RE: Live log query question

• From: "John T \(Lists\)" <johnlist@xxxxxxxxxxxxxxxxxxx>
• To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
• Date: Thu, 19 Jan 2006 00:28:17 -0800

My terminology as it relates the network protocol stack has always been weak
and in need of study.

The app is using TCP as opposed to UDP, and per the destination server
configuration (meaning dictated by the 3rd party) is configured to use port
80, although I do not know specifically if in the app it is coded to use
port 80 or configured to use the HTTP protocol.

Made the change to the EnablePMTUDiscover after making sure 896060 was
installed.

I will see what happens Thursday.

John T
eServices For You


> -----Original Message-----
> From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> Sent: Wednesday, January 18, 2006 4:34 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Live log query question
> 
> http://www.ISAserver.org
> 
> Er..
> "..winsock app using TCP over HTTP.." is essentially meaningless.
> Do you mean an "HTTP-abusive app"?
> Unlike ISA, the sonicwall (i.e., "wall of noise") isn't inspecting
anything beyond L3 in
> the traffic (if that).
> It's possible that ISA is rejecting part of the traffic, but you haven't
sent any log data
> to that effect (have you looked?).
> 
> Verify:
>
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\EnablePMTUDiscovery
> == 0x1 (or missing altogether)
> ..if you have to change (or delete) it, you'll need to reboot the ISA
server.
> 
> -------------------------------------------------------
>    Jim Harrison
>    MCP(NT4, W2K), A+, Network+, PCG
>    http://isaserver.org/Jim_Harrison/
>    http://isatools.org
>    Read the help / books / articles!
> -------------------------------------------------------
> 
> 
> -----Original Message-----
> From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> Sent: Wednesday, January 18, 2006 15:13
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Live log query question
> 
> http://www.ISAserver.org
> 
> No, no alert on connection limit, which is what I was wondering.
> 
> More information:
> 
> This is a winsock app using TCP over HTTP
> 
> App formats query for each part and sends request. (Initiated connection
> line)
> Request is received, packets are accepted and verified and information is
reviewed. If
> all there and correct, the app then "closes" the connection by issuing a
closesocket
> command which is defined as "Private Declare Function api_closesocket Lib
> "ws2_32.dll" Alias "closesocket" (ByVal s As Long) As Long" and then
cycles to go to
> the next part number.
> 
> What I did was have the user only do 5 part numbers. I watched in live
query and saw
> 5 Initiated connection each about 1 second apart. He then said it finished
and he
> closed that window since it was only a test. However, the live query did
not show the
> Closed connection until 42 seconds after the first Initiated connection
and until 60
> seconds after the 4 subsequent initiated connections.
> 
> Another user that is behind a Sonicwall TELE3 was able to complete a query
of 75 part
> numbers with no problem.
> 
> So, if the destination server was some how keeping the individual
connections open, I
> should have seen an alert about exceeding number of connections in ISA,
correct? But
> I did not.
> 
> Correction now is that yes I had him do another test and this time he got
to around
> the 27th part number and then froze. At that point, yes there was an error
about
> exceeding the number of connections. Before he was not getting that far.
> 
> So, ISA is seeing the connection as open until apparently a time out. So
either the
> destination is keeping it open or it is not getting or accepting the
client close
> connection command.
> 
> John T
> eServices For You
> 
> 
> > -----Original Message-----
> > From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
> > Sent: Wednesday, January 18, 2006 2:14 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Live log query question
> >
> > http://www.ISAserver.org
> >
> > Take a look in your alerts; do you see recent connection limits for
> > that
> client?
> >
> >
> > -------------------------------------------------------
> >    Jim Harrison
> >    MCP(NT4, W2K), A+, Network+, PCG
> >    http://isaserver.org/Jim_Harrison/
> >    http://isatools.org
> >    Read the help / books / articles!
> > -------------------------------------------------------
> >
> >
> > -----Original Message-----
> > From: John T (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
> > Sent: Wednesday, January 18, 2006 14:08
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] Live log query question
> >
> > http://www.ISAserver.org
> >
> > I am working on a problem for a client.
> >
> > ISA 2004 Standard.
> > Windows Server 2003 Standard.
> > Logging to log files.
> >
> > Program:
> > Makes a XML request to a server on the Internet over HTTP. The request
> > is
> for stock
> > and price on a part number.
> >
> > If the user configures it for a couple lines of part numbers, there is
> > no
> problem.
> >
> > A user is trying to run a batch of say 25 part numbers.
> >
> > The request is sent for part 1 and a response is received. A request
> > is
> then made for
> > part 2 and a response is received.
> >
> > What is happening is after several part request and received, it will
> freeze on a
> > request.
> >
> > View the live query, I see a line for each connection and under
> > action, it
> says Initiated
> > connection. As soon as the program freezes, I start seeing on each
> > line
> for the
> > connection under action Closed connection.
> >
> > Is this a restriction/configuration on ISA some where that it is maybe
> limiting the
> > number of connection strings from the client IP, or is it more likely
> > a
> restrict the
> > destination server has?
> >
> > John T
> > eServices For You
> >
> >
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> jim@xxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > All mail to and from this domain is GFI-scanned.
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > johnlist@xxxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> All mail to and from this domain is GFI-scanned.
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> johnlist@xxxxxxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx

Other related posts:

• » Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question
• » RE: Live log query question

1. Home
2. isalist
3. Archive
4. 01-2006

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---