• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 37407
  • Last Modified:

ISA 2004 (Error Code 64: Host not available) gives intermittent and random error.

Dear Experts!!

Before I start, I would like to mention that I tried the solution from an expert article "Q_21483635.html", but no luck. We have even opened a case with Microsoft PSS, and its been 10days now without any breakthrough. We have an ISA 2004 Server with Service Pack 2 running on Windows Server 2003.

The problem is explained below..........
When user browse the Web Page. It will open for two or three pages. Intermittently, it will not open, and we need to click refresh for browsing. This happen very often. While checking in ISA logging Query we can see the Allowed user (By checking PC’s IP) as anonymous User and access was denied. If the same User when refreshes the browser they can able to browse and in ISA logging Monitor we are able to see the particular user's login name.

Error Message:
Technical Information (for support personnel)
·         Error Code 64: Host not available
·         Background: The gateway or proxy server lost connection to the Web server.
·         Date: 3/11/2006 8:12:21 AM
·         Server: prxycity1.internal.com
·         Source: Remote server

Just to eliminate doubts on network side, we tried accessing the internet directly without the Proxy server, and things work normal, but with ISA the error keeps coming randomly.

Please help.
0
imkazi
Asked:
imkazi
  • 15
  • 12
  • +2
1 Solution
 
Keith AlabasterCommented:
Can you switch off the cache temporarily so that you have to access the site directly each time?
0
 
imkaziAuthor Commented:
In fact, the cache was switched off initially after the ISA was installed. After the problem appeared, we noticed that the cache is not switched ON, and that's when we switched it ON hoping the problem might go away. Anyways, I shall try switching off the cache again tomorrow morning. Right now its midnight here in Kuwait.

One more thing I'd like to mention that we notice that this problem appears seldom during off peak hours. So it may be because of Network congestion. But what's confusing is that during peak hours if we access the internet directly bypassing the proxy, then the problem does not appear. So we cant really be sure its network congestion.

Next two days we are into weekend here. So i'm not sure we can repro the problem. Anyways will keep you updated.
0
 
Keith AlabasterCommented:
No problem. Its 9.25PM in the UK so I will be calling it a day soon also. let me know when you want to try a few things and I'll be here.
regards
keith
0
Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

 
IPKON_NetworksCommented:
The behaviour may go away if you change the following settings in the Web Publishing rule:

Unticked "forward the original host header"

Change "Requests appear to come from the original client"

to:

"Requests appear to come from ISA Server computer"


If you are not validating hostheaders you are not using the ISA as a gateway and the requests are split. The "Requests appear to come from the original client" is SNAT'ing.

Hope this help
IPKON Networks Ltd
0
 
imkaziAuthor Commented:
We are not using any web publishing rules. The ISA is being used only for proxing outgoing internet sessions, and the error is coming up for internal clients trying to browse the internet. The template used for the setup was "Edge Firewall Mode".
0
 
imkaziAuthor Commented:
Sure thing Keith. Will let you know.
Regards,
imkazi
0
 
imkaziAuthor Commented:
We did a trace of the ISA logs and it looks more like a Network issue. The ISA Proxy server is behind a Juniper netscreen FW. Please check if the below analysis makes any sense.

TRACE ANALYSIS:
In ISA-internal.cap we can see ISA return the "502 Proxy Error (The specified network name is no longer available) ....Error 64: host not available" in 12 cases to different clients (this can be seen in frame 10771, 10855, 10949, 11070, 16175, 25161, 31367, 34219, 34555, 35009, 35579 and 35888). After locating these 12 errors in the ISA-internal.cap, I then looked at isa-ext.cap to see what is causing it. And all 12 cases show the same pattern in isa-ext.cap:
Example 1
----------------
In frame 8500, 8501 and 8502 ISA and the external web server establish a TCP connection. In frame 8503 ISA Server sends the GET request to www.rsasecurity.com on behalf of the Web Proxy client. The web server doesn't respond at all to this request, not even with a TCP ACK, so ISA (the TCP stack) will resend the GET request. In this particular case ISA resends it two more times (with 3 and 6 seconds intervals respectively). This can be seen in frame 8708 and 9066. Again the web server doesn't respond to these requests, but instead sends a TCP Reset to the last request ISA sent in frame 9066. This TCP reset can be seen in frame 9067. Because the web server resets the TCP connection, there is nothing ISA can do except send the "502 Proxy Error (The specified network name is no longer available) ....Error 64: host not available" back to the client.
Example 2
----------------
In frame 19562, 19563 and 19564 ISA and the external web server establish a TCP connection. In frame 19565 ISA Server sends the GET request to www.jaijaidin.com on behalf of the Web Proxy client. The web server doesn't respond at all to this request, not even with a TCP ACK, so ISA (the TCP stack) will resend the GET request. In this particular case ISA resends it three more times (with 3 and 6 and 12 seconds intervals respectively). This can be seen in frame 19923, 20334 and 21491. Again the web server doesn't respond to these requests, but instead sends a TCP Reset to the last request ISA sent in frame 21491. This TCP reset can be seen in frame 21493. Because the web server resets the TCP connection, there is nothing ISA can do except send the "502 Proxy Error (The specified network name is no longer available) ....Error 64: host not available" back to the client.

Regards,,
0
 
Keith AlabasterCommented:
Are you using the ISA firewall client or just the web proxy settings?
If you run the same access attempts on the ISA itself, do these same results get returned?
Have you installed the SP2 service pack yet?
0
 
imkaziAuthor Commented:
We're using just web proxy settings.
Yes, the same error appears while accessing internet from ISA server itself.
Yes, we have upgraded to SP2 after the problem first appeared.
0
 
Keith AlabasterCommented:
In the gui, click on mintoiring - logging - click on start query.
What is being reported in the log itself?
What is the definition of the rule that is being used when you see this issue?
0
 
imkaziAuthor Commented:
I have copied an excerpt of the log below. You may have to remove word wrap after copying to notepad to view properly. As yo may notice in the log, the same source IP is getting allowed, denied and failed connection attempts subsequently. During the allowed instance the login username shows corrently, during denied/failed instances the same IP shows the username as anonymous.

---------------------------------- Start of Log ------------------------------------------------------

Original Client IP      Client Agent      Authenticated Client      Service      Referring Server      Destination Host Name      Transport      HTTP Method      MIME Type      Object Source      Source Proxy      Destination Proxy      Bidirectional      Client Host Name      Filter Information      Network Interface      Raw IP Header      Raw Payload      GMT Log Time      Source Port      Processing Time      Bytes Sent      Bytes Received      Cache Information      Error Information      Log Time      Client IP      Destination IP      Destination Port      Protocol      Action      Rule      Result Code      HTTP Status Code      Client Username      Source Network      Destination Network      URL      Server Name      Log Record Type
0.0.0.0      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322)      Yes      Proxy            www.technology-evaluation.com      TCP      GET      image/gif      Internet      -      -            -            -      -      -      3/25/2006 1:14:13 PM      0      1      1431      929      0x50801002      0xd80      3/25/2006 4:14:13 PM      10.27.3.4      66.201.244.33      80      http      Allowed Connection      Proxy Access            200       domkw\ai.damiri      Internal      External      http://www.technology-evaluation.com/images/arrow3.gif?e=      KCA1PRXY01      Web Proxy Filter
0.0.0.0      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322)      No      Proxy            www.technology-evaluation.com      TCP      GET                  -      -            -            -      -      -      3/25/2006 1:14:13 PM      0      1      4516      692      0x0      0x0      3/25/2006 4:14:13 PM      10.27.3.4      10.15.1.11      80      http      Denied Connection                  12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.       anonymous      Internal            http://www.technology-evaluation.com/a/crmXchange/crmxchange_logop.gif?e=      KCA1PRXY01      Web Proxy Filter
0.0.0.0      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322)      No      Proxy            www.technology-evaluation.com      TCP      GET                  -      -            -            -      -      -      3/25/2006 1:14:13 PM      0      1      4516      696      0x0      0x80      3/25/2006 4:14:13 PM      10.27.3.4      10.15.1.11      80      http      Denied Connection                  12209 The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied.       anonymous      Internal            http://www.technology-evaluation.com/a/TEC/2004Dec-Outsourcing160x600.jpg?e=      KCA1PRXY01      Web Proxy Filter
0.0.0.0      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322)      No      Proxy            www.technology-evaluation.com      TCP      GET                  -      -            -            -      -      -      3/25/2006 1:14:13 PM      0      16      547      777      0x0      0x80      3/25/2006 4:14:13 PM      10.27.3.4      10.15.1.11      80      http      Failed Connection Attempt                  5       anonymous      Internal            http://www.technology-evaluation.com/images/arrow3.gif?e=      KCA1PRXY01      Web Proxy Filter
0.0.0.0      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322)      Yes      Proxy            www.technology-evaluation.com      TCP      GET      image/gif      Internet      -      -            -            -      -      -      3/25/2006 1:14:13 PM      0      16      1431      929      0x50801002      0xd80      3/25/2006 4:14:13 PM      10.27.3.4      66.201.244.33      80      http      Allowed Connection      Proxy Access            200       domkw\ai.damiri      Internal      External      http://www.technology-evaluation.com/images/arrow3.gif?e=      KCA1PRXY01      Web Proxy Filter
