[isalist] Re: Outlook from VPN creates lots of denied tcp traffic

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 27 Apr 2010 02:10:13 +0000

If it’s that easy to repro, you should get some craptures from both ends of the 
connection.
IOW, start Netmon on both ISA capturing both ISA networks and stop them after 
you get the repro state.
This is either late traffic or packet loss resulting in trashed connections, 
which leads to bad connections.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
Sent: Monday, April 26, 2010 6:40 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Outlook from VPN creates lots of denied tcp traffic

There are Cisco ASAs making the VPN connection on each end. The ISA 2006 is 
behind the end at the main office. The Ciscos are managed by the AT&T vendor 
and they claim they are working fine.

Thanks,

Amy Babinchak

Harbor Computer Services | 248-850-8616 | 248-890-1794

From iPhone w/Exchange


On Apr 26, 2010, at 8:30 PM, "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:
Amy,

The consistent thing about those log entries (not_syn) is that they indicate 
one of two possibilities:

1. The connection between OL and the Exch server was half-closed and the 
other side continued trying to send traffic (not illegal, but definitely rude 
and ISA/TMG reject this)

2. The routing for this traffic is split (one path not through TMG) – this 
isn’t likely since you have a W2W connection – UNLESS you have a dual-link 
connection (some folks see this as “redundant”)

If you know you’re having other problems for this link, these log entries may 
simply be symptomatic.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Amy Babinchak
Sent: Monday, April 26, 2010 17:08
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Outlook from VPN creates lots of denied tcp traffic

I’m seeing a lot of denied TCP traffic coming from machines running Outlook 
from the other side of our site-to-site VPN. I’m pretty sure that we narrowed 
it down to only occurring when Outlook is open.
Here’s a sample:

Fields common to all four entries: Original Client IP 192.168.200.18, Service 
FIREWALL, Transport TCP, Bidirectional No, Network Interface 192.168.200.23, 
Processing Time 0, Bytes Sent 0, Bytes Received 0, Result Code 0xc0040017 
FWX_E_TCP_NOT_SYN_PACKET_DROPPED, HTTP Status Code 0x0, Cache Information 0x0, 
Log Record Type Firewall, Client IP 192.168.200.18, Destination IP 
192.168.250.151, Action Denied Connection, Source Network Internal, 
Destination Network Internal. All other columns are blank or "-".

   GMT Log Time           Log Time              Source Port  Destination Port  Protocol
1  4/26/2010 11:52:32 PM  4/26/2010 7:52:32 PM  1029         3629              Unidentified IP Traffic (TCP:3629)
2  4/26/2010 11:52:32 PM  4/26/2010 7:52:32 PM  135          3628              Unidentified IP Traffic (TCP:3628)
3  4/26/2010 11:52:34 PM  4/26/2010 7:52:34 PM  1031         3631              Unidentified IP Traffic (TCP:3631)
4  4/26/2010 11:52:38 PM  4/26/2010 7:52:38 PM  135          3628              Unidentified IP Traffic (TCP:3628)

Raw IP Header
1  45 00 00 28 2b 4a 40 00 80 06 8b 8a c0 a8 c8 12 c0 a8 fa 97 04 05 0e 2d 69 d5 e5 6d 5e fb 2f 39 50 11 fd 5c 7e d1 00 00
2  45 00 00 28 2b 51 40 00 80 06 8b 83 c0 a8 c8 12 c0 a8 fa 97 00 87 0e 2c 11 ed 58 92 ee 89 fe b9 50 11 fb 88 09 d9 00 00
3  45 00 00 28 2b 54 40 00 80 06 8b 80 c0 a8 c8 12 c0 a8 fa 97 04 07 0e 2f 31 f6 a5 49 c0 6c 74 dd 50 10 fa 2c 52 ec 00 00
4  45 00 00 28 2b 70 40 00 80 06 8b 64 c0 a8 c8 12 c0 a8 fa 97 00 87 0e 2c 11 ed 58 93 ee 89 fe b9 50 10 fb 88 09 d9 00 00

It will continue through a whole range of TCP ports. Pause for a while, Outlook 
will lose its connection to the server and then it starts up again and Outlook 
reconnects. It’s driving me crazy. Now, Outlook disconnecting and reconnecting 
could be something entirely different since this connection seems to be having 
other strange issues that we’re having AT&T look at. But I can turn these 
packets on and off by opening Outlook. Ideas for cleaning this up?

Thanks,

Amy
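The Raw IP Header column in the log sample above carries the complete IPv4 and TCP headers of each dropped packet, so the not_syn verdict can be checked against the packet itself rather than inferred. The script below is an added example, not code from the thread; it decodes the four header values from the sample and reports addresses, ports, TCP flags, payload length and whether the IP header checksum validates.

```python
import struct

# The four Raw IP Header values from the log sample above: a 20-byte IPv4 header
# followed by a 20-byte TCP header (Total Length 0x0028 = 40, so no payload).
SAMPLE_HEADERS = [
    "45 00 00 28 2b 4a 40 00 80 06 8b 8a c0 a8 c8 12 c0 a8 fa 97 04 05 0e 2d 69 d5 e5 6d 5e fb 2f 39 50 11 fd 5c 7e d1 00 00",
    "45 00 00 28 2b 51 40 00 80 06 8b 83 c0 a8 c8 12 c0 a8 fa 97 00 87 0e 2c 11 ed 58 92 ee 89 fe b9 50 11 fb 88 09 d9 00 00",
    "45 00 00 28 2b 54 40 00 80 06 8b 80 c0 a8 c8 12 c0 a8 fa 97 04 07 0e 2f 31 f6 a5 49 c0 6c 74 dd 50 10 fa 2c 52 ec 00 00",
    "45 00 00 28 2b 70 40 00 80 06 8b 64 c0 a8 c8 12 c0 a8 fa 97 00 87 0e 2c 11 ed 58 93 ee 89 fe b9 50 10 fb 88 09 d9 00 00",
]
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))

def ip_checksum(header: bytes) -> int:
    """RFC 791 ones-complement sum; returns 0 when the stored header checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode_raw_ip_header(hex_field: str) -> dict:
    """Decode one ISA 'Raw IP Header' field (IPv4 + TCP headers) into its key fields."""
    raw = bytes.fromhex(hex_field.replace(" ", ""))
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:
        raise ValueError("not TCP (IP protocol %d)" % raw[9])
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[ihl:ihl + 14])
    flags = off_flags & 0x3F
    return {
        "src": src, "dst": dst, "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": [name for bit, name in TCP_FLAGS if flags & bit],
        "payload_len": total_len - ihl - (off_flags >> 12) * 4,
        "ip_checksum_ok": ip_checksum(raw[:ihl]) == 0,
        # ISA/TMG creates connection state only on an initial SYN; any other segment
        # matching no existing connection is logged as FWX_E_TCP_NOT_SYN_PACKET_DROPPED.
        "is_initial_syn": flags == 0x02,
    }

def summarize(hex_field: str) -> str:
    d = decode_raw_ip_header(hex_field)
    return "%s:%d -> %s:%d [%s] payload=%d ipcksum=%s" % (
        d["src"], d["sport"], d["dst"], d["dport"], "|".join(d["flags"]),
        d["payload_len"], "ok" if d["ip_checksum_ok"] else "BAD")

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(summarize(h))
```

On the sample, all four decode as zero-payload FIN/ACK or ACK segments with valid checksums, sent from ports 135, 1029 and 1031 on 192.168.200.18 toward 192.168.250.151, with entry 4 acknowledging the same data as entry 2 one sequence number later; that is the half-closed connection case from Jim's first point, not a routing split.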


