Non TCP Sessions from One IP (DC) Limit Exceeded

All Forums >> [ISA 2006 Firewall] >> General

lycanwrath -> Non TCP Sessions from One IP (DC)Limit Exceeded (25.Sep.2009 8:04:50 AM)

Hello to all,

I have an ISA server that sometimes shows the error "Non TCP Sessions from one IP address limit exceeded".
Description: ISA Server disconnected a non-TCP connection from 10.0.2.4 because the connection limit from this IP address was exceeded.

Note: 10.0.2.4 is my DC, Active Directory and DNS.

My ISA Server is configured as an EDGE Firewall

I have two NICs:
One for the local network (10.0.2.0 - 255)
One for external (on the same subnet as my router) (10.1.5.0 - 255)

All PCs and Servers use the ISA server to go out to the internet.

Hope I can get some nice help :)

Jason Jones -> RE: Non TCP Sessions from One IP (DC)Limit Exceeded (25.Sep.2009 8:09:04 AM)

This may be normal or could indicate a problem with the DC, hard to say...

I would monitor it and if it happens a lot, investigate the DC for virus/spyware etc.

If it becomes "normal behaviour" then increase the default threshold for the FM settings...

Cheers

JJ

lycanwrath -> RE: Non TCP Sessions from One IP (DC)Limit Exceeded (25.Sep.2009 8:15:37 AM)

Thx for the answer, Jason,

But when I have viewed the logs on the ISA server, I see that the bulk of requests from my DC are DNS to external.

This seems to be normal, as my clients (around 50) that use the internet will automatically make DNS queries to the DC, and the DC automatically forwards the requests for websites (external) through the ISA Server.

Note: I have configured the forwarders tab on the DC (DNS).

Why does ISA Server 2006 not cope with such a "normal" setup? If this is a normal setup :)

Jason Jones -> RE: Non TCP Sessions from One IP (DC)Limit Exceeded (25.Sep.2009 8:26:56 AM)

Your setup looks pretty normal...

I would define a filter in real-time logging with a source IP of 10.0.2.4 and then look at the protocols being used for any entries that have a result code that mentions "quota exceeded" or similar.

This should tell you which protocol(s) are causing the threshold to be reached. It may well be "normal" DNS UDP traffic, but it might not [;)]

BTW - Is "do not use recursion" enabled on your DNS server forwarding tab?

Cheers

JJ
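An added example (not from this thread and not ISA Server's own tooling) of the triage described above: filter log entries by source IP, count the non-TCP ones, and break them down by protocol, destination and result so the protocol hitting the limit stands out. It assumes a constructed, simplified log line format (time, source IP, destination IP, protocol, destination port, result) rather than ISA's real log schema, and the threshold is a placeholder, not ISA's default.

```python
from collections import Counter

# Constructed sample log lines in a simplified, assumed format (not ISA's real
# log schema): time, source IP, destination IP, protocol, destination port, result.
SAMPLE_LOG = """\
08:04:01 10.0.2.4 213.188.172.1 UDP 53 ok
08:04:01 10.0.2.4 213.188.172.1 UDP 53 ok
08:04:02 10.0.2.4 213.188.172.1 UDP 53 ok
08:04:02 10.0.2.15 10.1.5.1 ICMP 0 ok
08:04:03 10.0.2.4 213.188.172.1 UDP 53 quota-exceeded
08:04:03 10.0.2.4 213.188.172.1 UDP 53 quota-exceeded
08:04:04 10.0.2.4 10.1.5.1 TCP 80 ok
"""

def parse_lines(text):
    """Turn each non-empty line into a dict with the six assumed fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, src, dst, proto, port, result = line.split()
        records.append({"time": time, "src": src, "dst": dst,
                        "proto": proto, "port": int(port), "result": result})
    return records

def non_tcp_sessions_by_source(records):
    """Count non-TCP log entries per source IP (an approximation of the
    per-IP non-TCP session count that the flood-mitigation limit applies to)."""
    return Counter(r["src"] for r in records if r["proto"] != "TCP")

def protocol_breakdown(records, src, only_quota=False):
    """For one source IP, count non-TCP entries by (protocol, destination, port).
    With only_quota=True, keep just entries whose result mentions the quota,
    which is the real-time logging filter suggested in the thread."""
    counts = Counter()
    for r in records:
        if r["src"] != src or r["proto"] == "TCP":
            continue
        if only_quota and "quota" not in r["result"]:
            continue
        counts[(r["proto"], r["dst"], r["port"])] += 1
    return counts

def sources_over_threshold(records, threshold):
    """Source IPs whose non-TCP entry count exceeds a placeholder threshold."""
    counts = non_tcp_sessions_by_source(records)
    return sorted(ip for ip, n in counts.items() if n > threshold)
```

Running `protocol_breakdown` on each IP returned by `sources_over_threshold` shows, for the sample, that the DC's excess is UDP/53 to the configured forwarder, which is the pattern this thread ends up diagnosing.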

lycanwrath -> RE: Non TCP Sessions from One IP (DC)Limit Exceeded (25.Sep.2009 8:34:37 AM)

Thx for the help, Jason,

I have looked at real-time logging with the source IP 10.0.2.4.

For one minute I have seen mostly DNS requests (destination port 53) to destination IP 213.188.172.1 (the IP I set as forwarder on DNS).

Do not use recursion for this domain is not ticked. Should I tick it?

Jason Jones -> RE: Non TCP Sessions from One IP (DC)Limit Exceeded (25.Sep.2009 9:13:05 AM)

OK, maybe keep an eye on it and have a look when you next get the FM error.

No, don't enable recursion, just curious [;)]

lycanwrath -> RE: Non TCP Sessions from One IP (DC)Limit Exceeded (25.Sep.2009 9:26:09 AM)

OK, will do that :-)

lycanwrath -> RE: Non TCP Sessions from One IP (DC)Limit Exceeded (29.Sep.2009 4:56:31 AM)

I changed my forwarder on the DC; since then it seems the problem has gone away.
Maybe the forwarder was not working as it should, hence the multiple retries...

Anyway, hope it will stay OK :)

Jason Jones -> RE: Non TCP Sessions from One IP (DC)Limit Exceeded (29.Sep.2009 5:08:08 AM)

Could be, good news! [:)]