0.0.0.0      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322)      No      Proxy            www.technology-evaluation.com      TCP      GET                  -      -            -            -      -      -      3/25/2006 1:14:13 PM      0      1      547      777      0x0      0x0      3/25/2006 4:14:13 PM      10.27.3.4      10.15.1.11      80      http      Failed Connection Attempt                  5       anonymous      Internal            http://www.technology-evaluation.com/images/arrow3.gif?e=      KCA1PRXY01      Web Proxy Filter
0.0.0.0      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322)      Yes      Proxy            www.technology-evaluation.com      TCP      GET      image/gif      Internet      -      -            -            -      -      -      3/25/2006 1:14:13 PM      0      1      1431      929      0x50801002      0xd80      3/25/2006 4:14:13 PM      10.27.3.4      66.201.244.33      80      http      Allowed Connection      Proxy Access            200       domkw\ai.damiri      Internal      External      http://www.technology-evaluation.com/images/arrow3.gif?e=      KCA1PRXY01      Web Proxy Filter
0.0.0.0      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322)      No      Proxy            www.technology-evaluation.com      TCP      GET                  -      -            -            -      -      -      3/25/2006 1:14:13 PM      0      1      547      792      0x0      0x0      3/25/2006 4:14:13 PM      10.27.3.4      10.15.1.11      80      http      Failed Connection Attempt                  5       anonymous      Internal            http://www.technology-evaluation.com/a/crmXchange/crmxchange_logop.gif?e=      KCA1PRXY01      Web Proxy Filter
0.0.0.0      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; MSN Messenger 7.5.0322)      Yes      Proxy            207.46.7.11      TCP      POST      application/x-msn-messenger      Internet      -      -            -            -      -      -      3/25/2006 1:14:14 PM      0      297      306      355      0x40000004      0xf80      3/25/2006 4:14:14 PM      10.27.4.135      207.46.7.11      80      http      Allowed Connection      Proxy Access            200       domkw\md.mostafa      Internal      External      http://207.46.7.11/gateway/gateway.dll?SessionID=2027575288.27562      KCA1PRXY01      Web Proxy Filter
0.0.0.0      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322)      Yes      Proxy            www.technology-evaluation.com      TCP      GET      image/gif      Internet      -      -            -            -      -      -      3/25/2006 1:14:14 PM      0      312      6393      944      0x50801002      0xd80      3/25/2006 4:14:14 PM      10.27.3.4      66.201.244.33      80      http      Allowed Connection      Proxy Access            200       domkw\ai.damiri      Internal      External      http://www.technology-evaluation.com/a/crmXchange/crmxchange_logop.gif?e=      KCA1PRXY01      Web Proxy Filter
0.0.0.0      Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; SIMBAR Enabled; .NET CLR 1.1.4322)      No      Proxy            www.technology-evaluation.com      TCP      GET                  -      -            -            -      -      -      3/25/2006 1:14:14 PM      0      1      547      796      0x0      0x0      3/25/2006 4:14:14 PM      10.27.3.4      10.15.1.11      80      http      Failed Connection Attempt                  5       anonymous      Internal            http://www.technology-evaluation.com/a/TEC/2004Dec-Outsourcing160x600.jpg?e=      KCA1PRXY01      Web Proxy Filter

---------------------------------------end of log --------------------------------------
0
 
imkaziAuthor Commented:
I forgot to answer your other query. The first rule of the "Firewall Policy Rule" is as follows,
Allow - All Outboud Traffic - From Internal/Local Host - To External/Internal - For Selected users.
0
 
imkaziAuthor Commented:
Its been a long day here. To answer your query right, there is no rule shown during the problem. The rule column is blank when anonymous user/denied connection/failed connection entries are logged!!

Regards,,
0
 
Keith AlabasterCommented:
Is the browser on ISA set to use itself as a proxy or does the ISA go out directly on the external interface? try it both ways please.

If you allow the rule for ALL Users rather than selected users (just as a ttest), this removes the authentication (for ISA). Does this remove all the failed/denied messages in the log?
0
 
imkaziAuthor Commented:
The browser on ISA is set to itself while testing. I also tested with ISA going directly and that works fine. Adding rule for ALL users still keeps the failed/denied messages, however, as per Microsoft these messages are normal in an integrated authentication setup. As per them, the local computer first tries to authenticate directly to the ISA which results in a denied/failed, who sees the user as anonymous, and then subsequently authenticates with the AD.
0
 
Keith AlabasterCommented:
Agreed. So are you saying that the ISA server itself does not show the symptoms at all, or that ISA is fine when it does not use itself as proxy?

