the DNS suffix. This does not work/resolve/fix the situation.
Tom -- what email address do you want the XML config export sent to?
Hi M, Send it to tshinder@isaserver.org
Make sure to let me know the IP address configuration of the ISA firewall, the machine name, and if there are any custom security configurations in the AD Group Policy for the domain to which the ISA firewall is joined and if this policy is applied to the ISA firewall.
Thanks! Tom
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 9.May2005 8:28:00 AM
|
|
|
md3v
Posts: 308
Joined: 22.Jan.2002
Status: offline
|
Tom,
FYI -- I have emailed our configuration to you.
m.
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 9.May2005 12:51:00 PM
|
|
|
dmutsaers
Posts: 45
Joined: 1.Aug.2003
From: The Netherlands
Status: offline
|
quote: Originally posted by interflex: Site-to-site routing issue
Hello Dennis,
It is possible that MS05-19 is causing it, so far we still do not have official hot fix for it, we do have private builds that we are extensively testing before public release.
File affected is ipnat.sys, final release of the hotfix should be ready within 10 days.
Regards,
[name] Technical Lead - Enterprise Platforms Support Windows NT/2000/2003/ISA Server - Networking Specialty
I just installed the hotfix. This didn't solve my problems with IPSEC tunnels. ipnat.sys hasn't been changed with this hotfix.
Best regards, Dennis.
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 9.May2005 12:57:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hey guys,
I want to thank the person who sent me a sample config. I haven't repro'd the entire config in the test lab yet, but I noticed that there was more than one DNS server on the ISA firewall. Remember, the ISA firewall should NEVER EVER have an external DNS server configured on any of its interfaces.
HTH, Tom
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 13.May2005 3:57:00 PM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Klas,
You should have ONLY ONE setting for DNS, and that is on the internal interface of the ISA firewall, and that DNS server must be able to resolve Internet host names.
HTH, Tom
|
|
|
|
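Tom's rule in the posts above (a single DNS setting, on the ISA firewall's internal interface only) can be checked against saved `ipconfig /all` output. This is an added example, not code from the thread; the adapter names, the addresses and the `audit` helper are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample of `ipconfig /all` output; adapter names and addresses are assumptions.
SAMPLE = """\
Ethernet adapter Internal:
   IP Address. . . . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.2

Ethernet adapter External:
   DNS Servers . . . . . . . . . . . : 198.51.100.53
                                       198.51.100.54
"""

ADAPTER = re.compile(r"^\S.* adapter (.+):\s*$")
DNS = re.compile(r"^\s+DNS Servers[ .]*:\s*(\S*)\s*$")
BARE_IP = re.compile(r"^\s+\d{1,3}(\.\d{1,3}){3}\s*$")  # continuation line

def dns_by_adapter(text):
    """Map each adapter name to the DNS servers listed under it."""
    result, current, collecting = {}, None, False
    for line in text.splitlines():
        m = ADAPTER.match(line)
        if m:
            current, collecting = m.group(1), False
            result[current] = []
            continue
        m = DNS.match(line) if current else None
        if m:
            collecting = True
            result[current] += [m.group(1)] if m.group(1) else []
        elif collecting and BARE_IP.match(line):
            result[current].append(line.strip())
        elif line.strip():
            collecting = False  # any other field ends the DNS list
    return result

def audit(text, internal_adapter, internal_net):
    """List violations of 'one DNS setting, on the internal interface only'."""
    net = ipaddress.ip_network(internal_net)
    servers = dns_by_adapter(text)
    missing = f"{internal_adapter}: no DNS server configured"
    findings = [] if servers.get(internal_adapter) else [missing]
    for adapter, addrs in servers.items():
        for addr in addrs:
            if adapter != internal_adapter:
                findings.append(f"{adapter}: DNS server {addr} on non-internal interface")
            elif ipaddress.ip_address(addr) not in net:
                findings.append(f"{adapter}: DNS server {addr} is outside {internal_net}")
    return findings
```

Calling `audit(SAMPLE, "Internal", "10.0.0.0/24")` reports the two DNS servers bound to the External adapter; an empty list means the configuration matches the rule.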
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 19.May2005 7:43:00 PM
|
|
|
telccl
Posts: 18
Joined: 8.May2003
Status: offline
|
Installed 2003 SP1 on ISA 2004 SP1 and only issue is RRAS won't start. Getting "RRAS terminated with service specific error 127" after trying to start from ISA management console.
Any ideas?
Thx...
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 24.May2005 5:16:00 AM
|
|
|
nngabriel
Posts: 1
Joined: 18.May2005
From: Argentina
Status: offline
|
I'm also having the same issue on a client deployment. I have checked that KB
"You cannot log on or you experience a long delay on a domain controller or on a member computer that is running Windows 2000, Windows XP, or Windows Server 2003"
And it seems to be the problem, but WHY does it break after the SP installation??
Weird
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.Aug.2005 2:53:00 AM
|
|
|
dmutsaers
Posts: 45
Joined: 1.Aug.2003
From: The Netherlands
Status: offline
|
quote: Originally posted by dmutsaers: quote: Originally posted by interflex: Site-to-site routing issue
Hello Dennis,
It is possible that MS05-19 is causing it, so far we still do not have official hot fix for it, we do have private builds that we are extensively testing before public release.
File affected is ipnat.sys, final release of the hotfix should be ready within 10 days.
Regards,
[name] Technical Lead - Enterprise Platforms Support Windows NT/2000/2003/ISA Server - Networking Specialty
I just installed the hotfix. This didn't solve my problems with IPSEC tunnels. ipnat.sys hasn't been changed with this hotfix.
Best regards, Dennis.
Hi,
I've created a case with MS for this problem, and it seems we're on the right track. This is what we've done so far. (a very short version of what we've done. The case hasn't been solved for 5 months now)
1. Remove ISA 2004 and create a pure IPSEC tunnel on W2K3/SP1. (Didn't resolve the problem, so it seems that ISA2004 isn't causing the problem)
2. Disable PFS & increasing SA (Security Association Idle timeout)*
Step 2 seems to solve the problem. The tunnel has been up for over 15 hours, where it used to drop every 5 to 8 minutes. Since then I've re-enabled PFS but left the SA idle timeout at 3600 seconds (default 300 seconds). The tunnel is still running after 1 hour. It seems that W2K3 SP1 does something with the SA idle timeout.
Best regards, Dennis
* You can do it by creating the following registry value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec
Value name: SAIdleTime
Data Type: REG_DWORD
Value data: 3600
[ August 06, 2005, 02:56 AM: Message edited by: dmutsaers ]
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 6.Aug.2005 9:35:00 AM
|
|
|
isawader
Posts: 420
Joined: 27.Apr.2005
Status: offline
|
Is there any real advantage in applying windows 2003 SP1 to any server?
I will wait for SP1a.
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 7.Aug.2005 4:12:00 AM
|
|
|
dmutsaers
Posts: 45
Joined: 1.Aug.2003
From: The Netherlands
Status: offline
|
I did some further testing this weekend and I do believe we've found a bug in W2K3 SP1 and/or ISA2004. After I've confirmed that the pure IPSec tunnel did work with the SAIdleTime registry setting in W2K3 SP1 I've changed all registry settings back to their default values and re-installed ISA2004. The tunnel drops again every 5 to 8 minutes (Is this the default SAIdleTime value of 300 seconds?). When I change the SAIdleTime to 3600 seconds, the tunnel keeps connected.
The default value of both ISA2004 & Draytek Vigor have always been 3600 seconds. It looks like this value is forced to the default value of 300 seconds after installing W2K3 SP1. Maybe I had problems with this change because the minimum value on the Draytek Vigor is 600 seconds, where other 3rd party devices do support a value of 300 seconds. But that's all speculation on the assumption that the 'generate a new key every:' value in ISA2004 is the same setting as the 'SAIdleTime' in the registry and the "IKE phase 2 key lifetime" on the Draytek Vigor.
[ August 07, 2005, 10:20 AM: Message edited by: dmutsaers ]
|
|
|
|
RE: Discussion of 2003 SP1 Final Release w/ISA2004 - 7.Aug.2005 10:05:00 AM
|
|
|
tshinder
Posts: 47490
Joined: 10.Jan.2001
From: Texas
Status: offline
|
quote: Originally posted by ISAwader: Is there any real advantage in applying windows 2003 SP1 to any server?
I will wait for SP1a.
Hi ISAwader,
Good question. I certainly haven't been in a hurry to deploy it.
Thanks! Tom
|
|
|
|