"RPC Server is unavailable" when atempting to remote into ISA 2004 server
Dear Experts,
We deployed a new ISA 2004 Standard Server with SP3 into our organization and it was functioning fine for about a month now. Today remote users reported that they are unable to VPN into the network (PPTP), I pointed some of the remote users to the old ISA server temporarily.
After rebooting the server everything seemed fine for about an hour, later I tried to remote into the server (mstsc) and I receive the following message:
"The system cannot log you onn due to the following error:
The RPC Server is unavailable.
Please try again or consult your system administrator"
I rebooted the server and tried again.. still no luck. I noticed that Routing and Remote Access were disabled on the ISA. I did run repair on the network connections, then started the Routing and Remote Access.
I had also started both services (which were disabled):
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
Our internal network is 10.0.0.0- 10.0.0.255
I noticed that ISA is throwing a lot of error messages stating that:
"ISA Server detected routes through the network adapter outside LAN that do not correlate with the network to which this network adapter belong. Then later in the message it lists 10.0.1.0-10.255.255.254"
I had a similar issue on the old ISA server and when we corrected the LAN to 10.0.0.0 - 10.0.0.255 we started getting other error messages.
After the ISA server with the issue was restarted I noticed that users are now able to VPN in to our network, but we are still unable to remote into it.
ISA BPA Tool lists the following:
Policy rule blocks FTP Uploads
Policy rule blocks FTP Uploads
Receive Side SCaling (RSS) is enabled by the OS
TCP Accelerator (TCPA) is enabled by the OS
Configuration error - same as the error I listed above in the question
The lower and Upper limits of the source port range for an access rule are equal (Stream/Download/IM block on 1214)
The RADIUS server can not be accessed
VPN Connection failure signaled x times (users were not able to VPN in earlier)
There are no cvertificates in the local computer store (we will not be publiching any SSL certs on this server)
Outlook WebAccesspublishing rule listends on HTTP (this rule will be disabled once HTTPS and SSL are ready)
Path maximum Transmission Unit (MTU) discovery is disabled
All of the Firewall System Policy rules are enabled with the exception for the ones below:
4 Allow Remote Logging to trusted servers using NETBIOS
13 Allow VPN site-to-site traffic to ISA server
14 Allow VPN site-to-site traffic from ISA server
16 Allow remote SQL logging from ISA server to selected servers
18 Allow HTTP/HTTPS requests from ISA server to selected servers
19 Allow access from trusted computers to the firewall client installation share on ISA server
20 Allow remote performance monitoring of ISA server from trusted servers
24 Allow SecurID
25 Allow remote monitoring from ISA server to trusted servers, using MOM Agent
26 Allow HTTP traffic from IS server to all network (for CRL downloads)
29 Allow HTTP from ISA server to selected computers for Conetnet download jobs
Any help is greatly appreciated.
We deployed a new ISA 2004 Standard Server with SP3 into our organization and it was functioning fine for about a month now. Today remote users reported that they are unable to VPN into the network (PPTP), I pointed some of the remote users to the old ISA server temporarily.
After rebooting the server everything seemed fine for about an hour, later I tried to remote into the server (mstsc) and I receive the following message:
"The system cannot log you onn due to the following error:
The RPC Server is unavailable.
Please try again or consult your system administrator"
I rebooted the server and tried again.. still no luck. I noticed that Routing and Remote Access were disabled on the ISA. I did run repair on the network connections, then started the Routing and Remote Access.
I had also started both services (which were disabled):
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
Our internal network is 10.0.0.0- 10.0.0.255
I noticed that ISA is throwing a lot of error messages stating that:
"ISA Server detected routes through the network adapter outside LAN that do not correlate with the network to which this network adapter belong. Then later in the message it lists 10.0.1.0-10.255.255.254"
I had a similar issue on the old ISA server and when we corrected the LAN to 10.0.0.0 - 10.0.0.255 we started getting other error messages.
After the ISA server with the issue was restarted I noticed that users are now able to VPN in to our network, but we are still unable to remote into it.
ISA BPA Tool lists the following:
Policy rule blocks FTP Uploads
Policy rule blocks FTP Uploads
Receive Side SCaling (RSS) is enabled by the OS
TCP Accelerator (TCPA) is enabled by the OS
Configuration error - same as the error I listed above in the question
The lower and Upper limits of the source port range for an access rule are equal (Stream/Download/IM block on 1214)
The RADIUS server can not be accessed
VPN Connection failure signaled x times (users were not able to VPN in earlier)
There are no cvertificates in the local computer store (we will not be publiching any SSL certs on this server)
Outlook WebAccesspublishing rule listends on HTTP (this rule will be disabled once HTTPS and SSL are ready)
Path maximum Transmission Unit (MTU) discovery is disabled
All of the Firewall System Policy rules are enabled with the exception for the ones below:
4 Allow Remote Logging to trusted servers using NETBIOS
13 Allow VPN site-to-site traffic to ISA server
14 Allow VPN site-to-site traffic from ISA server
16 Allow remote SQL logging from ISA server to selected servers
18 Allow HTTP/HTTPS requests from ISA server to selected servers
19 Allow access from trusted computers to the firewall client installation share on ISA server
20 Allow remote performance monitoring of ISA server from trusted servers
24 Allow SecurID
25 Allow remote monitoring from ISA server to trusted servers, using MOM Agent
26 Allow HTTP traffic from IS server to all network (for CRL downloads)
29 Allow HTTP from ISA server to selected computers for Conetnet download jobs
Any help is greatly appreciated.