0
 
imkaziAuthor Commented:
I mean the ISA server DOES show the error when it uses itself as a proxy.
0
 
imkaziAuthor Commented:
And the ISA server is fine when it does not uses itself as a proxy.
0
 
Keith AlabasterCommented:
Bizarre isn't it. You mention earlier that you are only using for proxying outgoing traffic; are you suing ISA as a firewall as well? I have never seen ISA set up as an edge device when it is caching/proxy only so this would be quite interesting.

If it is a firewall, do you get any different results if you install the ISA client on one workstation?
0
 
imkaziAuthor Commented:
Yes I mention earlier that the ISA I have here is installed in the Edge Firewall mode, and at the moment i am using it as a proxy server. I haven't tried using the ISA client. I will give it a try.

Do you think it would make any difference if I put the ISA in Proxy-Only mode? Guess I should try that as well.
0
 
Keith AlabasterCommented:
It depends really.

My own experience is that when I have wanted to use authorisation, I have always used the ISA firewall client as this is predominantly the authenication controller. I have well in excess of 100 ISA installations behind me and I have never seen a proxy server installed with the edge firewall configuration.

To test the config, just backup the configuration and re-run the templates from configuration - networks. If it then works for you; great. If not, just reinstall the saved config.

i have installed many boxes in proxy only (plus disabled and additional NIC's) and stacks as edge or three-legged firewalls but I will be honest and say I have not seen your particular symptoms. I agree that testing the two ther configurations would be a worthwhile exercise.
0
 
imkaziAuthor Commented:
We installed a brand new machine with the Single Network Adaptor Template for the Proxy-only mode. And the same problem exists!! The same with Firewall Client as well.

It is truly bizzare. I am beginning to believe that it is something to do with the network outside the ISA, which makes the toubleshooting all the more complicated. And to top that, there is doubt as well, since there are no errors if internet is accessed directly.

Lets see...
0
 
Keith AlabasterCommented:
OK.

1. thank you for trying it.
2. You obviously have a direct route to the internet (as you can bypass ISA) that is not displaying the issues. When you go directly, how is the traffic getting to the external router/firewall? Are the clients attached directly? Via a switch? Is this the same switch that the ISA is connected to?

From the info you give, it has to be the ISA server unless the network cable, port switch duplex/speed settings etc are mismatched/faulty.
What is ISA using as its DNS server? Apart from the issues you describe, what is the performance of ISA compared to going out directly?


0
 
imkaziAuthor Commented:
We have restricted direct access to the internet at the Firewall. For testing purpose I had allowed an IP and tested the direct access. The clients are connected at the access switch locally, and on separate switches on remote sites. The Firewall and Servers are connected to the Core switches.

The ISA is using a local DNS which is on the same subnet and the same switch physically. The local DNS is configured to forward to an external DNS for lookups it does not have. The performance of accessing through ISA as compared to accessing directly is slow.

We swapped the network cable, checked Switch Interface for any errors. Couldn't find anything wrong there.
0
 
Keith AlabasterCommented:
Lets look at this from a different angle.
On the ISA server, if you click start  programs  isa server  performance counters, it will start with a standard set of counters specific to ISA. you can also monitor dropped packets/errors etc. Anything look suspicious?

The fact you have rebuilt the server from scratch (and it is performing poorly) and still have the same issues does make it sound like something outside of the ISA. Do you have a web server or something on the internal LAN that could be accessed via ISA? Does this also perform poorly?

0
 
imkaziAuthor Commented:
I have news.

Though I still have to find out where exactly the problem lies. We shifted the ISA server to another ISP which is taking a different path (i.e. through a PIX), whereas the current ISP link is through the netscreen. So, I dont know yet if it is the ISP or the FW. I suspect the netscreen FW. It could be the number of sessions.

Anyways, atleast I know where to concentrate. For now, my ISA is working fine through the other path on the other ISP.

Thanks for all the advice. I'll just accept your last suggestion.

Bye,,
0
 
Keith AlabasterCommented:
Thats kind of you. :) Good luck with it.
0
 
omangmehta99Commented:
I have a problem in My ISA 2004 server.Intermittently the Internet connection goes down .the connection is getting restore when I move up and down the DNS I/P Address.
We have 4 DNS address out of which 2 s are Internal and 2s are external DNS I/P address.


Please Help.
0
 
Keith AlabasterCommented:
Create your own question - someone will look at it.
0
 
croitoruCommented:
In my case it was a java application - looks like it does not play nice with Proxy.
The solution was to set java to use the same settings as IE, and more important to upgrade to java 1.6
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

  • 15
  • 12
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now