Actually, I'd need to see the capture itself, although it seems pretty clear that: 1. There is another (NAT) device upstream from TMG (TMG IPAddr = 172.17.201.24; WebSvr IPAddr = 170.115.248.137) 2. The WebSvr failed the request (frame 452) From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore Sent: Friday, May 13, 2011 6:50 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Error 87 He's trying to download PDFs from a City of Philadelphia website. The URL is http://philadox.phila.gov/picris/servlet/ecs.servlet.DocServer. To get there, though, you have to have a username and password. I went there (using his credentials) and tried to download a PDF. I got the same error. I did the Netmon capture, as per your instructions. Below is the traffic between my computer and the remote server. Let me know what you see and if you need something more (like maybe the whole Netmon capture file, or this conversation in an Excel file, or anything else). 441 5/13/2011 9:34 1.225792 172.17.201.24 170.115.248.137 TCP TCP:Flags=......S., SrcPort=49490, DstPort=HTTP(80), PayloadLen=0, Seq=26693, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 {TCP:168, IPv4:167} 442 5/13/2011 9:34 1.226298 170.115.248.137 172.17.201.24 TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=49490, PayloadLen=0, Seq=3946482666, Ack=26694, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:168, IPv4:167} 443 5/13/2011 9:34 1.22644 172.17.201.24 170.115.248.137 TCP TCP:Flags=......S., SrcPort=49491, DstPort=HTTP(80), PayloadLen=0, Seq=705015745, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 {TCP:169, IPv4:167} 444 5/13/2011 9:34 1.226862 170.115.248.137 172.17.201.24 TCP TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=49491, PayloadLen=0, Seq=2744969049, Ack=705015746, Win=8192 ( Negotiated scale factor 0x8 ) = 2097152 {TCP:169, IPv4:167} 445 5/13/2011 9:34 1.227025 172.17.201.24 170.115.248.137 TCP TCP:Flags=...A...., SrcPort=49490, DstPort=HTTP(80), PayloadLen=0, Seq=26694, Ack=3946482667, Win=365 (scale factor 0x2) = 1460 {TCP:168, IPv4:167} 446 5/13/2011 9:34 1.228155 172.17.201.24 170.115.248.137 TCP TCP:Flags=...A...., SrcPort=49491, DstPort=HTTP(80), PayloadLen=0, Seq=705015746, Ack=2744969050, Win=365 (scale factor 0x2) = 1460 {TCP:169, IPv4:167} 447 5/13/2011 9:34 1.229617 172.17.201.24 170.115.248.137 HTTP HTTP:Request, POST /picris/servlet/ecs.servlet.DocServer {HTTP:170, TCP:169, IPv4:167} 452 5/13/2011 9:34 1.345096 170.115.248.137 172.17.201.24 HTTP HTTP:Response, HTTP/1.1, Status: Internal server error, URL: /picris/servlet/ecs.servlet.DocServer {HTTP:170, TCP:169, IPv4:167} 453 5/13/2011 9:34 1.345096 170.115.248.137 172.17.201.24 TCP TCP:[Continuation to #452]Flags=...A...., SrcPort=HTTP(80), DstPort=49491, PayloadLen=1460, Seq=2744970510 - 2744971970, Ack=705016330, Win=256 (scale factor 0x8) = 65536 {TCP:169, IPv4:167} 454 5/13/2011 9:34 1.346642 172.17.201.24 170.115.248.137 TCP TCP:Flags=...A...., SrcPort=49491, DstPort=HTTP(80), PayloadLen=0, Seq=705016330, Ack=2744971970, Win=16425 (scale factor 0x2) = 65700 {TCP:169, IPv4:167} 455 5/13/2011 9:34 1.346729 170.115.248.137 172.17.201.24 TCP TCP:[Continuation to #452]Flags=...AP..F, SrcPort=HTTP(80), DstPort=49491, PayloadLen=1330, Seq=2744971970 - 2744973301, Ack=705016330, Win=256 (scale factor 0x8) = 65536 {TCP:169, IPv4:167} 456 5/13/2011 9:34 1.348033 172.17.201.24 170.115.248.137 TCP TCP:Flags=...A...., SrcPort=49491, DstPort=HTTP(80), PayloadLen=0, Seq=705016330, Ack=2744973301, Win=16092 (scale factor 0x2) = 64368 {TCP:169, IPv4:167} 457 5/13/2011 9:34 1.348428 172.17.201.24 170.115.248.137 TCP TCP:Flags=...A...F, SrcPort=49491, DstPort=HTTP(80), PayloadLen=0, Seq=705016330, Ack=2744973301, Win=16092 (scale factor 0x2) = 64368 {TCP:169, IPv4:167} 458 5/13/2011 9:34 1.348518 170.115.248.137 172.17.201.24 TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=49491, PayloadLen=0, Seq=2744973301, Ack=705016331, Win=256 (scale factor 0x8) = 65536 {TCP:169, IPv4:167} From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Thursday, May 12, 2011 12:51 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Error 87 You should install Netmon 3.4 on the TMG and run it from an elevated cmd window using the following command: md c:\NetmonCaps nmcap /capture /network * /file c:\NetmonCaps\Capture.chn:100M ..before he runs the process to failure. This way, you'll be able to see the internal and external conversations as they happen. Wireshark can't do that... :) From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore Sent: Wednesday, May 11, 2011 10:28 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Error 87 OK, let me try to get the series of steps from the user. I just watched the console while he went through a series of clicks from his computer (remote to me) to get to the object he wanted to download. Once I have that, I'll post back. Thanks, Rob From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison Sent: Wednesday, May 11, 2011 11:10 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Re: Error 87 "87" is the result-code and it means something about the request or response failed to process correctly. You have to identify "what it is" first. What is the web site URL? From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Rob Moore Sent: Wednesday, May 11, 2011 6:56 AM To: isalist@xxxxxxxxxxxxx Subject: [isalist] Error 87 Using TMG Standard. Not caching, not using Firewall Client. I have a user trying to download a form from a City of Philadelphia website. It worked before we upgraded from ISA to TMG. Now when he tries to download the form, it fails. When I monitor his activity, I don't get a Result Code when it fails. All I get is an Action of "Failed Connection Attempt" and an HTTP Status Code of "87 The parameter is incorrect." What's going on? How can I work around this? Thanks, Rob -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Rob Moore Network Manager 215-241-7870 Helpdesk: 800-500-AFSC