Solved

ISA Application Error in the Event Log

Posted on 2003-11-05
Last Modified: 2013-11-16
We are seeing a ton of errors in our event log under the application menu.  I don't know what this error is or how to fix it.  Our ISA server sits inside our Checkpoint NG firewall and all of our network nodes have the ISA firewall client installed which directs them through the ISA server which in turn sends the requests out the firewall.  All of our network IPs (except for Network Servers and ISA) are explicitly denied in the firewall to force the network clients to use the ISA server as the gateway.  The other day we noticed these errors in the application log and also saw a bunch (100 or so) routes in our routing table on the Windows 2000 server running ISA.  We cleared the routing table and now we just see the errors (no routes are being added at this time).  Thanks for any help.  Here's the error below.  This is just one of many different IP addresses we are seeing.


Event Type:      Error
Event Source:      Microsoft Web Proxy
Event Category:      None
Event ID:      14120
Date:            11/5/2003
Time:            10:59:06 AM
User:            N/A
Computer:      NETPROXY
Description:
The ISA Server services cannot create a packet filter 64.4.18.250. This event occurs when there is a conflict between the Local Address Table (LAT) configuration and the Windows 2000 routing table. Check the routing table and the LAT to find the source of the conflict.
Data:
0000: 15 00 00 00               ....    
Question by:slaroche

Expert Comment

by:sunray_2003
ID: 9687771
 

Accepted Solution

by:
juanmamerino earned 200 total points
ID: 9687845
Hello slaroche,

I understand your ISA Server has only one NIC, so this event ID is normal when requests are received by the same NIC as they are sent to the Internet. If you see more information for this event ID on MS, you'll see the solution is to connect ISA Server between two network segments. If that's not possible because of network changes, you can install a second interface which communicates with the firewall through the same network segment and continue receiving URL requests by the original NIC.

Regards,

Juanma Merino
Barcelona
 

Author Comment

by:slaroche
ID: 9689230
Ok, so that makes sense.  We've actually got dual NICs running load balancing on the ISA server, so getting rid of the team and using two different IP addresses is definitely a possibility.  How would the routing and DNS work if we did that?  Since this machine is inside the firewall, it has to maintain internal IP addresses, i.e. 192.168.x.1 and 192.168.x.2.  If we set up the two NICs with different IP addresses in our network, won't the internal DNS read them both as valid IPs for ISA and cause a resolution issue?  Do we need to add a default route to our second NIC that sends packets directly to the internal interface of our Checkpoint firewall?  Thanks

Steve
 

Author Comment

by:slaroche
ID: 9689499
One more useful piece of information: our default gateway on the ISA server is our Primary Router...not the Checkpoint firewall interface.  All packets are appropriately routed through this router.
 

Expert Comment

by:juanmamerino
ID: 9692497
You're right, because in the network segment you're resolving through ARP and not routing tables. I suggest you disable the CPQTeam (if this is what you're using to do the load balancing) and try running only one NIC to this network segment. This is not the best solution because you lose your actual load balancing scheme, but it may work.
The best solution for me is to place ISA between two network segments, but you may create a single point of failure; solve it by running two ISA Servers in a cluster.

First review your LAT entries (where you define what IP address pools are able to pass through your ISA); the problem could be there. Also try to disable the Routing and RAS service on your ISA if it's enabled.

Juanma Merino
Barcelona
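
The event text and the reply above both say to compare the LAT with the routing table. The following is an added example, not code from the thread or from Microsoft, showing one way to do that comparison offline. It assumes the conflict means a destination outside the LAT is routed out an interface whose address is inside the LAT (or the reverse); the LAT range, the route rows and all function names are constructed for illustration, with only 64.4.18.250 taken from the event above.

```python
import ipaddress

# Constructed sample data: LAT start/end pairs and rows shaped like the
# "Active Routes" table printed by `route print` on Windows 2000.
LAT_RANGES = [("192.168.0.0", "192.168.255.255")]
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.254     192.168.1.1       1
      64.4.18.250  255.255.255.255     192.168.1.254     192.168.1.1       1
      192.168.1.0    255.255.255.0       192.168.1.1     192.168.1.1       1
        127.0.0.0        255.0.0.0         127.0.0.1       127.0.0.1       1
"""

def in_lat(addr, lat=LAT_RANGES):
    """True if addr falls inside any LAT start/end range."""
    ip = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in lat)

def parse_routes(text):
    """Return (network, gateway, interface) per data row; skip header lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}", strict=False)
            ipaddress.ip_address(fields[2])
            ipaddress.ip_address(fields[3])
        except ValueError:
            continue  # not an address row
        routes.append((net, fields[2], fields[3]))
    return routes

def find_conflicts(routes, lat=LAT_RANGES):
    """Flag routes whose destination and outgoing interface disagree about the LAT."""
    conflicts = []
    for net, _gateway, iface in routes:
        dest_internal = in_lat(str(net.network_address), lat)
        iface_internal = in_lat(iface, lat)
        if not dest_internal and iface_internal:
            conflicts.append(("external-via-internal", net, iface))
        elif dest_internal and not iface_internal:
            conflicts.append(("internal-via-external", net, iface))
    return conflicts

if __name__ == "__main__":
    for kind, net, iface in find_conflicts(parse_routes(ROUTE_PRINT)):
        print(f"{kind}: {net} leaves via {iface}")
```

On the single-interface sample, the default route and the host route are both flagged because every external destination leaves through an address the LAT treats as internal.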