[isalist] Re: Serious Problems Now
- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
- To: <isalist@xxxxxxxxxxxxx>
- Date: Sat, 8 Apr 2006 14:01:47 -0500
Hi Ray,
You need to remember that 99.987587% of the time, its not an ISA
firewall problem, its something else. While its common to make the ISA
firewall the 'sin eater' for everyone elses' problems, it just ain't the
case.
That's way you need to do some troubleshooting to figure out what's
going on. I have the same problems with network connectivity from time
to time, but I don't start with the ISA firewall, I start with the
problem. Then I use tools like:
* nslookup (in interactive mode)
* ping
* pathping
* tracert with and without -d switch
* ISA firewall logs
* Network Monitor (or any other packet tracer)
* ISA Alerts
* Event Viewer
* ISA firewall BPA
* Telnet
First step is to try to replicate the problem. Then check the ISA
firewall logs to see what they report regarding the problem. Make sure
you're logging for all fields in the Web proxy and Firewall logs
If the ISA firewall logs show that the ISA firewall isn't blocking the
connection, then you need to figure out where in the request/response
path the connections are being blocked.
Is it a name resolution problem?
Is it a black hole router?
Is is a router loop somewhere in the path?
Is it a link failure at the ISP?
Is it a link failure of your CPE?
Is a bad switch or switch port?
Is it a bad internal router?
Is it a hardware problem on the ISA firewall device?
Is it a bad cable to a network switch, router or ISA firewall?
Is it network at 100% network utilization problem? (and if so, why?
Worms? Warez?)
Is it a problem with the ISP's Web proxy (if they're using one)
Is it a link failure for a major provider (akamai, etc)?
Is it client problem?
Is it an authentication problem?
Is it a Group Policy problem?
That's just a short list of things to consider before considering a
problem with the ISA firewall software/configuration. Its one thing if
something never worked, but when things have worked fine before, and
then they stop working,
BTW -- what's "winproxy" is it this? http://www.winproxy.com/
HTH,
Tom
Thomas W Shinder, M.D.
Site: www.isaserver.org <http://www.isaserver.org/>
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls
________________________________
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Ray Dzek
Sent: Saturday, April 08, 2006 12:50 PM
To: isalist@xxxxxxxxxxxxx
Subject: RE: [isalist] Re: Serious Problems Now
I may be a little "Andrew-ish" at this point. Last week I had a
perfectly functional ISA server. This week, I don't know what I have.
First, we lost HTTPS connections. We still have no idea why. We
previously did not have winproxy applied to https. The fix was to apply
winproxy, restart the services, and then un-apply it again and restart
services. The failure was such that secure NAT would not accept HTTPS
at all. You would simply get a time out. No error was being generated
in the logs, other than a "failure". No error codes, no nothing. This
wasted 2 days of my time.
So since we were tearing into ISA anyway, it seemed like a good
time to catch up on service packs for the OS and ISA. I had not seen
anything on the list to make me think this would be a bad thing. And in
most cases it makes little problems go away. I was wrong.
As explained earlier, Marketing was launching a new series of
podcasts. When we applied SP2, that broke iTunes which generated
another post to the list.
Next on the list was a series of stupid user tricks for which
ISA was blamed because after the first and second problem nobody trusted
ISA to be working properly any longer. This wasted another 2 days.
So that brings me to my "Andrew" day. I claimed 1/2 the
internet was not working. I was actually pretty close. The issue was,
and still is for some sites that You can go to site www.some.site with
no problems. But if you click on a link on that site, it breaks and
goes nowhere. So my.yahoo.com with all the news feeds, for instance.
The page would load fine, but if you clicked on one of the new items, it
would just time out. You can't log into Yahoo mail, msn mail etc. The
links from my RSS feeds would not work. All other protocols seem to
work fine. Skype, IM, streaming radio, email, etc. It appears to be
directly related to http redirects, but I am not sure.
I have a pretty good relationship with our upstream ISP's. I
use IM with the NOC on a regular basis with some of the techs there. As
it turns out, one of the ISP's had started getting customer complaints
about the same issue. So the issue on my "Andrew" day is probably not
ISA related. But after the week I have already had, ISA was about to be
replaced with a Linux iptables script. I am working with both ISP's
right now to see if we can isolate the trouble. One of the ISP's is
reporting errors on one of the T3's, but I can't see how a T3
transmission error could only block http redirects. But who knows...
BTW... did you hear the joke about the user that wrote to a
firewall support list and asked how to open a port?
I hope you all are enjoying your Saturday.
________________________________
From: isalist-bounce@xxxxxxxxxxxxx on behalf of Jim Harrison
Sent: Fri 4/7/2006 5:12 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Serious Problems Now
http://www.ISAserver.org
-------------------------------------------------------
C'mon, Ray - you're starting to sound like Andrew now.
"Half the Internet"?
-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Ray Dzek
Sent: Friday, April 07, 2006 5:07 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Serious Problems Now
So .. SP2.. What the hell am I supposed to do now?
Half the internet does not work.
I can go to www.yahoo.com, but if you try to open yahoo mail
from your
my yahoo page, it just hangs.
In the logs I see Initiated Connection then Closed Connection
over and
over. The traffic is not being denied. Error is 0x0
I can't get to slashdot rss feeds, etc
I can seem to get to a standard www page, but anything with
extended
cookies or redirects or whatever seems to die.
Any suggestions besides spend the weekend rebuilding this thing?
I
noticed that SP2 has no uninstall. How nice.
Ray Dzek
Net Ops / Helpdesk Supervisor
Specialized Bicycle Components
All mail to and from this domain is GFI-scanned.
------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
Other related posts:
