Solved

ISA 2004 - with windows 2003 server SP2,  Error Code 502 Proxy The ISA Server denied specified Uniform Resource Locator URL 12202

Posted on 2009-07-06
2
1,717 Views
Last Modified: 2012-06-27
Dear all we are facing problem with the ISA server 2004 installed on Windows 2003 Server with Service pack 2.
The ISA server is connected behind a PIX 525 Firewall as follows
INTERNET ----- PIX 525 ----SWITHC REAL IP
             |
             |
             |
             |

         DMZ    ZONE--------------- ISA SERVER

Since past 2 days we are facing some issues with the browsing, the hotmail, Gmail & yahoo mail cannot be opened, its giving us the following error,

X
      Network Access Message: The page cannot be displayed

      Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

Try the following:
"      Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
"      Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
"      Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.
If you are still not able to view the requested page, try contacting your administrator or Helpdesk.

      Technical Information (for support personnel)
"      Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
"      IP Address: 10.0.1.108
"      Date: 7/7/2009 5:57:07 AM
"      Server: fw01.kfsh.med.sa
"      Source: proxy
No configuration changes were done in past two weeks, suddenly this problem started, if we browse directly without the ISA server everything seems to be fine.
Please help me to solve this issue, also our ISA VPN is not working

Alert Information
Description: ISA Server detected routes through the network adapter Internal that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 30.0.0.0-30.0.1.255;50.0.0.0-50.0.1.255;10.0.8.0-10.1.255.255;10.2.2.0-10.3.255.255;10.4.2.0-10.5.255.255;10.6.2.0-10.7.255.255;10.8.2.0-10.9.255.255;10.10.2.0-10.11.255.255;10.12.2.0-10.13.255.255;10.14.2.0-10.15.255.255;10.16.2.0-10.17.255.255;10.18.2.0-10.19.255.255;10.20.2.0-10.21.255.255;10.22.2.0-10.23.255.255;10.24.2.0-10.25.255.255;10.26.2.0-10.27.255.255;10.28.2.0-10.29.255.255;10.30.2.0-10.31.255.255;10.32.2.0-10.33.255.255;10.34.2.0-10.35.255.255;10.36.2.0-10.37.255.255;10.38.2.0-10.39.255.255;10.40.2.0-10.41.255.255;10.42.2.0-10.43.255.255;10.44.2.0-10.45.255.255;10.46.2.0-10.47.255.255;10.48.2.0-10.48.255.255;10.49.2.0-10.49.255.255;10.50.2.0-10.51.255.255;10.52.2.0-10.53.255.255;10.54.2.0-10.55.255.255;10.56.2.0-10.57.255.255;10.58.2.0-10.69.255.255;10.70.2.0-10.89.255.255;10.90.2.0-10.255.255.254;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
<br>ISA Server detected routes through the network adapter External that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 10.0.8.0-10.1.255.255;10.2.2.0-10.3.255.255;10.4.2.0-10.5.255.255;10.6.2.0-10.7.255.255;10.8.2.0-10.9.255.255;10.10.2.0-10.11.255.255;10.12.2.0-10.13.255.255;10.14.2.0-10.15.255.255;10.16.2.0-10.17.255.255;10.18.2.0-10.19.255.255;10.20.2.0-10.21.255.255;10.22.2.0-10.23.255.255;10.24.2.0-10.25.255.255;10.26.2.0-10.27.255.255;10.28.2.0-10.29.255.255;10.30.2.0-10.31.255.255;10.32.2.0-10.33.255.255;10.34.2.0-10.35.255.255;10.36.2.0-10.37.255.255;10.38.2.0-10.39.255.255;10.40.2.0-10.41.255.255;10.42.2.0-10.43.255.255;10.44.2.0-10.45.255.255;10.46.2.0-10.47.255.255;10.48.2.0-10.48.255.255;10.49.2.0-10.49.255.255;10.50.2.0-10.51.255.255;10.52.2.0-10.53.255.255;10.54.2.0-10.55.255.255;10.56.2.0-10.57.255.255;10.58.2.0-10.69.255.255;10.70.2.0-10.89.255.255;10.90.2.0-10.255.255.254;30.0.0.0-30.0.1.255;50.0.0.0-50.0.1.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

Open in new window

ISA-Error.jpg
hotmail-error.jpg
KFSH-Internet-Architecture.jpg
0
Comment
Question by:yasirirfan
2 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 270 total points
ID: 24795120
ISA is actively deniing the page.  So something changes somewhere even if you don't know it happened.
"fw01.kfsh.med.sa" does not look like anything related to hotmail, gmail, or yahoo mail to me, but I could be wrong.
The live monitoring log will show the Denies and they will show the Rule that is doing it.
If the Rule is the "Default Rule" then it just means that no "allow" rule anywhere in your Rule List matches the traffic that ISA see.  If no rule on the list match the traffic the traffic is automatically stopped by the Default Rule,...it is the same idea as the Implicit Deny that Cisco products use.
The Alert listed can usually be ignored with Remote Access VPN Clients.  There is a breif period of time where the VPN Users received IP# is dynamically switched from the Internal Network to the VPN Users Network,...that mild delay is sometimes enough to cause a false positive with that alert.
As far as the VPN not working,...can't help there.  Just having "it doesn't work" is not enough detail to work with.  Probably should focus on the other problems first.
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Configure TMG 2010 as a transparent Proxy 9 860
Microsoft ISA server 2006 2 701
ISA 2006 Allow specific client access to a HTTPS site 17 417
use IIS Arr as proxy 3 236
Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
Forefront Threat Management Gateway 2010 or FTMG comes with some very neat troubleshooting tools built-in when trying to identify what is actually happening behind the scenes within the product when traffic is passing through its interfaces. To the …
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question