You have 2 NIC's installed -- 1 external and 1 internal? The RPC Server unavailable occurs with multiple interfaces and the binding order is not correct. Go to the advanced properties of the network interfaces and configure the binding order. You May have to play with it a bit...
Ref this post for same issue,
https://www.experts-exchange.com/questions/22643018/RPC-Server-is-Unavailable-with-ISA2004.html
Let me know if you need any more help on this
https://www.experts-exchange.com/questions/22643018/RPC-Server-is-Unavailable-with-ISA2004.html
Let me know if you need any more help on this
ASKER
I'm looking at it, but I'm not sure what to change.... If I go to the NIC properties > ADvanced, the only options i have there , are
Windows Firewall.. and Internet Connection sharing...
On the general Tab i have the following chacked:
Client for MS Networks
File and Print Sharing for MS Networks
HP Network Cofig Utility
Internet Protocol TCP/IP
I did notice that in the artcilce you referenced Keith was suggesting to create a rulke for TCP, I have already created that rule and verified that System Firewall Rule for RPC is also there, stil no luck.
Windows Firewall.. and Internet Connection sharing...
On the general Tab i have the following chacked:
Client for MS Networks
File and Print Sharing for MS Networks
HP Network Cofig Utility
Internet Protocol TCP/IP
I did notice that in the artcilce you referenced Keith was suggesting to create a rulke for TCP, I have already created that rule and verified that System Firewall Rule for RPC is also there, stil no luck.
ASKER
I also did not state in the question that I can not ping the ISA server, but I can only ping certain servers and clients from ISA server. I'm able to ping one of the Two DOmain Controllers. Also able to browse the web and users still able to VPN in.
Open the ISA gui, select monitoring - logging - click start query.
What do you see appear in the real time log?
Are you sure it is rpc that is failing rather than Kerberos calls etc?
What ISA SP are you running?
have you run the up the ISA BPA?
http://www.microsoft.com/downloads/details.aspx?FamilyId=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
needs .net 1.1
You are on 2003 R2? Are you running SP2 also?
This might be worth a look (ISA runs NAT as you can imagine)
http://support.microsoft.com/kb/927695
What do you see appear in the real time log?
Are you sure it is rpc that is failing rather than Kerberos calls etc?
What ISA SP are you running?
have you run the up the ISA BPA?
http://www.microsoft.com/downloads/details.aspx?FamilyId=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
needs .net 1.1
You are on 2003 R2? Are you running SP2 also?
This might be worth a look (ISA runs NAT as you can imagine)
http://support.microsoft.com/kb/927695
ASKER
ISA 2004 SP3
I did run the ISA BPA tool, I published the results in the bottom part of the question.
Will run the query right now and will also review those articles you posted in a few minutes.
Not sure if this is RPC or kerberos to be honest with you. No updates were installed recently.
2003 Server Standard Edition.
Right now in query, I only get results for ISA server`s public IP address and OWA`s external IP, nothign else..
Can't ping the ISA from any internal resources (servers, clients etc).
I did run the ISA BPA tool, I published the results in the bottom part of the question.
Will run the query right now and will also review those articles you posted in a few minutes.
Not sure if this is RPC or kerberos to be honest with you. No updates were installed recently.
2003 Server Standard Edition.
Right now in query, I only get results for ISA server`s public IP address and OWA`s external IP, nothign else..
Can't ping the ISA from any internal resources (servers, clients etc).
What do you mean by cant ping isa form internal resource ? got to fix this first ? windows fireall should be turned off in ISA
ASKER
Windows Firewall is turned off. I think we have updated the DNS server yesterday in the TCP/IP properties yesterday, this might be where this issue has started.
Exactly right, I'm unable to ping the isa by it`s IP or the FQDN from other servers or client PCs on the network. WEhen I attempt to remote in, I do get to the logon screen but after inserting the credentials, I get the error message about RPC server being unavailable.
Exactly right, I'm unable to ping the isa by it`s IP or the FQDN from other servers or client PCs on the network. WEhen I attempt to remote in, I do get to the logon screen but after inserting the credentials, I get the error message about RPC server being unavailable.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Found the problem.- DNS. External nic had our ISP`s DNS. Internal NIC had DNS pointing to DCs that also has our ISP`s DNS. WSe left the DNS on th einternal NIC intact and removed the DNS fromthe External NIC on ISA. Once the services are stopped on the old ISA, then DNS settings may change on the new ISA firewall.
Thank you for your help, I really appreciate it.
Thank you for your help, I really appreciate it.
glad that the issue was fixed....