RE: Live log query question

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 23 Jan 2006 07:51:30 -0600

Hi John,

Most likely SSL sites, right?

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
> Sent: Monday, January 23, 2006 12:28 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Live log query question
> 
> http://www.ISAserver.org
> 
> An overdue update.
> 
> I changed the concurrent connection limits for the default to 50 (it was 40,
> although I thought I read it by default should be 160) and then created a
> computer set for the sales department and configured their concurrent
> connection limit to 200. That got them to work and surprise, a couple of
> other websites that they were having problems with now worked.
> 
> So, for some reason, the connection in ISA is remaining open until it times
> out after 60 seconds.
> 
> So, a NetMon capture is the next step. However, I am poor at reading NetMon
> captures.
> 
> John T
> eServices For You
> 
> 
> > -----Original Message-----
> > From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> > Sent: Thursday, January 19, 2006 7:45 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Live log query question
> > 
> > Not yet but once on-site today if there is no change after adding the PMTU
> > registry that will be the next step.
> > 
> > BTW, I assume this has nothing to do with the other problem I sent,
> > correct?
> > 
> > John T
> > eServices For You
> > 
> > 
> > > -----Original Message-----
> > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > Sent: Thursday, January 19, 2006 7:00 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Live log query question
> > >
> > > No worries, although it does make problem description a bit unusual.
> > > For instance, HTTP is pretty much dependent on TCP since it has no
> > > inherent traffic management built in.
> > >
> > > Whether the app uses HTTP or merely uses port 80 is significant.
> > > Can you get a capture of a session?
> > >
> > > --------------------------------------------
> > > Jim Harrison
> > > MCP(NT4, W2K), A+, Network+, PCG
> > > http://isaserver.org/Jim_Harrison/
> > > http://isatools.org
> > > Read the help / books / articles!
> > > --------------------------------------------
> > > -----Original Message-----
> > > From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> > > Sent: Thursday, January 19, 2006 12:28 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: Live log query question
> > >
> > > My terminology as it relates to the network protocol stack has always been
> > > weak and in need of study.
> > >
> > > The app is using TCP as opposed to UDP, and per the destination server
> > > configuration (meaning dictated by the 3rd party) is configured to use
> > > port 80, although I do not know specifically if in the app it is coded to
> > > use port 80 or configured to use the HTTP protocol.
> > >
> > > Made the change to the EnablePMTUDiscovery after making sure 896060 was
> > > installed.
> > >
> > > I will see what happens Thursday.
> > >
> > > John T
> > > eServices For You
> > >
> > >
> > > > -----Original Message-----
> > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > Sent: Wednesday, January 18, 2006 4:34 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Live log query question
> > > >
> > > > Er..
> > > > "..winsock app using TCP over HTTP.." is essentially meaningless.
> > > > Do you mean an "HTTP-abusive app"?
> > > > Unlike ISA, the sonicwall (i.e., "wall of noise") isn't inspecting
> > > > anything beyond L3 in the traffic (if that).
> > > > It's possible that ISA is rejecting part of the traffic, but you haven't
> > > > sent any log data to that effect (have you looked?).
> > > >
> > > > Verify:
> > > >
> > > > HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
> > > > == 0x1 (or missing altogether)
> > > > ..if you have to change (or delete) it, you'll need to reboot the ISA
> > > > server.
> > > >
> > > > -------------------------------------------------------
> > > >    Jim Harrison
> > > >    MCP(NT4, W2K), A+, Network+, PCG
> > > >    http://isaserver.org/Jim_Harrison/
> > > >    http://isatools.org
> > > >    Read the help / books / articles!
> > > > -------------------------------------------------------
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> > > > Sent: Wednesday, January 18, 2006 15:13
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Live log query question
> > > >
> > > > No, no alert on connection limit, which is what I was wondering.
> > > >
> > > > More information:
> > > >
> > > > This is a winsock app using TCP over HTTP
> > > >
> > > > App formats query for each part and sends request. (Initiated connection
> > > > line)
> > > > Request is received, packets are accepted and verified and information is
> > > > reviewed. If all there and correct, the app then "closes" the connection
> > > > by issuing a closesocket command which is defined as "Private Declare
> > > > Function api_closesocket Lib "ws2_32.dll" Alias "closesocket" (ByVal s As
> > > > Long) As Long" and then cycles to go to the next part number.
> > > >
> > > > What I did was have the user only do 5 part numbers. I watched in live
> > > > query and saw 5 Initiated connection each about 1 second apart. He then
> > > > said it finished and he closed that window since it was only a test.
> > > > However, the live query did not show the Closed connection until 42
> > > > seconds after the first Initiated connection and until 60 seconds after
> > > > the 4 subsequent initiated connections.
> > > >
> > > > Another user that is behind a Sonicwall TELE3 was able to complete a
> > > > query of 75 part numbers with no problem.
> > > >
> > > > So, if the destination server was somehow keeping the individual
> > > > connections open, I should have seen an alert about exceeding number of
> > > > connections in ISA, correct? But I did not.
> > > >
> > > > Correction now is that yes I had him do another test and this time he got
> > > > to around the 27th part number and then froze. At that point, yes there
> > > > was an error about exceeding the number of connections. Before he was not
> > > > getting that far.
> > > >
> > > > So, ISA is seeing the connection as open until apparently a time out. So
> > > > either the destination is keeping it open or it is not getting or
> > > > accepting the client close connection command.
> > > >
> > > > John T
> > > > eServices For You
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > > > > Sent: Wednesday, January 18, 2006 2:14 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] RE: Live log query question
> > > > >
> > > > > Take a look in your alerts; do you see recent connection limits for
> > > > > that client?
> > > > >
> > > > >
> > > > > -------------------------------------------------------
> > > > >    Jim Harrison
> > > > >    MCP(NT4, W2K), A+, Network+, PCG
> > > > >    http://isaserver.org/Jim_Harrison/
> > > > >    http://isatools.org
> > > > >    Read the help / books / articles!
> > > > > -------------------------------------------------------
> > > > >
> > > > >
> > > > > -----Original Message-----
> > > > > From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> > > > > Sent: Wednesday, January 18, 2006 14:08
> > > > > To: [ISAserver.org Discussion List]
> > > > > Subject: [isalist] Live log query question
> > > > >
> > > > > I am working on a problem for a client.
> > > > >
> > > > > ISA 2004 Standard.
> > > > > Windows Server 2003 Standard.
> > > > > Logging to log files.
> > > > >
> > > > > Program:
> > > > > Makes an XML request to a server on the Internet over HTTP. The request
> > > > > is for stock and price on a part number.
> > > > >
> > > > > If the user configures it for a couple lines of part numbers, there is
> > > > > no problem.
> > > > >
> > > > > A user is trying to run a batch of say 25 part numbers.
> > > > >
> > > > > The request is sent for part 1 and a response is received. A request is
> > > > > then made for part 2 and a response is received.
> > > > >
> > > > > What is happening is after several part request and received, it will
> > > > > freeze on a request.
> > > > >
> > > > > Viewing the live query, I see a line for each connection and under
> > > > > action, it says Initiated connection. As soon as the program freezes, I
> > > > > start seeing on each line for the connection under action Closed
> > > > > connection.
> > > > >
> > > > > Is this a restriction/configuration on ISA somewhere that it is maybe
> > > > > limiting the number of connection strings from the client IP, or is it
> > > > > more likely a restriction the destination server has?
> > > > >
> > > > > John T
> > > > > eServices For You
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > ------------------------------------------------------
> > > > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > > ------------------------------------------------------
> > > > > > Visit TechGenix.com for more information about our other sites:
> > > > > > http://www.techgenix.com
> > > > > > ------------------------------------------------------
> > > > > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > > > > jim@xxxxxxxxxxxx
> > > > > > To unsubscribe visit
> > > > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > >
> > > > > All mail to and from this domain is GFI-scanned.
> > > > >
> > > > >
> > > > > ------------------------------------------------------
> > > > > List Archives: 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > ISA Server Newsletter: 
> http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ: 
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > ------------------------------------------------------
> > > > > Visit TechGenix.com for more information about our 
> other sites:
> > > > > http://www.techgenix.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org 
> Discussion List
> > > as:
> > > > > johnlist@xxxxxxxxxxxxxxxxxxx
> > > > > To unsubscribe visit
> > > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: 
> http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: 
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org 
> Discussion List as:
> > > jim@xxxxxxxxxxxx
> > > > To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >
> > > > All mail to and from this domain is GFI-scanned.
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: 
> http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: 
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org 
> Discussion List as:
> > > > johnlist@xxxxxxxxxxxxxxxxxxx
> > > > To unsubscribe visit
> > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: 
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: 
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org 
> Discussion List as:
> > > jim@xxxxxxxxxxxx
> > > To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> > > All mail to and from this domain is GFI-scanned.
> > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: 
> http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: 
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org 
> Discussion List as:
> > > johnlist@xxxxxxxxxxxxxxxxxxx
> > > To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org 
> Discussion List as:
> > johnlist@xxxxxxxxxxxxxxxxxxx
> > To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
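
The behaviour discussed in this thread (one connection per part number, about one second apart, each one still counted as open by the firewall until a 60-second timeout, against a per-client limit of 40) can be modelled as follows. This is an added example, not part of the original messages and not ISA Server code or its log format; the event tuples, the client address and the rule that a refused connection never counts as open are assumptions.

```python
from collections import defaultdict

CLIENT = "192.0.2.25"  # constructed client address (documentation range)

def simulate_batch(requests, interval_s, linger_s):
    """Constructed events: one connection per part number, opened every
    interval_s seconds, seen as closed by the firewall linger_s later."""
    events = []
    for conn_id in range(1, requests + 1):
        t = (conn_id - 1) * interval_s
        events.append((t, CLIENT, conn_id, "Initiated"))
        events.append((t + linger_s, CLIENT, conn_id, "Closed"))
    # At equal timestamps, process closes before opens.
    return sorted(events, key=lambda e: (e[0], e[3] != "Closed"))

def analyze(events, limit):
    """Per client: peak concurrent connections and the first (time, conn_id)
    refused because `limit` connections were already open (None if never)."""
    open_ids = defaultdict(set)
    result = defaultdict(lambda: {"peak": 0, "first_refused": None})
    for t, client, conn_id, action in events:
        conns, stats = open_ids[client], result[client]
        if action == "Closed":
            conns.discard(conn_id)  # refused connections were never open
        elif len(conns) >= limit:
            if stats["first_refused"] is None:
                stats["first_refused"] = (t, conn_id)
        else:
            conns.add(conn_id)
            stats["peak"] = max(stats["peak"], len(conns))
    return dict(result)

if __name__ == "__main__":
    lingering = simulate_batch(75, 1, 60)   # close seen only at the timeout
    prompt = simulate_batch(75, 1, 0.5)     # close seen right away
    for label, events, limit in [
        ("60 s linger, limit 40 ", lingering, 40),
        ("60 s linger, limit 200", lingering, 200),
        ("prompt close, limit 40", prompt, 40),
    ]:
        print(label, analyze(events, limit)[CLIENT])
```

In this model a batch on an otherwise idle client is first refused at connection 41; any other connections the same client already holds open lower that number.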

