I have an ISA2000 system on a Server2003 system. Everything has been working fine. I suddenly am getting client errors on all my firewall clients with: "Server suddenly disconnected. Possible Cause: The client version may not be supported version of client software." As far as I know, no changes were made to the configuration or updates, unless there is some autoupdate feature turned on that I am unaware of. I need help fast. My whole network is down and I don't have a clue where to start.
ISA is up to date (SP2). I have narrowed down the cause to my SMTP service on another 2003 system. I have no idea why, but if I stop the SMTP service on that other system, the firewall clients will update (connect) fine. If I start the service, then the update button in the client configure applet returns the aforementioned weird error. Any ideas?
From: Sydney, Australia
If stopping the SMTP service on another box corrected this issue, could it perhaps be that one of your clients is virus infected and was using that SMTP server to replicate itself out by sending dozens/hundreds/thousands of e-mail messages? And the SMTP server was essentially using all the resources of ISA and not allowing valid traffic?
Along these lines, I once had one of my guys bring in a relative's laptop that was "running slow". He plugged it into our network and started working on it, then wandered away for a while. The laptop had a bazillion viruses/trojans on it, and (the segment) where it was plugged in gave the laptop IP details and the default gateway was the ISA machine, so this laptop started doing port scans of external IPs. ISA denied the request but the laptop kept trying and basically sucked up the 65565 available ports on the ISA very quickly, and no legitimate traffic could then get through ISA. Action: Unplug laptop, beat user about the head for plugging into our network, change default gateway so it won't happen again!
Thanks for the reply man. I did some more reading and noticed my AD user accounts were all being locked which told me I was either being hacked or had some sort of virus. I turned on account auditing on logon failures and was able to track down which machines were locking accounts. Once I narrowed it down to what machines it was on, I created a new Client Address Set for the contaminated servers and blocked all access to the ISA server from them. That actually worked quite well until I was able to clean the machines.
As it turns out, I had a few instances of the W32.Randex trojan running on some development test machines which the developers are in charge of patching (Windows Update) and keeping clean, since it's their "test environment".
After this incident, I informed the lead programmer they no longer have this luxury and I will be maintaining their machines whether it breaks their code or not.
Our office was down for the majority of the day due to the lack of attention to these machines. LOL
Anyway, thanks for the replies and I hope my experience with this helps a few people. There's not a lot of documented cases with solutions online that I was able to find.
[ December 10, 2004, 05:07 PM: Message edited by: raw ]
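The detection step raw describes above, turning on logon-failure auditing and then working out which machines are generating the failures and lockouts, as an added example that is not part of the thread. It assumes a tab-separated export of the Security log with columns date/time, event ID, target account and source workstation (the sample lines below are constructed for illustration, not real log data), and uses the Server 2003 Security log event IDs 529 (bad user name or password), 539 (account locked out at logon) and 644 (user account locked out). Thresholds are assumptions to tune per environment.

```python
"""Rank workstations by failed-logon events from a Windows Security log export.

Added example, not from the thread. Assumes a tab-separated export with the
columns: date/time, event ID, target account, source workstation.
"""
from collections import defaultdict
from dataclasses import dataclass

# Windows Server 2003 Security log IDs that indicate a failed logon or a lockout:
# 529 = bad user name/password, 539 = account locked out (logon failure),
# 644 = user account locked out.
FAILED_LOGON_IDS = {529, 539, 644}


@dataclass
class LogonEvent:
    timestamp: str
    event_id: int
    account: str
    workstation: str


# Constructed sample export (not real data). 528 is a successful logon and is
# included to show that success events are ignored by the ranking.
SAMPLE_EXPORT = """\
12/10/2004 09:01:02\t529\tjsmith\tDEVTEST01
12/10/2004 09:01:03\t529\tjsmith\tDEVTEST01
12/10/2004 09:01:03\t529\tadministrator\tDEVTEST01
12/10/2004 09:01:05\t539\tjsmith\tDEVTEST01
12/10/2004 09:02:10\t529\tbjones\tDEVTEST02
12/10/2004 09:02:11\t644\tbjones\tDEVTEST02
12/10/2004 09:05:00\t528\tmwhite\tWKS-FRONTDESK
12/10/2004 09:06:00\t529\tmwhite\tWKS-FRONTDESK
"""


def parse_events(text: str) -> list:
    """Parse the tab-separated export; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        ts, eid, account, ws = parts
        # Normalise case so DEVTEST01 / devtest01 and jsmith / JSmith aggregate together.
        events.append(LogonEvent(ts, int(eid), account.strip().lower(), ws.strip().upper()))
    return events


def failures_by_source(events) -> dict:
    """Return {workstation: {"count": n, "accounts": set(...)}} for failed logons only."""
    summary = defaultdict(lambda: {"count": 0, "accounts": set()})
    for ev in events:
        if ev.event_id in FAILED_LOGON_IDS:
            summary[ev.workstation]["count"] += 1
            summary[ev.workstation]["accounts"].add(ev.account)
    return dict(summary)


def suspicious_sources(events, min_failures=3, min_accounts=2) -> list:
    """Workstations whose failures exceed either threshold, worst first.

    A single user mistyping a password fails a few times against one account;
    a worm guessing credentials fails many times and across several accounts,
    which is the pattern that locks accounts domain-wide.
    """
    summary = failures_by_source(events)
    hits = [
        (ws, d["count"], sorted(d["accounts"]))
        for ws, d in summary.items()
        if d["count"] >= min_failures or len(d["accounts"]) >= min_accounts
    ]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for ws, n, accounts in suspicious_sources(parse_events(SAMPLE_EXPORT)):
        print(f"{ws}: {n} failed logons against {', '.join(accounts)}")
```

With the sample export, only DEVTEST01 crosses the thresholds; the resulting workstation list is what you would feed into a client address set (or a switch port shutdown) while the machines are cleaned. Export the live log from Event Viewer as tab-delimited text, or adapt `parse_events` to whatever column layout your export tool produces.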