"RPC Server is unavailable" when atempting to remote into  ISA 2004 server

Posted on 2008-10-07
Last Modified: 2012-05-05
Dear Experts,

We deployed a new ISA 2004 Standard Server with SP3 into our organization and it was functioning fine for about a month now. Today remote users reported that they are unable to VPN into the network (PPTP), I pointed some of the remote users to the old ISA server temporarily.
After rebooting the server everything seemed fine for about an hour, later I tried to remote into the server (mstsc) and I receive the following message:
"The system cannot log you onn due to the following error:
The RPC Server is unavailable.
Please try again or consult your system administrator"

I rebooted the server and tried again.. still no luck. I noticed that Routing and Remote Access were disabled on the ISA. I did run repair on the network connections, then started the Routing and Remote Access.
I had also started both services (which were disabled):
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator

Our internal network is
I noticed that ISA is throwing a lot of error messages stating that:
"ISA Server detected routes through the network adapter outside LAN that do not correlate with the network to which this network adapter belong. Then later in the message it lists"
I had a similar issue on the old ISA server and when we corrected the LAN to - we started getting other error messages.
After the ISA server with the issue was restarted I noticed that users are now able to VPN in to our network, but we are still unable to remote into it.

ISA BPA Tool lists the following:
Policy rule blocks FTP Uploads
Policy rule blocks FTP Uploads
Receive Side SCaling (RSS) is enabled by the OS
TCP Accelerator (TCPA) is enabled by the OS
Configuration error - same as the error I listed above in the question
The lower and Upper limits of the source port range for an access rule are equal (Stream/Download/IM block on 1214)
The RADIUS server can not be accessed
VPN Connection failure signaled x times (users were not able to VPN in earlier)
There are no cvertificates in the local computer store (we will not be publiching any SSL certs on this server)
Outlook WebAccesspublishing rule listends on HTTP (this rule will be disabled once HTTPS and SSL are ready)
Path maximum Transmission Unit (MTU) discovery is disabled

All of the Firewall System Policy rules are enabled with the exception for the ones below:
4 Allow Remote Logging to trusted servers using NETBIOS
13 Allow VPN site-to-site traffic to ISA server
14 Allow VPN site-to-site traffic from ISA server
16 Allow remote SQL logging from ISA server to selected servers
18  Allow HTTP/HTTPS requests from ISA server to selected servers
19 Allow access from trusted computers to the firewall client installation share on ISA server
20 Allow remote performance monitoring of ISA server from trusted servers
24 Allow SecurID
25 Allow remote monitoring from ISA server to trusted servers, using MOM Agent
26 Allow HTTP traffic from IS server to all network (for CRL downloads)
29 Allow HTTP from ISA server to selected computers for Conetnet download jobs

Any help is greatly appreciated.
Question by:technomic
  • 7
  • 5
LVL 18

Expert Comment

ID: 22663776
You have 2 NIC's installed -- 1 external and 1 internal? The RPC Server unavailable occurs with multiple interfaces and the binding order is not correct. Go to the advanced properties of the network interfaces and configure the binding order. You May have to play with it a bit...
LVL 18

Expert Comment

ID: 22663780
Ref this post for same issue,

Let me know if you need any more help on this

Author Comment

ID: 22664022
I'm looking at it, but I'm not sure what to change.... If I go to the NIC properties > ADvanced, the only options i have there , are
Windows Firewall.. and Internet Connection sharing...
On the general Tab i have the following chacked:
Client for MS Networks
File and Print Sharing for MS Networks
HP Network Cofig Utility
Internet Protocol TCP/IP

I did notice that in the artcilce you referenced Keith was suggesting to create a rulke for TCP, I have already created that rule and verified that System Firewall Rule for RPC is also there, stil no luck.
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.


Author Comment

ID: 22664263
I also did not state in the question that I can not ping the ISA server, but I can only ping certain servers and clients from ISA server. I'm able to ping one of the Two DOmain Controllers. Also able to browse the web and users still able to VPN in.
LVL 18

Expert Comment

ID: 22664322
Open the ISA gui, select monitoring - logging - click start query.
What do you see appear in the real time log?

Are you sure it is rpc that is failing rather than Kerberos calls etc?
What ISA SP are you running?
have you run the up the ISA BPA?
needs .net 1.1

You are on 2003 R2? Are you running SP2 also?
This might be worth a look (ISA runs NAT as you can imagine)
LVL 18

Expert Comment

ID: 22664325

Author Comment

ID: 22664394
ISA 2004 SP3
I did run the ISA BPA tool, I published the results in the bottom part of the question.
Will run the query right now and will also review those articles you posted in a few minutes.
Not sure if this is RPC or kerberos to be honest with you. No updates were installed recently.
2003 Server Standard Edition.
Right now in query, I only get results for ISA server`s public IP address and OWA`s external IP, nothign else..
Can't ping the ISA from any internal resources (servers, clients etc).
LVL 18

Expert Comment

ID: 22664490
What do you mean by cant ping isa form internal resource ? got to fix this first ? windows fireall should be turned off in ISA

Author Comment

ID: 22664553
Windows Firewall is turned off. I think we have updated the DNS server yesterday in the TCP/IP properties yesterday, this might be where this issue has started.
Exactly right, I'm unable to ping the isa by it`s IP or the FQDN from other servers or client PCs on the network. WEhen I attempt to remote in, I do get to the logon screen but after inserting the credentials, I get the error message about RPC server being unavailable.
LVL 18

Accepted Solution

sk_raja_raja earned 500 total points
ID: 22664781
did you try to provide your previous dns server on the properties and check ?

Author Closing Comment

ID: 31504014
Found the problem.- DNS. External nic had our ISP`s DNS. Internal NIC had DNS pointing to DCs that also has our ISP`s DNS. WSe left the DNS on th einternal NIC intact and removed the DNS fromthe External NIC on ISA. Once the services are stopped on the old ISA, then DNS settings may change on the new ISA firewall.
Thank you for your help, I really appreciate it.
LVL 18

Expert Comment

ID: 22665483
glad that the issue was fixed....

Featured Post

The Eight Noble Truths of Backup and Recovery

How can IT departments tackle the challenges of a Big Data world? This white paper provides a roadmap to success and helps companies ensure that all their data is safe and secure, no matter if it resides on-premise with physical or virtual machines or in the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Numerous times I have been asked this questions that what is it that makes my machine log on so slow, there have been cases where computers took 23 minute exactly after taking password and getting to the desktop. Interesting thing was the fact th…
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

789 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question