• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 10455

ISA 2006 SP1 'Failed connection attempt' 10054 An existing connection was forcibly closed by the remote host

I have a few questions regarding ISA Server 2006. First, let me explain the configuration. An Exchange 2007 server on Server 2008 serves as the hub transport server as well as the client access server. ISA Server 2006 is used as the back firewall and is attached to the domain. The ISA server is only set up to publish an ActiveSync rule. In the ISA configuration under Networks, Internal, Domains, I have added *.mydomain.com in the Domain names tab. Is this necessary? What exactly is this affecting? I noticed also in the logs that every once in a while I will get a "'Failed connection attempt' 10054 An existing connection was forcibly closed by the remote host" error on the ISA server. Even though I get this error, I am still able to function with ActiveSync on all the mobile devices. Because this unit is in production, I would like to clear up this error as soon as possible.
Thanks in advance
Asked by: MGS-TECH
1 Solution
 
Keith Alabaster (Enterprise Architect) commented:
More info would be useful. Where are the Exchange services - all behind ISA, or some behind and the CAS in front?

The domain tab is normally for sites that will be contacted directly - this is normally for outbound, not inbound traffic.
The 'error' message you report is received and logged by ISA - not generated by ISA. This could be as simple as a timed-out connection from Exchange shutting down a session. Open the ISA GUI - select Monitoring - Alerts. Anything listed here?
Make sure .NET 1.1 is installed on the ISA - then run the ISA Best Practices Analyzer.
http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
 
MGS-TECH (Author) commented:
Thanks for the response!
The Exchange services are all behind ISA.
The alerts I received are configuration errors.

Description: ISA Server detected routes through the network adapter DMZ that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 192.168.10.255-192.168.10.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

The routing table for the network adapter Internal includes IP address ranges that are not defined in the array-level network Internal, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network.
The following IP address ranges will be dropped as spoofed:
External:0.0.0.1-126.255.255.255,128.0.0.0-192.168.9.255,192.168.11.0-192.168.87.255,192.168.89.0-223.255.255.255,240.0.0.0-255.255.255.254;


This is what I have configured for my Internal Network:
Start: 192.168.10.0    End: 192.168.10.0
Start: 192.168.10.1    End: 192.168.10.254


I figured I had to add my domain to the domain tab, because I need to contact my DCs for authentication on my local network. Do I have a configuration error anywhere?
Please let me know.

Thanks,
 
Keith Alabaster (Enterprise Architect) commented:
Where is the DMZ - a third interface on ISA, or the space between the ISA external NIC and the inside NIC of the external firewall?

Open the ISA GUI - select Configuration - Networks - excluding External of course - then go through each network in turn and Properties - Addresses.
Each NIC should contain ALL the IP addresses that are available through that NIC - and only those behind that NIC.

For example, if you had three NICs on ISA (external, DMZ and internal), the DMZ holds the 192.168.20.0/24 subnet and internally you had 192.168.0.0/23.

On the internal LAT addresses you would have listed 192.168.0.0 - 192.168.1.255 - you MUST include the subnet ID AND the broadcast address.

On the DMZ LAT addresses tab you would have 192.168.20.0 - 192.168.20.255.

External is not relevant, as it assumes ALL addresses that are not in the internal or DMZ LAT.

Assuming ISA is a domain member - as recommended in all best-practice papers - the ISA can contact internal DCs by adding a rule in the ISA firewall policy allowing relevant protocols FROM Internal & Localhost TO Internal & Localhost - all users (you don't want to have to put system service accounts in here lol).

Keith
 
MGS-TECH (Author) commented:
I only have 2 NICs on the ISA server: Internal and DMZ.
Internal is the 192.168.10.0 network.
DMZ is the 192.168.88.0 network.

The DMZ network is connected to a SonicWall firewall.
So if I understand you correctly, I need to configure the internal network as follows:
192.168.10.0-192.168.10.255
instead of what I currently have:
Start: 192.168.10.0    End: 192.168.10.0
Start: 192.168.10.1    End: 192.168.10.254

Am I correct in this assumption?
 
Keith Alabaster (Enterprise Architect) commented:
Absolutely
 
MGS-TECH (Author) commented:
After making this change do I need to reboot?
 
Keith Alabaster (Enterprise Architect) commented:
For example, you have omitted the .255 address. If you think that all elements that use a broadcast will transmit to the .255 address - then every one of those will be seen as a spoof, as the .255 address is not being seen as on the inside of ISA :)
 
Keith Alabaster (Enterprise Architect) commented:
No - it's immediate.
 
MGS-TECH (Author) commented:
Thank you for all your help. I will award you the points. However, I have one more question that I wonder if you can help me with. Every once in a while in the logging on ISA I get the following error.

Failed Connection Attempt
Log type: Web Proxy Reverse
Status: 10054 An existing connection was forcibly closed by the remote host.
Rule: EAS

This happens intermittently and occurs quite often. Anything I need to do on this?
Thanks for all your help.
 
Keith Alabaster (Enterprise Architect) commented:
Probably not. That message is normally passed back to ISA as the result of something, rather than ISA being the creator of the message. An example could be a session timeout, a connection - such as RDP - that is abnormally terminated, and the like.

