If it’s that easy to repro, you should get some captures from both ends of the connection. IOW, start Netmon on both ISA capturing both ISA networks and stop them after you get the repro state. This is either late traffic or packet loss resulting in trashed connections, which leads to bad connections.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Monday, April 26, 2010 6:40 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Outlook from VPN creates lots of denied tcp traffic

There are Cisco ASAs making the VPN connection on each end. The ISA 2006 is behind the end at the main office. The Ciscos are managed by the AT&T vendor and they claim they are working fine.

Thanks,
Amy Babinchak
Harbor Computer Services | 248-850-8616 | 248-890-1794
From iPhone w/Exchange

On Apr 26, 2010, at 8:30 PM, "Jim Harrison" <jim@xxxxxxxxxxxx> wrote:

Amy,

The consistent thing about those log entries (not_syn) is that they indicate one of two possibilities:

1. The connection between OL and the Exch server was half-closed and the other side continued trying to send traffic (not illegal, but definitely rude and ISA/TMG reject this)
2. The routing for this traffic is split (one path not through TMG) – this isn’t likely since you have a W2W connection – UNLESS you have a dual-link connection (some folks see this as “redundant”)

If you know you’re having other problems for this link, these log entries may simply be symptomatic.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak
Sent: Monday, April 26, 2010 17:08
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Outlook from VPN creates lots of denied tcp traffic

I’m seeing a lot of denied TCP traffic coming from machines running Outlook from the other side of our site-site VPN.
I’m pretty sure that we narrowed it down to only occurring when Outlook is open. Here’s a sample:

Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Authentication Server Client IP Log Time Destination IP Destination Port Protocol Action Rule Client Username Source Network Destination Network HTTP Method URL

192.168.200.18 FIREWALL - TCP - No - 192.168.200.23 45 00 00 28 2b 4a 40 00 80 06 8b 8a c0 a8 c8 12 c0 a8 fa 97 04 05 0e 2d 69 d5 e5 6d 5e fb 2f 39 50 11 fd 5c 7e d1 00 00 4/26/2010 11:52:32 PM 1029 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED 0x0 0x0 Firewall - 192.168.200.18 4/26/2010 7:52:32 PM 192.168.250.151 3629 Unidentified IP Traffic (TCP:3629) Denied Connection Internal Internal - -

192.168.200.18 FIREWALL - TCP - No - 192.168.200.23 45 00 00 28 2b 51 40 00 80 06 8b 83 c0 a8 c8 12 c0 a8 fa 97 00 87 0e 2c 11 ed 58 92 ee 89 fe b9 50 11 fb 88 09 d9 00 00 4/26/2010 11:52:32 PM 135 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED 0x0 0x0 Firewall - 192.168.200.18 4/26/2010 7:52:32 PM 192.168.250.151 3628 Unidentified IP Traffic (TCP:3628) Denied Connection Internal Internal - -

192.168.200.18 FIREWALL - TCP - No - 192.168.200.23 45 00 00 28 2b 54 40 00 80 06 8b 80 c0 a8 c8 12 c0 a8 fa 97 04 07 0e 2f 31 f6 a5 49 c0 6c 74 dd 50 10 fa 2c 52 ec 00 00 4/26/2010 11:52:34 PM 1031 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED 0x0 0x0 Firewall - 192.168.200.18 4/26/2010 7:52:34 PM 192.168.250.151 3631 Unidentified IP Traffic (TCP:3631) Denied Connection Internal Internal - -

192.168.200.18 FIREWALL - TCP - No - 192.168.200.23 45 00 00 28 2b 70 40 00 80 06 8b 64 c0 a8 c8 12 c0 a8 fa 97 00 87 0e 2c 11 ed 58 93 ee 89 fe b9 50 10 fb 88 09 d9 00 00 4/26/2010 11:52:38 PM 135 0 0 0 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED 0x0 0x0 Firewall - 192.168.200.18 4/26/2010 7:52:38 PM 192.168.250.151 3628 Unidentified IP Traffic (TCP:3628) Denied Connection Internal Internal - -

It will continue through a whole range of TCP ports. Pause for a while, Outlook will lose its connection to the server and then it starts up again and Outlook reconnects. It’s driving me crazy. Now, Outlook disconnecting and reconnecting could be something entirely different since this connection seems to be having other strange issues that we’re having AT&T look at. But I can turn these packets on and off by opening Outlook.

Ideas for cleaning this up?

Thanks,
Amy