RE: Isa Server 2006 RPC filter blocks RPC traffic
- From: richard <richard@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 19 Jan 2007 12:30:39 -0800
Microsoft PSS solved the issue. It seems to be related particularly to Dell
PowerEdge 1950 with Broadcom BCM5708c NetExtreme Gigabit NIC and ISA 2006,
here is the solution from Microsoft:
---------------------------------
There is a similar issue in ISA 2004. It has been addressed in KB 887222 and
fixed in ISA 2004 SP1. For ISA 2006, that issue doesn't exist.
We captured a network trace on the ISA server to troubleshoot this issue.
The ISA server immediately reset the TCP connection once it received the DC's
TCP ACK packet when it tried to establish the connection against the DC's 135
port.
According to the network trace, the ISA server may think the DC's reply
packet used an invalid sequence number or acknowledgment number. If you use
the live monitoring feature in ISA server to monitor this issue, you should
find that the ISA server reports the error FWX_E_SEQ_ACK_MISMATCH. However,
the sequence number and the acknowledgment number were correct based on the
network trace. The problem should be still on the ISA server side.
After performing intensive research, the issue was caused by the NIC
settings on the ISA server. We turned off the feature Receive Side Scaling on
the Broadcom NIC and that resolved the issue.
We have received reports of this issue occurring on the DELL PowerEdge 1950
server with Broadcom BCM5708c NetExtreme Gigabit NIC.
To turn off the feature Receive Side Scaling:
a. Log on to the ISA server. Click Start, click Run, type devmgmt.msc and press
OK.
b. Expand Network Adapters and double-click the NIC which connects the ISA
server to the internal network.
c. On the Advanced tab, find the feature Receive Side Scaling and turn it
off. Click OK.
Note: When you click OK, the network connection may be interrupted
temporarily.
--
Regards,
Richard
"Shijaz Abdulla" wrote:
Should I apply ISA 2004 sp1 on this ISA 2006 as mentioned in the KB?
No. This is supported only for versions that are listed in the Applies To
section of the article. Besides, I don't think ISA 2006 would let you install
ISA2004 Sp1 over it ;)
I have not been able to find a fix addressing this, it would be a good idea
to contact Microsoft PSS.
What are the consequences running the ISA 2006 with "RPC filter" disabled?
http://www.microsoft.com/technet/isa/2000/proddocs/isafp1/rpcaboutfilter.mspx?mfr=true
--
Shijaz Abdulla
MVP, MCSE:Security, CCNA
Articles: www.shijaz.com/isaserver
Forums: www.tech-links.org
"richard" wrote:
I have exactly the same problem as mentioned in this kb.:
http://support.microsoft.com/kb/887222
But this is an ISA 2006 on a new server with a Windows Server 2003 R2 sp1
OEM installation.
Logging on takes at least 5 min. This error shows in the system log:
-------------------------------------------------
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 11-01-2007
Time: 11:38:11
User: NT AUTHORITY\SYSTEM
Computer: xxx
Description:
Windows cannot determine the user or computer name. (The RPC server is
unavailable. ).
Group Policy processing aborted.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------
When I disable the "RPC filter" application filter in ISA, everything is fine.
Amongst a lot of things (uninstall ISA, rejoin the Domain, install ISA
again), I have tried to enable/disable "Enforce strict RPC compliance", but
to no use. As long as the RPC filter is enabled, I am stuck!
Should I apply ISA 2004 sp1 on this ISA 2006 as mentioned in the KB?
What are the consequences running the ISA 2006 with "RPC filter" disabled?
The plan was that the ISA 2006 should replace an ISA 2000, as a back-end
firewall handling VPN-connections, server publishing (Exchange 2003, Portal
Services) and more.
Thanks in advance!
--
Regards,
Richard
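
Added example, not part of the thread or of Microsoft's reply: the trace check described in the PSS explanation in the first message, confirming from a capture that the DC's SYN-ACK correctly acknowledges the ISA server's SYN while the ISA side still resets the connection to port 135. The `Seg` record, the host labels "isa" and "dc", and both sample traces are constructed for illustration.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

@dataclass
class Seg:
    src: str      # sender label (hypothetical: "isa" or "dc")
    dport: int    # destination port
    flags: str    # "S", "SA", "A" or "R"
    seq: int
    ack: int = 0

def classify(trace, client, server, port=135):
    """Classify the first connection attempt from client to server:port."""
    it = iter(trace)  # shared iterator keeps the segments in capture order
    syn = next((s for s in it if s.src == client and s.dport == port
                and s.flags == "S"), None)
    if syn is None:
        return "no SYN seen"
    synack = next((s for s in it if s.src == server and s.flags == "SA"), None)
    if synack is None:
        return "no SYN-ACK seen"
    reply = next((s for s in it if s.src == client and s.dport == port), None)
    if reply is None:
        return "no reply to SYN-ACK"
    # A valid SYN-ACK acknowledges the client's ISN + 1, modulo 2^32.
    ack_ok = synack.ack == (syn.seq + 1) % MOD
    if reply.flags == "R":
        # A reset after a valid SYN-ACK points at the client's own stack or
        # NIC path, which is what the trace in the thread showed.
        return ("reset after valid SYN-ACK" if ack_ok
                else "reset after invalid SYN-ACK")
    if reply.flags == "A" and ack_ok and reply.ack == (synack.seq + 1) % MOD:
        return "handshake completed"
    return "unexpected reply"

# Constructed sample traces (not taken from the capture in the thread).
BROKEN = [
    Seg("isa", 135, "S", 4294967295),
    Seg("dc", 1061, "SA", 1000, 0),    # ack wraps to 0 and is still correct
    Seg("isa", 135, "R", 0),
]
HEALTHY = [
    Seg("isa", 135, "S", 500),
    Seg("dc", 1061, "SA", 9000, 501),
    Seg("isa", 135, "A", 501, 9001),
]
```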