If you wanted to, install .NET 1.1 on the ISA and run up the BPA.

http://www.microsoft.com/downloads/details.aspx?FamilyID=D22EC2B9-4CD3-4BB6-91EC-0829E5F84063&displaylang=en
 
MGS-TECH (Author) commented:
After making the internal network change and rebooting, I now get this configuration error:

Description: The routing table for the network adapter Internal includes IP address ranges that are not defined in the array-level network Internal, to which it is bound. As a result, packets arriving at this network adapter from the IP address ranges listed below or sent to these IP address ranges via this network adapter will be dropped as spoofed. To resolve this issue, add the missing IP address ranges to the array network.
The following IP address ranges will be dropped as spoofed:
External:0.0.0.1-126.255.255.255,128.0.0.0-192.168.9.255,192.168.11.0-192.168.87.255,192.168.89.0-223.255.255.255,240.0.0.0-255.255.255.254
 
Keith Alabaster (Enterprise Architect) commented:
What other entries do you have in the LAT? There should ONLY be those inside the ISA.
 
MGS-TECH (Author) commented:
How do I find this out? Where do I configure the LAT?
 
Keith Alabaster (Enterprise Architect) commented:
Configuration - Networks - Internal - Properties - Addresses. LAT stands for local address table.
 
MGS-TECH (Author) commented:
The only thing I have in the Internal Network is the range
192.168.10.0-192.168.10.255

 
Keith Alabaster (Enterprise Architect) commented:
But you have two network cards?
 
Keith Alabaster (Enterprise Architect) commented:
Then you may want to try rebooting, but I have never had to.
 
MGS-TECH (Author) commented:
I have 2 NICs:
One Internal: 192.168.10.0 network
One DMZ: 192.168.88.0 network
I did reboot after I made the initial change.
 
Keith Alabaster (Enterprise Architect) commented:
Then we have a much more fundamental issue than the ones we have looked at already.

An ipconfig /all from the ISA Server please.
Also the output from a route print.
 
MGS-TECH (Author) commented:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

H:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : isa
   Primary Dns Suffix  . . . . . . . : domain.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter Internal:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controller
   Physical Address. . . . . . . . . : 00-1A-A0-21-C0-27
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.10.70
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.2
                                       192.168.10.63

Ethernet adapter DMZ:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 GT Desktop Adapter
   Physical Address. . . . . . . . . : 00-1B-21-10-1C-E9
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.88.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.88.1
H:\>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 1a a0 21 c0 27 ...... Broadcom 440x 10/100 Integrated Controller
0x10004 ...00 1b 21 10 1c e9 ...... Intel(R) PRO/1000 GT Desktop Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.10.1    192.168.10.70     20
          0.0.0.0          0.0.0.0     192.168.88.1     192.168.88.2     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
     192.168.10.0    255.255.255.0    192.168.10.70    192.168.10.70     20
    192.168.10.70  255.255.255.255        127.0.0.1        127.0.0.1     20
   192.168.10.255  255.255.255.255    192.168.10.70    192.168.10.70     20
     192.168.88.0    255.255.255.0     192.168.88.2     192.168.88.2     10
     192.168.88.2  255.255.255.255        127.0.0.1        127.0.0.1     10
   192.168.88.255  255.255.255.255     192.168.88.2     192.168.88.2     10
        224.0.0.0        240.0.0.0    192.168.10.70    192.168.10.70     20
        224.0.0.0        240.0.0.0     192.168.88.2     192.168.88.2     10
  255.255.255.255  255.255.255.255    192.168.10.70    192.168.10.70      1
  255.255.255.255  255.255.255.255     192.168.88.2     192.168.88.2      1
Default Gateway:      192.168.88.1
===========================================================================
Persistent Routes:
  None
 
Keith Alabaster (Enterprise Architect) commented:
Here we go....
First thing - you cannot have a default gateway on both NICs. It's a networking no-no, not supported by MS, and will send ISA bonkers. Think what a default gateway is.... it is the address the server will send traffic to if it does not know what else to do because it does not have a route. Which default gateway do you think ISA will be using when you ask it to go out to the internet? In reality it could be either in your situation... You can see that on your route print - you have two 0.0.0.0 entries and the first listed is the INTERNAL subnet - that is just SO wrong... lol

SO.. dump the internal default gateway.

You have not shown the DNS entries on the external NIC - the external NIC should not have any DNS entries at all, or should use the internal DNS server IP addresses - exactly the same as the internal NIC does. This forces ISA to use the same DNS servers - internal ones - just make sure you have an access rule allowing outbound DNS from Internal to External (or DMZ for you).

 
MGS-TECH (Author) commented:
I have removed the Internal gateway of 192.168.10.1.
The DMZ NIC doesn't have any DNS settings configured.
 
Keith Alabaster (Enterprise Architect) commented:
That's fine :) Some people don't like to leave it empty and so put in the internal DNS server IP addresses. You should now only see one entry for 0.0.0.0 in the route print output.
 
MGS-TECH (Author) commented:
That is now what I see. Thanks for all your help. It is much appreciated.
 
Keith Alabaster (Enterprise Architect) commented:
Welcome :)
Question has a verified solution.