Re: Serious(ly weird) ISA 2004 problem
From: Jasen Fici (jasen_at_velaro.com)
Date: 09/29/04
Date: Wed, 29 Sep 2004 12:54:01 -0400
One other thing, here's a trace log if we start completely fresh to one of
the IP addresses that aren't working:
Log Time Destination IP Destination Port Protocol Action Rule Client IP
Client Username Source Network Destination Network HTTP Method URL
Authenticated Client Object Source Raw Payload HTTP Status Code Client Agent
Service Source Proxy Client Host Name Processing Time Result Code Error
Information Original Client IP Server Name Referring Server Destination
Proxy Destination Host Name Raw IP Header Transport MIME Type Bidirectional
Filter Information Network Interface Source Port Bytes Sent Bytes Received
Cache Information Log Record Type
9/29/2004 12:50:29 PM 162.33.130.138 80 HTTP Initiated Connection
68.55.85.212 External Local Host - - 0 0x0 0x0 68.55.85.212
FIREWALL - TCP - - 58245 0 0 0x0 Firewall
9/29/2004 12:50:29 PM 162.33.130.138 80 HTTP Closed Connection 68.55.85.212
External Local Host - - 0 0x80074e21 0x0 68.55.85.212 FIREWALL -
TCP - - 58245 88 88 0x0 Firewall
9/29/2004 12:50:29 PM 162.33.130.138 80 HTTP Denied Connection 68.55.85.212
External Local Host - - 0 0xc0040017
FWX_E_TCP_NOT_SYN_PACKET_DROPPED 0x0 68.55.85.212 FIREWALL - TCP - -
58245 0 0 0x0 Firewall
9/29/2004 12:50:31 PM 162.33.130.138 80 HTTP Initiated Connection
68.55.85.212 External Local Host - - 0 0x0 0x0 68.55.85.212
FIREWALL - TCP - - 58246 0 0 0x0 Firewall
(probably have to put that in Notepad for a clearer view)
"Jasen Fici" <jasen@velaro.com> wrote in message
news:%23M4oE0jpEHA.3572@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> We have been running ISA 2004 successfully for about two months now,
> however, all of a sudden a serious error has started occurring that is a
> bit difficult to explain, so please bear with me.
>
> First, the environment:
>
> 10 external IP addresses, 10 different domain names:
>
> srv0.velaro.com 162.33.130.130
> srv1.velaro.com 162.33.130.131
> ..
> srv8.velaro.com 162.33.130.138
> srv9.velaro.com 162.33.130.139
>
> All HTTP requests from all these domains are being sent through a single
> ISA rule which routes them all internally to the same web server and same
> application. (The reasons for this overly complicated approach are for
> pre-emptively dealing with our corporate growth. Eventually each external
> address will go to its own internal server).
>
> Anyway, as I said, all has been well for about two months now, and there
> hasn't been any change at all to the configuration. However, about a week
> ago, anyone who tried to access http://srv9.velaro.com from their browsers
> started receiving "cannot find website" errors. After making sure nothing
> was wrong with our DNS, we investigated the ISA logs and came up
> with some curious results. Thinking it was an isolated incident, we
> simply repointed our external DNS for srv9.velaro.com to 162.33.130.130,
> and all was well again a few hours later (after it propagated throughout
> the Internet).
>
> However, today, exactly 1 week later, it started happening again, this
> time to srv8.velaro.com. We've had to make the DNS adjustment to get up
> and running again, but I have set up another test domain name:
> test.velaro.com which points to 162.33.130.138. This domain name was
> simply added to the single ISA rule where all the other domain names are
> routed to the same internal web server, so the result should be the same,
> going to any http://srvX.velaro.com or http://test.velaro.com. The result
> should be a small XML configuration file being displayed.
>
> Now, to the ISA log files. Here's a typical set of entries from a single
> machine if it tries to access http://srv0.velaro.com: (XXX.XXX.XXX.XXX
> replaced our internal address):
>
> TCP - 0 792 772 0x42020000 Web Proxy Filter 9/29/2004 11:43:41 AM
> XXX.XXX.XXX.XXX 80 http Allowed Connection standard 68.55.85.212 anonymous
> External GET http://192.168.3.5/ No Internet - 200 Mozilla/4.0
> (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322) Reverse
> Proxy - - 16 0x400 0.0.0.0 FIREWALL - srv0.velaro.com -
>
> TCP - - 58047 0 0 0x0 Firewall 9/29/2004 11:43:41 AM 162.33.130.130 80
> HTTP Initiated Connection 68.55.85.212 External Local Host - - 0
> 0x0 0x0 68.55.85.212 FIREWALL -
>
> TCP - - 58047 980 920 0x0 Firewall 9/29/2004 11:44:41 AM 162.33.130.130
> 80 HTTP Closed Connection 68.55.85.212 External Local Host - -
> 60000 0x80074e21 0x0 68.55.85.212 FIREWALL -
>
>
> Now, if we try to go to test.velaro.com, the first entry made to ISA is:
>
> TCP - - 58070 0 0 0x0 Firewall 9/29/2004 11:48:19 AM 162.33.130.138 80
> HTTP Initiated Connection 68.55.85.212 External Local Host - - 0
> 0x0 0x0 68.55.85.212 FIREWALL -
>
> The browser returns IMMEDIATELY with a Page Cannot Be Displayed Error.
> Then, if we hit REFRESH on the browser, the rest comes through:
>
> TCP - - 58084 88 88 0x0 Firewall 9/29/2004 11:50:05 AM 162.33.130.138 80
> HTTP Closed Connection 68.55.85.212 External Local Host - - 0
> 0x80074e21 0x0 68.55.85.212 FIREWALL -
> TCP - - 58084 0 0 0x0 Firewall 9/29/2004 11:50:05 AM 162.33.130.138 80
> HTTP Denied Connection 68.55.85.212 External Local Host - - 0
> 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED 0x0 68.55.85.212 FIREWALL -
> TCP - - 58085 0 0 0x0 Firewall 9/29/2004 11:50:05 AM 162.33.130.138 80
> HTTP Initiated Connection 68.55.85.212 External Local Host - - 0
> 0x0 0x0 68.55.85.212 FIREWALL -
> TCP - - 58085 88 88 0x0 Firewall 9/29/2004 11:50:05 AM 162.33.130.138 80
> HTTP Closed Connection 68.55.85.212 External Local Host - - 0
> 0x80074e21 0x0 68.55.85.212 FIREWALL -
> TCP - - 58085 0 0 0x0 Firewall 9/29/2004 11:50:05 AM 162.33.130.138 80
> HTTP Denied Connection 68.55.85.212 External Local Host - - 0
> 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED 0x0 68.55.85.212 FIREWALL -
> TCP - - 58086 0 0 0x0 Firewall 9/29/2004 11:50:13 AM 162.33.130.138 80
> HTTP Initiated Connection 68.55.85.212 External Local Host - - 0
> 0x0 0x0 68.55.85.212 FIREWALL -
>
> The thing is, this is not a random isolated incident for 1 client, we have
> customers all over the world assigned to each one of these servers, and as
> soon as srv8 and srv9 went bad, all our customers assigned to those
> servers went bad.
>
> Does anyone have ANY idea what could be causing this to happen? My gut
> is starting to tell me it's our ISP where we co-locate. Could a bad
> externally configured subnet on our part be causing this? Does it look
> like an ISA configuration problem? All things being static on our side
> and on our clients' machines leads me to our ISP, but I'm at a loss.
>
> Help!!?!
>
> thanks,
> Jasen
> jasen@velaro.com
>
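The pattern in the traces above (a connection to 162.33.130.138 closed in the same second it was initiated, then a packet on the same source port denied with FWX_E_TCP_NOT_SYN_PACKET_DROPPED) can be tallied per destination IP to see which published addresses are affected. This is an added example, not part of the original post; the reduced pipe-delimited layout and the function names are assumptions, the sample rows are constructed from values in the traces, and rows are assumed to be in log order.

```python
import csv, io
from collections import defaultdict

NOT_SYN = "0xc0040017"  # FWX_E_TCP_NOT_SYN_PACKET_DROPPED, as logged in the post

# Constructed sample: a reduced, pipe-delimited column layout (an assumption,
# not ISA's export format); the values are taken from the traces in the post.
SAMPLE = """time|dest_ip|action|client_ip|src_port|result|sent|recv
11:43:41|162.33.130.130|Initiated Connection|68.55.85.212|58047|0x0|0|0
11:44:41|162.33.130.130|Closed Connection|68.55.85.212|58047|0x80074e21|980|920
11:50:05|162.33.130.138|Initiated Connection|68.55.85.212|58085|0x0|0|0
11:50:05|162.33.130.138|Closed Connection|68.55.85.212|58085|0x80074e21|88|88
11:50:05|162.33.130.138|Denied Connection|68.55.85.212|58085|0xc0040017|0|0
12:50:29|162.33.130.138|Initiated Connection|68.55.85.212|58245|0x0|0|0
12:50:29|162.33.130.138|Closed Connection|68.55.85.212|58245|0x80074e21|88|88
12:50:29|162.33.130.138|Denied Connection|68.55.85.212|58245|0xc0040017|0|0
12:50:31|162.33.130.138|Initiated Connection|68.55.85.212|58246|0x0|0|0
"""

def classify(text):
    """Map (dest_ip, client_ip, src_port) -> 'ok', 'dropped' or 'open'."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text), delimiter="|"):
        events[(row["dest_ip"], row["client_ip"], row["src_port"])].append(row)
    verdicts = {}
    for conn, rows in events.items():
        actions = [r["action"] for r in rows]
        closed = "Closed Connection" in actions
        # A non-SYN drop logged after the close on the same 3-tuple means the
        # client was still sending on a connection the firewall had torn down.
        late = any(r["action"] == "Denied Connection" and r["result"] == NOT_SYN
                   and closed and actions.index("Closed Connection") < i
                   for i, r in enumerate(rows))
        verdicts[conn] = "dropped" if late else "ok" if closed else "open"
    return verdicts

def suspect_destinations(verdicts):
    """Destination IPs with dropped connections and no completed ones."""
    per_dest = defaultdict(lambda: defaultdict(int))
    for (dest, _, _), v in verdicts.items():
        per_dest[dest][v] += 1
    return sorted(d for d, c in per_dest.items() if c["dropped"] and not c["ok"])

if __name__ == "__main__":
    for conn, verdict in classify(SAMPLE).items():
        print(conn, verdict)
    print("suspect:", suspect_destinations(classify(SAMPLE)))
```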