[isalist] Re: Strange Behaviour in ISA2006

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "'isalist@xxxxxxxxxxxxx'" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 27 Jan 2009 14:11:18 -0500

Been too busy to play with this much lately, basically I've been just waiting 
it out whenever it has happened, it eventually clears itself.  Just now it 
happened again though, and I happened to be logged into the ISA server at the 
time, so I did some packet captures in case someone asked for them.

Otherwise, I have tested the DNS servers out pretty good, and the problem 
appears to be in the ISA server.  The internal servers cannot contact the 
forwarders, so they dish out responses until the cache times out and then start 
sending out host-not-found messages instead.  While this is going on, I can 
take a computer on the other side of our ISA server and connect to the DNS 
servers on the forwarders list, so I know they are alive and kicking, the DNS 
queries just are not passing through the ISA server.  As long as the computers 
know the IP address, they can continue to communicate through the ISA server, 
they just cannot look up any new addresses.

I see a bunch of alerts saying "ISA Server detected an all port scan attack..." 
from the forwarders' IP addresses immediately prior to and during the problem.  
I remember from a while back that this was a common message from DNS server, 
would the ISA server block those IPs for a time in response to those scan 
attacks?


From: Ball, Dan
Sent: Thursday, November 06, 2008 12:52 PM
To: 'isalist@xxxxxxxxxxxxx'
Subject: RE: [isalist] Re: Strange Behaviour in ISA2006

Yes, there are two DNS servers on the internal network that the ISA server is a 
part of.  All workstations (including the ISA server) are pointing to these 
two DNS servers, no external DNS servers are configured except as forwarders on 
those two DNS servers.  If any DNS request is made that is not part of the 
local network, they use forwarders to resolve the address from our ISP's DNS 
servers.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Thursday, November 06, 2008 12:36 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Strange Behaviour in ISA2006

Or, you wouldn't happen to have entered DNS servers on both the internal and 
external interface connections in Windows on the ISA Server would you?

Also, how do clients in your environment resolve internet-based DNS records?  
Are DNS forwarders set up on your internal DNS servers or are you using some 
other method for resolving internet-based DNS records?

Are the internal DNS servers part of the same internal network that your ISA 
Server sits on or do those internal queries pass through a router?

You can troubleshoot this by directing nslookup to use specific DNS servers for 
each record test case.

For example, if you wanted to query your internal DNS server for an external 
DNS record you could use:

nslookup www.yahoo.com <Internal DNS Server>,

Where <Internal DNS Server> is the IP address of your internal DNS server.

To test against an external DNS server, you could use:

nslookup www.yahoo.com <External DNS Server>,

Where <External DNS Server> is the IP address of an external DNS server your 
environment uses (usually one provided by your carrier/ISP).

On Thu, Nov 6, 2008 at 12:22 PM, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
http://www.ISAserver.org
-------------------------------------------------------

The combination of forward access and server login sluggishness points squarely 
at DNS.
Are you using the same DNS server to handle AD and external DNS queries?

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Ball, Dan
Sent: Thursday, November 06, 2008 8:30 AM
To: 'isalist@xxxxxxxxxxxxx'
Subject: [isalist] Strange Behaviour in ISA2006


I've noticed an interesting behavior of my ISA2006 box, and was wondering if 
anyone would have an idea of what might be causing it...

Periodically, browsing to websites (from our Intranet) becomes sluggish and we 
experience a lot of time-outs, sometimes it clears itself, but sometimes it 
gets worse.  Tracing this back, it appears to be a DNS-related issue, the names 
cannot be resolved correctly.  I've restarted the internal DNS servers when 
this happens, with little, if any improvement in performance.  So I log into 
the ISA server via Remote Desktop to see what is happening, the login takes 
significantly longer than usual, then right about the time I get logged in, 
everything works perfect again, so I cannot trace it.

I thought it was a coincidence the first few times, but it has happened a 
couple of dozen times now and it is a definite pattern.  Once I log into the 
ISA server via Remote Desktop, it starts working again.  Any ideas?

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx





--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
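
The nslookup comparison suggested in the thread, scripted so the same names are asked of each internal DNS server and of each forwarder directly, with a timestamp per query that can be lined up against the ISA alert times. This is an added example, not part of the original messages; it assumes a Windows host with the Resolve-DnsName cmdlet (Windows 8 / Server 2012 or later), and the server addresses and the second test name are placeholders.

```powershell
# Added example. Server addresses are placeholders (documentation ranges);
# replace them with your own internal DNS servers and ISP forwarders.
$InternalDns = @('192.0.2.10', '192.0.2.11')
$Forwarders  = @('198.51.100.1', '198.51.100.2')
# Names to resolve. An internal DNS server can still answer from its cache, so
# include at least one name nobody on the network has looked up recently.
$Names = @('www.yahoo.com', 'www.example.org')

function Test-DnsServer {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Role
    )
    $row = [ordered]@{
        Time   = (Get-Date).ToString('s')   # for matching against ISA alert times
        Role   = $Role
        Server = $Server
        Name   = $Name
        Result = 'FAIL'
        Detail = ''
    }
    try {
        # -DnsOnly and -NoHostsFile keep this to a plain DNS query sent to $Server.
        $answer = Resolve-DnsName -Name $Name -Server $Server -Type A `
                  -DnsOnly -NoHostsFile -ErrorAction Stop
        $row.Result = 'OK'
        $row.Detail = ($answer | Where-Object { $_.Type -eq 'A' } |
                       ForEach-Object { $_.IPAddress }) -join ', '
    }
    catch {
        # Timeouts, server failures and name-not-found all land here; keep the text.
        $row.Detail = $_.Exception.Message
    }
    [pscustomobject]$row
}

$results = foreach ($n in $Names) {
    foreach ($s in $InternalDns) { Test-DnsServer -Name $n -Server $s -Role 'internal' }
    foreach ($s in $Forwarders)  { Test-DnsServer -Name $n -Server $s -Role 'forwarder' }
}
$results | Format-Table -AutoSize
```

Run it during an outage from a host behind the ISA server and again from a host on the other side. Forwarder rows that succeed only from the outside host while the internal rows fail match the situation described in the top message, where the forwarders are up but queries are not passing through the ISA server.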
