[isalist] Re: Error 87

I finally fixed that problem. I noticed that the extension on the PDF file was 
very odd: instead of ".pdf" it's ".DocServer". So I changed the HTTP filter to 
"Allow all extensions" and that worked.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Monday, May 16, 2011 1:10 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error 87

Thanks for the idea, Jim. Unfortunately disabling compression didn't fix the 
problem. Same error as before.  :(

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Saturday, May 14, 2011 1:13 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error 87

Here's the filtered and reordered capture (Wireshark can't do that, either; 
neener-neener-boo-boo :)).

It seems that the response form the Web server upsets TMG somehow.
It's not possible to say exactly how this upsets TMG without a tracefile, but 
you may be able to resolve this by disabling compression if you have it 
enabled; the client indicates acceptance of compressed data  in frame 7, so TMG 
may be trying to compress it back to the client.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Friday, May 13, 2011 9:25 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error 87

Here is the whole capture.

172.17.201.24 is the address of my PC. 170.115.248.137 is the address of the 
remote web server.

This download worked when we were using ISA. It still works for these folks 
when they access the site from home.

Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Friday, May 13, 2011 10:03 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error 87

Actually, I'd need to see the capture itself, although it seems pretty clear 
that:

1.       There is another (NAT) device upstream from TMG (TMG  IPAddr = 
172.17.201.24; WebSvr IPAddr = 170.115.248.137)

2.       The WebSvr failed the request (frame 452)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Friday, May 13, 2011 6:50 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error 87

He's trying to download PDFs from a City of Philadelphia website. The URL is 
http://philadox.phila.gov/picris/servlet/ecs.servlet.DocServer. To get there, 
though, you have to have a username and password. I went there (using his 
credentials) and tried to download a PDF. I got the same error.

I did the Netmon capture, as per your instructions. Below is the traffic 
between my computer and the remote server. Let me know what you see and if you 
need something more (like maybe the whole Netmon capture file, or this 
conversation in an Excel file, or anything else).

441

5/13/2011 9:34

1.225792

172.17.201.24

170.115.248.137

TCP

TCP:Flags=......S., SrcPort=49490, DstPort=HTTP(80), PayloadLen=0, Seq=26693, 
Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192

{TCP:168, IPv4:167}

442

5/13/2011 9:34

1.226298

170.115.248.137

172.17.201.24

TCP

TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=49490, PayloadLen=0, 
Seq=3946482666, Ack=26694, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152

{TCP:168, IPv4:167}

443

5/13/2011 9:34

1.22644

172.17.201.24

170.115.248.137

TCP

TCP:Flags=......S., SrcPort=49491, DstPort=HTTP(80), PayloadLen=0, 
Seq=705015745, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192

{TCP:169, IPv4:167}

444

5/13/2011 9:34

1.226862

170.115.248.137

172.17.201.24

TCP

TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=49491, PayloadLen=0, 
Seq=2744969049, Ack=705015746, Win=8192 ( Negotiated scale factor 0x8 ) = 
2097152

{TCP:169, IPv4:167}

445

5/13/2011 9:34

1.227025

172.17.201.24

170.115.248.137

TCP

TCP:Flags=...A...., SrcPort=49490, DstPort=HTTP(80), PayloadLen=0, Seq=26694, 
Ack=3946482667, Win=365 (scale factor 0x2) = 1460

{TCP:168, IPv4:167}

446

5/13/2011 9:34

1.228155

172.17.201.24

170.115.248.137

TCP

TCP:Flags=...A...., SrcPort=49491, DstPort=HTTP(80), PayloadLen=0, 
Seq=705015746, Ack=2744969050, Win=365 (scale factor 0x2) = 1460

