RE: Live log query question

• From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
• To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
• Date: Wed, 18 Jan 2006 19:44:12 -0600

I thought all HTTP was over TCP? ;-()

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
> Sent: Wednesday, January 18, 2006 6:34 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Live log query question
> 
> http://www.ISAserver.org
> 
> Er..
> "..winsock app using TCP over HTTP.." is essentially meaningless.
> Do you mean an "HTTP-abusive app"?
> Unlike ISA, the sonicwall (i.e., "wall of noise") isn't 
> inspecting anything beyond L3 in the traffic (if that).
> It's possible that ISA is rejecting part of the traffic, but 
> you haven't sent any log data to that effect (have you looked?).
> 
> Verify:
> HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Enable
> PMTUDiscovery == 0x1 (or missing altogether)
> ..if you have to change (or delete) it, you'll need to reboot 
> the ISA server.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
>  
> 
> -----Original Message-----
> From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
> Sent: Wednesday, January 18, 2006 15:13
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Live log query question
> 
> http://www.ISAserver.org
> 
> No, no alert on connection limit, which is what I was wondering.
> 
> More information:
> 
> This is a winsock app using TCP over HTTP
> 
> App formats query for each part and sends request. (Initiated 
> connection
> line)
> Request is received, packets are accepted and verified and 
> information is reviewed. If all there and correct, the app 
> then "closes" the connection by issuing a closesocket command 
> which is defined as "Private Declare Function api_closesocket 
> Lib "ws2_32.dll" Alias "closesocket" (ByVal s As Long) As 
> Long" and then cycles to go to the next part number.
> 
> What I did was have the user only do 5 part numbers. I 
> watched in live query and saw 5 Initiated connection each 
> about 1 second apart. He then said it finished and he closed 
> that window since it was only a test. However, the live query 
> did not show the Closed connection until 42 seconds after the 
> first Initiated connection and until 60 seconds after the 4 
> subsequent initiated connections.
> 
> Another user that is behind a Sonicwall TELE3 was able to 
> complete a query of 75 part numbers with no problem. 
> 
> So, if the destination server was some how keeping the 
> individual connections open, I should have seen an alert 
> about exceeding number of connections in ISA, correct? But I did not.
> 
> Correction now is that yes I had him do another test and this 
> time he got to around the 27th part number and then froze. At 
> that point, yes there was an error about exceeding the number 
> of connections. Before he was not getting that far.
> 
> So, ISA is seeing the connection as open until apparently a 
> time out. So either the destination is keeping it open or it 
> is not getting or accepting the client close connection command.
> 
> John T
> eServices For You
> 
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Wednesday, January 18, 2006 2:14 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Live log query question
> > 
> > http://www.ISAserver.org
> > 
> > Take a look in your alerts; do you see recent connection limits for 
> > that
> client?
> > 
> > 
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> > 
> > 
> > -----Original Message-----
> > From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> > Sent: Wednesday, January 18, 2006 14:08
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Live log query question
> > 
> > http://www.ISAserver.org
> > 
> > I am working on a problem for a client.
> > 
> > ISA 2004 Standard.
> > Windows Server 2003 Standard.
> > Logging to log files.
> > 
> > Program:
> > Makes a XML request to a server on the Internet over HTTP. 
> The request 
> > is
> for stock
> > and price on a part number.
> > 
> > If the user configures it for a couple lines of part 
> numbers, there is 
> > no
> problem.
> > 
> > A user is trying to run a batch of say 25 part numbers.
> > 
> > The request is sent for part 1 and a response is received. 
> A request 
> > is
> then made for
> > part 2 and a response is received.
> > 
> > What is happening is after several part request and 
> received, it will
> freeze on a
> > request.
> > 
> > View the live query, I see a line for each connection and under 
> > action, it
> says Initiated
> > connection. As soon as the program freezes, I start seeing on each 
> > line
> for the
> > connection under action Closed connection.
> > 
> > Is this a restriction/configuration on ISA some where that 
> it is maybe
> limiting the
> > number of connection strings from the client IP, or is it 
> more likely 
> > a
> restrict the
> > destination server has?
> > 
> > John T
> > eServices For You
> > 
> > 
> > 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org 
> Discussion List as:
> jim@xxxxxxxxxxxx
> > To unsubscribe visit 
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> > 
> > All mail to and from this domain is GFI-scanned.
> > 
> > 
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org 
> Discussion List as:
> > johnlist@xxxxxxxxxxxxxxxxxxx
> > To unsubscribe visit 
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: jim@xxxxxxxxxxxx To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion 
> List as: tshinder@xxxxxxxxxxxxxxxxxx
> To unsubscribe visit 
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 

Other related posts:

• » Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question

1. Home
2. isalist
3. Archive
4. 01-2006

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---