Clients dropping like flies


todd-beaulieu -> Clients dropping like flies (19.Feb.2003 5:47:00 PM)

My problem is that the clients keep losing their connection to the Firewall. The icon appears in the tray, and they have no internet access. Rebooting sometimes fixes it, as does simply waiting. It comes and goes all over the network. Stations that were working, aren't now, and vice versa. Sometimes they come up and can't find the Server, but after a wait suddenly find it.

I'm an ISA rookie, so it might be something stupid that I did, relating to something like DNS or DHCP on the network. This is not my primary line of work; I'm a developer.

It's a small network of about 15 - 20 workstations. They're a mix of 95, 98x, XP and 2000. It's a real basic setup: DSL comes into a small router (which I've been having LOTs of issues in this mix...should I eliminate it?). It then goes into the 2000 box with ISA. Out the second NIC goes the internal network to the hubs and then onto the stations. There are no routers internally; all clients are on the same subnet (192...).

I have DHCP enabled on the 2000 box for the internal network. All workstations are configured to obtain their settings automatically. The Server's IPs are hard-coded and excluded from the pool. DHCP is disabled on the router.

I tried having them put the IP into the firewall client and hit UPDATE, but they said it just comes back with the server name.

I'm about to disable the client and experiment with either "auto detect" in IE or hard-code the proxy information.

Any ideas? Thanks!

tshinder -> RE: Clients dropping like flies (19.Feb.2003 10:14:00 PM)

Hi Todd,

Are you publishing DNS servers?

What is the value of the Non-connected UDP mappings counter when this happens?


todd-beaulieu -> RE: Clients dropping like flies (19.Feb.2003 11:50:00 PM)

Remember, this isn't my strength.

I'm not sure what you mean by "publishing DNS". Honestly, I can't even remember what we did for DNS during the install. I had someone helping me, and he seems to love implementing anything that is an option. Myself, I am a minimalist when it comes to those types of settings. When I don't understand something, I try to avoid it. I'm not aware of building any kind of list of machine names/IPs. We did a routing Table at one point, including just the internal IPs. Is there something that I should look for, when it comes to DNS? We're using the DNS servers that the ISP gave us for the outside world, but haven't done much inside, that I'm aware of. Should we? I suspected DNS at one point, and called to have the customer enter the IP into the ISA Server cfg for the firewall client. They told me that it seemed to take it, but that it immediately reverted back to the name.

Now, I know even LESS, if you thought that possible, about the second question. I have no clue what the "value of the Non-connected UDP mappings counter" is. Is this on the client or the server? What am I looking for?

One thing that we did with this round of changes was to remove NetBios from the network profiles on the clients. My helper made me do it, swearing up and down that it was unnecessary and a security risk.

I'm also trying to get a VPN going, and having a heck of a hard time with it. I'll save that for another thread.

Thanks for the help!

tshinder -> RE: Clients dropping like flies (20.Feb.2003 5:10:00 PM)

Hi Todd,

OK, I understand the situation a bit better. What I really need to do is start a service for people who need a step by step setup guide, based on what they want and what their current setup is. Oh yea, I do! That's what it says in my sig line [Smile]

It seems like your problem is a DNS related problem, but it could also be a multifactorial problem. It's probably something a pair of expert eyes could fix pretty quickly, but troubleshooting it online could be complex.

The first step is to determine if the clients are resolving the name of the ISA Server correctly, and the easiest way to do that is to use network monitor on the clients.


todd-beaulieu -> RE: Clients dropping like flies (24.Feb.2003 4:56:00 PM)

Well, I believe (and hope!) that I found the cause of the clients intermittently losing connection with/not connecting to the ISA Server.

I believe it was licensing on the SBS.

I guess I don't understand how the connections concept works. How can 20 workstations cause 150 connections (peak)?

I hope I'm not expected to buy an additional 100 licenses when not a single new workstation has been installed!

tshinder -> RE: Clients dropping like flies (24.Feb.2003 6:48:00 PM)

Hi Todd,

What kind of connections are these? IIRC, the SBS license limits the number of SMB/CIFS connections, not the number of VPN connections (although I could be wrong about that) [Big Grin]


todd-beaulieu -> RE: Clients dropping like flies (24.Feb.2003 7:26:00 PM)

These connections are internal clients. We have no VPN functioning as of yet.

I noticed the popup on the server, complaining about running out of licenses. I looked through the reports generated by ISA and noticed the number of connections was insanely high (compared to what I was expecting). I'm trying to understand how that works. These are all 9x/2k clients just doing normal web/email access via the FW client and proxy client. They're also authenticated into the domain via that same server.

Does each client make and maintain multiple connections? It can't be one for each resource in a web page, or something, right? Since it only happened during work hours, I wasn't expecting it. We tested all weekend long, but it never occurred to us that when the users were all simultaneously accessing the net, this would happen.

tshinder -> RE: Clients dropping like flies (24.Feb.2003 8:28:00 PM)

Hi Todd,

A connection attempt is made for each HTTP object. If you have access control enabled, the client will need to authenticate to access each object, because the ISA Server needs to determine whether that client is allowed to access each specific object.


todd-beaulieu -> RE: Clients dropping like flies (24.Feb.2003 8:40:00 PM)

Oh wow! I wouldn'ta guessed that up front.

I wonder why the client doesn't use a system wherein its "main" connection is used for this? In other words, a client accessing LAN resources must surely not make additional connections to the server each time, right?

Does this mean that I am, indeed, to purchase additional licenses on that Server, just because of the firewall? Yikes!

Or, should I disable Access Control? I need to look that up again, to see what the deal is with it.

How do large companies, with thousands of employees handle this?
