RE: Live log query question

• From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Thu, 19 Jan 2006 08:23:38 -0800

The registry funkicity? 
No - that's separate (and odd).

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------
 

-----Original Message-----
From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Thursday, January 19, 2006 07:45
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Live log query question

http://www.ISAserver.org

Not yet but once on-site today if there is no change after adding the PMTU 
registry that will be the next step.

BTW, I assume this has nothing to do with the other problem I sent, correct?

John T
eServices For You


> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Thursday, January 19, 2006 7:00 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Live log query question
> 
> http://www.ISAserver.org
> 
> No worries, although it does make problem description a bit unusual.
> For instance, HTTP is pretty much dependent on TCP since it has no 
> inherent traffic management built in.
> 
> Whether the app uses HTTP or merely uses port 80 is significant.
> Can you get a capture of a session?
> 
> --------------------------------------------
> Jim Harrison
> MCP(NT4, W2K), A+, Network+, PCG
> http://isaserver.org/Jim_Harrison/
> http://isatools.org
> Read the help / books / articles!
> --------------------------------------------
> -----Original Message-----
> From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, January 19, 2006 12:28 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Live log query question
> 
> http://www.ISAserver.org
> 
> My terminology as it relates the network protocol stack has always 
> been weak and in need of study.
> 
> The app is using TCP as opposed to UDP, and per the destination server 
> configuration (meaning dictated by the 3rd party) is configured to use 
> port 80, although I do not know specifically if in the app it is coded 
> to use port 80 or configured to use the HTTP protocol.
> 
> Made the change to the EnablePMTUDiscover after making sure 896060 was 
> installed.
> 
> I will see what happens Thursday.
> 
> John T
> eServices For You
> 
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Wednesday, January 18, 2006 4:34 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Live log query question
> >
> > http://www.ISAserver.org
> >
> > Er..
> > "..winsock app using TCP over HTTP.." is essentially meaningless.
> > Do you mean an "HTTP-abusive app"?
> > Unlike ISA, the sonicwall (i.e., "wall of noise") isn't inspecting
> anything beyond L3 in
> > the traffic (if that).
> > It's possible that ISA is rejecting part of the traffic, but you
> haven't
> sent any log data
> > to that effect (have you looked?).
> >
> > Verify:
> >
> HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDisc
> ov
> ery
> > == 0x1 (or missing altogether)
> > ..if you have to change (or delete) it, you'll need to reboot the 
> > ISA
> server.
> >
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> > Sent: Wednesday, January 18, 2006 15:13
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Live log query question
> >
> > http://www.ISAserver.org
> >
> > No, no alert on connection limit, which is what I was wondering.
> >
> > More information:
> >
> > This is a winsock app using TCP over HTTP
> >
> > App formats query for each part and sends request. (Initiated
> connection
> > line)
> > Request is received, packets are accepted and verified and 
> > information
> is
> reviewed. If
> > all there and correct, the app then "closes" the connection by 
> > issuing
> a
> closesocket
> > command which is defined as "Private Declare Function 
> > api_closesocket
> Lib
> > "ws2_32.dll" Alias "closesocket" (ByVal s As Long) As Long" and then
> cycles to go to
> > the next part number.
> >
> > What I did was have the user only do 5 part numbers. I watched in 
> > live
> query and saw
> > 5 Initiated connection each about 1 second apart. He then said it
> finished
> and he
> > closed that window since it was only a test. However, the live query
> did
> not show the
> > Closed connection until 42 seconds after the first Initiated
> connection
> and until 60
> > seconds after the 4 subsequent initiated connections.
> >
> > Another user that is behind a Sonicwall TELE3 was able to complete a
> query
> of 75 part
> > numbers with no problem.
> >
> > So, if the destination server was some how keeping the individual
> connections open, I
> > should have seen an alert about exceeding number of connections in
> ISA,
> correct? But
> > I did not.
> >
> > Correction now is that yes I had him do another test and this time 
> > he
> got
> to around
> > the 27th part number and then froze. At that point, yes there was an
> error
> about
> > exceeding the number of connections. Before he was not getting that
> far.
> >
> > So, ISA is seeing the connection as open until apparently a time out.
> So
> either the
> > destination is keeping it open or it is not getting or accepting the
> client close
> > connection command.
> >
> > John T
> > eServices For You
> >
> >
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Wednesday, January 18, 2006 2:14 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Live log query question
> > >
> > > http://www.ISAserver.org
> > >
> > > Take a look in your alerts; do you see recent connection limits 
> > > for that
> > client?
> > >
> > >
> > > -------------------------------------------------------
> > >    Jim Harrison
> > >    MCP(NT4, W2K), A+, Network+, PCG
> > >    http://isaserver.org/Jim_Harrison/
> > >    http://isatools.org
> > >    Read the help / books / articles!
> > > -------------------------------------------------------
> > >
> > >
> > > -----Original Message-----
> > > From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> > > Sent: Wednesday, January 18, 2006 14:08
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] Live log query question
> > >
> > > http://www.ISAserver.org
> > >
> > > I am working on a problem for a client.
> > >
> > > ISA 2004 Standard.
> > > Windows Server 2003 Standard.
> > > Logging to log files.
> > >
> > > Program:
> > > Makes a XML request to a server on the Internet over HTTP. The
> request
> > > is
> > for stock
> > > and price on a part number.
> > >
> > > If the user configures it for a couple lines of part numbers, 
> > > there
> is
> > > no
> > problem.
> > >
> > > A user is trying to run a batch of say 25 part numbers.
> > >
> > > The request is sent for part 1 and a response is received. A 
> > > request is
> > then made for
> > > part 2 and a response is received.
> > >
> > > What is happening is after several part request and received, it
> will
> > freeze on a
> > > request.
> > >
> > > View the live query, I see a line for each connection and under 
> > > action, it
> > says Initiated
> > > connection. As soon as the program freezes, I start seeing on each 
> > > line
> > for the
> > > connection under action Closed connection.
> > >
> > > Is this a restriction/configuration on ISA some where that it is
> maybe
> > limiting the
> > > number of connection strings from the client IP, or is it more
> likely
> > > a
> > restrict the
> > > destination server has?
> > >
> > > John T
> > > eServices For You
> > >
> > >
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: 
> > > http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: 
> > > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
> as:
> > jim@xxxxxxxxxxxx
> > > To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > > All mail to and from this domain is GFI-scanned.
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: 
> > > http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: 
> > > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
> as:
> > > johnlist@xxxxxxxxxxxxxxxxxxx
> > > To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> > To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > All mail to and from this domain is GFI-scanned.
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > johnlist@xxxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> johnlist@xxxxxxxxxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
jim@xxxxxxxxxxxx To unsubscribe visit 
http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx

All mail to and from this domain is GFI-scanned.

Other related posts:

• » Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question

1. Home
2. isalist
3. Archive
4. 01-2006

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---