Solved

Unidentified traffic error (return web traffic)

Posted on 2007-10-19
Last Modified: 2012-06-21
A new web server has been set up at the main office and a web server publishing rule has been applied to the ISA. I am able to access the server's website from External, Internal (local subnet), and VPN clients.
The only issues I have are:
Users in the branch office are unable to access the website by name. All other locations work without issue. This would seem like a DNS issue, but I don't believe this to be the case. I am able to ping the server by name from the branch office with no issues. I verified that the internal DNS servers have both A records and reverse lookup records for the webserver. A WINS entry has also been created for the webserver. Other servers can be accessed from the Branch office using port 80 with no issue.

When a connection is attempted from the Branch office to the webserver I receive an unidentified traffic error in the ISA log. The source is the webserver and the destination is the ISA box (return traffic). ISA is the default gateway for all hosts in the Main office.
The main office is connected to the branch office via frame relay using 2 Cisco 1700 series routers. The branch office contains 1 domain controller running DNS and WINS. All workstations in this office point to the local Cisco 1700 router as the default gateway. The Cisco routers' default route points all traffic to the ISA server.
The Internal network is defined in ISA as the whole network range encompassing both networks.
 
Thanks for any help or ideas you can send my way.
jackm1
0
Question by:jackm1
7 Comments
 
LVL 20

Assisted Solution

by:What90
What90 earned 800 total points
ID: 20113332
I think your branch office clients may be looping through the ISA and getting lost.

Is the web server on the main office internal lan or a DMZ leg?
If it is on the internal network do you have an exception range on the client machines not to use the ISA for certain internal IP addresses or your domain name?

Follow this to stop your internal machines looping through the ISA to get to internal resources
http://www.microsoft.com/technet/isa/2004/plan/internalclientaccess.mspx#D5


Oh and make sure you're on the latest ISA service pack :-)
0
 

Author Comment

by:jackm1
ID: 20115007
What90 thanks for the reply.

The ISA 2004 server is set up as an edge device. No DMZ is configured. The webserver is on the internal network (Main office, 10.0.0.x). The branch office is the IP range 10.0.2.x. The internal network is defined as 10.0.0.0 - 10.255.255.255. The domain name has been specified as an exception; I added the IP address of the webserver for good measure. No change.
Other servers on the internal network in the main office subnet are accessible using hostname and RDP from the BO, with the exception of 2 new servers, a BES server and the webserver, that were set up recently.
0
 
LVL 20

Expert Comment

by:What90
ID: 20115196
Hmmm, the web traffic for your new web server should not be hitting the ISA. Unless it can't resolve the new web server.

If you stick in a host entry file for the new web server on one of the client machines in the remote office does that work for the web site?
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1200 total points
ID: 20115651
The entries in your LAT table (10.0.0.0 - 10.255.255.255) are simply used for anti-spoofing purposes, these are nothing to do with routing at all. Drop out to a cmd prompt on the ISA server.
Do a route print - what do you get back? Do you see routes for all internal networks including all of the remote offices that are connected?

Provide a route print output here and an ipconfig /all from the ISA and we can see for sure.
0
 

Author Comment

by:jackm1
ID: 20116956
Guys, thanks for the help. What90 was right that the traffic was being lost in the ISA server and Keith was on the right track with the route command. As the web traffic left the BO for the webserver at the main office it hit the server without passing through the ISA server. The return traffic from the webserver was being routed and lost through the ISA server. By adding the BO subnet to the webserver routing table the issue was resolved.
"route add -p 10.0.2.0 mask 255.255.255.0 10.0.0.1 metric 1"
10.0.0.1 is the Cisco router for the point-to-point connection between offices.
This enables the web server to send traffic intended for the 10.0.2.0 network without using its default gateway (the ISA server 10.0.2.0)
0
 

Author Comment

by:jackm1
ID: 20116960
Forgot to mention that the route command had to be entered on the webserver.

Thanks again
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20117327
Thanks Jack :)
0
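The asymmetric path resolved in this thread, modelled as an added example that is not part of the original posts: the web server's route lookup (longest-prefix match) before and after the static route, checked against the device that delivered each request. The ISA address, the client addresses and the /24 mask for the main office are constructed assumptions; only 10.0.0.1 and the 10.0.2.0/24 route come from the thread.

```python
import ipaddress

# Constructed values: the thread names only the subnets and the router 10.0.0.1.
ISA = "10.0.0.254"       # assumed internal address of the ISA server
ROUTER = "10.0.0.1"      # Cisco router on the link to the branch office
ON_LINK = "on-link"      # destination is on the web server's own subnet

# Web server routing table before the fix (main office assumed to be a /24).
BEFORE = [("10.0.0.0/24", ON_LINK), ("0.0.0.0/0", ISA)]
# Effect of: route add -p 10.0.2.0 mask 255.255.255.0 10.0.0.1 metric 1
AFTER = BEFORE + [("10.0.2.0/24", ROUTER)]

# (client address, device that delivered its request to the web server)
FLOWS = [
    ("10.0.0.77", ON_LINK),    # main office workstation, same subnet
    ("10.0.2.25", ROUTER),     # branch office client, arrives over frame relay
    ("203.0.113.9", ISA),      # external client, arrives through the ISA
]

def next_hop(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), gw) for net, gw in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def audit(routes, flows=FLOWS):
    """Return clients whose reply leaves by a different device than the
    one the request arrived through. When that device is a stateful
    firewall, it sees a reply for a connection it never saw being opened."""
    return [client for client, request_hop in flows
            if next_hop(routes, client) != request_hop]

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, "asymmetric clients:", audit(table))
        for client, request_hop in FLOWS:
            print(f"  {client}: request via {request_hop}, "
                  f"reply via {next_hop(table, client)}")
```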
