[isalist] Re: Strange Behaviour in ISA2006

  • From: Jerry Young <jerrygyoungii@xxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Thu, 29 Jan 2009 15:19:07 -0500

If telnet isn't working but yet you're seeing it pass through the ISA
server, it seems more likely that some kind of asymmetric route is in play -
this can occasionally occur with bad BGP routes between peers.

When you put a client on the outside of the ISA server, is it in the same
external network that the ISA server is?

On Thu, Jan 29, 2009 at 3:05 PM, Ball, Dan <DBall@xxxxxxxxxxx> wrote:

>  I did try to telnet, and that didn't work, and I did try nslookup with
> manually configuring multiple servers, they all timed out.  I don't think I
> tried manually setting a DNS server that wasn't one of our normal ones
> though,  so I'll have to try that next time.
>
>
>
> As for routing, the DNS traffic makes it to the ISA server and goes out to
> the Internet, I can see it in the logs, it just doesn't seem to come back.
>
>
>
>
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Jerry Young
> *Sent:* Thursday, January 29, 2009 2:02 PM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: Strange Behaviour in ISA2006
>
>
>
> Dan,
>
>
>
> From the clients on the inside of the ISA Server try the following command.
>
>
>
> telnet <dns server ip address> 53
>
>
>
> Does that work?
>
>
>
> If it does, try the following:
>
>
>
> nslookup www.yahoo.com <dns server ip address>
>
>
>
> Does that work?
>
>
>
> If not, try using nslookup interactively and see what kind of error message
> you get when you attempt to set the server to the DNS server IP address.
>
>
>
> Since this is happening intermittently, it may actually be a network
> routing issue as opposed to an ISA server issue.  I don't know what kind of
> topology you have in place on the inside of your ISA server but do take a
> look at that.
>
> On Thu, Jan 29, 2009 at 1:53 PM, Ball, Dan <DBall@xxxxxxxxxxx> wrote:
>
> http://www.ISAserver.org <http://www.isaserver.org/>
> -------------------------------------------------------
>
> It seems to happen no matter what DNS servers I put in as forwarders, and
> we cannot function without them (need to get DNS resolution somehow!).
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Crockett, Gregory
> Sent: Tuesday, January 27, 2009 2:30 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Strange Behaviour in ISA2006
>
> What happens should you kill your ISP DNS servers as forwarders?  I have
> never used our ISP's DNS servers as forwarders.
>
> Sent from mobile outlook.
>
> -----Original Message-----
> From: Ball, Dan <DBall@xxxxxxxxxxx>
> Sent: Tuesday, January 27, 2009 1:12 PM
> To: 'isalist@xxxxxxxxxxxxx' <isalist@xxxxxxxxxxxxx>
> Subject: [isalist] Re: Strange Behaviour in ISA2006
>
> Been too busy to play with this much lately, basically I've been just
> waiting it out whenever it has happened, it eventually clears itself.  Just
> now it happened again though, and I happened to be logged into the ISA
> server at the time, so I did some packet captures in case someone asked for
> them.
>
> Otherwise, I have tested the DNS servers out pretty good, and the problem
> appears to be in the ISA server.  The internal servers cannot contact the
> forwarders, so they dish out responses until the cache times out and then
> start sending out host-not-found messages instead.  While this is going on,
> I can take a computer on the other side of our ISA server and connect to the
> DNS servers on the forwarders list, so I know they are alive and kicking,
> the DNS queries just are not passing through the ISA server.  As long as the
> computers know the IP address, they can continue to communicate through the
> ISA server, they just cannot look up any new addresses.
>
> I see a bunch of alerts saying "ISA Server detected an all port scan
> attack..." from the forwarders' IP addresses immediately prior to and during
> the problem.  I remember from a while back that this was a common message
> from DNS servers; would the ISA server block those IPs for a time in response
> to those scan attacks?
>
>
> From: Ball, Dan
> Sent: Thursday, November 06, 2008 12:52 PM
> To: 'isalist@xxxxxxxxxxxxx'
> Subject: RE: [isalist] Re: Strange Behaviour in ISA2006
>
> Yes, there are two DNS servers on the internal network that the ISA server
> is a part of.  All workstations (including the ISA server) are pointing to
> these two DNS servers, no external DNS servers are configured except as
> forwarders on those two DNS servers.  If any DNS request is made that is not
> part of the local network, they use forwarders to resolve the address from
> our ISP's DNS servers.
>
>
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jerry Young
> Sent: Thursday, November 06, 2008 12:36 PM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Strange Behaviour in ISA2006
>
> Or, you wouldn't happen to have entered DNS servers on both the internal
> and external interface connections in Windows on the ISA Server would you?
>
> Also, how do clients in your environment resolve internet-based DNS
> records?  Are DNS forwarders set up on your internal DNS servers or are you
> using some other method for resolving internet-based DNS records?
>
> Are the internal DNS servers part of the same internal network that your
> ISA Server sits on or do those internal queries pass through a router?
>
> You can troubleshoot this by directing nslookup to use specific DNS servers
> for each record test case.
>
> For example, if you wanted to query your internal DNS server for an
> external DNS record you could use:
>
> nslookup www.yahoo.com <Internal DNS Server>,
>
> Where <Internal DNS Server> is the IP address of your internal DNS server.
>
> To test against an external DNS server, you could use:
>
> nslookup www.yahoo.com <External DNS Server>,
>
> Where <External DNS Server> is the IP address of an external DNS server
> your environment uses (usually one provided by your carrier/ISP).
>
> On Thu, Nov 6, 2008 at 12:22 PM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
>
> The combination of forward access and server login sluggishness point
> squarely at DNS.
> Are you using the same DNS server to handle AD and external DNS queries?
>
> Jim
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Ball, Dan
> Sent: Thursday, November 06, 2008 8:30 AM
> To: 'isalist@xxxxxxxxxxxxx'
> Subject: [isalist] Strange Behaviour in ISA2006
>
>
> I've noticed an interesting behavior of my ISA2006 box, and was wondering
> if anyone would have an idea of what might be causing it...
>
> Periodically, browsing to websites (from our Intranet) becomes sluggish and
> we experience a lot of time-outs, sometimes it clears itself, but sometimes
> it gets worse.  Tracing this back, it appears to be a DNS-related issue, the
> names cannot be resolved correctly.  I've restarted the internal DNS servers
> when this happens, with little, if any improvement in performance.  So I log
> into the ISA server via Remote Desktop to see what is happening, the login
> takes significantly longer than usual, then right about the time I get
> logged in, everything works perfect again, so I cannot trace it.
>
> I thought it was a coincidence the first few times, but it has happened a
> couple of dozen times now and it is a definite pattern.  Once I log into the
> ISA server via Remote Desktop, it starts working again.  Any ideas?
>
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer
>
> All mail to and from this domain is scrutinized by GFI.
>
>
>
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer
>



-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
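
Added example, not part of the original thread: the telnet test quoted above exercises only TCP port 53, while nslookup sends its queries over UDP by default, so the two can fail independently. The Python below sends the same A-record query over both transports and reports whether a reply came back; the function names and the TXID value are made up for this illustration.

```python
import socket, struct, sys

TXID = 0x1A2B  # constructed transaction id, used to match reply to query

def build_query(name):
    """Minimal DNS query: one A/IN question, recursion desired."""
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.strip(".").split("."))
    return struct.pack(">HHHHHH", TXID, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack(">HH", 1, 1)

def parse_header(reply):
    """Return (rcode, answer_count, truncated) from a DNS reply header."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _, answers, _, _ = struct.unpack(">HHHHHH", reply[:12])
    if rid != TXID or not flags & 0x8000:
        raise ValueError("not a response to our query")
    return flags & 0x000F, answers, bool(flags & 0x0200)

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-reply")
        buf += chunk
    return buf

def probe(server, name, proto, timeout=3.0, port=53):
    """Send one query over 'udp' or 'tcp' and classify the outcome."""
    query = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.connect((server, port))  # connected UDP surfaces ICMP errors
                s.send(query)
                reply = s.recv(4096)
        else:  # DNS over TCP prefixes each message with a 2-byte length
            with socket.create_connection((server, port), timeout=timeout) as s:
                s.sendall(struct.pack(">H", len(query)) + query)
                size = struct.unpack(">H", _recv_exact(s, 2))[0]
                reply = _recv_exact(s, size)
        return "answered rcode=%d answers=%d tc=%s" % parse_header(reply)
    except socket.timeout:
        return "timeout"  # query sent, nothing came back
    except (OSError, ValueError) as exc:
        return "error: %s" % exc

if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, probe(sys.argv[1], sys.argv[2], proto))
```

Run it with the forwarder's IP address and a host name as arguments, once from an internal client and once from a machine outside the ISA server; "timeout" on the inside with "answered" on the outside matches the symptom described in the thread.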