{TCP:169, IPv4:167}

447

5/13/2011 9:34

1.229617

172.17.201.24

170.115.248.137

HTTP

HTTP:Request, POST /picris/servlet/ecs.servlet.DocServer

{HTTP:170, TCP:169, IPv4:167}

452

5/13/2011 9:34

1.345096

170.115.248.137

172.17.201.24

HTTP

HTTP:Response, HTTP/1.1, Status: Internal server error, URL: 
/picris/servlet/ecs.servlet.DocServer

{HTTP:170, TCP:169, IPv4:167}

453

5/13/2011 9:34

1.345096

170.115.248.137

172.17.201.24

TCP

TCP:[Continuation to #452]Flags=...A...., SrcPort=HTTP(80), DstPort=49491, 
PayloadLen=1460, Seq=2744970510 - 2744971970, Ack=705016330, Win=256 (scale 
factor 0x8) = 65536

{TCP:169, IPv4:167}

454

5/13/2011 9:34

1.346642

172.17.201.24

170.115.248.137

TCP

TCP:Flags=...A...., SrcPort=49491, DstPort=HTTP(80), PayloadLen=0, 
Seq=705016330, Ack=2744971970, Win=16425 (scale factor 0x2) = 65700

{TCP:169, IPv4:167}

455

5/13/2011 9:34

1.346729

170.115.248.137

172.17.201.24

TCP

TCP:[Continuation to #452]Flags=...AP..F, SrcPort=HTTP(80), DstPort=49491, 
PayloadLen=1330, Seq=2744971970 - 2744973301, Ack=705016330, Win=256 (scale 
factor 0x8) = 65536

{TCP:169, IPv4:167}

456

5/13/2011 9:34

1.348033

172.17.201.24

170.115.248.137

TCP

TCP:Flags=...A...., SrcPort=49491, DstPort=HTTP(80), PayloadLen=0, 
Seq=705016330, Ack=2744973301, Win=16092 (scale factor 0x2) = 64368

{TCP:169, IPv4:167}

457

5/13/2011 9:34

1.348428

172.17.201.24

170.115.248.137

TCP

TCP:Flags=...A...F, SrcPort=49491, DstPort=HTTP(80), PayloadLen=0, 
Seq=705016330, Ack=2744973301, Win=16092 (scale factor 0x2) = 64368

{TCP:169, IPv4:167}

458

5/13/2011 9:34

1.348518

170.115.248.137

172.17.201.24

TCP

TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=49491, PayloadLen=0, 
Seq=2744973301, Ack=705016331, Win=256 (scale factor 0x8) = 65536

{TCP:169, IPv4:167}



From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Thursday, May 12, 2011 12:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error 87

You should install Netmon 3.4 on the TMG and run it from an elevated cmd window 
using the following command:

md c:\NetmonCaps
nmcap /capture /network * /file c:\NetmonCaps\Capture.chn:100M

..before he runs the process to failure.
This way, you'll be able to see the internal and external conversations as they 
happen.

Wireshark can't do that...
:)

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Wednesday, May 11, 2011 10:28 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error 87

OK, let me try to get the series of steps from the user. I just watched the 
console while he went through a series of clicks from his computer (remote to 
me) to get to the object he wanted to download. Once I have that, I'll post 
back.

Thanks,
Rob

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, May 11, 2011 11:10 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Error 87

"87" is the result-code and it means something about the request or response 
failed to process correctly.
You have to identify "what it is" first.
What is the web site URL?

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Rob Moore
Sent: Wednesday, May 11, 2011 6:56 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Error 87

Using TMG Standard. Not caching, not using Firewall Client.

I have a user trying to download a form from a City of Philadelphia website. It 
worked before we upgraded from ISA to TMG. Now when he tries to download the 
form, it fails. When I monitor his activity, I don't get a Result Code when it 
fails. All I get is an Action of "Failed Connection Attempt" and an HTTP Status 
Code of "87 The parameter is incorrect."

What's going on? How can I work around this?

Thanks,
Rob

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rob Moore
Network Manager
215-241-7870
Helpdesk: 800-500-AFSC

Other related posts: