[isalist] Re: Strange Behaviour in ISA2006

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 5 Mar 2009 19:18:34 -0600

Oh yeah, there is that :)

 

____________________________________________

TOM SHINDER   |   Sr. Consultant/Technical Writer 
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx


5701 Sixth Avenue South   |   Seattle, WA 98108  
PROWESS   |   WWW.PROWESSCORP.COM <http://www.prowesscorp.com/> 

____________________________________________

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Amy Babinchak
Sent: Thursday, March 05, 2009 7:01 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange Behaviour in ISA2006

 

You've got FIOS too. The rest of us are jealous.

 

thanks,

 

Amy Babinchak

 

Harbor Computer Services | 248-850-8616

 

Mobile 248-890-1794

Web   http://www.harborcomputerservices.net
<http://www.harborcomputerservices.net/> 

Client Blog   http://smalltechnotes.blogspot.com
<http://smalltechnotes.blogspot.com/> 

Tech Blog   http://securesmb.harborcomputerservices.net
<http://securesmb.harborcomputerservices.net/> 

 

Buy My House: http://www.shannonrealty.com/vassar_mls_tour.html

 

Are you an IT Pro?  http://www.thirdtier.net <http://www.thirdtier.net/>


 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Thomas W Shinder
Sent: Thursday, March 05, 2009 7:56 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange Behaviour in ISA2006

 

That's because your ISPs are so small in .bm that there is no
performance advantage to using them. I get a 3ms response time from my
forwards at Verizon and it does make a difference in end user perceived
Web performance.

 

____________________________________________

TOM SHINDER   |   Sr. Consultant/Technical Writer 
206.443.1117   |   SHINDER@xxxxxxxxxxxxxxx


5701 Sixth Avenue South   |   Seattle, WA 98108  
PROWESS   |   WWW.PROWESSCORP.COM <http://www.prowesscorp.com/> 

____________________________________________

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Thursday, March 05, 2009 6:40 PM
To: ISA Mailing List
Subject: [isalist] Re: Strange Behaviour in ISA2006

 

I have never ever used forwarders and never had 1 DNS issue at all
ever...

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Thursday, March 05, 2009 4:14 PM
To: ISA Mailing List
Subject: [isalist] Re: Strange Behaviour in ISA2006

 

No, I have not tried it yet... I remember there was a serious debate on
this list a few years ago whether using only root servers was beneficial
or not, and I believe it ended in a stalemate.  Since then, I have not
revisited that issue.  Besides, if I have four forwarders and all of
them lock out my ISA server, what benefit would I get from having every
root server on the Internet block me other than global recognition?   I
believe I have a problem with something on my network that is flooding
the forwarders and causing them to lock me out, so by changing to the
root servers I'm only reducing the effect, not fixing the problem.

 

In any case, I've been spending my time lately partitioning out my
internal network so I can try to isolate the issue some more.   The
sheer volume of traffic here makes it difficult to find the culprit(s)
with the little time I have to spend on it.

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Thursday, February 26, 2009 4:29 PM
To: ISA Mailing List
Subject: [isalist] Re: Strange Behaviour in ISA2006

 

Too easy....

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Crockett, Gregory
Sent: Thursday, February 26, 2009 4:25 PM
To: ISA Mailing List
Subject: [isalist] Re: Strange Behaviour in ISA2006

 

Have you tried deleting your forwarders and use just the DNS root
servers?  

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Thursday, February 26, 2009 1:26 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Strange Behaviour in ISA2006

 

Yep, when contacting all of our normal forwarders, I get query refused.
When I changed to the Verizon DNS server, the query went through.
Something is definitely causing our DNS forwarding servers to start
blocking us for a period of time.  

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Friday, February 13, 2009 6:40 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Strange Behaviour in ISA2006

 

That was from behind the ISA server, from in front of it the same DNS
responds fine.  Trying to figure out why the DNS servers stop responding
to requests coming from the ISA server.   I'll try the Verizon server
next time to see if that will pass through.

 

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jerry Young
Sent: Wednesday, February 11, 2009 10:40 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange Behaviour in ISA2006

 

Did you do this from in front or behind the ISA Server?

 

The query refused response indicates the DNS server chose not to respond
to your query; that's got nothing to do with ISA, I don't think.

 

The most common cause of a query refusal that I've run across is when a
secondary DNS server can't pull updates from the primary DNS server (for
some reason the zone transfer failed) and so shuts down the zone.

 

Try using the DNS server 4.2.2.2 (Verizon) the next time to see if that
box also exhibits the same query refused response.

On Tue, Feb 10, 2009 at 9:17 AM, Ball, Dan <DBall@xxxxxxxxxxx> wrote:

Okay, was able to run some tests today during a DNS outage.

 

Telnet to DNS server, connected okay.

 

Using NSLOOKUP interactively gave the response of "Query refused" on
each of the forwarders.

 

Any further testing was cut short because I logged into the ISA server
via RDP and, like usual, the situation cleared immediately.

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Friday, January 30, 2009 2:01 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Re: Strange Behaviour in ISA2006

 

Yes, the computer I put on the "outside" is on the same sub-net as the
ISA server is.   

 

Thanks, your input has given me a much shorter list of things to test
the next time this occurs.

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jerry Young
Sent: Thursday, January 29, 2009 3:19 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange Behaviour in ISA2006

 

If telnet isn't working but yet you're seeing it pass through the ISA
server, it seems more likely that some kind of asymmetric route is in
play - this can occasionally occur with bad BGP routes between peers.

 

When you put a client on the outside of the ISA server, is it in the
same external network that the ISA server is?

On Thu, Jan 29, 2009 at 3:05 PM, Ball, Dan <DBall@xxxxxxxxxxx> wrote:

I did try to telnet, and that didn't work, and I did try nslookup with
manually configuring multiple servers, they all timed out.  I don't
think I tried manually setting a DNS server that wasn't one of our
normal ones though,  so I'll have to try that next time.  

 

As for routing, the DNS traffic makes it to the ISA server and goes out
to the Internet, I can see it in the logs, it just doesn't seem to come
back.

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jerry Young
Sent: Thursday, January 29, 2009 2:02 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange Behaviour in ISA2006

 

Dan,

 

From the clients on the inside of the ISA Server try the following
command.

 

telnet <dns server ip address> 53

 

Does that work?

 

If it does, try the following:

 

nslookup www.yahoo.com <dns server ip address>

 

Does that work?

 

If not, try using nslookup interactively and see what kind of error
message you get when you attempt to set the server to the DNS server IP
address.

 

Since this is happening intermittently, it may actually be a network
routing issue as opposed to an ISA server issue.  I don't know what kind
of topology you have in place on the inside of your ISA server but do
take a look at that.

On Thu, Jan 29, 2009 at 1:53 PM, Ball, Dan <DBall@xxxxxxxxxxx> wrote:

http://www.ISAserver.org
-------------------------------------------------------

It seems to happen no matter what DNS servers I put in as forwarders,
and we cannot function without them (need to get DNS resolution
somehow!).


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Crockett, Gregory
Sent: Tuesday, January 27, 2009 2:30 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange Behaviour in ISA2006


What happens should you kill your ISP DNS servers as forwarders?  I have
never used our ISP's DNS servers as forwarders.

Sent from mobile outlook.

-----Original Message-----
From: Ball, Dan <DBall@xxxxxxxxxxx>
Sent: Tuesday, January 27, 2009 1:12 PM
To: 'isalist@xxxxxxxxxxxxx' <isalist@xxxxxxxxxxxxx>
Subject: [isalist] Re: Strange Behaviour in ISA2006

Been too busy to play with this much lately, basically I've been just
waiting it out whenever it has happened, it eventually clears itself.
Just now it happened again though, and I happened to be logged into the
ISA server at the time, so I did some packet captures in case someone
asked for them.

Otherwise, I have tested the DNS servers out pretty good, and the
problem appears to be in the ISA server.  The internal servers cannot
contact the forwarders, so they dish out responses until the cache times
out and then start sending out host-not-found messages instead.  While
this is going on, I can take a computer on the other side of our ISA
server and connect to the DNS servers on the forwarders list, so I know
they are alive and kicking, the DNS queries just are not passing through
the ISA server.  As long as the computers know the IP address, they can
continue to communicate through the ISA server, they just cannot look up
any new addresses.

I see a bunch of alerts saying "ISA Server detected an all port scan
attack..." from the forwarders IPs addresses immediately prior to and
during the problem.  I remember from awhile back that this was a common
message from DNS server, would the ISA server block those IPs for a time
in response to those scan attacks?


From: Ball, Dan
Sent: Thursday, November 06, 2008 12:52 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: RE: [isalist] Re: Strange Behaviour in ISA2006

Yes, there are two DNS servers on the internal network that the ISA
server is a part of.  All workstations (including the ISA server) are
pointing to these two DNS servers, no external DNS servers are configured
except as forwarders on those two DNS servers.  If any DNS request is
made that is not part of the local network, they use forwarders to
resolve the address from our ISP's DNS servers.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jerry Young
Sent: Thursday, November 06, 2008 12:36 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange Behaviour in ISA2006

Or, you wouldn't happen to have entered DNS servers on both the internal
and external interface connections in Windows on the ISA Server would
you?

Also, how do clients in your environment resolve internet-based DNS
records?  Are DNS forwarders set up on your internal DNS servers or are
you using some other method for resolving internet-based DNS records?

Are the internal DNS servers part of the same internal network that your
ISA Server sits on or do those internal queries pass through a router?

You can troubleshoot this by directing nslookup to use specific DNS
servers for each record test case.

For example, if you wanted to query your internal DNS server for an
external DNS record you could use:

nslookup www.yahoo.com <Internal DNS Server>

Where <Internal DNS Server> is the IP address of your internal DNS
server.

To test against an external DNS server, you could use:

nslookup www.yahoo.com <External DNS Server>

Where <External DNS Server> is the IP address of an external DNS server
your environment uses (usually one provided by your carrier/ISP).
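The telnet and nslookup steps Jerry describes here and in his January 29 reply make a distinction that matters for this thread: a "Query refused" is a real answer from the resolver (DNS RCODE 5, REFUSED), whereas Dan's original symptom, queries that "just don't seem to come back", is a timeout with no packet at all. The script below, an added example and not code from anyone on the list, does the same checks in a machine-readable way: a TCP connect to port 53 (what `telnet <server> 53` tests), and a single UDP A query whose reply header is decoded so the RCODE is reported by name. The server addresses in the `__main__` block are assumptions (192.0.2.53 stands in for one of Dan's forwarders; 4.2.2.2 is the outside resolver Jerry suggests), and the REFUSED reply it parses offline is constructed inline.

```python
"""Probe a resolver the way the thread's telnet/nslookup steps do, but report
the outcome by name: NOERROR / REFUSED / SERVFAIL / ... or TIMEOUT.
Added example, not from the original thread; server IPs are assumptions."""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}
QUERY_ID = 0x1234  # fixed transaction id so replies can be matched below


def build_query(name, txn_id=QUERY_ID, qtype=1):
    """Build a recursive-desired A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_response(data, expect_id=None):
    """Decode a reply header; return (rcode_name, answer_count)."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    txn_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if expect_id is not None and txn_id != expect_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode), an


def probe_udp(server, name, timeout=3.0):
    """One UDP query; 'TIMEOUT' means no packet came back at all."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "TIMEOUT", 0
    finally:
        sock.close()
    return parse_response(data, expect_id=QUERY_ID)


def probe_tcp(server, timeout=3.0):
    """Equivalent of 'telnet <server> 53': is the port reachable?"""
    try:
        with socket.create_connection((server, 53), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed reply (not captured traffic): what a resolver that has decided not
# to serve this client sends back for 'example.com' A.  Flags 0x8185 = QR=1,
# RD=1, RA=1, RCODE=5 (REFUSED); the question is echoed, no answer records.
CONSTRUCTED_REFUSED = (
    struct.pack("!HHHHHH", QUERY_ID, 0x8185, 1, 0, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    print(parse_response(CONSTRUCTED_REFUSED, expect_id=QUERY_ID))  # ('REFUSED', 0)
    # Assumed addresses: a forwarder from the internal DNS servers' list,
    # then the outside resolver suggested in the thread.
    for server in ("192.0.2.53", "4.2.2.2"):
        print(server, "tcp/53 reachable:", probe_tcp(server),
              "udp query:", probe_udp(server, "www.yahoo.com"))
```

Run it from a client behind the ISA server and from a host on the ISA server's external subnet; a resolver that answers REFUSED from one side and NOERROR from the other is applying policy to the source address it sees, while TIMEOUT on one side with TCP/53 still reachable points at the return path rather than the resolver.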
On Thu, Nov 6, 2008 at 12:22 PM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

The combination of forward access and server login sluggishness point
squarely at DNS.
Are you using the same DNS server to handle AD and external DNS queries?

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ball, Dan
Sent: Thursday, November 06, 2008 8:30 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Strange Behaviour in ISA2006


I've noticed an interesting behavior of my ISA2006 box, and was
wondering if anyone would have an idea of what might be causing it...

Periodically, browsing to websites (from our Intranet) becomes sluggish
and we experience a lot of time-outs, sometimes it clears itself, but
sometimes it gets worse.  Tracing this back, it appears to be a
DNS-related issue, the names cannot be resolved correctly.  I've
restarted the internal DNS servers when this happens, with little, if
any improvement in performance.  So I log into the ISA server via Remote
Desktop to see what is happening, the login takes significantly longer
than usual, then right about the time I get logged in, everything works
perfect again, so I cannot trace it.

I thought it was a coincidence the first few times, but it has happened
a couple of dozen times now and it is a definite pattern.  Once I log
into the ISA server via Remote Desktop, it starts working again.  Any
ideas?

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx





--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer

All mail to and from this domain is scrutinized by GFI.

