[isalist] Re: Timeout issue driving me nuts...

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 17 Sep 2008 14:36:19 -0700

Another thing you can do is verify your DNS if that's what you suspect.
From here (WA state), nslookup provides:
C:\Windows\system32>nslookup login.facebook.com
Name:    login.facebook.com
Address:  69.63.178.21

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Wednesday, September 17, 2008 2:32 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Timeout issue driving me nuts...

It still comes down to the same thing; get a capture during the failing event.
10060 is clear; when ISA requested Winsock to create a network connection to 
64.15.175.5 on TCP:443, the host at that IP address failed to respond to the 
TCP handshake.  Winsock responded back to ISA with "10060; no response" and ISA 
reported that to you.

You cannot resolve this without getting a capture of the failing event.
Get Netmon (or whatever you like for a netcap tool), run it on the ISA and 
capture the traffic until the event recurs.
If you see the traffic heading for the remote host, but no responses, it's time 
to check your network hardware or engage the ISP support folks.

Until you get a capture that shows this behavior, it's all conjecture.

Jim

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tom Rogers
Sent: Wednesday, September 17, 2008 1:15 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Timeout issue driving me nuts...

Yep - it is, but I just happened to have that site error handy. SalesForce 
gives the same type of errors.

Is it possible my DNS is messed up on the ISA server? The WAN to my ISP did 
have their DNS IPs in the NIC IP Config. Are we supposed to leave those blank 
so that the DNS request will go to the Internal DNS server which in turn goes 
to the ISP DNS?

Our ISA server is setup as a DNS forwarder.

Tom Rogers
Systems Administrator
Schneider Packaging Equipment

________________________________
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or
entity to whom they are addressed.If you have received this email in error 
please notify the system manager.
This message contains confidential information and is intended only for the 
individual named. If you are not the
named addressee you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately
by e-mail if you have received this e-mail by mistake and delete this e-mail 
from your system. If you are not the
intended recipient you are notified that disclosing, copying, distributing or 
taking any action in reliance on the
contents of this information is strictly prohibited.
P Please consider the environment before printing this email.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Steve Moffat
Sent: Wednesday, September 17, 2008 4:06 PM
To: ISA Mailing List
Subject: [isalist] Re: Timeout issue driving me nuts...

Request: login.facebook.com:443

Facebook does that all  the time....anyway, I thought the dodgy site was 
salesforce.com???

S

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tom Rogers
Sent: Wednesday, September 17, 2008 4:18 PM
To: ISA Mailing List
Subject: [isalist] Re: Timeout issue driving me nuts...

Here is an example of what I am getting when we get the timeout issues...


Failed Connection Attempt

ISA 9/17/2008 3:14:37 PM

Log type: Web Proxy (Forward)

Status: 10060 A connection attempt failed because the connected party did not 
properly respond after a period of time, or established connection failed 
because connected host has failed to respond.

Rule: Limited Outbound Access for all other protocols

Source: Internal (192.168.1.135)

Destination: External (64.15.175.5:443)

Request: login.facebook.com:443

Filter information: Req ID: 0e58c928; Compression: client=No, server=No, 
compress rate=0% decompress rate=0%

Protocol: SSL-tunnel

User: DOMAIN\trogers

[cid:image001.png@01C918D2.BE83B070]Additional information
1.                Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 
5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; InfoPath.2)
2.      Object source: Internet (Source is the Internet. Object was added to 
the cache.)
3.      Cache info: 0x0
4.      Processing time: 0 ms
5.                MIME type:



Tom Rogers
Systems Administrator
Schneider Packaging Equipment

________________________________
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or
entity to whom they are addressed.If you have received this email in error 
please notify the system manager.
This message contains confidential information and is intended only for the 
individual named. If you are not the
named addressee you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately
by e-mail if you have received this e-mail by mistake and delete this e-mail 
from your system. If you are not the
intended recipient you are notified that disclosing, copying, distributing or 
taking any action in reliance on the
contents of this information is strictly prohibited.
P Please consider the environment before printing this email.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jim Harrison
Sent: Tuesday, September 16, 2008 11:54 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Timeout issue driving me nuts...

These are frequently difficult to troubleshoot, but the good news is that 99 
times out of 10, the problem is external to ISA.
The first thing to note is the IP address ISA reports as failing to accept a 
connection; 204.14.234.61.

-        Is this the correct IP address for the destination site (nslookup 
reports "na5-sjl.salesforce.com")?

-        Is this one of many IPs used for that site (I only find one)?

-        What do you find in the ISA logs around this event?

-        What do you find in the ISA event logs around this event?

-        What devices separate your ISA from the Internet (modem, router, etc.)?

-        Can you get a capture at each point along the chain?

I've not found RR tier-1 support to be of much use; they're typically of the 
"let's remove and reinstall TCP/IP" troubleshooting class.
If you can get an escalation to their networking team, you may be able to get 
concurrent captures during the failure state.


From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Tom Rogers
Sent: Tuesday, September 16, 2008 7:58 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Timeout issue driving me nuts...

I have one ISA server (2006 SP-1) on a W2K3 SP-2 box, and we are having a 
random time out error on only one website. (SalesForce.com)

The error message is always this...


Technical Information (for Support personnel) Error Code: 504 Proxy Timeout. 
The connection timed out. (10060) IP Address: 204.14.234...61

Date: 9/16/2008 2:29:24 PM [GMT]

Server: isa.local.NET

Source: proxy

I though I had it figured out, as an employee from Colorado was VPN'ing in and 
using SalesForce.com through our internal network instead of his own ISP, but 
he is no longer doing that and we still have the timeout occurring. 
Salesforce.com's tech support has basically washed their hands of it and said 
it is our ISA 2006 server. My Web Proxy timeout is set to 1800 seconds - that's 
30 minutes so it should never have a timeout issue.

We run on RoadRunner's business class service with 7mbps download, 2mbps upload 
(theoretical speed).

I don't know where to turn from here. Can anyone help me troubleshoot this 
issue? We don't have this issue with any other websites through ISA 2006.

Is there a user friendly reader for the ISA web and fw log files? Is there a 
tool to see who or what is taking how much bandwidth at a time?

TIA,

Tom Rogers
Systems Administrator
Schneider Packaging Equipment

________________________________
This email and any files transmitted with it are confidential and intended 
solely for the use of the individual or
entity to whom they are addressed.If you have received this email in error 
please notify the system manager.
This message contains confidential information and is intended only for the 
individual named. If you are not the
named addressee you should not disseminate, distribute or copy this e-mail. 
Please notify the sender immediately
by e-mail if you have received this e-mail by mistake and delete this e-mail 
from your system. If you are not the
intended recipient you are notified that disclosing, copying, distributing or 
taking any action in reliance on the
contents of this information is strictly prohibited.
P Please consider the environment before printing this email.


PNG image

Other related posts: