RE: URGENT - FW Client cannot connect to ISA

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 13 Dec 2002 01:37:56 -0600

Hi William,

There's a chance it's related to the following. AFAIK, there is no fix :-(

Junior Member (Member # 8800) posted November 15, 2002 12:13 PM:
Microsoft has managed to reproduce our problem in their lab AND they have 
managed to find the cause... no cure yet though :-(

IF you have UDP based publishing (any UDP, not just DNS) AND a Site and Content 
filter containing an FQDN, the following happens:

Incoming UDP requests are checked against the Site and Content rules by 
attempting to do a reverse lookup on the incoming IP (to find a FQDN to match 
against the IP).

If this for some reason fails (like the requesting IP not being in a reverse 
zone) then the ISA tries to make a NBTSTAT query against the remote IP to find 
the FQDN. 

Once it has succeeded, failed or timed out on the incoming request it will then 
process the request.

This can take some time (at least on my side we just drop incoming netbios so 
those will have to timeout) and during that time the ISA is gobbling up UDP 

With heavy traffic this will at times cause the pool of available UDP mappings 
to be full, so that incoming requests first have to wait for another request to 
make it through the S&S rules before they can themselves start the path through!

So if:
- you have a remote client that is not in a reverse zone and that can not be 
resolved by nbtstat AND if it is re-requesting the DNS information after say 5 
- then you can easily end up in a situation where 
- the requests are being held pending, in wait for a process slot, while the 
ISA is trying to resolve the FQDN of a previous request FROM THE SAME MACHINE!

So the good news is that they know why and the bad news is that it sounds like 
it is a fundamental change that needs to be done!

Possible workaround, no S&S rules! Not sure I want to go that way....

Was this clear? If not, drop me a line and I'll try again....



Thomas W Shinder
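To make the stall described in the quoted post concrete, here is a small queueing model added to this thread (it is not ISA Server code, nor anything from the original poster). It treats the ISA UDP mapping pool as a fixed number of slots, and assumes that a request from a client whose IP has no reverse-zone entry holds its slot for the whole reverse-lookup plus NBTSTAT timeout before being processed. The pool size (2), the 20-second stand-in for that timeout, the 5-second client re-request interval and the 60-second window are all constructed values chosen for illustration; real ISA pool sizes and timeouts are not stated in the thread. It goes slightly beyond the post by also modelling a second, normally resolvable client sharing the pool, to show that it gets held pending behind the unresolvable one.

```python
"""Constructed queueing model of the ISA UDP-mapping-pool stall (added example).

Assumptions (not from the thread): a request occupies one UDP mapping slot for
the entire FQDN-resolution phase (reverse lookup, then NBTSTAT on failure) and
is processed instantly once that phase ends; requests are served FIFO.
"""
import heapq
from collections import defaultdict


def simulate_udp_pool(pool_size, client_delays, rerequest_interval, duration):
    """Discrete-event simulation of requests competing for UDP mapping slots.

    pool_size          number of concurrent UDP mappings ISA can hold (assumed)
    client_delays      per-client seconds spent resolving the FQDN before the
                       request is processed: 0.0 means the reverse lookup
                       answers at once; a large value stands in for a failed
                       reverse lookup followed by an NBTSTAT timeout (assumed)
    rerequest_interval seconds between successive requests from each client
    duration           length of the simulated window in seconds

    Returns the longest wait seen, how many requests had to wait at all, and
    the longest wait per client.
    """
    n_requests = int(duration / rerequest_interval)
    # Every client fires a request at 0, interval, 2*interval, ... (constructed)
    arrivals = sorted(
        (k * rerequest_interval, client)
        for client in range(len(client_delays))
        for k in range(n_requests)
    )
    busy = []                      # min-heap of slot release times
    worst_wait = defaultdict(float)  # client -> longest wait observed
    delayed = 0
    for arrived, client in arrivals:
        # Free every slot whose resolution phase finished before this arrival.
        while busy and busy[0] <= arrived:
            heapq.heappop(busy)
        if len(busy) < pool_size:
            start = arrived                  # a slot is free right away
        else:
            start = heapq.heappop(busy)      # wait for the earliest release
        wait = start - arrived
        if wait > 0:
            delayed += 1
        worst_wait[client] = max(worst_wait[client], wait)
        # The slot stays occupied for this client's whole resolution phase.
        heapq.heappush(busy, start + client_delays[client])
    return {
        "max_wait": max(worst_wait.values(), default=0.0),
        "delayed": delayed,
        "per_client_max_wait": dict(worst_wait),
    }


if __name__ == "__main__":
    # One client whose IP cannot be resolved, re-requesting every 5 s.
    print("unresolvable client:",
          simulate_udp_pool(2, [20.0], 5.0, 60.0))
    # Same, plus a client that resolves instantly but shares the pool.
    print("mixed clients:",
          simulate_udp_pool(2, [20.0, 0.0], 5.0, 60.0))
    # Workaround from the post (no FQDN Site & Content rules): no lookup phase.
    print("no FQDN rules:",
          simulate_udp_pool(2, [0.0, 0.0], 5.0, 60.0))
```

With these constructed numbers the single unresolvable client's own later requests queue behind its earlier ones and the backlog grows every interval, while the resolvable client sharing the pool ends up waiting even longer than the client that caused the problem. Setting every delay to zero, which is what dropping FQDN-based Site and Content rules amounts to in this model, empties the queue entirely; that is the trade-off the post is weighing.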


-----Original Message-----
From: William Robertson [mailto:robertson.william@xxxxxxxxxxxxxx] 
Sent: Thursday, December 12, 2002 11:06 PM
To: [ Discussion List]
Subject: [isalist] URGENT - FW Client cannot connect to ISA

Hi there

Yesterday I had some SERIOUS problems on my network with regards to my
Firewall Clients not being able to connect to the ISA Server. I also had
EXTREME issues with my DNS Servers unable to do lookups and the bottom
line is that no FIREWALL SERVICE activity was permitted through the ISA.

In an attempt to resolve the problem I removed and reinstalled ISA Server
last night. After this drastic step all seemed well.

But now this morning, again all of a sudden, the Firewall clients are
again reporting the following when I click on Update Now:
The server is not responding when client requests an update.
Possible causes:
- The server is not an ISA Server.
- The server is down.

Now I have confirmed that I can NSLOOKUP the ISA Server and I can connect
just fine to it. I have installed ISA SP1 as well as the 2 hotfixes
(isahf174 & isahf177).

Any ideas please?!?!?!?!?

William R.
