Hi experts, I have a problem with an ISA Server 2006! The Firewall Service sometimes terminates with the following events in the event log:
Event ID 14057 The Firewall service stopped because an application filter module %PROGRAMFILES%\Microsoft ISA Server\SCWebFilter2004.dll generated an exception code C0000005 in address 06D66514 when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service
Event ID 14079 Due to an unexpected error, the service fwsrv stopped responding to all requests. Stop the service or the corresponding process if it does not respond, and then start it again. Check for related error messages.
On the ISA Server there is a web filter installed called SurfControl Web Filter, and Symantec AntiVirus to protect the ISA Server itself!
I excluded the following folders and files from being scanned by Symantec real-time scan:
*.mdf
*.ldf
%PROGRAMFILES%\Microsoft ISA Server
%PROGRAMFILES%\Microsoft SQL Server
%PROGRAMFILES%\SurfControl
When I disable the SurfControl web filter services, it seems to work... but that isn't a solution for me, because otherwise I have no filtering!!!
All articles and solutions from Microsoft are for ISA Server 2004.
CRAP! No, the link did NOT work. Okay, go to http://kb.surfcontrol.com, change the thingie to search by article number. The article number you want to search for is 2064 "Hotfix 2 for Web Filter for ISA server 5.5"
Hope that fixes it for you!
< Message edited by Jassyca -- 15.Mar.2007 1:56:41 PM >
From the first error message, it sounded to me like the Surf Control web filter is the problem and when it dies, it takes the ISA's firewall service with it. Too bad that hot fix didn't fix it for you. At this point, I would say call Surf Control's tech support. They will know their product better than any of us and might even know why it's running into trouble. Call them, don't email. Email might take a day before you get a response. But before you call, plan as if you are going to be on hold for at least 30 to 40 minutes. So don't call if you've got a meeting to go to or some other pending deadline. (I always make sure I visit the bathroom before making any support call!)
Good luck! And if they fix it, would you come back here and let us know what they found? Never know when a fellow Surf Control web filter administrator might run into the same problem and come here hoping to find an answer.
UPDATE!!! The hotfix did the job. There was a problem with registering the ScWebFilter2004.dll in the event log. So I started the SurfControl & M$ Firewall Service and registered the DLL in running state... now the M$ Firewall Service has been running for 3 hours... I think that solved the problem... I hope so :)
I would strongly recommend that you remove the AV to protect the ISA Firewall itself. Unless you are not competently managing the ISA Firewall, there are no vectors of attack. Of course, if you're using the ISA Firewall as a workstation and running the browser, mail client, and Bittorrent on the ISA Firewall, then you would need it. But no well managed ISA Firewall I've ever encountered needed a host AV program. All you do with that is increase the attack surface and reduce performance -- two things I typically think are bad.
Event ID: 7034 The Microsoft Firewall service terminated unexpectedly. It has done this X time(s).
And this here: The description for Event ID ( 14079 ) in Source ( Microsoft ISA Server Control ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: fwsrv.
Hi tshinder, you always make those nice whitepapers, right? :) I excluded the complete ISA Server folder under C:\program files from being scanned by Symantec, did you mean this? Greetz!
No! I remove the AV product from the ISA Firewall. You don't need it, and it just sits there creating performance and security issues, since it effectively increases the attack surface of the ISA Firewall.
Are there messages before or after the "Event ID (14079)"? For example, do you see any errors about the Surf Control filter like you mentioned in your first message? If the firewall service is still dying but you no longer see any errors about Surf Control in Event Viewer, then it sounds like we have a different problem.
For Event ID 14079, what little I can find on Microsoft's support site (http://support.microsoft.com) seems to point the finger at ISA server's cache, again and again. That the cache is corrupted or the server has some other problem (the cache is on a bad spot on the local hard drive or a drive controller is dying or some antivirus scanner did naughty things to the cache, etc. etc.) So how about we try a little test? Log on to your ISA Server then start the ISA manager utility. Go to "Your Server" --> Configuration --> Cache. You will probably see something listed under "Cache size on NTFS drives (MB)". Take note of the settings then click it once so it's highlighted and click the "Disable Caching" (over on the bottom right). Caching is a "nice to have". It helps ISA work more quickly and more efficiently but ISA can work without it. It just won't be very fast. At this point, since the firewall service is totally dying, "slow" is better than "no-go"! Disabling caching will tell us whether or not the reason the firewall service is crashing is because of a problem with ISA's cache. (Note: if there's more than one cache configured, disable all of them. But be sure you note how each was configured before you disable each one.) Save your changes. Restart the firewall service. Open Event Viewer and watch the Application log, occasionally press the [F5] key (refresh) to see if any new errors occur.
I've also got this problem with one of my ISA-2006 servers.
There is no 3rd party software, it's a dedicated stand-alone firewall (albeit member of a domain).
There is no cache configured (it causes too many problems with my websites) and the default cache rule is disabled.
The firewall has been totally reliable until the last week, and there is only one thing that I've done recently... installed Windows2003-SP2... it's been troublesome since.
However, the complicating issue is that I have another 2 ISA-2006 firewalls, also updated to W2003-SP2 and giving no problems.
The primary difference for the troublesome server is that it publishes Web and Mail servers with their public addresses as listener IPs.
It's got me stumped just now... and the firewall service is crashing once a day with EventID 14057 (and precious little information in the event log) ...leaving the websites and mail servers off-line, and causing my customers some amount of heartburn.
I'm not sure where to go next, as a total re-install of ISA is not my first choice for a solution.
I'd appreciate any feedback others might have on this.
Since you have two other ISA servers, as a test, could you give one of them the job of publishing those websites? And if you do, does the problem follow? Or would that be too hard to do? (Like, maybe you have to change too much stuff: rules, network cards, network cables, IP addresses and on and on.)
Anything is possible, it's just that MS don't adequately describe the cause of the problem other than "replace the recently installed filter"... so there is precious little to give you a hint as to why/where the hardware would be involved.
< Message edited by mikeb99 -- 25.Apr.2007 6:06:58 PM >