?
Solved

ISA Application Error in the Event Log

Posted on 2003-11-05
5
Medium Priority
?
5,844 Views
Last Modified: 2013-11-16
We are seeing a ton of errors in our event log under the application menu.  I don't know what this error is or how to fix it.  Our ISA server sits inside our Checkpoint NG firewall and all of our network nodes have the ISA firewall client installed which directs them through the ISA server which in turn sends the requests out the firewall.  All of our network IP's (except for Network Servers and ISA) are explicitly denied in the firewall to force the network clients to use the ISA server as the gateway.  The other day we noticed these errors in the application log and also saw a bunch (100 or so) routes in our routing table on the Windows 2000 server running ISA.  We cleared the routing table and now we just see the errors (no routes are being added at this time).  Thanks for any help.  Here's the error below.  This is just one of many different IP addresses we are seeing.


Event Type:      Error
Event Source:      Microsoft Web Proxy
Event Category:      None
Event ID:      14120
Date:            11/5/2003
Time:            10:59:06 AM
User:            N/A
Computer:      NETPROXY
Description:
The ISA Server services cannot create a packet filter 64.4.18.250. This event occurs when there is a conflict between the Local Address Table (LAT) configuration and the Windows 2000 routing table. Check the routing table and the LAT to find the source of the conflict.
Data:
0000: 15 00 00 00               ....    
0
Comment
Question by:slaroche
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 

Accepted Solution

by:
juanmamerino earned 800 total points
ID: 9687845
Hello slaroche,

I understand your ISA SErver has only one NIC so it's normal this event ID when request are received by the same nic as the are send to the Internet. If you see more information for this event ID on MS you'll see the solution is connect ISA server between two network segments. If it's not possible because of network changes you can installa second interface wich communicates with firewall through the same network segment ans continue receiving URL requests by the original nic.

Regards,

Juanma Merino
Barcelona
0
 

Author Comment

by:slaroche
ID: 9689230
Ok, so that makes sense.  We've actually got dual NIC's running load balancing on the ISA server, so getting rid of the team and using two different IP addresses is definitely a possibility.  How would the routing and DNS work if we did that?  Since this machine is inside the firewall, it has to maintain internal IP addresses, ie. 192.168.x.1 and 192.168.x.2.  If we set up the two nic's with different IP addresses in our network, won't the internal DNS read them both as valid IP's for ISA and cause a resolution issue?  Do we need to add a default route to our second NIC that sends packets directly to the internal interface of our Checkpoint firewall?  thanks

Steve
0
 

Author Comment

by:slaroche
ID: 9689499
One more useful piece of information: our default gateway on the ISA server is our Primary Router...not the checkpoint firewall interface.  All packets are are appropriately routed through this router.  
0
 

Expert Comment

by:juanmamerino
ID: 9692497
You're right cause in the network segment you're resolving trhough ARP and not routing tables. I suggest you to place disable de CPQTeam (If this is what your using to do the load balancing) and try run only one nic to this network segment. This is not the best solution cause you lost your actual load balancing scheme but it may work.
The best solution for me is place ISA between two network segments but you may create a single point of failure, solve it running two ISA Servers on cluster.

First review your LAT entries (where you define what ip address pools are able to pass through your ISA, the problem could be there and try to disable Routing and RAS service on your ISA if it's enabled.

Juanma Merino
Barcelona
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Getting to know the threat landscape in which DDoS has evolved, and making the right choice to get ourselves geared up to defend against  DDoS attacks effectively. Get the necessary preparation works done and focus on Doing the First Things Right.
This article is written by John Gates, CISSP. Gates, the SNUG President-Elect, currently holds the position of Manager of Information Systems at Lake Park High School in Roselle, Illinois.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Suggested Courses
Course of the Month14 days, 12 hours left to enroll

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question