  • Status: Solved
ISA dropping SYN packets

Hi,
I am finding browsing very slow on some websites, and after some investigation I found that ISA has the following entry in its logs: "fwx_e_tcp_not_syn_packet_dropped".
We have a standard Edge Firewall setup with 2 NICs.
Setup is as follows: NIC1 to ADSL router,
NIC2 to private network.
The problem is that it does not happen constantly but seems to be intermittent.
I have no idea what this could be, please help.
Log entry (populated fields only; the export's empty or "-" columns such as Client Agent, Authenticated Client, Service, Referring Server, Destination Host Name, HTTP Method, MIME Type, Source Proxy, Destination Proxy, Filter Information, Network Interface, Authentication Server, Rule, HTTP Status Code, Client Username, URL and Client Host Name are omitted):

  • Transport: TCP
  • Bidirectional: No
  • Raw IP Header: 45 00 00 28 3c be 40 00 80 06 00 00 c0 a8 02 02 d1 55 e1 93
  • Raw Payload: d8 1c 00 50 1a 31 03 f4 3e 0c be 84 50 11 ff 31 47 eb 00 00
  • GMT Log Time: 2009/04/30 01:26:20 PM
  • Log Time: 2009/04/30 03:26:20 PM
  • Source Port: 55324
  • Processing Time: 0
  • Bytes Sent: 0
  • Bytes Received: 0
  • Cache Information: 0x0
  • Error Information: 0x0
  • Original Client IP: 192.168.2.2
  • Client IP: 192.168.2.2
  • Destination IP: 209.85.225.147
  • Destination Port: 80
  • Protocol: HTTP
  • Action: Denied Connection
  • Result Code: 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
  • Source Network: Local Host
  • Destination Network: External
  • Server Name: XBLOX-S01
  • Log Record Type: Firewall

0
Asked by: wilcosw
2 Solutions
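The Raw IP Header and Raw Payload fields in the log entry above are enough to see what kind of packet ISA dropped. The following is an added example, not code from the original post or from ISA Server: it decodes the two hex strings as an IPv4 header and a TCP header and reports the TCP flags, which is exactly the property a SYN check looks at. The only input is the hex copied from the log; nothing else is assumed.

```python
import struct

# Hex copied verbatim from the "Raw IP Header" and "Raw Payload" log fields.
RAW_IP_HEADER = "45 00 00 28 3c be 40 00 80 06 00 00 c0 a8 02 02 d1 55 e1 93"
RAW_PAYLOAD = "d8 1c 00 50 1a 31 03 f4 3e 0c be 84 50 11 ff 31 47 eb 00 00"

# TCP flag bits (low 6 bits of the data-offset/flags word).
TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def _hex_to_bytes(s):
    return bytes.fromhex(s.replace(" ", ""))


def decode_ipv4_header(raw):
    """Decode the fixed 20-byte IPv4 header (no options) from a hex string."""
    b = _hex_to_bytes(raw)
    ver_ihl, _tos, total_len, ident, flags_frag, ttl, proto, _csum = \
        struct.unpack("!BBHHHBBH", b[:12])
    return {
        "version": ver_ihl >> 4,
        "ihl_bytes": (ver_ihl & 0x0F) * 4,
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,                      # 6 == TCP
        "src": ".".join(str(x) for x in b[12:16]),
        "dst": ".".join(str(x) for x in b[16:20]),
    }


def decode_tcp_header(raw):
    """Decode the fixed 20-byte TCP header from a hex string and name its flags."""
    b = _hex_to_bytes(raw)
    sport, dport, seq, ack, off_flags, window, _csum, _urg = \
        struct.unpack("!HHIIHHHH", b[:20])
    flags = off_flags & 0x01FF
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset_bytes": (off_flags >> 12) * 4,
        "flags": flags,
        "flag_names": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        "window": window,
    }


def explain_log_entry(raw_ip, raw_payload):
    """Return (ip, tcp, verdict): what a SYN-checking firewall sees in this packet."""
    ip = decode_ipv4_header(raw_ip)
    if ip["protocol"] != 6:
        return ip, None, "not TCP"
    tcp = decode_tcp_header(raw_payload)
    if tcp["flags"] & 0x02:
        verdict = "SYN present: this packet would be accepted as a new connection"
    else:
        verdict = ("no SYN flag (%s): a stateful firewall with no table entry for "
                   "this connection treats it as mid-stream and drops it"
                   % "+".join(tcp["flag_names"]))
    return ip, tcp, verdict


if __name__ == "__main__":
    ip, tcp, verdict = explain_log_entry(RAW_IP_HEADER, RAW_PAYLOAD)
    print("%s:%d -> %s:%d flags=%s" % (ip["src"], tcp["sport"], ip["dst"],
                                       tcp["dport"], tcp["flag_names"]))
    print(verdict)
```

Decoded, the packet is 192.168.2.2:55324 to 209.85.225.147:80 with FIN and ACK set, a total length of 40 bytes (two 20-byte headers, no data) and a zero IP checksum, which is what you would expect for a packet captured on the sending host before the NIC computed it. The source port and addresses match the Source Port, Client IP and Destination IP fields of the same log line, and the missing SYN is the literal reason for the FWX_E_TCP_NOT_SYN_PACKET_DROPPED result code.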
 
Raj-GT (Systems Engineer) commented:
Are the clients configured to use ISA as their default gateway? This error can occur if you have multiple gateways to the same resource in the network and the clients are not using ISA as their gateway.

Thanks,
Raj
0
 
techhealth commented:
The log entry you posted points to local node 192.168.2.2.  Is that the only one that has the issue, or is it across all the nodes on the local network?  If that's the only one, check the machine's IP and browser configuration.  The FWX_E_TCP_NOT_SYN_PACKET_DROPPED means ISA received some packets that are in the middle of a conversation, but it's not aware of the start of the conversation (SYN_PACKET), so it considered those erroneous and dropped them.  This might be a result of inconsistent routing information, which could be caused by ICMP redirect, proxy settings independent of ISA, etc.  For all the clients on the local network, they should know no other gateway and proxy than the ISA server.
0
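The two answers above describe the same mechanism from different sides: a stateful firewall only creates a connection entry when it sees the SYN, so any packet that belongs to a conversation whose SYN took a different path (a second gateway, an ICMP redirect) arrives with no matching entry and is dropped. The model below is an added example, written for this page and not ISA's own code; the addresses 192.168.1.10 and the packet sequences are constructed. It tracks flows with a simplified state machine (one entry per 4-tuple, removed on the first FIN or RST, no timeouts) and shows a symmetric exchange passing, an asymmetrically routed exchange being refused, and a lone FIN/ACK like the one in the question's log being refused.

```python
from collections import namedtuple

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10

# One packet as the firewall sees it: endpoints plus the TCP flag bits.
Packet = namedtuple("Packet", "src sport dst dport flags")

# Result-code name taken from the ISA log entry in the question.
RESULT_NOT_SYN = "FWX_E_TCP_NOT_SYN_PACKET_DROPPED"


class SynCheckFirewall:
    """Minimal stateful TCP tracker (not ISA's implementation).

    A flow entry is created only by a bare SYN.  Every other packet must match
    an existing entry, otherwise it is reported as a non-SYN packet dropped.
    Simplification: the entry is removed on the first FIN or RST; a real
    firewall keeps it through the peer's FIN and ages it out on a timer.
    """

    def __init__(self):
        self.flows = {}   # direction-independent 4-tuple -> state string

    @staticmethod
    def _key(pkt):
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def inspect(self, pkt):
        key = self._key(pkt)
        state = self.flows.get(key)
        if pkt.flags & SYN and not pkt.flags & ACK:
            self.flows[key] = "SYN_SENT"
            return "Initiated Connection"
        if state is None:
            # Mid-stream packet with no known start of conversation.
            return "Denied Connection " + RESULT_NOT_SYN
        if pkt.flags & SYN and pkt.flags & ACK and state == "SYN_SENT":
            self.flows[key] = "ESTABLISHED"
        if pkt.flags & (FIN | RST):
            self.flows.pop(key, None)
            return "Closed Connection"
        return "Allowed"


def run(packets):
    """Feed a packet sequence through a fresh firewall; return one verdict per packet."""
    fw = SynCheckFirewall()
    return [fw.inspect(p) for p in packets]


CLIENT, SERVER = "192.168.1.10", "209.85.225.147"   # constructed client; server from the log

# A: the whole exchange passes through ISA (clients use it as their only gateway).
SYMMETRIC = [
    Packet(CLIENT, 55324, SERVER, 80, SYN),
    Packet(SERVER, 80, CLIENT, 55324, SYN | ACK),
    Packet(CLIENT, 55324, SERVER, 80, ACK),
    Packet(CLIENT, 55324, SERVER, 80, PSH | ACK),
    Packet(CLIENT, 55324, SERVER, 80, FIN | ACK),
]

# B: the client's SYN left via another gateway (or an ICMP redirect moved it),
# so the first thing ISA sees is the server's reply.
ASYMMETRIC = [
    Packet(SERVER, 80, CLIENT, 55324, SYN | ACK),
    Packet(CLIENT, 55324, SERVER, 80, ACK),
]

# C: the packet from the question's log, with no prior state for it.
LOGGED_FIN_ACK = [Packet("192.168.2.2", 55324, SERVER, 80, FIN | ACK)]


if __name__ == "__main__":
    for name, seq in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC),
                      ("logged FIN/ACK", LOGGED_FIN_ACK)):
        print(name, run(seq))
```

The practical reading of scenario B is Raj-GT's question: if even one client (or the ISA host itself, as the Source Network "Local Host" in the log suggests) can reach the Internet through a route that bypasses the firewall's state table, every reply on that connection shows up as a non-SYN packet and is dropped, and the browser stalls until it retries, which is the intermittent slowness described.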
 
wilcosw (Author) commented:
We only have one gateway, and that is ISA.
The IP 192.168.2.2 is the public address of NIC2, and is connected to the ADSL router. The problem only points to the 192.168.2.2 address, because it is ISA that makes the request for the client.
0
 
techhealth commented:
For established connections on clients' behalf, the source address should be the client address, not the ISA public interface; am I wrong on that?  Otherwise every entry would have the same source, which won't be very helpful.  Besides, the log entry posted did say source network to be "Local host", which I missed - that should tell me 192.168.2.2 is the ISA interface... For a request originating from the inside, it'd be "Internal network" I think.  So it's kinda peculiar that it's a failed request actually coming from ISA itself.  That feels like a route redirect issue.  Your ADSL probably doesn't know/understand it's linked to an ISA; it's treating it just like a regular computer on LAN (you're using a private IP for ISA external interface), which is supposed to respond to ICMP redirects - that's something ISA definitely doesn't like.  Not sure how to remedy that yet though...
0
 
wilcosw (Author) commented:
Yes we are using a private IP for ISA on the public interface, but we are making use of NAT on our Router, that has the actual public IP. Any other ideas would be greatly appreciated.
0
 
Raj-GT (Systems Engineer) commented:
1. do you have all the updates installed on your ISA? (http://technet.microsoft.com/en-us/forefront/edgesecurity/bb734854.aspx)
2. Do you have default gateway entries defined on both interfaces of ISA?
3. Can you check the Internal network definition in ISA and confirm it includes the whole subnet including the network and broadcast IPs?
0
 
techhealth commented:
All good suggestions from Raj-GT.  Want to add one: do you have DNS servers specified on both interfaces (internal & external)?

It'd be helpful if we can see your ipconfig /all output and routing table on your ISA.
0
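Raj-GT's checks 2 and 3 and techhealth's request for the routing table can be turned into something mechanical. The script below is an added example, not part of the thread or of ISA Server: it parses the Active Routes section of a Windows `route print` dump and flags anything other than exactly one default (0.0.0.0) route, and it checks that an ISA Internal network address range covers the entire subnet of the internal NIC, network and broadcast addresses included. The route table text and the internal addressing (192.168.1.1/24, gateways 192.168.2.1 and 192.168.1.254) are constructed for the example; the thread only gives 192.168.2.2 as the external interface.

```python
import ipaddress
import re

# Constructed `route print` excerpt (assumed addressing).  It deliberately
# contains two 0.0.0.0 routes, one per NIC, which is the misconfiguration
# Raj-GT's check 2 is meant to catch.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.2.1     192.168.2.2     10
          0.0.0.0          0.0.0.0    192.168.1.254     192.168.1.1     20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
      192.168.1.0    255.255.255.0      192.168.1.1     192.168.1.1     10
      192.168.2.0    255.255.255.0      192.168.2.2     192.168.2.2     10
Default Gateway:       192.168.2.1
"""

# destination, netmask, gateway (may be "On-link" on newer Windows), interface, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return the route rows of a `route print` dump as dicts; other lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gw,
                           "interface": iface, "metric": int(metric)})
    return routes


def default_gateways(routes):
    """Check 2: list (gateway, interface) for every default route; there should be one."""
    return [(r["gateway"], r["interface"]) for r in routes
            if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]


def internal_range_covers_subnet(internal_ip, netmask, configured_ranges):
    """Check 3: does some configured Internal range cover the whole NIC subnet?

    configured_ranges is a list of (first, last) address strings as entered in
    the ISA Internal network definition.
    """
    subnet = ipaddress.ip_interface(f"{internal_ip}/{netmask}").network
    first, last = subnet.network_address, subnet.broadcast_address
    for lo, hi in configured_ranges:
        if ipaddress.ip_address(lo) <= first and last <= ipaddress.ip_address(hi):
            return True
    return False


def run_checks(route_text, internal_ip, netmask, configured_ranges):
    """Run both checks and return a list of human-readable findings (empty == clean)."""
    findings = []
    gws = default_gateways(parse_routes(route_text))
    if len(gws) != 1:
        findings.append("expected exactly one default gateway on the external "
                        "interface, found %d: %s" % (len(gws), gws))
    if not internal_range_covers_subnet(internal_ip, netmask, configured_ranges):
        findings.append("ISA Internal network range does not cover the whole "
                        "subnet of %s/%s" % (internal_ip, netmask))
    return findings


if __name__ == "__main__":
    # Typical mistake: range entered as .1-.254, leaving network and broadcast out.
    for f in run_checks(SAMPLE_ROUTE_PRINT, "192.168.1.1", "255.255.255.0",
                        [("192.168.1.1", "192.168.1.254")]):
        print("FINDING:", f)
```

To use it against a real ISA host, paste the output of `route print` into SAMPLE_ROUTE_PRINT and the internal NIC's address and mask from `ipconfig /all` into the call; the expected clean result is exactly one default route, bound to the external interface, and an Internal range of the form 192.168.1.0 to 192.168.1.255 rather than .1 to .254.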