?
Solved

ISA 2004 - with windows 2003 server SP2,  Error Code 502 Proxy The ISA Server denied specified Uniform Resource Locator URL 12202

Posted on 2009-07-06
2
Medium Priority
?
1,734 Views
Last Modified: 2012-06-27
Dear all we are facing problem with the ISA server 2004 installed on Windows 2003 Server with Service pack 2.
The ISA server is connected behind a PIX 525 Firewall as follows
INTERNET ----- PIX 525 ----SWITHC REAL IP
             |
             |
             |
             |

         DMZ    ZONE--------------- ISA SERVER

Since past 2 days we are facing some issues with the browsing, the hotmail, Gmail & yahoo mail cannot be opened, its giving us the following error,

X
      Network Access Message: The page cannot be displayed

      Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

Try the following:
"      Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
"      Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
"      Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.
If you are still not able to view the requested page, try contacting your administrator or Helpdesk.

      Technical Information (for support personnel)
"      Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
"      IP Address: 10.0.1.108
"      Date: 7/7/2009 5:57:07 AM
"      Server: fw01.kfsh.med.sa
"      Source: proxy
No configuration changes were done in past two weeks, suddenly this problem started, if we browse directly without the ISA server everything seems to be fine.
Please help me to solve this issue, also our ISA VPN is not working

Alert Information
Description: ISA Server detected routes through the network adapter Internal that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 30.0.0.0-30.0.1.255;50.0.0.0-50.0.1.255;10.0.8.0-10.1.255.255;10.2.2.0-10.3.255.255;10.4.2.0-10.5.255.255;10.6.2.0-10.7.255.255;10.8.2.0-10.9.255.255;10.10.2.0-10.11.255.255;10.12.2.0-10.13.255.255;10.14.2.0-10.15.255.255;10.16.2.0-10.17.255.255;10.18.2.0-10.19.255.255;10.20.2.0-10.21.255.255;10.22.2.0-10.23.255.255;10.24.2.0-10.25.255.255;10.26.2.0-10.27.255.255;10.28.2.0-10.29.255.255;10.30.2.0-10.31.255.255;10.32.2.0-10.33.255.255;10.34.2.0-10.35.255.255;10.36.2.0-10.37.255.255;10.38.2.0-10.39.255.255;10.40.2.0-10.41.255.255;10.42.2.0-10.43.255.255;10.44.2.0-10.45.255.255;10.46.2.0-10.47.255.255;10.48.2.0-10.48.255.255;10.49.2.0-10.49.255.255;10.50.2.0-10.51.255.255;10.52.2.0-10.53.255.255;10.54.2.0-10.55.255.255;10.56.2.0-10.57.255.255;10.58.2.0-10.69.255.255;10.70.2.0-10.89.255.255;10.90.2.0-10.255.255.254;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
<br>ISA Server detected routes through the network adapter External that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 10.0.8.0-10.1.255.255;10.2.2.0-10.3.255.255;10.4.2.0-10.5.255.255;10.6.2.0-10.7.255.255;10.8.2.0-10.9.255.255;10.10.2.0-10.11.255.255;10.12.2.0-10.13.255.255;10.14.2.0-10.15.255.255;10.16.2.0-10.17.255.255;10.18.2.0-10.19.255.255;10.20.2.0-10.21.255.255;10.22.2.0-10.23.255.255;10.24.2.0-10.25.255.255;10.26.2.0-10.27.255.255;10.28.2.0-10.29.255.255;10.30.2.0-10.31.255.255;10.32.2.0-10.33.255.255;10.34.2.0-10.35.255.255;10.36.2.0-10.37.255.255;10.38.2.0-10.39.255.255;10.40.2.0-10.41.255.255;10.42.2.0-10.43.255.255;10.44.2.0-10.45.255.255;10.46.2.0-10.47.255.255;10.48.2.0-10.48.255.255;10.49.2.0-10.49.255.255;10.50.2.0-10.51.255.255;10.52.2.0-10.53.255.255;10.54.2.0-10.55.255.255;10.56.2.0-10.57.255.255;10.58.2.0-10.69.255.255;10.70.2.0-10.89.255.255;10.90.2.0-10.255.255.254;30.0.0.0-30.0.1.255;50.0.0.0-50.0.1.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

Open in new window

ISA-Error.jpg
hotmail-error.jpg
KFSH-Internet-Architecture.jpg
0
Comment
Question by:yasirirfan
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 1080 total points
ID: 24795120
ISA is actively deniing the page.  So something changes somewhere even if you don't know it happened.
"fw01.kfsh.med.sa" does not look like anything related to hotmail, gmail, or yahoo mail to me, but I could be wrong.
The live monitoring log will show the Denies and they will show the Rule that is doing it.
If the Rule is the "Default Rule" then it just means that no "allow" rule anywhere in your Rule List matches the traffic that ISA see.  If no rule on the list match the traffic the traffic is automatically stopped by the Default Rule,...it is the same idea as the Implicit Deny that Cisco products use.
The Alert listed can usually be ignored with Remote Access VPN Clients.  There is a breif period of time where the VPN Users received IP# is dynamically switched from the Internal Network to the VPN Users Network,...that mild delay is sometimes enough to cause a false positive with that alert.
As far as the VPN not working,...can't help there.  Just having "it doesn't work" is not enough detail to work with.  Probably should focus on the other problems first.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
ISA Server detected routes through the network adapter LAN that do not correlate with the network to which this network adapter belongs What does this mean and how can one go about correcting it? In simple terms, this error message indicates t…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Suggested Courses
Course of the Month8 days, 12 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question