RE: Changed i-net facing IP and now OWA is broken.

  • From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 27 Dec 2005 10:34:35 -0800

This message is quite clear; the ISA is receiving an ICMP "destination
unreachable" from the upstream router.

What this usually means is that the ISA server's routing table is
buggered.
I also suspect that you haven't updated the ISA configuration to support
your new deployment.
Is this a multi- or single-net deployment?

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------
-----Original Message-----
From: Ray Dzek [mailto:Ray.Dzek@xxxxxxxxxxxxxxx] 
Sent: Tuesday, December 27, 2005 10:04 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Changed i-net facing IP and now OWA is broken.

http://www.ISAserver.org

More info...

We changed the outside IP from a public IP to a private IP (192.168.3.5)
because we were going to place the ISA behind ASA5510.  This didn't work
and was ultimately deemed unnecessary and so the decision was made to
change the IP back to a public IP in the new IP range.  So in the logs I
am still seeing the 192.168.3.5 address.  

From the browser:

Error Code: 500 Internal Server Error. Internet Control Message Protocol
(ICMP) network is unreachable. For more information about this event,
see ISA Server Help. (10051)  

From the logs:
ISA     2005-12-27      05:32:46        TCP     216.139.18.35:2435
216.139.27.21:443       216.139.18.35   External        Local Host
Establish       0x0     -       HTTPS   0       0       0       0
-       -       -       -       -       -       507     43280
ISA     2005-12-27      05:32:46        TCP     216.139.18.35:2434
216.139.27.21:443       216.139.18.35   External        Local Host
Terminate       0x80074e21      -       HTTPS   1031    1031    3647
3647    2000    2000    -       -       -       -       507     43279
ISA     2005-12-27      05:32:46        TCP     216.139.18.35:2434
216.139.27.21:443       216.139.18.35   External        Local Host
Denied  0xc0040017      -       HTTPS   0       0       0       0
-       -       -       -       -       -       0       0
ISA     2005-12-27      05:32:46        TCP     216.139.18.35:2434
216.139.27.21:443       216.139.18.35   External        Local Host
Denied  0xc0040017      -       HTTPS   0       0       0       0
-       -       -       -       -       -       0       0
ISA     2005-12-27      05:32:46        TCP     216.139.18.35:2435
216.139.27.21:443       216.139.18.35   External        Local Host
Terminate       0x80074e21      -       HTTPS   996     996     3647
3647    -       -       -       -       -       -       507     43280
ISA     2005-12-27      05:32:46        TCP     216.139.18.35:2437
216.139.27.21:443       216.139.18.35   External        Local Host
Establish       0x0     -       HTTPS   0       0       0       0
-       -       -       -       -       -       507     43281

216.139.18.35   anonymous       MSRPC   N       2005-12-27      05:32:44
W3ReverseProxy  ISA     -       owa.specialized.com     216.139.27.21
443     1       309     2320    https   RPC_IN_DATA
http://owa.specialized.com:443/rpc/rpcproxy.dll?exchange.specialized.com
:6002   Inet    10051   OWA RPC HTTPS   -       External        -
0xa40   Failed
216.139.18.35   anonymous       MSRPC   N       2005-12-27      05:32:44
W3ReverseProxy  ISA     -       owa.specialized.com     216.139.27.21
443     1       454     2320    https   RPC_OUT_DATA
http://owa.specialized.com:443/rpc/rpcproxy.dll?exchange.specialized.com
:6002   Inet    10051   OWA RPC HTTPS   -       External        -
0xa40   Failed
216.139.18.35   anonymous       MSRPC   N       2005-12-27      05:32:44
W3ReverseProxy  ISA     -       owa.specialized.com     216.139.27.21
443     1       309     2320    https   RPC_IN_DATA
http://owa.specialized.com:443/rpc/rpcproxy.dll?exchange.specialized.com
:6001   Inet    10051   OWA RPC HTTPS   -       External        -
0xa40   Failed
216.139.18.35   anonymous       MSRPC   N       2005-12-27      05:32:44
W3ReverseProxy  ISA     -       owa.specialized.com     216.139.27.21
443     1       454     2320    https   RPC_OUT_DATA
http://owa.specialized.com:443/rpc/rpcproxy.dll?exchange.specialized.com
:6001   Inet    10051   OWA RPC HTTPS   -       External        -
0xa40   Failed


-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Tuesday, December 27, 2005 8:19 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Changed i-net facing IP and now OWA is broken.

http://www.ISAserver.org

Ok - we're getting there.
"failed" is important, but ultimately useless without the actual error
code.
Can you provide the whole log snip?

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Ray Dzek [mailto:Ray.Dzek@xxxxxxxxxxxxxxx]
Sent: Monday, December 26, 2005 11:40 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Changed i-net facing IP and now OWA is broken.

http://www.ISAserver.org

Roger that...

The BGP implemetation was simply the reason for having to change the
outside IP address.  I realize BGP has nothing in of itself to cause OWA
and RPC over HTTPS to stop working.  As stated, in/out web traffic,
other published servers are working fine.  The problem seems specific to
OWA and RPC over HTTPS.

ERROR: Failed Connection Attempt
Rule: OWA RPC HTTPS

Which makes sense.  The request is dying in the rule.  But I don't know
why.  Should I yank it out and re-publish the rules?

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Monday, December 26, 2005 10:42 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Changed i-net facing IP and now OWA is broken.

http://www.ISAserver.org

Hm..
ISA doesn't "do" BGP, OSPF, RIP or F2F.
Maybe you could add some details like:
*exact* user experience
ISA log excerpts for this traffic

--------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
--------------------------------------------

-----Original Message-----
From: Ray Dzek [mailto:Ray.Dzek@xxxxxxxxxxxxxxx]
Sent: Monday, December 26, 2005 8:02 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Changed i-net facing IP and now OWA is broken.

http://www.ISAserver.org

We implemented BGP today (yippee for us) and I was able to get almost
everything up and running.  But both OWA publishing rules are not
working.  RPC over HTTPS, and OWA both will not work.  I changed the owa
web and certificate listenters to the new IP address but its still being
cranky.  Any ideas?
 
Thanks!
 


Ray Dzek
Net Ops / Helpdesk Supervisor
Specialized Bicycle Components 

 
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
ray.dzek@xxxxxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
ray.dzek@xxxxxxxxxxxxxxx To unsubscribe visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.



Other related posts: