Welcome to ISAserver.org

mysterious event log error

mysterious event log error - 18.Nov.2008 12:04:29 PM   
WindyRuss

 

Posts: 4
Joined: 18.Nov.2008
Status: offline
First post, although I've spent some time on the Forum. Excellent site, well done, and thank you for providing such a useful resource.

Here's my problem.

I have a uni-homed 2006 (SP1) ISA Server which is occasionally just dropping clients' connections. They report this as a freeze (IE6) where they just get a page not found (not ISA server but MS connection settings one) and have to untick the use proxy server box in IE to continue browsing.

I have noticed that when this happens I also get the following event log Error event ID 21285

"The number of HTTP requests per minute from the source IP address 10.1.4.38 exceeded the configured limit. ISA Server will block new HTTP requests sent from this IP address.  This event indicates that this IP address probably belongs to an infected host.  See the product documentation for more information about ISA Server flood resiliency. "

This server is running uni-homed and so the firewall is obviously just the local firewall service. Any ideas on how to get round this?

Post #: 1
RE: mysterious event log error - 18.Nov.2008 12:41:35 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Is this happening for all clients?

Basically, this error is caused by the Flood Mitigation feature of ISA detecting that a client is reaching a defined threshold of HTTP requests within a certain time period. You can modify this default threshold or create exceptions. If you look in the ISA alerts tab in monitoring, you should see an associated alert. Flood Mitigation configuration can be found under the 'Configuration=>General=>Configure Flood Mitigation Settings' link.

Is there anything strange about the machines that would generate a large number of HTTP requests? I assume your systems are clean from malware/spyware/worms that could be generating these types of requests?

I wouldn't normally expect to see this type of alert for client machines unless something was wrong or some local software was legitimately generating a large number of HTTP requests for a valid reason.

You can increase the threshold, but I think it may be prudent to investigate why the threshold is being reached, as it isn't normal for client systems IMHO.

Cheers

JJ


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to WindyRuss)
Post #: 2
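One way to investigate which client and destination are driving the request rate, as an added example that is not part of the thread and not ISA Server code: it buckets an exported W3C-style proxy log by source IP and minute and lists the top destination hosts for any bucket over a limit. The field names (`c-ip`, `date`, `time`, `r-host`), the `intranet` hostname, the sample records and the limit of 600 are assumptions; use the columns of your own log export and the value configured in Flood Mitigation.

```python
from collections import Counter, defaultdict

def parse_w3c(lines):
    """Yield one dict per record, naming columns from the '#Fields:' header."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):        # skip truncated records
                yield dict(zip(fields, values))

def flood_candidates(lines, limit):
    """Return (ip, minute, count, top_hosts) for each IP/minute above `limit`.

    Calendar-minute buckets only approximate the proxy's own counting window,
    so treat near-limit buckets as candidates too.
    """
    per_minute = defaultdict(Counter)             # (ip, minute) -> host counts
    for rec in parse_w3c(lines):
        minute = rec["date"] + " " + rec["time"][:5]   # keep HH:MM
        per_minute[(rec["c-ip"], minute)][rec["r-host"]] += 1
    hits = []
    for (ip, minute), hosts in sorted(per_minute.items()):
        total = sum(hosts.values())
        if total > limit:
            hits.append((ip, minute, total, hosts.most_common(3)))
    return hits

# Constructed sample (not real log data): 10.1.4.38, the IP named in the
# event text, sends 700 requests to a hypothetical intranet host in one
# minute; 10.1.4.50 browses at a normal rate.
SAMPLE = ["#Software: constructed sample",
          "#Fields: c-ip\tdate\ttime\tr-host\tcs-uri"]
SAMPLE += [f"10.1.4.38\t2008-11-18\t12:03:{n % 60:02d}\tintranet\t/menu?id={n}"
           for n in range(700)]
SAMPLE += [f"10.1.4.38\t2008-11-18\t12:03:{n:02d}\twww.msn.com\t/" for n in range(5)]
SAMPLE += [f"10.1.4.50\t2008-11-18\t12:03:{n:02d}\twww.msn.com\t/" for n in range(40)]

if __name__ == "__main__":
    for ip, minute, total, hosts in flood_candidates(SAMPLE, limit=600):
        print(f"{ip} {minute} requests={total} top={hosts}")
```

A bucket dominated by one internal host points at an application or bypass issue; a spread across many external hosts is the pattern that warrants a malware check on the client.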
RE: mysterious event log error - 19.Nov.2008 7:40:12 AM   
WindyRuss

 

Posts: 4
Joined: 18.Nov.2008
Status: offline
JJ, thanks for the quick response. You were bang on the money, there is a GPO which opens the in-house developed intranet. I just did some testing and moving around the intranet and filtering the login tab I was able to see it stop working. I also did a comparison to see if opening msn.com produced fewer GET requests, although it didn't seem to.

I've also taken your 2nd point into consideration. We can route round the intranet; however, what is the impact of it needing all these GET requests? As I've set the ISA up using a unihomed template (includes every private range in internal network set), is this causing the issue or should I be asking the Dev team to check their code?

Thanks again for the help.

(in reply to Jason Jones)
Post #: 3
RE: mysterious event log error - 19.Nov.2008 10:52:29 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Ideally, you should be bypassing ISA for all internal web servers as this is unnecessary and inefficient. ISA should only need to see traffic which is destined for the Internet, not all internal HTTP traffic as well... even so, I would be surprised that this type of thing would trigger the alert so easily... maybe the intranet code is just doing something weird!

You can configure the bypass with IE exception lists or using the Direct Access feature of ISA.

I would bet that once you get the bypass sorted, all of the Flood Mitigation errors will go away.

Cheers

JJ 

< Message edited by Jason Jones -- 19.Nov.2008 10:55:22 AM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to WindyRuss)
Post #: 4
RE: mysterious event log error - 19.Nov.2008 12:15:11 PM   
WindyRuss

 

Posts: 4
Joined: 18.Nov.2008
Status: offline
Ok, great and thanks for the help. I wonder what kind of bandwidth issues our fantastic in-house developed Intranet is causing? Oh well, as suggested I will bypass internally.

(in reply to WindyRuss)
Post #: 5
RE: mysterious event log error - 19.Nov.2008 3:26:31 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Cool, report back if this helps...

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to WindyRuss)
Post #: 6
