FWX_E_GRACEFUL_SHUTDOWN (Full Version)

All Forums >> [ISA 2006 Firewall] >> General



Message

tibob -> FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 9:51:42 AM)

When i try to connect to an application that required LDAP(389)

in the logging i got a line saying

ERROR_SUCCESS

on the seconde line i got
closed connection
FWX_E_GRACEFUL_SHUTDOWN

how can i resolve it



pwindell -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 10:24:14 AM)

There is nothing to solve

1. It was a success
2. It shutdown gracefully



tibob -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 10:29:31 AM)

why it shutdown



pwindell -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 10:35:17 AM)

Because it thought it was supposed to,...that it was time to shutdown,...it was "finished".   Probably because the Application that owned the session said,.."Ok,..I'm done,..good bye".

There is nothing more that can be said with the information that has been given.



tibob -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 10:46:43 AM)

there is a way to find out why is disconnecting. when it pass outside the isa server its works but when it passing throught the isa server i got this error



pwindell -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 10:49:29 AM)

We don't know what "it" is and have no idea what you are doing.  You need to to be more specific.



tibob -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 11:01:21 AM)

its an desktop application called Entrust who call a web browser. When the webbrowser show up it made the connection to the governement of canada import export permit website

for that i need to open some ports to make it work.

like i said before without the isa server its work , with the isa server it doesnt work

i wondering if there a way to know what can differt between this two mode that make the connection close



tibob -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 11:11:28 AM)

there is what they asking for

Firewall/Proxy ports – open to new Entrust Certificate Authority URLs:
Authority=ca-ac.gss-spg.gc.ca+829             
Manager=ca-ac.gss-spg.gc.ca+709
Server=ldap.gss-spg.gc.ca+389



pwindell -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 11:11:35 AM)

It probably won't work over a rule that requires authentication, so make it an "All Users" Rule.

Make sure the Firewall Client is installed on the EnTrust machine so it can handle LDAP.  It may also work as a SecureNAT Client instead of having the Firewall Client.  The point is that LDAP will not work with a Web Proxy "only" Client.

Create a Computer Object or a Computer Set that represents or contains the Server that runs EnTrust.

Create a Computer Object or Computer Set that represents or contains the Destination Computers (or IP Range, or subnet).

Then the Rule would look like this:

From: <source computer object>
To: <destination computer object
Protocol: HTTP, HTTPS, LDAP (not LDAP Server)
Users: All Users

Place this Rule "above" any other Rule using HTTP, HTTPS, LDAP that requires user authentication.


In the Monitoring Log set the filter to only show traffic from the EnTrust Computer IP#.  Watch for problems in the logs.



pwindell -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 11:13:24 AM)

Authority=ca-ac.gss-spg.gc.ca+829             
Manager=ca-ac.gss-spg.gc.ca+709
Server=ldap.gss-spg.gc.ca+389

Have no idea what that means.



tibob -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 11:55:24 AM)

i did what you said and its doesnt work



pwindell -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 1:17:14 PM)

You have to use the MonitoringLog as I described to troubleshoot.



tibob -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 2:09:32 PM)

yes but i just be able to reach someone from the software ( i was lucky)
and he told me that entrust modify packet and isa reject this packet because of that

so im waiting an answer from him

i hope it would work

thanks for your help



tibob -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 3:18:18 PM)

here what i get

he told me , you must configure isa server to not filter out EntrustId of the incoming packets

how can i do that



pwindell -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 3:39:53 PM)

I think he is wrong.
What does "filter out EntrustId of the incoming packets"  even mean? What? Where? How?
You have to use the MonitoringLog as I described to troubleshoot.



tibob -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 3:53:48 PM)

he told me that isa server his removing the entrust id from the incoming packet from the web server to my computer thats why i get security error missing token data

he told me that im not the first one and you have to do that.

you must specify isa server to not remove entrust id

what does it mean i dont know :)



pwindell -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 3:58:12 PM)

Ok, well wait and see if any others here have any ideas. 
I would not have any idea.



tibob -> RE: FWX_E_GRACEFUL_SHUTDOWN (17.Jun.2008 4:03:34 PM)

there is a way to check the packets ?



paulo.oliveira -> RE: FWX_E_GRACEFUL_SHUTDOWN (18.Jun.2008 10:05:47 AM)

Hi,

if he said you´re not the first one, ask him what the others did to solve this issue. Did you try to google around?
You can check these packets using a net cap, like wireshark.

Regards,
Paulo Oliveira.



pwindell -> RE: FWX_E_GRACEFUL_SHUTDOWN (18.Jun.2008 10:21:41 AM)

My thoughts exactly.

The Tech should have documented what had to be done with the "others" so then when the next one came along he would have an answer for them.  That's what a tech support person is supposed to do when they support their products.



Page: [1]