Question

Slow https sites. Protocol SSL Tunnel - "Failed Connection Attempt"

Asked by: Mr_Flibble69

My company is having lots of problems connecting to https sites. Lots of failed connection errors, resulting in really slow SSL sessions.

In the ISA 2004 logs I can see error msgs with :-
995 The I/O operation has been aborted because of either a thread exit or an application request.

I've tried increasing the connection limits to 200, installing sp3, checking dns settings, and reset the isa cache

A sample log is below.

Original Client IP      Client Agent      Authenticated Client      Service      Server Name      Referring Server      Destination Host Name      Transport      MIME Type      Object Source      Source Proxy      Destination Proxy      Bidirectional      Client Host Name      Filter Information      Network Interface      Raw IP Header      Raw Payload      Source Port      Processing Time      Bytes Sent      Bytes Received      Result Code      HTTP Status Code      Cache Information      Error Information      Log Record Type      Log Time      Destination IP      Destination Port      Protocol      Action      Rule      Client IP      Client Username      Source Network      Destination Network      HTTP Method      URL
0.0.0.0      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 1.0.3705; .NET CLR 2.0.50727)      No      Proxy      ISA_SERVER            s12.projectcentre.net      TCP            Internet      -      -            -      Req ID: 0572cb53       -      -      -      0      0      895      777            995 The I/O operation has been aborted because of either a thread exit or an application request.       0x0      0x8      Web Proxy Filter      22/01/2008 10:15      202.51.175.12      443      SSL-tunnel      Failed Connection Attempt      Web Outbound      192.168.10.30      anonymous      Internal      External            s12.projectcentre.net:443


The ISA box's roles are firewall//gateway  whilst the web proxy (192.168.10.30) has Webmarshal installed and another server acts as the dns server

Any ideas?

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Tunnelling
    I have DSL at home, but a firewall at work. I'd like to be able to set up my DSL machine at home as a kind of "hub" through which I could tunnel web, FTP and other traffic. I'm trying to decide whether to set up a VPN link between my machines, or just use somethin...
  2. SSL Tunneling in ISA 2004
    I'm currently trying to configure a ISA 2004 server to let a program we use connect to a global server. The Program uses port 443 to connect to the server (HTTPS). If I try to open every single port by selecting "All Outbound Trafic" from all networks to all network...
  3. ISA Server Remote Site SSL Issue
    We have an ISA Server and four remote sites. everything works correctly but when users at the remote sites go to any online banking sites or certain SSL sites the page does not come up. One interesting thing is that if you are on the remote site server, the page works fine.
  4. SSL/ISA Problem
    ISA Firewall issue. I have a Pc on our network that uses a VPN dialer to connect to a network. This is all working. The connection is established fine. When the connection occurs, IE opens and tries to load a specific webpage(available only via this VPN). The page is o...
  5. web ssl proxy tunnel
    hello there, I have a app that connects to a website and posts data, I have been using a network analyzer to see the data but its SSL now so it wont work with normal network analyzers.. the app has an option to use proxy.. I'm wondering if there is some sorta of proxy tunneli...
  6. SSL connextion problem to a site with ISA 2004
    Hello, I am trying to access this website https://www.ipayables.net/ but it fails from my local network. The 3 images never loads and same with the page. I tried with firewall client disabled: does not work I tried from my DMZ: it works Tried from another network that does ...

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: GLComputingPosted on 2008-01-22 at 10:19:17ID: 20716602

Try this:

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/ts_client_rules.mspx

in the section:

Allow Anonymous Access to Specific Sites

Problem: Some users cannot access the Internet.
Cause: Require all users to authenticate is enabled on the network listening for Web requests from users, so all user requests must be authenticated. Requests from users unable to authenticate (for example users who are not members of a domain, or client computers configured as SecureNAT clients) are denied.

Solution: Disable Require all users to authenticate. Instead, require authentication on access rules to sites to which you want to limit access. On sites for which you want to allow anonymous access, specify that rules should apply to All Users.

