ISA 2006 SP1 'Failed connection attempt' 10054 An existing connection was forcibly closed by the remote host

I have a few questions regarding ISA Server 2006. First, let me explain the configuration. An Exchange 2007 server on Server 2008 serves as the hub transport server as well as the client access server. ISA Server 2006 is used as the back firewall and is attached to the domain. The ISA server is only set up to publish an ActiveSync rule. In the ISA configuration under Networks, Internal, Domains, I have added *.mydomain.com in the Domain names tab. Is this necessary? What exactly is this affecting? I also noticed in the logs that every once in a while I will get a "'Failed connection attempt' 10054 An existing connection was forcibly closed by the remote host" error on the ISA server. Even though I get this error, I am still able to function with ActiveSync on all the mobile devices. Because this unit is in production, I would like to clear up this error as soon as possible.
Thanks in advance
Asked by MGS-TECH

Keith Alabaster commented:
More info would be useful. Where are the Exchange services - all behind ISA or some behind and the CAS in front?

The domain tab is normally for sites that will be contacted directly - this is normally for outbound, not inbound traffic.
The 'error' message you report is received and logged by ISA - not generated by ISA. This could be as simple as a timed-out connection from exchange shutting down a session. Open the ISA gui - select monitoring - alerts. Anything listed here?
Make sure .NET 1.1 is installed on the ISA - then run the ISA best practice analyser.
http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
 
MGS-TECH (Author) commented:
Thanks for the response!
The exchange services are all behind ISA.
The alerts I received are configuration errors:

Description: ISA Server detected routes through the network adapter DMZ that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 192.168.10.255-192.168.10.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

The routing table for the network adapter Internal includes IP address ranges that are not defined in the array-level network Internal, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network.
The following IP address ranges will be dropped as spoofed:
External:0.0.0.1-126.255.255.255,128.0.0.0-192.168.9.255,192.168.11.0-192.168.87.255,192.168.89.0-223.255.255.255,240.0.0.0-255.255.255.254;

This is what I have configured for my Internal Network:
Start-192.168.10.0    End-192.168.10.0
Start-192.168.10.1    End-192.168.10.254

I figured I had to add my domain to the Domains tab, because I need to contact my DCs for authentication on my local network. Do I have a configuration error anywhere?
Please let me know.

Thanks,
 
Keith Alabaster commented:
Where is the DMZ - a third interface on ISA or the space between the ISA external NIC and the inside NIC of the external firewall?

Open the ISA GUI - select Configuration - Networks - excluding External of course - then go through each network in turn and Properties - Addresses.
Each NIC should contain ALL the IP addresses that are available through that NIC - and only those behind that NIC.

For example, if you had three NICs on ISA: external, DMZ and internal. DMZ holds the 192.168.20.0/24 subnet and internally you had 192.168.0.0/23.

On the internal LAT addresses you would have listed 192.168.0.0 - 192.168.1.255 - you MUST include the subnet ID AND the broadcast address.

On the DMZ LAT addresses tab you would have 192.168.20.0 - 192.168.20.255

External is not relevant as it assumes ALL addresses that are not in the internal or DMZ lat.

Assuming ISA is a domain member - as recommended in all best-practice papers - the ISA can contact internal DCs by adding a rule in the ISA firewall policy allowing relevant protocols FROM internal & localhost TO internal & localhost - all users (you don't want to have to put system service accounts in here lol)

Keith
 
MGS-TECH (Author) commented:
I only have 2 NICs on the ISA server: Internal and DMZ.
Internal is the 192.168.10.0 network.
DMZ is the 192.168.88.0 network.

The DMZ network is connected to a SonicWall firewall.
So if I understand you correctly, I need to configure the internal network as follows:
192.168.10.0-192.168.10.255
instead of what I currently have:
Start-192.168.10.0    End-192.168.10.0
Start-192.168.10.1    End-192.168.10.254

Am I correct in this assumption?
 
Keith Alabaster commented:
Absolutely
 
MGS-TECH (Author) commented:
After making this change do I need to reboot?
 
Keith Alabaster commented:
For example, you have omitted the .255 address. If you think that all elements that use a broadcast will transmit to the .255 address - then every one of those will be seen as a spoof, as the .255 address is not being seen as on the inside of ISA :)
 
Keith Alabaster commented:
No - it's immediate.
 
MGS-TECH (Author) commented:
Thank you for all your help. I will award you the points. However, I have one more question that I wonder if you can help me with. Every once in a while in the logging on ISA I get the following error.

Failed Connection Attempt
Log type Web Proxy Reverse
Status: 10054 An existing connection was forcibly closed by the remote host.
Rule: EAS

This happens intermittently and occurs quite often. Anything I need to do on this?
Thanks for all your help.
 
Keith Alabaster commented:
Probably not. That message is normally passed back to ISA as the result of something rather than ISA being the creator of the message. An example could be a session timeout, a connection - such as RDP - that is abnormally terminated, and the like.

If you wanted to, install .NET 1.1 on the ISA and run up the BPA.

http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
 
MGS-TECH (Author) commented:
After making the internal network change and rebooting, I now get this configuration error:

Description: The routing table for the network adapter Internal includes IP address ranges that are not defined in the array-level network Internal, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network.
The following IP address ranges will be dropped as spoofed:
External:0.0.0.1-126.255.255.255,128.0.0.0-192.168.9.255,192.168.11.0-192.168.87.255,192.168.89.0-223.255.255.255,240.0.0.0-255.255.255.254
 
Keith Alabaster commented:
What other entries do you have in the LAT? There should ONLY be those inside the ISA.
 
MGS-TECH (Author) commented:
How do I find this out? Where do I configure the LAT?
 
Keith Alabaster commented:
Configuration - Networks - Internal - Properties - Addresses. LAT stands for Local Address Table.
 
MGS-TECH (Author) commented:
The only thing I have in the Internal Network is the range
192.168.10.0-192.168.10.255
 
Keith Alabaster commented:
But you have two network cards?
 
Keith Alabaster commented:
Then you may want to try rebooting, but I have never had to.
 
MGS-TECH (Author) commented:
I have 2 NICs:
One Internal: 192.168.10.0 network
One DMZ: 192.168.88.0 network
I did reboot after I made the initial change.
 
Keith Alabaster commented:
Then we have a much more fundamental issue than the ones we have looked at already.

An ipconfig /all from the ISA Server please.
Also the output from a route print.
 
MGS-TECH (Author) commented:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

H:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : isa
   Primary Dns Suffix  . . . . . . . : domain.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
   Physical Address. . . . . . . . . : 00-1A-A0-21-C0-27
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.70
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.2
                                       192.168.10.63

Ethernet adapter DMZ:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 GT Desktop Adapter
   Physical Address. . . . . . . . . : 00-1B-21-10-1C-E9
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.88.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.88.1

H:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 1a a0 21 c0 27 ...... Broadcom 440x 10/100 Integrated Controller
0x10004 ...00 1b 21 10 1c e9 ...... Intel(R) PRO/1000 GT Desktop Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.70     20
          0.0.0.0          0.0.0.0     192.168.88.1     192.168.88.2     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0    192.168.10.70    192.168.10.70     20
    192.168.10.70  255.255.255.255        127.0.0.1        127.0.0.1     20
   192.168.10.255  255.255.255.255    192.168.10.70    192.168.10.70     20
     192.168.88.0    255.255.255.0     192.168.88.2     192.168.88.2     10
     192.168.88.2  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.88.255  255.255.255.255     192.168.88.2     192.168.88.2     10
        224.0.0.0        240.0.0.0    192.168.10.70    192.168.10.70     20
        224.0.0.0        240.0.0.0     192.168.88.2     192.168.88.2     10
  255.255.255.255  255.255.255.255    192.168.10.70    192.168.10.70      1
  255.255.255.255  255.255.255.255     192.168.88.2     192.168.88.2      1
Default Gateway:      192.168.88.1
===========================================================================
Persistent Routes:
  None
 
Keith Alabaster commented:
Here we go....
First thing - you cannot have a default gateway on both NICs. It's a networking no-no, not supported by MS and will send ISA bonkers. Think what a default gateway is.... it is the address the server will send traffic to if it does not know what else to do because it does not have a route. Which default gateway do you think ISA will be using when you ask it to go out to the internet? In reality it could be either in your situation... You can see that on your route print - you have two 0.0.0.0 entries and the first listed is the INTERNAL subnet - that is just SO wrong... lol

So, dump the internal default gateway.

You have not shown the DNS entries on the external NIC - the external NIC should not have any DNS entries at all, or should use the internal DNS server IP addresses - exactly the same as the internal NIC does. This forces ISA to use the same DNS servers - internal ones - just make sure you have an access rule allowing outbound DNS from internal to external (or DMZ for you).

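A way to check both points Keith raises (ranges that omit the subnet ID or broadcast address, and a default gateway on more than one NIC) before ISA raises the alert, as an added example that is not part of the original thread or of ISA Server; the Internal ranges and route lines used as sample data are constructed from the values posted above.

```python
# Added example (not ISA Server's own code) for the two misconfigurations in this thread.
import ipaddress
import re

def expected_range(ip, mask):
    """Subnet ID and broadcast of the NIC's subnet; both belong in the LAT."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    return net.network_address, net.broadcast_address

def missing_addresses(ip, mask, configured):
    """Subnet addresses not covered by the configured (start, end) ranges.
    Returned as (start, end) strings; non-empty => 'dropped as spoofed'."""
    first, last = expected_range(ip, mask)
    covered = set()
    for start, end in configured:
        covered.update(range(int(ipaddress.IPv4Address(start)),
                             int(ipaddress.IPv4Address(end)) + 1))
    gaps, run_start = [], None
    for addr in range(int(first), int(last) + 1):
        if addr not in covered and run_start is None:
            run_start = addr                     # gap begins
        elif addr in covered and run_start is not None:
            gaps.append((run_start, addr - 1))   # gap ends
            run_start = None
    if run_start is not None:
        gaps.append((run_start, int(last)))
    return [(str(ipaddress.IPv4Address(s)), str(ipaddress.IPv4Address(e)))
            for s, e in gaps]

# One 'Active Routes' line: destination netmask gateway interface metric
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")

def default_gateways(route_print):
    """(gateway, interface) of every 0.0.0.0/0.0.0.0 route in 'route print'
    output; more than one entry means more than one NIC has a default gateway."""
    gws = []
    for line in route_print.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            gws.append((m.group(3), m.group(4)))
    return gws

# Constructed sample: the original Internal ranges (no .255) and the posted default routes.
ORIGINAL_LAT = [("192.168.10.0", "192.168.10.0"),
                ("192.168.10.1", "192.168.10.254")]
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.70     20
          0.0.0.0          0.0.0.0     192.168.88.1     192.168.88.2     10
"""
```

Run against the poster's values, missing_addresses reports exactly the 192.168.10.255 gap from the alert, and default_gateways returns two entries, the condition Keith flags in the route print.
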
 
MGS-TECH (Author) commented:
I have removed the Internal Gateway of 192.168.10.1
The DMZ Nic doesn't have any DNS settings configured
 
Keith Alabaster commented:
That's fine :) Some people don't like to leave it empty and so put in the internal DNS server IP addresses. You should now only see one entry for 0.0.0.0 in the route print output.
 
MGS-TECH (Author) commented:
That is now what I see. Thanks for all your help. It is much appreciated.
 
Keith Alabaster commented:
Welcome :)