First post, although I've spent some time on the Forum. Excellent site, well done, and thank you for providing such a useful resource.
Here's my problem.
I have a uni-homed 2006 (SP1) ISA Server which is occasionally just dropping clients' connections. They report this as a freeze (IE6) where they just get a page not found (not the ISA Server one but the MS connection settings one) and have to untick the use proxy server box in IE to continue browsing.
I have noticed that when this happens I also get the following event log Error, event ID 21285:
"The number of HTTP requests per minute from the source IP address 10.1.4.38 exceeded the configured limit. ISA Server will block new HTTP requests sent from this IP address. This event indicates that this IP address probably belongs to an infected host. See the product documentation for more information about ISA Server flood resiliency. "
This server is running uni-homed and so the firewall is obviously just the local firewall service. Any ideas on how to get round this?
From: United Kingdom
Is this happening for all clients?
Basically, this error is caused by the Flood Mitigation feature of ISA detecting that a client is reaching a defined threshold of HTTP requests within a certain time period. You can modify this default threshold or create exceptions. If you look in the ISA alerts tab in monitoring, you should see an associated alert. Flood Mitigation configuration can be found under the 'Configuration=>General=>Configure Flood Mitigation Settings' link.
Is there anything strange about the machines that would generate a large number of HTTP requests? I assume your systems are clean from malware/spyware/worms that could be generating these types of requests?
I wouldn't normally expect to see this type of alert for client machines unless something was wrong or some local software was legitimately generating a large number of HTTP requests for a valid reason.
You can increase the threshold, but I think it may be prudent to investigate why the threshold is being reached, as it isn't normal for client systems IMHO.
JJ, thanks for the quick response. You were bang on the money; there is a GPO which opens the in-house developed intranet. I just did some testing, and moving around the intranet and filtering the login tab I was able to see it stop working. I also did a comparison to see if opening msn.com produced fewer GET requests, although it didn't seem to.
I've also taken your 2nd point into consideration. We can route round the intranet; however, what is the impact of it needing all these GET requests? As I've set the ISA up using a uni-homed template (includes every private range in the internal network set), is this causing the issue or should I be asking the Dev team to check their code?
From: United Kingdom
Ideally, you should be bypassing ISA for all internal web servers as this is unnecessary and inefficient. ISA should only need to see traffic which is destined for the Internet, not all internal HTTP traffic as well... even so, I would be surprised that this type of thing would trigger the alert so easily... maybe the intranet code is just doing something weird!
You can configure the bypass with IE exception lists or using the Direct Access feature of ISA.
I would bet that once you get the bypass sorted, all of the Flood Mitigation errors will go away.
< Message edited by Jason Jones -- 19.Nov.2008 10:55:22 AM >
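
Added example, not part of the original thread: a short Python sketch for checking which clients exceed a per-minute HTTP request limit and whether they would still exceed it once internal destinations bypass the proxy. The log layout, the `intranet` host name, the sample lines and the limit of 5 are all constructed assumptions; use the limit configured in your Flood Mitigation settings and adapt the field positions to your own proxy log export.

```python
import ipaddress
from collections import Counter, defaultdict

# Assumed log layout (constructed, not the real ISA log format):
# date time client-ip destination-host method uri

def is_internal(host):
    """Assumption: private-range IP literals and single-label names are internal."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host

def per_minute(lines):
    """Map (client_ip, 'YYYY-MM-DD HH:MM') -> Counter of internal/external requests."""
    buckets = defaultdict(Counter)
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or line.startswith("#"):
            continue  # skip blanks, comment headers and truncated records
        date, time, client, host = parts[:4]
        kind = "internal" if is_internal(host) else "external"
        buckets[(client, f"{date} {time[:5]}")][kind] += 1
    return buckets

def over_limit(lines, limit):
    """Rows of (client, minute, total, external, still_over_after_bypass)."""
    rows = []
    for (client, minute), c in sorted(per_minute(lines).items()):
        total = c["internal"] + c["external"]
        if total > limit:
            # With internal sites bypassed, only external requests reach the proxy.
            rows.append((client, minute, total, c["external"], c["external"] > limit))
    return rows

def build_sample():
    """Constructed sample: one client hammering the intranet, one browsing normally."""
    lines = [f"2008-11-19 10:41:{s:02d} 10.1.4.38 intranet GET /page{s}.aspx"
             for s in range(8)]
    lines += [f"2008-11-19 10:41:{s:02d} 10.1.4.38 www.msn.com GET /" for s in (10, 11)]
    lines += [f"2008-11-19 10:41:{s:02d} 10.1.4.50 www.msn.com GET /" for s in (20, 21, 22)]
    return lines

if __name__ == "__main__":
    for row in over_limit(build_sample(), limit=5):  # limit=5 is a sample value
        print(row)
```

A client whose last column is `True` is still over the limit on Internet-bound traffic alone, which is worth investigating on the host itself rather than fixing with a bypass or a raised threshold.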