RE: ISA Server 2006 RPC filter blocks RPC traffic



Thank you Richard, for sharing. :)
--
Shijaz Abdulla
MVP, MCSE:Security, CCNA

Articles: www.shijaz.com/isaserver
Forums: www.tech-links.org


"richard" wrote:

Microsoft PSS solved the issue. It seems to be related particularly to Dell
PowerEdge 1950 with Broadcom BCM5708c NetExtreme Gigabit NIC and ISA 2006,
here is the solution from Microsoft:
---------------------------------
There is a similar issue in ISA 2004. It has been addressed in KB 887222 and
fixed in ISA 2004 SP1. For ISA 2006, that issue doesn't exist.

We captured a network trace on the ISA server to troubleshoot this issue.
The ISA server immediately reset the TCP connection once it received the DC's
TCP ACK packet when it tried to establish the connection against the DC's 135
port.

According to the network trace, the ISA server may think the DC's reply
packet used an invalid sequence number or acknowledgment number. If you use
the live monitoring feature in ISA server to monitor this issue, you should
find that the ISA server reports the error FWX_E_SEQ_ACK_MISMATCH. However,
the sequence number and the acknowledgment number were correct based on the
network trace. The problem should be still on the ISA server side.

After performing intensive research, the issue was caused by the NIC
settings on the ISA server. We turned off the feature Receive Side Scaling on
the Broadcom NIC and that resolved the issue.

We have received a report of this issue occurring on the DELL PowerEdge 1950
server with Broadcom BCM5708c NetExtreme Gigabit NIC.

To turn off the feature Receive Side Scaling:

a. Log on to the ISA server. Click Start, click Run, type devmgmt.msc and press
OK.

b. Expand Network Adapters and double-click the NIC which connects the ISA
server to the internal network.

c. On the Advanced tab, find the feature Receive Side Scaling and turn it
off. Click OK.

Note: When you click OK, the network connection may be interrupted
temporarily.

--
Regards,

Richard


"Shijaz Abdulla" wrote:

Should I apply ISA 2004 sp1 on this ISA 2006 as mentioned in the KB?
No. This is supported only for versions that are listed in the Applies To
section of the article. Besides, I don't think ISA 2006 would let you install
ISA 2004 SP1 over it ;)
I have not been able to find a fix addressing this, it would be a good idea
to contact Microsoft PSS.

What are the consequences running the ISA 2006 with "RPC filter" disabled?
http://www.microsoft.com/technet/isa/2000/proddocs/isafp1/rpcaboutfilter.mspx?mfr=true


--
Shijaz Abdulla
MVP, MCSE:Security, CCNA

Articles: www.shijaz.com/isaserver
Forums: www.tech-links.org


"richard" wrote:

I have exactly the same problem as mentioned in this kb.:

http://support.microsoft.com/kb/887222

But this is an ISA 2006 on a new server with a Windows Server 2003 R2 sp1
OEM installation.
Logging on takes at least 5 min. This error shows in the system log:
-------------------------------------------------
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1053
Date: 11-01-2007
Time: 11:38:11
User: NT AUTHORITY\SYSTEM
Computer: xxx
Description:
Windows cannot determine the user or computer name. (The RPC server is
unavailable. ).
Group Policy processing aborted.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
-------------------------------------------------

When I disable the "RPC filter" application filter in ISA, everything is fine.

Amongst a lot of things (uninstall ISA, rejoin the Domain, install ISA
again), I have tried to enable/disable "Enforce strict RPC compliance", but
to no avail. As long as the RPC filter is enabled, I am stuck!

Should I apply ISA 2004 sp1 on this ISA 2006 as mentioned in the KB?

What are the consequences running the ISA 2006 with "RPC filter" disabled?

The plan was that the ISA 2006 should replace an ISA 2000, as a back-end
firewall handling VPN connections, server publishing (Exchange 2003, Portal
Services) and more.

Thanks in advance!
--
Regards,

Richard
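
Added example, not part of the original thread or of Microsoft's reply: the trace reasoning in the PSS answer (the ISA server resets the connection to port 135 although the DC's reply carries correct sequence/acknowledgment numbers) written as a check over capture records. The record layout, addresses and numbers are constructed for illustration, and the DC's reply is assumed to be the SYN/ACK of the handshake.

```python
from collections import namedtuple

# One captured TCP segment; this record layout is an assumption of the example.
Seg = namedtuple("Seg", "src sport dst dport flags seq ack")
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits

def classify_handshakes(segments, port=135):
    """Map (client, client_port, server) -> verdict for connections to port."""
    syns, ack_ok, verdicts = {}, {}, {}
    for s in segments:
        flags = set(s.flags.split("|"))
        if s.dport == port and flags == {"SYN"}:
            key = (s.src, s.sport, s.dst)
            syns[key] = s
            verdicts[key] = "no_reply"
        elif s.sport == port and {"SYN", "ACK"} <= flags:
            key = (s.dst, s.dport, s.src)
            if key in syns:
                ack_ok[key] = s.ack == (syns[key].seq + 1) % MOD  # ISN + 1
                verdicts[key] = "reply_seen"
        elif s.dport == port and "RST" in flags:
            key = (s.src, s.sport, s.dst)
            if key in ack_ok:
                # Reset after a correct reply points at the resetting host.
                verdicts[key] = ("reset_after_valid_reply" if ack_ok[key]
                                 else "reset_after_bad_ack")
        elif s.dport == port and flags == {"ACK"}:
            key = (s.src, s.sport, s.dst)
            if ack_ok.get(key):
                verdicts[key] = "established"
    return verdicts

# Constructed sample trace (documentation addresses, made-up numbers).
ISA, DC = "192.0.2.1", "192.0.2.10"
SAMPLE = [
    Seg(ISA, 1045, DC, 135, "SYN", 1000, 0),
    Seg(DC, 135, ISA, 1045, "SYN|ACK", 5000, 1001),   # correct ack
    Seg(ISA, 1045, DC, 135, "RST", 1001, 0),          # ISA resets anyway
    Seg(ISA, 1046, DC, 135, "SYN", 2000, 0),
    Seg(DC, 135, ISA, 1046, "SYN|ACK", 7000, 2001),
    Seg(ISA, 1046, DC, 135, "ACK", 2001, 7001),       # normal handshake
    Seg(ISA, 1047, DC, 135, "SYN", MOD - 1, 0),       # ISN at wrap point
    Seg(DC, 135, ISA, 1047, "SYN|ACK", 9000, 5),      # should ack 0
    Seg(ISA, 1047, DC, 135, "RST", 5, 0),
]

if __name__ == "__main__":
    for flow, verdict in classify_handshakes(SAMPLE).items():
        print(flow, verdict)
```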