Solved

"RPC Server is unavailable" when attempting to remote into ISA 2004 server

Posted on 2008-10-07
Last Modified: 2012-05-05
Dear Experts,

We deployed a new ISA 2004 Standard Server with SP3 into our organization and it was functioning fine for about a month now. Today remote users reported that they are unable to VPN into the network (PPTP), I pointed some of the remote users to the old ISA server temporarily.
After rebooting the server everything seemed fine for about an hour, later I tried to remote into the server (mstsc) and I receive the following message:
"The system cannot log you on due to the following error:
The RPC Server is unavailable.
Please try again or consult your system administrator"

I rebooted the server and tried again.. still no luck. I noticed that Routing and Remote Access were disabled on the ISA. I did run repair on the network connections, then started the Routing and Remote Access.
I had also started both services (which were disabled):
Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator

Our internal network is 10.0.0.0 - 10.0.0.255
I noticed that ISA is throwing a lot of error messages stating that:
"ISA Server detected routes through the network adapter outside LAN that do not correlate with the network to which this network adapter belongs. Then later in the message it lists 10.0.1.0-10.255.255.254"
I had a similar issue on the old ISA server and when we corrected the LAN to 10.0.0.0 - 10.0.0.255 we started getting other error messages.
After the ISA server with the issue was restarted I noticed that users are now able to VPN in to our network, but we are still unable to remote into it.

ISA BPA Tool lists the following:
Policy rule blocks FTP Uploads
Policy rule blocks FTP Uploads
Receive Side Scaling (RSS) is enabled by the OS
TCP Accelerator (TCPA) is enabled by the OS
Configuration error - same as the error I listed above in the question
The lower and upper limits of the source port range for an access rule are equal (Stream/Download/IM block on 1214)
The RADIUS server can not be accessed
VPN Connection failure signaled x times (users were not able to VPN in earlier)
There are no certificates in the local computer store (we will not be publishing any SSL certs on this server)
Outlook Web Access publishing rule listens on HTTP (this rule will be disabled once HTTPS and SSL are ready)
Path maximum Transmission Unit (MTU) discovery is disabled

All of the Firewall System Policy rules are enabled with the exception for the ones below:
4 Allow Remote Logging to trusted servers using NETBIOS
13 Allow VPN site-to-site traffic to ISA server
14 Allow VPN site-to-site traffic from ISA server
16 Allow remote SQL logging from ISA server to selected servers
18 Allow HTTP/HTTPS requests from ISA server to selected servers
19 Allow access from trusted computers to the firewall client installation share on ISA server
20 Allow remote performance monitoring of ISA server from trusted servers
24 Allow SecurID
25 Allow remote monitoring from ISA server to trusted servers, using MOM Agent
26 Allow HTTP traffic from ISA server to all network (for CRL downloads)
29 Allow HTTP from ISA server to selected computers for Content download jobs


Any help is greatly appreciated.
0
Question by:technomic
12 Comments
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22663776
You have 2 NICs installed -- 1 external and 1 internal? The RPC Server unavailable occurs with multiple interfaces and the binding order is not correct. Go to the advanced properties of the network interfaces and configure the binding order. You may have to play with it a bit...
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22663780
Ref this post for same issue,

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Q_22643018.html

Let me know if you need any more help on this
0
 
LVL 2

Author Comment

by:technomic
ID: 22664022
I'm looking at it, but I'm not sure what to change.... If I go to the NIC properties > Advanced, the only options I have there are
Windows Firewall.. and Internet Connection sharing...
On the General tab I have the following checked:
Client for MS Networks
File and Print Sharing for MS Networks
HP Network Config Utility
Internet Protocol TCP/IP

I did notice that in the article you referenced Keith was suggesting to create a rule for TCP, I have already created that rule and verified that System Firewall Rule for RPC is also there, still no luck.
0
 
LVL 2

Author Comment

by:technomic
ID: 22664263
I also did not state in the question that I cannot ping the ISA server, but I can only ping certain servers and clients from ISA server. I'm able to ping one of the two Domain Controllers. Also able to browse the web and users still able to VPN in.
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22664322
Open the ISA gui, select monitoring - logging - click start query.
What do you see appear in the real time log?

Are you sure it is RPC that is failing rather than Kerberos calls etc?
What ISA SP are you running?
Have you run the ISA BPA?
http://www.microsoft.com/downloads/details.aspx?FamilyId=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
Needs .NET 1.1

You are on 2003 R2? Are you running SP2 also?
This might be worth a look (ISA runs NAT as you can imagine)
http://support.microsoft.com/kb/927695
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22664325
0

 
LVL 2

Author Comment

by:technomic
ID: 22664394
ISA 2004 SP3
I did run the ISA BPA tool, I published the results in the bottom part of the question.
Will run the query right now and will also review those articles you posted in a few minutes.
Not sure if this is RPC or kerberos to be honest with you. No updates were installed recently.
2003 Server Standard Edition.
Right now in query, I only get results for ISA server's public IP address and OWA's external IP, nothing else..
Can't ping the ISA from any internal resources (servers, clients etc).
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22664490
What do you mean by can't ping ISA from internal resource? Got to fix this first. Windows Firewall should be turned off in ISA.
0
 
LVL 2

Author Comment

by:technomic
ID: 22664553
Windows Firewall is turned off. I think we have updated the DNS server in the TCP/IP properties yesterday, this might be where this issue has started.
Exactly right, I'm unable to ping the ISA by its IP or the FQDN from other servers or client PCs on the network. When I attempt to remote in, I do get to the logon screen but after inserting the credentials, I get the error message about RPC server being unavailable.
0
 
LVL 18

Accepted Solution

by:
sk_raja_raja earned 500 total points
ID: 22664781
Did you try to provide your previous DNS server on the properties and check?
0
 
LVL 2

Author Closing Comment

by:technomic
ID: 31504014
Found the problem - DNS. External NIC had our ISP's DNS. Internal NIC had DNS pointing to DCs that also have our ISP's DNS. We left the DNS on the internal NIC intact and removed the DNS from the external NIC on ISA. Once the services are stopped on the old ISA, then DNS settings may change on the new ISA firewall.
Thank you for your help, I really appreciate it.
0
 
LVL 18

Expert Comment

by:sk_raja_raja
ID: 22665483
Glad that the issue was fixed....
0
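
Added example (not part of the original thread): a check for the misconfiguration the closing comment describes, where an adapter on a dual-homed firewall carries DNS servers outside the internal network. It parses a constructed `ipconfig /all` excerpt; the adapter names and all addresses are assumptions, and only the internal range 10.0.0.0 - 10.0.0.255 comes from the question.

```python
import ipaddress
import re

# Constructed `ipconfig /all` excerpt from a dual-homed firewall; the adapter
# names and every address are made up for illustration.
SAMPLE = """\
Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 10.0.0.2
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 10.0.0.10
                                       10.0.0.11

Ethernet adapter External:

   IP Address. . . . . . . . . . . . : 203.0.113.10
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
"""

ADAPTER = re.compile(r"^\S.*adapter (.+):\s*$")
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$")


def parse_adapters(text):
    """Return {adapter name: {field name: [values]}}."""
    adapters, current, key = {}, None, None
    for line in text.splitlines():
        header = ADAPTER.match(line)
        if header:
            current, key = adapters.setdefault(header.group(1), {}), None
        elif current is not None and line.strip():
            field = FIELD.match(line)
            if field:
                key, value = field.group(1), field.group(2).strip()
                current[key] = [value] if value else []
            elif key:  # continuation line, e.g. a second DNS server
                current[key].append(line.strip())
    return adapters


def dns_findings(text, internal_net="10.0.0.0/24"):
    """List (adapter, server) pairs whose DNS server is outside internal_net."""
    net = ipaddress.ip_network(internal_net)
    return [
        (name, server)
        for name, fields in parse_adapters(text).items()
        for server in fields.get("DNS Servers", [])
        if ipaddress.ip_address(server) not in net
    ]
```

Calling `dns_findings()` on saved `ipconfig /all` output from the firewall lists each adapter and DNS server to review; an empty list means every configured DNS server is inside the internal range.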
