Solved

ISA 2004 - with windows 2003 server SP2,  Error Code 502 Proxy The ISA Server denied specified Uniform Resource Locator URL 12202

Posted on 2009-07-06
2
1,721 Views
Last Modified: 2012-06-27
Dear all we are facing problem with the ISA server 2004 installed on Windows 2003 Server with Service pack 2.
The ISA server is connected behind a PIX 525 Firewall as follows
INTERNET ----- PIX 525 ----SWITHC REAL IP
             |
             |
             |
             |

         DMZ    ZONE--------------- ISA SERVER

Since past 2 days we are facing some issues with the browsing, the hotmail, Gmail & yahoo mail cannot be opened, its giving us the following error,

X
      Network Access Message: The page cannot be displayed

      Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

Try the following:
"      Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
"      Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
"      Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.
If you are still not able to view the requested page, try contacting your administrator or Helpdesk.

      Technical Information (for support personnel)
"      Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
"      IP Address: 10.0.1.108
"      Date: 7/7/2009 5:57:07 AM
"      Server: fw01.kfsh.med.sa
"      Source: proxy
No configuration changes were done in past two weeks, suddenly this problem started, if we browse directly without the ISA server everything seems to be fine.
Please help me to solve this issue, also our ISA VPN is not working

Alert Information
Description: ISA Server detected routes through the network adapter Internal that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 30.0.0.0-30.0.1.255;50.0.0.0-50.0.1.255;10.0.8.0-10.1.255.255;10.2.2.0-10.3.255.255;10.4.2.0-10.5.255.255;10.6.2.0-10.7.255.255;10.8.2.0-10.9.255.255;10.10.2.0-10.11.255.255;10.12.2.0-10.13.255.255;10.14.2.0-10.15.255.255;10.16.2.0-10.17.255.255;10.18.2.0-10.19.255.255;10.20.2.0-10.21.255.255;10.22.2.0-10.23.255.255;10.24.2.0-10.25.255.255;10.26.2.0-10.27.255.255;10.28.2.0-10.29.255.255;10.30.2.0-10.31.255.255;10.32.2.0-10.33.255.255;10.34.2.0-10.35.255.255;10.36.2.0-10.37.255.255;10.38.2.0-10.39.255.255;10.40.2.0-10.41.255.255;10.42.2.0-10.43.255.255;10.44.2.0-10.45.255.255;10.46.2.0-10.47.255.255;10.48.2.0-10.48.255.255;10.49.2.0-10.49.255.255;10.50.2.0-10.51.255.255;10.52.2.0-10.53.255.255;10.54.2.0-10.55.255.255;10.56.2.0-10.57.255.255;10.58.2.0-10.69.255.255;10.70.2.0-10.89.255.255;10.90.2.0-10.255.255.254;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
<br>ISA Server detected routes through the network adapter External that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 10.0.8.0-10.1.255.255;10.2.2.0-10.3.255.255;10.4.2.0-10.5.255.255;10.6.2.0-10.7.255.255;10.8.2.0-10.9.255.255;10.10.2.0-10.11.255.255;10.12.2.0-10.13.255.255;10.14.2.0-10.15.255.255;10.16.2.0-10.17.255.255;10.18.2.0-10.19.255.255;10.20.2.0-10.21.255.255;10.22.2.0-10.23.255.255;10.24.2.0-10.25.255.255;10.26.2.0-10.27.255.255;10.28.2.0-10.29.255.255;10.30.2.0-10.31.255.255;10.32.2.0-10.33.255.255;10.34.2.0-10.35.255.255;10.36.2.0-10.37.255.255;10.38.2.0-10.39.255.255;10.40.2.0-10.41.255.255;10.42.2.0-10.43.255.255;10.44.2.0-10.45.255.255;10.46.2.0-10.47.255.255;10.48.2.0-10.48.255.255;10.49.2.0-10.49.255.255;10.50.2.0-10.51.255.255;10.52.2.0-10.53.255.255;10.54.2.0-10.55.255.255;10.56.2.0-10.57.255.255;10.58.2.0-10.69.255.255;10.70.2.0-10.89.255.255;10.90.2.0-10.255.255.254;30.0.0.0-30.0.1.255;50.0.0.0-50.0.1.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

Open in new window

ISA-Error.jpg
hotmail-error.jpg
KFSH-Internet-Architecture.jpg
0
Comment
Question by:yasirirfan
2 Comments
 
LVL 29

Accepted Solution

by:
pwindell earned 270 total points
ID: 24795120
ISA is actively deniing the page.  So something changes somewhere even if you don't know it happened.
"fw01.kfsh.med.sa" does not look like anything related to hotmail, gmail, or yahoo mail to me, but I could be wrong.
The live monitoring log will show the Denies and they will show the Rule that is doing it.
If the Rule is the "Default Rule" then it just means that no "allow" rule anywhere in your Rule List matches the traffic that ISA see.  If no rule on the list match the traffic the traffic is automatically stopped by the Default Rule,...it is the same idea as the Implicit Deny that Cisco products use.
The Alert listed can usually be ignored with Remote Access VPN Clients.  There is a breif period of time where the VPN Users received IP# is dynamically switched from the Internal Network to the VPN Users Network,...that mild delay is sometimes enough to cause a false positive with that alert.
As far as the VPN not working,...can't help there.  Just having "it doesn't work" is not enough detail to work with.  Probably should focus on the other problems first.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

There are three types of ISA client that can be configured - these can be individual clients or multiples of a client on each PC or server SecureNAT. A SecureNAT client for ISA server is a client machine, work station or server, that has its defa…
I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question