?
Solved

connection timeout while connectting to only one web site with ISA, it is available through dial-up

Posted on 2003-11-24
5
Medium Priority
?
194 Views
Last Modified: 2010-04-09
Hi experts,
Here is my problem. We are using ISA server and one site had become unavaliable 3 days before. Nothing changed in ISA , I was not at the office. It is a bank's site that was working just fine with our ISA for over a year.  

When I try to connect to the site ISA returns connection timeout error.  
We can enter the site using dial up without a problem.
I tried connecting with ip address but couldn't, also.
Our ISP can connect without a problem.
Only ISA part is left. I configured a rule for full access to that side including ip address but it did not work.

I can trace the web site with our router, it does not give timeout.

What can be the problem or what can I do  
 
0
Comment
Question by:nurhal
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 24

Expert Comment

by:shivsa
ID: 9809121
did u update IE recently. updated some securtity fix on IE. if yes then it must have caused this.
try to remove those update and try again and see if it works.
0
 
LVL 33

Assisted Solution

by:MikeKane
MikeKane earned 1000 total points
ID: 9817963
If your setup looks like this

INTERNET
|
Router
|
ISA Server
|
Internal Network.  

Then I would recommend the following to help further isolate the point of failure.    

1)  Use a laptop or other client situated between the router and ISA.   Assign it the ISA's IP address and remove the ISA fromthe picture temporarily.    Configure DNS and Gateway and see if you have any trouble.     If you CAN get out to this trouble-site with the laptop, then we focus on the ISA go to step 2.    If you CAN NOT get to the site, then your router may need attention due to bad coding, recent IOS upgrades, downstream issues...etc....  

2) Remove the laptop and plug the ISA back in.   Can the ISA ping the site by name and get resolution.    If NO then check DNS settings.  If YES then go to Step 3

3) HAve you performed any updates to the ISA?   Service packs, IE, Patches, new applications, anything?  If YES then Roll back the updates, if NO then got to step 4

4) Post some additional details about the ISA for me.  Service pack, hardware, and some ipranges (if you are comfortable with that) would be helpful to further diagnose the issue.

0
 
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 9820083
You might set the MTU on the ISA server lower than the default max 1500
The recent outbreak of Welchia and MSBlast worms has caused many ISP's and other network managers to block ICMP. This is a knee-jerk reaction that has far reaching consequences. One of those is the inherenet ability of MS operating systems to adjust dynamically using Path MTU Detect. Blocking ICMP blocks the "unreachable" packets that PMTUD depends on to adjust. No unreachable, no adjustment, just timeouts. This helps explain why this is a recent phenomenon with no changes on your part.
If you set the Max MTU size on the server to 576 (same as dialup) you'll never have this problem again..

ICMP - PMTUD - IDENT - Black Hole
http://www.winguides.com/registry/display.php/887/
http://www.cisco.com/warp/public/105/38.shtml
http://www.netheaven.com/pmtu.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;159211
PMTUD fails after WIN2K SP2
http://support.microsoft.com/default.aspx?scid=kb;en-us;301337
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10976342
No comment has been added to this question in more than 21 days, so it is now classified as abandoned..
I will leave the following recommendation for this question in the Cleanup topic area:

--> Split between lrmoore and MikeKane.

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

tim_holman
EE Cleanup Volunteer
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses
Course of the Month12 days, 16 hours left to enroll

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question