 

by: Mr_Flibble69Posted on 2008-02-03 at 13:49:48ID: 20810468

GL Computing thanks for your suggestion.

However, all users are able to access websites, but intermittently HTTPS websites (such as banking, etc) are very slow and simultaneously generate error isa 2004 errors consisting of  ->

995 The I/O operation has been aborted because of either a thread exit or an application request.

DNS is fine, tried sp3 on ISA 2004, increasing connection limit, bypassing cache for https.

Any other ideas??

 

by: Mr_Flibble69Posted on 2008-02-04 at 15:11:16ID: 31423622

At first glance this solution does not appear relevant as the problem description is very different as all my users can access the internet, but intermittantly https performance is poor .
Further research shows that this may work for similar situations as mine, but you didn't make this link. For future reference I would probably suggest a line stating how that solution would address my problem.

Thanks....

 

by: Mr_Flibble69Posted on 2008-02-04 at 15:17:20ID: 20819178

Although the solution GL_Computing posted has a different problem scenario, further research that I undertook showed that some java on https sites requires anonymous/basic authentication and because ISA cannot read the layer 5 session a failure is generated without much detail eg a generic status code 995.

I haven't tested this solution yet but from what I've found it would seem to work -->

http://forums.isaserver.org/m_2002019389/tm.htm

So, I will create an Unauthenticated Outbound rule for https with the https sites in a new domain set and if it doesn't work, then I'll add a remark here.

 

by: Mr_Flibble69Posted on 2008-02-04 at 16:26:58ID: 20819603

Well, that will teach me.

It didn't resolve the issue.

I'll continue the research.

 

by: suhasphadkePosted on 2009-01-29 at 22:16:35ID: 23505655

Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 995 The I/O operation has been aborted because of either a thread exit or an application request.  
Rule: Internet-Access
Source: Internal (10.1.47.90)
Destination: External (65.54.166.122:443)
Request: support.microsoft.com:443
Filter information: Req ID: 0a9cc57e; Compression: client=No, server=No, compress rate=0% decompress rate=0%
Protocol: SSL-tunnel
User: anonymous
 Additional information
Client agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Object source: Internet (Source is the Internet. Object was added to the cache.)
Cache info: 0x0
Processing time: 0 ms
MIME type:
 
Any solution?

 

by: pwindellPosted on 2009-05-19 at 14:31:51ID: 24426854

The best way to handle the Java, assuming you mean actually Java (requiring the JRE) and not simply Java Script, is to set the JRE using the Control Panel Applet to never use a proxy,..use a Direct Connection,...and then install the ISA Firewall Client on the machine.  The the Firewall Client will handle the authentication between the Client and the ISA and the JRE will be oblivious to that happening and will remain "happy".

My only suggestions for other syptoms would be:

1. Turn off the Compression Filter in the ISA MMC.
2. Make sure that the Active Directory DNS/DC is the only DNS used,...that nothing at all anywhere,...is using any other DNS.  Then use the ISP as a Forwarder in the config of the DNS service on the DNS/DC machine.
3. Make sure on the ISA that the only nic that has DNS is the Internal Nic and that it only points to the AD/DNS/DC.  The External nic on  the ISA should have blank DNS specs.

4. Make sure that the ISA only has a Default Gateway on the External Nic.  The DFG must be blank on all other interfaces.

 

by: pwindellPosted on 2009-05-19 at 14:33:16ID: 24426863

This being ISA2004, it did not have a Compression Filter unless one of the Service Packs added it,...I can't remember for sure about that one.

 

by: Box293Posted on 2009-06-03 at 20:05:15ID: 24543263

Try changing
HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\EnablePMTUDiscovery to 1 and then rebooting.

ISA changes the registry entry for EnablePMTUDiscovery to 0 on W2K3, for greater hardening of the TCPIP stack. When this is set to zero, it sets ISAs MTU 576 instead of negotiating.

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...