
Welcome to ISAserver.org


"Denied Access" with no rule

"Denied Access" with no rule - 27.May2009 5:33:23 PM   
gsandorx

 

Posts: 17
Joined: 27.Apr.2009
Status: offline
Hi guys, my ISA Server 2006 is denying packets without matching any of my FW rules. I mean, when I query the ISA logging, it prints "Denied Access" as usual, but without specifying any matching rule. What is the reason for that behavior?

Thanks and regards,
sandor
Post #: 1
RE: "Denied Access" with no rule - 27.May2009 6:36:36 PM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
What packets are being denied? How is your web proxy configured?

_____________________________

Inderjeet (MSFT)
My Blog: http://isingh.spaces.live.com

If you are a Microsoft Gold Partner, Contact us for Advisory/Consulting Services, Check https://partner.microsoft.com/US/supportsecurity/40012316

(in reply to gsandorx)
Post #: 2
RE: "Denied Access" with no rule - 28.May2009 8:21:12 AM   
gsandorx

 

Posts: 17
Joined: 27.Apr.2009
Status: offline
Well, actually I don't get your first question, but my ISA FW is denying connections that were previously established without specifying the reason for that, I mean, which rule raised the violation.
My ISA server is only configured as a FW. I disabled the web proxy filter for HTTP. I'm using ISA in a 3-leg scheme.

Best regards,
sandor

(in reply to gsandorx)
Post #: 3
RE: "Denied Access" with no rule - 28.May2009 9:30:32 AM   
inderjeet

 

Posts: 463
Joined: 25.Nov.2008
Status: offline
Hard to say it just like that. Highly possible it's not your ISA server denying those packets. It could be the server you are connecting to is denying the packets. A network trace on ISA could verify that. You need to check the RESET flag. Check which server is actually RESETing the flag.



(in reply to gsandorx)
Post #: 4
RE: "Denied Access" with no rule - 28.May2009 6:56:43 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: gsandorx

Hi guys, my ISA Server 2006 is denying packets without matching any of my FW rules. I mean, when I query the ISA logging, it prints "Denied Access" as usual, but without specifying any matching rule. What is the reason for that behavior?

Thanks and regards,
sandor


What is shown in the Result Code column for these entries?

It is probably an FWX_E_TCP_NOT_SYN_PACKET_DROPPED error. These are common when previous sessions need to start a new TCP/IP three-way handshake. This error code normally indicates that ISA received TCP traffic (e.g. not a SYN packet) on a connection that wasn't opened, or that was already closed. So, if a connection is abortively closed (e.g. reset packet) and the client sends traffic on that connection, ISA may complain that this data is being sent for a connection that doesn't exist; hence TCP_NOT_SYN.

http://msdn.microsoft.com/en-us/library/ms812624.aspx

Cheers

JJ

< Message edited by Jason Jones -- 28.May2009 7:06:46 PM >


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to gsandorx)
Post #: 5
RE: "Denied Access" with no rule - 29.May2009 7:58:11 AM   
gsandorx

 

Posts: 17
Joined: 27.Apr.2009
Status: offline
Thank you all. That's probably the reason. I'll capture some packets at both sides of my ISA and tell you guys the results.

Cheers,
sandor

(in reply to gsandorx)
Post #: 6
RE: "Denied Access" with no rule - 29.May2009 9:09:31 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Please do...

It is hard to know sometimes if these errors are "normal" or related to a specific issue like this:

http://support.microsoft.com/kb/888042/en-us

Cheers

JJ


(in reply to gsandorx)
Post #: 7
RE: "Denied Access" with no rule - 29.May2009 9:57:01 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Guys,
When ISA denies traffic without any "Rule",...it is being denied based on System Policy.

The one thing that has never been revealed here is What Packets?  Doing what? For what?  From where? Going where?  There was one brief hint that it was HTTP but that was it...

_____________________________

Phillip Windell

(in reply to Jason Jones)
Post #: 8
RE: "Denied Access" with no rule - 29.May2009 10:28:36 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: pwindell

Guys,
When ISA denies traffic without any "Rule",...it is being denied based on System Policy.


Not true.

One example is given above, others include Network Rules (FWX_E_NETWORK_RULES_DENIED) and things like Flood Mitigation (FWX_E_RULE_QUOTA_EXCEEDED_DROPPED).

IIRC, System Policy denies will show [System] <System Policy Rule Name> in the rules column.

Cheers

JJ


(in reply to pwindell)
Post #: 9
RE: "Denied Access" with no rule - 29.May2009 10:40:07 AM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Whatever.  I read it in something Jim wrote,...figured I could trust him.

_____________________________

Phillip Windell

(in reply to Jason Jones)
Post #: 10
RE: "Denied Access" with no rule - 29.May2009 10:52:21 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Open minded as ever Phil

Fire up logging on a busy ISA Server with a denied action filter enabled and have a look at the results. I'm sure Jim would tell you the same...

Cheers

JJ


(in reply to pwindell)
Post #: 11
RE: "Denied Access" with no rule - 29.May2009 11:54:24 AM   
Jim Harrison

 

Posts: 271
Joined: 5.May2001
From: Redmond, WA
Status: offline
quote:

ORIGINAL: pwindell

Guys,
When ISA denies traffic without any "Rule",...it is being denied based on System Policy.

The one thing that has never been revealed here is What Packets?  Doing what? For what?  From where? Going where?  There was one brief hint that it was HTTP but that was it...


Er.. no. System policies are also rules.

When ISA or TMG deny packets without quoting a rule, it's one of two things:
1. Network rule decision
2. Packet filter action (non-syn, flood, etc.)

_____________________________

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG

(in reply to pwindell)
Post #: 12
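
Added example, not part of any post in this thread: a triage pass over denied log entries that sorts them by the causes named above, using the Rule and Result Code columns the replies refer to. The CSV column layout, the sample rows and the PLACEHOLDER values are constructed for illustration and are not ISA's native log format; only the three FWX_E_* names come from the thread.

```python
import csv
import io
from collections import Counter

# Result codes named in the thread, mapped to the two no-rule causes from post #12.
NO_RULE_CAUSES = {
    "FWX_E_TCP_NOT_SYN_PACKET_DROPPED": "packet filter (non-SYN)",
    "FWX_E_RULE_QUOTA_EXCEEDED_DROPPED": "packet filter (flood mitigation)",
    "FWX_E_NETWORK_RULES_DENIED": "network rule decision",
}

# Constructed sample export; column names and rows are assumptions for this example.
SAMPLE_LOG = """\
Log Time,Client IP,Destination IP,Destination Port,Action,Rule,Result Code
2009-05-28 08:01:10,10.0.1.15,192.168.5.20,1433,Denied Connection,,FWX_E_TCP_NOT_SYN_PACKET_DROPPED
2009-05-28 08:01:12,10.0.1.15,192.168.5.20,1433,Denied Connection,,FWX_E_TCP_NOT_SYN_PACKET_DROPPED
2009-05-28 08:02:00,10.0.1.22,172.16.0.9,80,Denied Connection,,FWX_E_NETWORK_RULES_DENIED
2009-05-28 08:02:30,10.0.1.30,192.168.5.21,25,Denied Connection,,FWX_E_RULE_QUOTA_EXCEEDED_DROPPED
2009-05-28 08:03:00,10.0.1.15,192.168.5.20,445,Denied Connection,Default rule,PLACEHOLDER
2009-05-28 08:03:05,10.0.1.40,10.0.1.1,53,Denied Connection,[System] Example system policy rule,PLACEHOLDER
2009-05-28 08:03:09,10.0.1.15,192.168.5.20,1433,Initiated Connection,Allow SQL,PLACEHOLDER
"""

def classify(row):
    """Return the likely cause of one denied entry, or None if it is not a deny."""
    if not row["Action"].startswith("Denied"):
        return None
    rule = row["Rule"].strip()
    if rule.startswith("[System]"):  # prefix as recalled in post #9
        return "system policy rule"
    if rule:
        return "firewall policy rule"
    # No rule quoted: the Result Code is the only clue left.
    return NO_RULE_CAUSES.get(row["Result Code"].strip(), "unclassified, check Result Code")

def triage(log_text):
    """Count causes, and count rule-less denies per client/destination/port."""
    causes, flows = Counter(), Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        cause = classify(row)
        if cause is None:
            continue
        causes[cause] += 1
        if not row["Rule"].strip():
            key = (row["Client IP"], row["Destination IP"], row["Destination Port"], cause)
            flows[key] += 1
    return causes, flows

if __name__ == "__main__":
    causes, flows = triage(SAMPLE_LOG)
    print(dict(causes))
    for flow, hits in flows.most_common():
        print(hits, *flow)
```

Repeated non-SYN drops for the same client, destination and port are the entries worth lining up against a network trace to see which side closed the connection.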
