bbao
asked on
NO PING after stopping ISA Firewall Services
hi folks
i got a strange problem. i thought i could PING NLB-enabled ISA servers after stopping their FWSRV service, but actually not.
basic system information of the ISA servers:
W2K3R2 Standard in Hyper-V
512MB
4 NICs with 4 dedicated IPs (1 x external facing, 3 x internal facing)
NLB enabled on all NICs on IGMP multicast mode
additional 17 VIPs assigned to the 4 NICs (10 + 1 + 3 + 3)
ISA 2006 Enterprise with SP1 and Supportability Update
Back Firewall template with Block All
outgoing DNS/HTTP/HTTPS/NTP/PING traffic is allowed
NOTE: ISA Integrated NLB is not used as it does not support NLB on all adapters with IGMP multicast, WLBS used instead.
the network connection is OK as i can use ARP -A to see their MAC addresses though i could not PING the IPs
any clues? many thanks for any input.
kind regards,
bbao
i got a strange problem. i thought i could PING NLB-enabled ISA servers after stopping their FWSRV service, but actually not.
basic system information of the ISA servers:
W2K3R2 Standard in Hyper-V
512MB
4 NICs with 4 dedicated IPs (1 x external facing, 3 x internal facing)
NLB enabled on all NICs on IGMP multicast mode
additional 17 VIPs assigned to the 4 NICs (10 + 1 + 3 + 3)
ISA 2006 Enterprise with SP1 and Supportability Update
Back Firewall template with Block All
outgoing DNS/HTTP/HTTPS/NTP/PING traffic is allowed
NOTE: ISA Integrated NLB is not used as it does not support NLB on all adapters with IGMP multicast, WLBS used instead.
the network connection is OK as i can use ARP -A to see their MAC addresses though i could not PING the IPs
any clues? many thanks for any input.
kind regards,
bbao
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Nice one :) - I will have a read on that as I don't recall that paper, and I have read quite a few
Regards
Keith :)
Regards
Keith :)
ASKER
Thanks :)
ASKER
hi Keith,
do you mind that i accept my second comment as the answer as i would like to PAQ this question. i believe this would help others who intend to hear the heartbeat after killing the ISA server. :-)
i tried to share points to you by accepting multiple solutions, but EE did not allow me to choose my comment in this way...
thanks for your kind help,
regards,
bbao
do you mind that i accept my second comment as the answer as i would like to PAQ this question. i believe this would help others who intend to hear the heartbeat after killing the ISA server. :-)
i tried to share points to you by accepting multiple solutions, but EE did not allow me to choose my comment in this way...
thanks for your kind help,
regards,
bbao
No its fine and an accurate reflection anyway. Besides, you likely know my EE email address if you ever want help with ISA Server.
Regards
K :)
Regards
K :)
ASKER
i just did a test on another stand-alone ISA server and got the same problem. no PING. it seems the stopped ISA server has been locked down.
i also found the following from MS TechNet site:
"2. Put the ISA Server firewall in LOCKDOWN mode, by stopping the Microsoft Firewall service. At a command prompt, type net stop fwsrv."
Troubleshooting networking issues
http://www.microsoft.com/technet/isa/2004/help/CMT_TrblDialup.mspx?mfr=true
the ISA servers are now in LOCKDOWN mode?? if so, how to unlock in turn to allow any incoming and outgoing traffic as before?
regards,
bbao