ISA dropping SYN packets

I am finding it very slow browsing on some websites, and after some investigation I found that ISA has the following entry in its logs: "fwx_e_tcp_not_syn_packet_dropped".
We have a standard EdgeFirewall setup with 2 NICS.
Setup is as follows: NIC1 to ADSL router
NIC2 to private network.
The problem is that it does not happen constantly but seems to be intermittent.
I have no idea what this could be, please help.
Log record (field: value; empty fields omitted):
Referring Server: -
Transport: TCP
HTTP Method: -
MIME Type: -
Bidirectional: No
Filter Information: -
Raw IP Header: 45 00 00 28 3c be 40 00 80 06 00 00 c0 a8 02 02 d1 55 e1 93
Raw Payload: d8 1c 00 50 1a 31 03 f4 3e 0c be 84 50 11 ff 31 47 eb 00 00
GMT Log Time: 2009/04/30 01:26:20 PM
Source Port: 55324
Processing Time: 0
Bytes Sent: 0
Bytes Received: 0
Cache Information: 0x0
Error Information: 0x0
Authentication Server: -
Log Time: 2009/04/30 03:26:20 PM
Destination Port: 80
Protocol: HTTP
Action: Denied Connection
Result Code: 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED
Source Network: Local Host
Destination Network: External
URL: -
Server Name: XBLOX-S01
Log Record Type: Firewall

Raj-GT, Systems Engineer, commented:
1. Do you have all the updates installed on your ISA?
2. Do you have default gateway entries defined on both interfaces of ISA?
3. Can you check the Internal network definition in ISA and confirm it includes the whole subnet including the network and broadcast IPs?
Raj-GT, Systems Engineer, commented:
Are the clients configured to use ISA as their default gateway? This error can occur if you have multiple gateways to the same resource in the network and the clients are not using ISA as their gateway.

The log entry you posted points to local node. Is that the only one that has the issue, or is it across all the nodes on the local network? If that's the only one, check the machine's IP and browser configuration. The FWX_E_TCP_NOT_SYN_PACKET_DROPPED means ISA received some packets that are in the middle of a conversation, but it's not aware of the start of the conversation (SYN_PACKET), so it considered those erroneous and dropped them. This might be a result of inconsistent routing information, which could be caused by ICMP redirect, proxy settings independent of ISA, etc. For all the clients on the local network, they should know no other gateway and proxy than the ISA server.
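As an added example that is not part of the thread, the following Python decoder parses the Raw IP Header and Raw Payload columns of the log record posted above and reports the addresses, ports and TCP flags of the dropped segment, so you can see for yourself whether it was a connection-opening SYN or a mid-conversation segment. The "bare SYN opens a connection" rule in the code is the usual stateful-filter convention assumed here, not something quoted from ISA's documentation.

```python
# Added example (not from the original thread): decode the Raw IP Header and
# Raw Payload columns of an ISA firewall log record to see what kind of TCP
# segment was dropped with result 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED.
import struct

# Hex strings copied from the log record posted in the question.
RAW_IP_HEADER = "45 00 00 28 3c be 40 00 80 06 00 00 c0 a8 02 02 d1 55 e1 93"
RAW_PAYLOAD = "d8 1c 00 50 1a 31 03 f4 3e 0c be 84 50 11 ff 31 47 eb 00 00"

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def decode_isa_raw_fields(ip_hex, payload_hex):
    """Parse the IPv4 header and the TCP header that ISA logs as raw hex.

    Returns a dict with addresses, ports, TCP flags and whether a stateful
    filter could accept this segment as the start of a new connection
    (assumed rule: only a SYN without ACK opens a tracked connection).
    """
    ip = bytes.fromhex(ip_hex)
    tcp = bytes.fromhex(payload_hex)

    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("expected an IPv4/TCP record")

    sport, dport, seq, ack, _off_res, flags, _win, _tcsum, _urg = \
        struct.unpack("!HHIIBBHHH", tcp[:20])
    flag_names = [name for bit, name in TCP_FLAG_NAMES if flags & bit]

    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "sport": sport, "dport": dport, "ttl": ttl, "total_len": total_len,
        "seq": seq, "ack": ack, "flags": flag_names,
        "opens_connection": bool(flags & 0x02) and not (flags & 0x10),
    }


if __name__ == "__main__":
    d = decode_isa_raw_fields(RAW_IP_HEADER, RAW_PAYLOAD)
    print(f"{d['src']}:{d['sport']} -> {d['dst']}:{d['dport']} "
          f"flags={'/'.join(d['flags'])} opens_connection={d['opens_connection']}")
```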
wilcosw (Author) commented:
We only have one gateway, and that is ISA.
The IP is the public address of NIC2, and is connected to the ADSL router. The problem only points to the address, because it is ISA that makes the request for the client.
For established connections on clients' behalf, the source address should be the client address, not the ISA public interface; am I wrong on that? Otherwise every entry would have the same source, which won't be very helpful. Besides, the log entry posted did say source network to be "Local host", which I missed - that should tell me it is the ISA interface... For a request originating from the inside, it'd be "Internal network" I think. So it's kinda peculiar that it's a failed request actually coming from ISA itself. That feels like a route redirect issue. Your ADSL probably doesn't know/understand it's linked to an ISA; it's treating it just like a regular computer on LAN (you're using a private IP for ISA external interface), which is supposed to respond to ICMP redirects - that's something ISA definitely doesn't like. Not sure how to remedy that yet though...
wilcosw (Author) commented:
Yes we are using a private IP for ISA on the public interface, but we are making use of NAT on our Router, that has the actual public IP. Any other ideas would be greatly appreciated.
techhealth commented:
All good suggestions from Raj-GT.  Want to add one: do you have DNS servers specified on both interfaces (internal & external)?

It'd be helpful if we can see your ipconfig /all output and routing table on your ISA.