[isalist] Re: Timeout issue driving me nuts...

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 17 Sep 2008 17:24:00 -0500

And since NetMon 3.2 was released today, it's easier and more fun than
ever!

 

Thomas W. Shinder, M.D., MCSE  ||  Sr. Consultant / Technical Writer

shinder@xxxxxxxxxxxxxxxxxxxxx  ||  www.prowessconsulting.com
<blocked::http://www.prowessconsulting.com/> 

Phone: (206) 443.1117 || Fax (206) 443.1119

Blog: http://blogs.isaserver.org/shinder  ||  Books: 
http://tinyurl.com/2gpoo8 

PROWESS CONSULTING  ||  documentation  ||  integration  ||
virtualization

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Wednesday, September 17, 2008 4:32 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Timeout issue driving me nuts...

 

It still comes down to the same thing; get a capture during the failing
event.

10060 is clear; when ISA requested Winsock to create a network
connection to 64.15.175.5 on TCP:443, the host at that IP address failed
to respond to the TCP handshake.  Winsock responded back to ISA with
"10060; no response" and ISA reported that to you.

 

You cannot resolve this without getting a capture of the failing event.

Get Netmon (or whatever you like for a netcap tool), run it on the ISA
and capture the traffic until the event recurs.

If you see the traffic heading for the remote host, but no responses,
it's time to check your network hardware or engage the ISP support
folks.

 

Until you get a capture that shows this behavior, it's all conjecture.

 

Jim

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Rogers
Sent: Wednesday, September 17, 2008 1:15 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Timeout issue driving me nuts...

 

Yep - it is, but I just happened to have that site error handy.
SalesForce gives the same type of errors.

 

Is it possible my DNS is messed up on the ISA server? The WAN to my ISP
did have their DNS IPs in the NIC IP Config. Are we supposed to leave
those blank so that the DNS request will go to the Internal DNS server
which in turn goes to the ISP DNS?

 

Our ISA server is setup as a DNS forwarder.

 

Tom Rogers
Systems Administrator
Schneider Packaging Equipment

________________________________

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or
entity to whom they are addressed.If you have received this email in
error please notify the system manager.
This message contains confidential information and is intended only for
the individual named. If you are not the
named addressee you should not disseminate, distribute or copy this
e-mail. Please notify the sender immediately
by e-mail if you have received this e-mail by mistake and delete this
e-mail from your system. If you are not the 
intended recipient you are notified that disclosing, copying,
distributing or taking any action in reliance on the 
contents of this information is strictly prohibited. 

P Please consider the environment before printing this email. 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Steve Moffat
Sent: Wednesday, September 17, 2008 4:06 PM
To: ISA Mailing List
Subject: [isalist] Re: Timeout issue driving me nuts...

 

Request: login.facebook.com:443

 

Facebook does that all  the time....anyway, I thought the dodgy site was
salesforce.com???

 

S

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Rogers
Sent: Wednesday, September 17, 2008 4:18 PM
To: ISA Mailing List
Subject: [isalist] Re: Timeout issue driving me nuts...

 

Here is an example of what I am getting when we get the timeout
issues...

 

 

Failed Connection Attempt

ISA 9/17/2008 3:14:37 PM

Log type: Web Proxy (Forward)

Status: 10060 A connection attempt failed because the connected party
did not properly respond after a period of time, or established
connection failed because connected host has failed to respond. 

Rule: Limited Outbound Access for all other protocols

Source: Internal (192.168.1.135)

Destination: External (64.15.175.5:443)

Request: login.facebook.com:443

Filter information: Req ID: 0e58c928; Compression: client=No, server=No,
compress rate=0% decompress rate=0%

Protocol: SSL-tunnel

        
User: DOMAIN\trogers

        
 Additional information 

1.                   Client agent: Mozilla/4.0 (compatible; MSIE 7.0;
Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)

2.       Object source: Internet (Source is the Internet. Object was
added to the cache.)

3.       Cache info: 0x0

4.       Processing time: 0 ms

5.                   MIME type: 

 

 

Tom Rogers
Systems Administrator
Schneider Packaging Equipment

________________________________

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or
entity to whom they are addressed.If you have received this email in
error please notify the system manager.
This message contains confidential information and is intended only for
the individual named. If you are not the
named addressee you should not disseminate, distribute or copy this
e-mail. Please notify the sender immediately
by e-mail if you have received this e-mail by mistake and delete this
e-mail from your system. If you are not the 
intended recipient you are notified that disclosing, copying,
distributing or taking any action in reliance on the 
contents of this information is strictly prohibited. 

P Please consider the environment before printing this email. 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jim Harrison
Sent: Tuesday, September 16, 2008 11:54 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Timeout issue driving me nuts...

 

These are frequently difficult to troubleshoot, but the good news is
that 99 times out of 10, the problem is external to ISA.

The first thing to note is the IP address ISA reports as failing to
accept a connection; 204.14.234.61.  

-          Is this the correct IP address for the destination site
(nslookup reports "na5-sjl.salesforce.com")?

-          Is this one of many IPs used for that site (I only find one)?

-          What do you find in the ISA logs around this event?

-          What do you find in the ISA event logs around this event?

-          What devices separate your ISA from the Internet (modem,
router, etc.)?

-          Can you get a capture at each point along the chain?

 

I've not found RR tier-1 support to be of much use; they're typically of
the "let's remove and reinstall TCP/IP" troubleshooting class.

If you can get an escalation to their networking team, you may be able
to get concurrent captures during the failure state.

 

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Tom Rogers
Sent: Tuesday, September 16, 2008 7:58 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Timeout issue driving me nuts...

 

I have one ISA server (2006 SP-1) on a W2K3 SP-2 box, and we are having
a random time out error on only one website. (SalesForce.com)

 

The error message is always this...

 

Technical Information (for Support personnel) Error Code: 504 Proxy
Timeout. The connection timed out. (10060) IP Address: 204.14.234...61

Date: 9/16/2008 2:29:24 PM [GMT]

Server: isa.local.NET

Source: proxy 

 

I though I had it figured out, as an employee from Colorado was VPN'ing
in and using SalesForce.com through our internal network instead of his
own ISP, but he is no longer doing that and we still have the timeout
occurring. Salesforce.com's tech support has basically washed their
hands of it and said it is our ISA 2006 server. My Web Proxy timeout is
set to 1800 seconds - that's 30 minutes so it should never have a
timeout issue.

 

We run on RoadRunner's business class service with 7mbps download, 2mbps
upload (theoretical speed).

 

I don't know where to turn from here. Can anyone help me troubleshoot
this issue? We don't have this issue with any other websites through ISA
2006. 

 

Is there a user friendly reader for the ISA web and fw log files? Is
there a tool to see who or what is taking how much bandwidth at a time?

 

TIA,

 

Tom Rogers
Systems Administrator
Schneider Packaging Equipment

________________________________

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or
entity to whom they are addressed.If you have received this email in
error please notify the system manager.
This message contains confidential information and is intended only for
the individual named. If you are not the
named addressee you should not disseminate, distribute or copy this
e-mail. Please notify the sender immediately
by e-mail if you have received this e-mail by mistake and delete this
e-mail from your system. If you are not the 
intended recipient you are notified that disclosing, copying,
distributing or taking any action in reliance on the 
contents of this information is strictly prohibited. 

P Please consider the environment before printing this email.

PNG image

Other related posts:

  1. Home
  2. isalist
  3. Archive
  4. 09-2008