Solved

ISA Application Error in the Event Log

Posted on 2003-11-05
Last Modified: 2013-11-16
We are seeing a ton of errors in our event log under the application menu.  I don't know what this error is or how to fix it.  Our ISA server sits inside our Checkpoint NG firewall and all of our network nodes have the ISA firewall client installed which directs them through the ISA server which in turn sends the requests out the firewall.  All of our network IPs (except for Network Servers and ISA) are explicitly denied in the firewall to force the network clients to use the ISA server as the gateway.  The other day we noticed these errors in the application log and also saw a bunch (100 or so) routes in our routing table on the Windows 2000 server running ISA.  We cleared the routing table and now we just see the errors (no routes are being added at this time).  Thanks for any help.  Here's the error below.  This is just one of many different IP addresses we are seeing.


Event Type:      Error
Event Source:      Microsoft Web Proxy
Event Category:      None
Event ID:      14120
Date:            11/5/2003
Time:            10:59:06 AM
User:            N/A
Computer:      NETPROXY
Description:
The ISA Server services cannot create a packet filter 64.4.18.250. This event occurs when there is a conflict between the Local Address Table (LAT) configuration and the Windows 2000 routing table. Check the routing table and the LAT to find the source of the conflict.
Data:
0000: 15 00 00 00               ....    
Question by:slaroche

Expert Comment

by:sunray_2003

Accepted Solution

by:juanmamerino earned 200 total points
Hello slaroche,

I understand your ISA Server has only one NIC, so this event ID is normal when requests are received by the same NIC as they are sent to the Internet. If you look up more information for this event ID on MS, you'll see the solution is to connect the ISA server between two network segments. If that's not possible because of network changes, you can install a second interface which communicates with the firewall through the same network segment and continue receiving URL requests on the original NIC.

Regards,

Juanma Merino
Barcelona

Author Comment

by:slaroche
Ok, so that makes sense.  We've actually got dual NICs running load balancing on the ISA server, so getting rid of the team and using two different IP addresses is definitely a possibility.  How would the routing and DNS work if we did that?  Since this machine is inside the firewall, it has to maintain internal IP addresses, i.e. 192.168.x.1 and 192.168.x.2.  If we set up the two NICs with different IP addresses in our network, won't the internal DNS read them both as valid IPs for ISA and cause a resolution issue?  Do we need to add a default route to our second NIC that sends packets directly to the internal interface of our Checkpoint firewall?  Thanks

Steve

Author Comment

by:slaroche
One more useful piece of information: our default gateway on the ISA server is our Primary Router...not the checkpoint firewall interface.  All packets are appropriately routed through this router.

Expert Comment

by:juanmamerino
You're right, because in the network segment you're resolving through ARP and not routing tables. I suggest you disable the CPQTeam (if this is what you're using to do the load balancing) and try running only one NIC to this network segment. This is not the best solution because you lose your actual load balancing scheme, but it may work.
The best solution for me is to place ISA between two network segments, but you may create a single point of failure; solve it by running two ISA Servers in a cluster.

First review your LAT entries (where you define which IP address pools are able to pass through your ISA); the problem could be there. Also try to disable the Routing and RAS service on your ISA if it's enabled.

Juanma Merino
Barcelona
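
The LAT review suggested in the last comment can be done offline by checking, for any address named in event 14120, whether the LAT and the route's outgoing interface agree on which side it is on. This is an added example, not code from the thread or from Microsoft: it assumes that is what "conflict" means, and the 192.168.10.x routes and LAT range are constructed (64.4.18.250 is the address from the event above).

```python
import ipaddress

# Constructed sample: "Active Routes" rows as printed by `route print` on a
# single-homed server (destination, netmask, gateway, interface, metric).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   192.168.10.254    192.168.10.1       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.10.0    255.255.255.0     192.168.10.1    192.168.10.1       1
"""
# Constructed LAT: the start/end address pairs ISA treats as internal.
LAT = [("192.168.10.0", "192.168.10.255")]

def parse_routes(text):
    """Return (network, interface, metric) for each well-formed route row."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5 or not f[4].isdigit():
            continue  # header or unrelated line
        try:
            net = ipaddress.ip_network(f"{f[0]}/{f[1]}", strict=False)
            iface = ipaddress.ip_address(f[3])
        except ValueError:
            continue  # malformed row
        routes.append((net, iface, int(f[4])))
    return routes

def in_lat(addr, lat):
    ip = ipaddress.ip_address(addr)
    return any(ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
               for lo, hi in lat)

def best_route(addr, routes):
    """Longest-prefix match, lowest metric as tie-break, like the IP stack."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]), default=None)

def lat_conflict(addr, lat, routes):
    """Assumption: a conflict is the LAT and the outgoing interface disagreeing on side."""
    route = best_route(addr, routes)
    if route is None:
        return False  # unroutable: nothing to compare
    return in_lat(addr, lat) != in_lat(route[1], lat)

if __name__ == "__main__":
    print(lat_conflict("64.4.18.250", LAT, parse_routes(ROUTE_PRINT)))
```

With the single-NIC table the external address leaves through an interface that is itself in the LAT, which is the situation the accepted answer describes; a table whose default route uses an interface outside the LAT reports no conflict.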