RE: SSL-tunnel Failed connection attempt

RE: SSL-tunnel Failed connection attempt - 19.Aug.2005 4:49:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I've narrowed it down to the firewall client. I installed a test ISA 2004 server and put on the same windows updates, third party software, and same services.

My client can connect through this new server, but not the live server. If I set my firewall client to use the test server, it works. The web proxy client does not seem to matter where it is directed. 100% of the time, if the firewall client is directed to go through my live server, SSL error 5 occurs. ISA 2000 also works.

Any ideas on what could be wrong with the firewall client on my ISA 2004 server??

tjcarst

(in reply to tjcarst)
Post #: 21
RE: SSL-tunnel Failed connection attempt - 19.Aug.2005 5:06:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
Now I'm not so sure it's the firewall client.

If I don't have a firewall client enabled, I get an error stating there is no route to the specified subnet. If I enable the firewall client to the live server, I get the error no third party ssl provider error 5.

I disabled the firewall client and put route statements on my client that specified the remote ip address and gateway of ISA. I get the same third party ssl provider error 5 even with the firewall client disabled.

tjcarst

(in reply to tjcarst)
Post #: 22
RE: SSL-tunnel Failed connection attempt - 19.Aug.2005 5:10:00 PM   
spouseele

 

Posts: 12830
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi Terri,

Did you already try the Firewall Client Tool for ISA Server 2004 ( http://www.microsoft.com/downloads/details.aspx?familyid=f20f6267-273d-4870-b1e8-799b261b4786&displaylang=en )? With it you can read the Firewall client configuration.

HTH,
Stefaan

(in reply to tjcarst)
Post #: 23
RE: SSL-tunnel Failed connection attempt - 24.Aug.2005 2:04:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
No, I have not, but will do so and post my findings. Thank you.

(in reply to tjcarst)
Post #: 24
RE: SSL-tunnel Failed connection attempt - 24.Aug.2005 2:14:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I ran the Enable, TestAutodetect and EnableBrowserAutoconfig, with no errors. When being redirected to an SSL site today, I had a blank page returned when I had the Automatically Detect ISA server and Use Autoconfig Routing Script settings enabled in IE. When I disabled them, the page came up fine. This does not always happen. I tried it now with the settings enabled and it worked fine.

I have also had users recently report that they are intermittently prompted for logins to ISA even though they are not using an application on the internet. This is new since starting troubleshooting the access to bryanlgh.org. The only thing I can think that has changed is setting direct access on the Web Browser in ISA to include 172.16.0.0 - 172.16.255.255 and 127.0.0.0 to 127.0.0.255. Before I just specified my domain name.

(in reply to tjcarst)
Post #: 25
RE: SSL-tunnel Failed connection attempt - 20.Sep.2005 12:21:00 PM   
tjcarst

 

Posts: 184
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I've given up for now and am allowing about a dozen users who need access to the site to go through my old ISA 2000 server. If anyone happens upon this thread and has any suggestions on how to get to the site on ISA 2004, it would be appreciated. Thanks.

(in reply to tjcarst)
Post #: 26
RE: SSL-tunnel Failed connection attempt - 3.Apr.2006 9:18:07 PM   
wendylou

 

Posts: 18
Joined: 6.May2003
From: Minnesota
Status: offline
Hi,
Was this resolved? I have the same issue with a Citrix Metaframe connection. When the user launches an application, the ISA 2004 shows either error 1460 or 995.

We contacted Citrix support, and they said some clients have trouble and some don't. I cannot get any details out of them. It seems to me some people got it working. Just wonder if anyone could share it.

Thanks!

(in reply to tjcarst)
Post #: 27
RE: SSL-tunnel Failed connection attempt - 13.Apr.2006 12:17:41 AM   
gquitugua

 

Posts: 6
Joined: 12.Aug.2005
From: Arizona
Status: offline
Ran across this and not sure this would apply but figured it might be good info:

http://knowledgebase.citrix.com/article/CTX104998&printable=true

(in reply to tjcarst)
Post #: 28
RE: SSL-tunnel Failed connection attempt - 13.Apr.2006 4:01:10 PM   
wendylou

 

Posts: 18
Joined: 6.May2003
From: Minnesota
Status: offline
Thanks gquitugua for the information. I have thought about this also. However, the traffic I monitored was on port 443. The Citrix people also told me that it was on port 443.

(in reply to gquitugua)
Post #: 29
RE: SSL-tunnel Failed connection attempt - 22.May2006 10:38:15 AM   
wbplomp

 

Posts: 144
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi,

I have exactly the same problem with ISA Server 2004 Enterprise Edition. In my case, we use two array members, which are behind a CheckPoint firewall. I'm not sure if this problem started since SP2 and the HTTP filter update. I'm sure we didn't have it before.

Almost any request regarding SSL-tunnel reports "Failed Connection Attempt", even some 8080 connections.

Through the logging on the CheckPoint firewall we can see that all packets pass through the CheckPoint.

Did you find a solution for this???

Boudewijn

(in reply to tjcarst)
Post #: 30
RE: SSL-tunnel Failed connection attempt - 24.May2006 6:33:18 PM   
wbplomp

 

Posts: 144
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi,

Did you find a solution for this problem???

Greetings,

Boudewijn
The Netherlands

(in reply to tjcarst)
Post #: 31
RE: SSL-tunnel Failed connection attempt - 24.May2006 10:37:05 PM   
wbplomp

 

Posts: 144
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hi,

Did you find the solution for this problem? I have exactly the same problem. Everything seems to work fine, but I have a bad feeling about it. Hope to hear from you.

Greetings,

Boudewijn

(in reply to tjcarst)
Post #: 32
RE: SSL-tunnel Failed connection attempt - 9.Aug.2006 5:42:36 PM   
LexPenrose

 

Posts: 2
Joined: 9.Aug.2006
Status: offline
Hey there fellow ISA companions,

Long time since I visited these forums, must have been what... 2 years or so...? Still remember the good old ISA 2004 standard edition betas :) Ok.. enough chitchat :)
The solution... is simple:

SSL errors almost always relate to going out 1 way, and coming back another way, hence not completing the handshake. In normal words: you probably have a different default gateway than your proxy server.

So, how do you solve this? Go to a command prompt on the CLIENT PC:

route ADD <IP OF SSL SITE> MASK 255.255.255.255 <IP OF ISA SERVER> -p

So for instance:

route ADD 67.19.217.274 MASK 255.255.255.255 10.242.6.240 -p

*The IPs are totally random

Hope that helps.
Lex

(in reply to wbplomp)
Post #: 33
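
Added example, not part of LexPenrose's post: a short Python check of which gateway a client would actually use for the SSL site, so the mismatch described above can be confirmed before a host route is added. The routing-table rows are constructed sample `route print` output; only 10.242.6.240 (the ISA server in the post's example) comes from the thread, and the function names and all other addresses are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample of the IPv4 rows printed by "route print" on the client:
# destination, netmask, gateway, interface, metric.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0       10.242.6.1     10.242.6.57      20
       10.242.6.0    255.255.255.0          On-link     10.242.6.57     276
     203.0.113.10  255.255.255.255     10.242.6.240     10.242.6.57      21
"""

def parse_routes(text):
    """Return (network, gateway, metric) for every well-formed IPv4 route row."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5:
            continue  # header or unrelated line
        dest, mask, gateway, _iface, metric = cols
        try:
            routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, int(metric)))
        except ValueError:
            continue  # malformed row
    return routes

def next_hop(routes, destination):
    """Longest-prefix match, lowest metric as tie-break; None if nothing matches."""
    addr = ipaddress.IPv4Address(destination)  # ValueError if an octet is above 255
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    _net, gateway, _metric = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return gateway

def leaves_via_proxy(routes, destination, proxy_ip):
    """True when traffic to destination is handed to the proxy/ISA address."""
    return next_hop(routes, destination) == proxy_ip

if __name__ == "__main__":
    table = parse_routes(SAMPLE_ROUTE_PRINT)
    for site in ("203.0.113.10", "198.51.100.7"):
        via = next_hop(table, site)
        ok = leaves_via_proxy(table, site, "10.242.6.240")
        print(f"{site}: next hop {via} -> {'via ISA' if ok else 'bypasses ISA'}")
```

In the sample table the site with a /32 host route goes to the ISA address, while any other external address follows the default gateway, which is the situation the post describes.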
RE: SSL-tunnel Failed connection attempt - 9.Aug.2006 7:56:37 PM   
wbplomp

 

Posts: 144
Joined: 18.Nov.2004
From: Netherlands, The
Status: offline
Hey,

In my situation the ISA Server is the default gateway. ISA Server is connected between the internal and external (internet) network.

Boudewijn

(in reply to LexPenrose)
Post #: 34
RE: SSL-tunnel Failed connection attempt - 9.Aug.2006 8:39:06 PM   
LexPenrose

 

Posts: 2
Joined: 9.Aug.2006
Status: offline
Hey Boudewijn,

Could you post the monitoring session of relevant data?
Does anything come back from the host you're trying to reach?
Can you confirm that all traffic is coming from the client? Or is some of the traffic coming from the ISA server?

Lex

(in reply to wbplomp)
Post #: 35
RE: SSL-tunnel Failed connection attempt - 6.Feb.2007 6:46:03 PM   
randy_ray

 

Posts: 59
Joined: 7.Sep.2002
From: Houston, TX
Status: offline
I've recently started encountering this same issue. ISA2004 is my network default gateway and is set up to publish automatic discovery information via default port 80, DNS has a WPAD CNAME entry pointing to ISA's FQDN, and DNS has a host record for ISA. Users are SNAT and unable to access many SSL sites but a site in particular is our own OWA server, internally. The request times out in all cases. Monitoring shows failed connection attempt, error 995, to many external IP addresses. One external IP I was able to confirm is verisign. Doesn't matter if the browser is set to automatic detect or not, the SSL request still times out. The only way to get it to work is to actually configure the browser to use a proxy server as 10.x.x.x / port 8080.

Something odd that I don't understand is the information provided by MS regarding publishing automatic discovery information in ISA using DNS http://www.microsoft.com/technet/isa/2004/plan/automaticdiscovery.mspx. According to MS, ISA publishes on 8080 by default but to publish via DNS you must use 80... the Auto Discovery tab on the properties of the internal network default is 80. From a client I can go to http://myisaserver/wpad where I'm prompted to save the file. I save the WPAD file and open it with notepad to find "HttpPort="8080"". So which is it??? 80 or 8080 and where is it configured?

Randy near Houston, TX

< Message edited by randy_ray -- 6.Feb.2007 7:03:36 PM >

(in reply to LexPenrose)
Post #: 36
RE: SSL-tunnel Failed connection attempt - 20.Aug.2010 4:13:51 AM   
bilbo

 

Posts: 2
Joined: 20.Aug.2010
Status: offline
Hello, I am experiencing a very similar problem with ISA 2006.

Would you mind posting any learning or fixes you might have come across with this fault?

Thanks,

(in reply to tjcarst)
Post #: 37
