Welcome to ISAserver.org

Non TCP Sessions from One IP (DC) Limit Exceeded

Non TCP Sessions from One IP (DC)Limit Exceeded - 25.Sep.2009 8:04:50 AM   
lycanwrath

 

Posts: 11
Joined: 25.Sep.2009
Status: offline
Hello to all,

I have an ISA server that sometimes shows the error "Non TCP Sessions from one IP address limit exceeded"
Description: ISA Server disconnected a non TCP connection from 10.0.2.4 because the connection limit from this ip address was exceeded.

Note: 10.0.2.4 is my DC and Active Directory and DNS

My ISA Server is configured as an EDGE Firewall

I have two NICs:-
One for the local (10.0.2.0 - 255)
One for external (on the same subnet as my router) (10.1.5.0 -255)

All PCs and Servers use the ISA server to go out to the internet.

Hope I can get some nice help :)
Post #: 1
RE: Non TCP Sessions from One IP (DC)Limit Exceeded - 25.Sep.2009 8:09:04 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
This may be normal or could indicate a problem with the DC, hard to say...

I would monitor it and if it happens a lot, investigate the DC for virus/spyware etc.

If it becomes "normal behaviour" then increase the default threshold for the FM settings...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to lycanwrath)
Post #: 2
RE: Non TCP Sessions from One IP (DC)Limit Exceeded - 25.Sep.2009 8:15:37 AM   
lycanwrath

 

Posts: 11
Joined: 25.Sep.2009
Status: offline
Thx for the answer Jason,

But when I viewed the logs on the ISA server, I see that the bulk of requests from my DC is DNS to external.

This seems to be normal, as my clients (around 50) that use the internet will automatically make DNS queries to the DC, and the DC automatically forwards the requests for websites (external) through the ISA Server.

Note: I have configured the forwarders tab on the DC (DNS).

Why does ISA Server 2006 not cope with such a "normal" setup? If this is a normal setup :)

< Message edited by lycanwrath -- 25.Sep.2009 8:20:34 AM >

(in reply to Jason Jones)
Post #: 3
RE: Non TCP Sessions from One IP (DC)Limit Exceeded - 25.Sep.2009 8:26:56 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Your setup looks pretty normal...

I would define a filter in real-time logging with a source IP of 10.0.2.4 and then look at the protocols being used for any entries that have a result code that mentions "quota exceeded" or similar.

This should tell you which protocol(s) are causing the threshold to be reached. It may well be "normal" DNS UDP traffic, but it might not.

BTW - Is "do not use recursion" enabled on your DNS server forwarding tab?

Cheers

JJ

< Message edited by Jason Jones -- 25.Sep.2009 8:28:12 AM >


(in reply to lycanwrath)
Post #: 4
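
Added example, not part of the original thread or any poster's code: the check described in post 4 (filter on source 10.0.2.4 and see which protocols reach the limit), done offline over an exported log. The log lines are constructed in a simplified layout that is an assumption, not ISA Server's export format, and the limit of 4 is a demo value, not an ISA default.

```python
from collections import Counter

# Constructed sample (not real ISA Server output). Assumed layout per line:
# date time source destination ip_protocol dest_port action
SAMPLE_LOG = """\
2009-09-25 08:30:01 10.0.2.4 213.188.172.1 UDP 53 Initiated
2009-09-25 08:30:01 10.0.2.4 213.188.172.1 UDP 53 Initiated
2009-09-25 08:30:02 10.0.2.4 10.1.5.1 ICMP 0 Initiated
2009-09-25 08:30:02 10.0.2.7 213.188.172.1 TCP 80 Initiated
2009-09-25 08:30:03 10.0.2.4 213.188.172.1 UDP 53 Initiated
2009-09-25 08:30:03 10.0.2.4 10.1.5.1 ICMP 0 Closed
2009-09-25 08:30:04 10.0.2.4 213.188.172.1 UDP 53 Initiated
2009-09-25 08:30:05 10.0.2.4 213.188.172.1 UDP 53 Denied
2009-09-25 08:30:06 10.0.2.4 213.188.172.1 UDP 53 Closed
"""

def non_tcp_profile(log_text, source_ip, limit):
    """Replay Initiated/Closed events for one source and report the peak number
    of concurrent non-TCP sessions, what they were, and any denied attempts."""
    open_now = Counter()   # (protocol, port, destination) -> open sessions
    denied = Counter()     # same key -> attempts refused
    peak, peak_mix = 0, Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue       # skip blank or malformed lines
        _date, _time, src, dst, proto, port, action = fields
        if src != source_ip or proto.upper() == "TCP":
            continue       # only non-TCP traffic from the host under review
        key = (proto.upper(), int(port), dst)
        if action == "Initiated":
            open_now[key] += 1
        elif action == "Closed" and open_now[key] > 0:
            open_now[key] -= 1
        elif action == "Denied":
            denied[key] += 1
        total = sum(open_now.values())
        if total > peak:
            # unary + copies the counter and drops entries that fell to zero
            peak, peak_mix = total, +open_now
    return {"peak": peak, "peak_mix": dict(peak_mix),
            "denied": dict(denied), "limit_reached": peak >= limit}

if __name__ == "__main__":
    print(non_tcp_profile(SAMPLE_LOG, "10.0.2.4", limit=4))
```

A peak made up almost entirely of UDP 53 sessions to a single forwarder, as in the sample, points at DNS forwarding rather than at unexpected traffic from the DC.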
RE: Non TCP Sessions from One IP (DC)Limit Exceeded - 25.Sep.2009 8:34:37 AM   
lycanwrath

 

Posts: 11
Joined: 25.Sep.2009
Status: offline
Thx for the help Jason,

I have looked at real-time logging with the source IP 10.0.2.4

For one minute I have seen mostly DNS requests (Destination Port 53) to destination IP: 213.188.172.1 (the IP I set as forwarder on DNS)

"Do not use recursion for this domain" is not ticked. Should I tick it?

< Message edited by lycanwrath -- 25.Sep.2009 8:36:21 AM >

(in reply to Jason Jones)
Post #: 5
RE: Non TCP Sessions from One IP (DC)Limit Exceeded - 25.Sep.2009 9:13:05 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Ok, maybe keep an eye on it and have a look when you next get the FM error.

No, don't enable recursion, just curious

(in reply to lycanwrath)
Post #: 6
RE: Non TCP Sessions from One IP (DC)Limit Exceeded - 25.Sep.2009 9:26:09 AM   
lycanwrath

 

Posts: 11
Joined: 25.Sep.2009
Status: offline
Oki will do that :-)

(in reply to Jason Jones)
Post #: 7
RE: Non TCP Sessions from One IP (DC)Limit Exceeded - 29.Sep.2009 4:56:31 AM   
lycanwrath

 

Posts: 11
Joined: 25.Sep.2009
Status: offline
I changed my forwarder on the DC; since then it seems the problem has gone away.
Maybe the forwarder was not working as it should, hence the multiple retries...

Anyways hope it will stay OK :)

(in reply to lycanwrath)
Post #: 8
RE: Non TCP Sessions from One IP (DC)Limit Exceeded - 29.Sep.2009 5:08:08 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Could be, good news!

(in reply to lycanwrath)
Post #: 9
