RE: Strange Problem...

  • From: "Steve Moffat" <steve@xxxxxxxxxx>
  • To: "ISA Mailing List" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 1 Jul 2005 07:48:44 -0300

Having worked with 3 different Kevins in the past, I have learnt to
ignore them, they seem to be like Andrews....:)

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx] 
Sent: Friday, July 01, 2005 12:47 AM
To: ISA Mailing List
Subject: [isalist] RE: Strange Problem...

http://www.ISAserver.org

Probably a good idea to ignore "thekevin" (wonder who "theotherkevin"
is?) in general.

Time to start with some perf counters.
Specifically, any ISA or network counters that deal in "backlogged" or
"queue".

-----Original Message-----
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Thursday, June 30, 2005 8:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Strange Problem...


I've had this slowdown happen several times today, and haven't figured
out what is going on yet.  Traffic passing through the server drags to a
halt (RDP continues to work fine though), VPN connections drop, then a
few minutes later everything is running smoothly again.  Reviewing the
logs shows nothing out of the ordinary, the only things curious are a
few entries similar to the below entries.

 

How do I troubleshoot this?  

 

Regardless of thekevin's thoughts, I'm not going to "FDISK" my server to
fix it.  Heck, I can't even remember the last time I used FDISK,
repartitioning has been part of the OS installation for many years now.
Not to mention all my servers have RAID arrays, not a good thing to use
on them...

 

________________________________

From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Wednesday, June 29, 2005 12:14 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Strange Problem...

 

Had a major slowdown of all web traffic this morning, so I logged into
the ISA server and checked out the logs.  There was a large amount of
NetBIOS traffic being logged, so I captured several seconds of it from
the firewall log, and restarted the server.  The problem has since
disappeared.

 

Here are two entries that kept repeating themselves:

 

Original Client IP            Client Agent      Authenticated Client
Service  Server Name      Referring Server Destination Host Name
Transport           MIME Type        Object Source   Source Proxy
Destination Proxy          Bidirectional      Client Host Name    Filter
Information            Network Interface           Raw IP Header   Raw
Payload     Source Port       Processing Time            Bytes Sent
Bytes Received  Result Code      HTTP Status Code         Cache
Information          Error Information            Log Record Type
Log Time           Destination IP    Destination Port Protocol
Action   Rule      Client IP            Client Username
Source Network Destination Network       HTTP Method    URL

24.213.58.250                                        GATEWAY        -
UDP     -
-                                               137       0          0
0          0xc0040030 FWX_E_OUTBOUND_PATH_THROUGH_DROPPED
0x0       0x0       Firewall 6/29/2005 9:07   10.6.8.72           137
NetBios Name Service    Denied Connection
24.213.58.250                Local Host         Internal - WAN Network
-           -

10.20.3.22                                             GATEWAY        -
UDP     -
-                                               137       0          0
0          0xc0040030 FWX_E_OUTBOUND_PATH_THROUGH_DROPPED
0x0       0x0       Firewall 6/29/2005 9:07   10.6.8.72           137
NetBios Name Service    Denied Connection                     10.20.3.22
Local Host         Internal - WAN Network            -           -

 

24.213.58.25 is one of our Public IP addresses

10.20.3.22 is a DHCP lease that was supposedly currently in use by the
ISA server, for VPN clients

10.6.8.72 is a workstation on one of our subnets.

There were no VPN connections in session at the time.

 

Anyone else seen something like this?

 

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com Leading
Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
dball@xxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 


The correct technical term for haggis stalking is "havering". 
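
Added example, not part of the original thread: one way to summarise the kind of repeating denied entries described in the first post, by counting denied flows per minute in a firewall log export. The tab-separated layout with a header row and the function name `repeated_denials` are assumptions; the sample rows are constructed, reusing the addresses quoted in the post.

```python
import csv
import io
from collections import Counter

# Constructed sample, not the poster's log: a tab-separated export with a
# header row (assumed layout) using a subset of the log viewer column names
# quoted in the thread. The two NetBIOS flows reuse addresses from the post;
# the last two rows (and their protocol/action labels) are made up.
HEADER = ["Log Time", "Client IP", "Destination IP", "Destination Port",
          "Protocol", "Action"]
NBNS = ["10.6.8.72", "137", "NetBios Name Service", "Denied Connection"]
ROWS = (
    [["6/29/2005 9:07", "24.213.58.250"] + NBNS] * 5
    + [["6/29/2005 9:07", "10.20.3.22"] + NBNS] * 4
    + [["6/29/2005 9:07", "10.6.8.15", "10.6.8.1", "445",
        "CIFS", "Denied Connection"],
       ["6/29/2005 9:07", "10.6.8.15", "192.0.2.10", "80",
        "HTTP", "Allowed Connection"]]
)
SAMPLE_LOG = "\n".join("\t".join(r) for r in [HEADER] + ROWS)


def repeated_denials(log_text, min_count=3):
    """Count denied flows per (minute, client, destination, port, protocol).

    Returns the flows seen at least min_count times, busiest first, each as
    (minute, client_ip, dest_ip, dest_port, protocol, count).
    """
    counts = Counter()
    for rec in csv.DictReader(io.StringIO(log_text), delimiter="\t"):
        if not rec["Action"].startswith("Denied"):
            continue  # only denied records are of interest here
        # Keep date, hour and minute; drop seconds if the export has them.
        minute = ":".join(rec["Log Time"].split(":")[:2])
        counts[(minute, rec["Client IP"], rec["Destination IP"],
                rec["Destination Port"], rec["Protocol"])] += 1
    return [key + (n,) for key, n in counts.most_common() if n >= min_count]


if __name__ == "__main__":
    for minute, src, dst, port, proto, n in repeated_denials(SAMPLE_LOG):
        print(f"{minute}  {src} -> {dst}:{port}  {proto}  denied x{n}")
```

Run over a capture taken during a slowdown and one taken during normal operation, the difference in the top flows shows whether the denied NetBIOS traffic coincides with the stall.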


