Had a major slowdown of all web traffic this morning, so I logged into the ISA server and checked out the logs. There was a large amount of NetBIOS traffic being logged, so I captured several seconds of it from the firewall log, and restarted the server. The problem has since disappeared. Here are two entries that kept repeating themselves: Original Client IP Client Agent Authenticated Client Service Server Name Referring Server Destination Host Name Transport MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload Source Port Processing Time Bytes Sent Bytes Received Result Code HTTP Status Code Cache Information Error Information Log Record Type Log Time Destination IP Destination Port Protocol Action Rule Client IP Client Username Source Network Destination Network HTTP Method URL 24.213.58.250 GATEWAY - UDP - - 137 0 0 0 0xc0040030 FWX_E_OUTBOUND_PATH_THROUGH_DROPPED 0x0 0x0 Firewall 6/29/2005 9:07 10.6.8.72 137 NetBios Name Service Denied Connection 24.213.58.250 Local Host Internal - WAN Network - - 10.20.3.22 GATEWAY - UDP - - 137 0 0 0 0xc0040030 FWX_E_OUTBOUND_PATH_THROUGH_DROPPED 0x0 0x0 Firewall 6/29/2005 9:07 10.6.8.72 137 NetBios Name Service Denied Connection 10.20.3.22 Local Host Internal - WAN Network - - 24.213.58.25 is one of our Public IP addresses 10.20.3.22 is a DHCP lease that was supposedly currently in use by the ISA server, for VPN clients 10.6.8.72 is a workstation on one of our subnets. There were no VPN connections in session at the time. Anyone else seen something like this?