ISA 2004 - with windows 2003 server SP2, Error Code 502 Proxy The ISA Server denied specified Uniform Resource Locator URL 12202

Dear all, we are facing a problem with the ISA Server 2004 installed on Windows 2003 Server with Service Pack 2.
The ISA server is connected behind a PIX 525 Firewall as follows:
INTERNET ----- PIX 525 ----SWITCH REAL IP
             |
             |
             |
             |

         DMZ    ZONE--------------- ISA SERVER

For the past 2 days we have been facing some issues with browsing: Hotmail, Gmail and Yahoo Mail cannot be opened, and it is giving us the following error:

      Network Access Message: The page cannot be displayed

      Explanation: There is a problem with the page you are trying to reach and it cannot be displayed.

Try the following:
- Refresh page: Search for the page again by clicking the Refresh button. The timeout may have occurred due to Internet congestion.
- Check spelling: Check that you typed the Web page address correctly. The address may have been mistyped.
- Access from a link: If there is a link to the page you are looking for, try accessing the page from that link.
If you are still not able to view the requested page, try contacting your administrator or Helpdesk.

      Technical Information (for support personnel)
- Error Code: 502 Proxy Error. The ISA Server denied the specified Uniform Resource Locator (URL). (12202)
- IP Address: 10.0.1.108
- Date: 7/7/2009 5:57:07 AM
- Server: fw01.kfsh.med.sa
- Source: proxy
No configuration changes were made in the past two weeks; this problem started suddenly. If we browse directly without the ISA server, everything seems to be fine.
Please help me to solve this issue. Also, our ISA VPN is not working.

Alert Information
Description: ISA Server detected routes through the network adapter Internal that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 30.0.0.0-30.0.1.255;50.0.0.0-50.0.1.255;10.0.8.0-10.1.255.255;10.2.2.0-10.3.255.255;10.4.2.0-10.5.255.255;10.6.2.0-10.7.255.255;10.8.2.0-10.9.255.255;10.10.2.0-10.11.255.255;10.12.2.0-10.13.255.255;10.14.2.0-10.15.255.255;10.16.2.0-10.17.255.255;10.18.2.0-10.19.255.255;10.20.2.0-10.21.255.255;10.22.2.0-10.23.255.255;10.24.2.0-10.25.255.255;10.26.2.0-10.27.255.255;10.28.2.0-10.29.255.255;10.30.2.0-10.31.255.255;10.32.2.0-10.33.255.255;10.34.2.0-10.35.255.255;10.36.2.0-10.37.255.255;10.38.2.0-10.39.255.255;10.40.2.0-10.41.255.255;10.42.2.0-10.43.255.255;10.44.2.0-10.45.255.255;10.46.2.0-10.47.255.255;10.48.2.0-10.48.255.255;10.49.2.0-10.49.255.255;10.50.2.0-10.51.255.255;10.52.2.0-10.53.255.255;10.54.2.0-10.55.255.255;10.56.2.0-10.57.255.255;10.58.2.0-10.69.255.255;10.70.2.0-10.89.255.255;10.90.2.0-10.255.255.254;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
ISA Server detected routes through the network adapter External that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 10.0.8.0-10.1.255.255;10.2.2.0-10.3.255.255;10.4.2.0-10.5.255.255;10.6.2.0-10.7.255.255;10.8.2.0-10.9.255.255;10.10.2.0-10.11.255.255;10.12.2.0-10.13.255.255;10.14.2.0-10.15.255.255;10.16.2.0-10.17.255.255;10.18.2.0-10.19.255.255;10.20.2.0-10.21.255.255;10.22.2.0-10.23.255.255;10.24.2.0-10.25.255.255;10.26.2.0-10.27.255.255;10.28.2.0-10.29.255.255;10.30.2.0-10.31.255.255;10.32.2.0-10.33.255.255;10.34.2.0-10.35.255.255;10.36.2.0-10.37.255.255;10.38.2.0-10.39.255.255;10.40.2.0-10.41.255.255;10.42.2.0-10.43.255.255;10.44.2.0-10.45.255.255;10.46.2.0-10.47.255.255;10.48.2.0-10.48.255.255;10.49.2.0-10.49.255.255;10.50.2.0-10.51.255.255;10.52.2.0-10.53.255.255;10.54.2.0-10.55.255.255;10.56.2.0-10.57.255.255;10.58.2.0-10.69.255.255;10.70.2.0-10.89.255.255;10.90.2.0-10.255.255.254;30.0.0.0-30.0.1.255;50.0.0.0-50.0.1.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.

yasirirfan Asked:

pwindell Commented:
ISA is actively denying the page.  So something changed somewhere even if you don't know it happened.
"fw01.kfsh.med.sa" does not look like anything related to hotmail, gmail, or yahoo mail to me, but I could be wrong.
The live monitoring log will show the Denies and they will show the Rule that is doing it.
If the Rule is the "Default Rule" then it just means that no "allow" rule anywhere in your Rule List matches the traffic that ISA sees.  If no rule on the list matches the traffic, the traffic is automatically stopped by the Default Rule,...it is the same idea as the Implicit Deny that Cisco products use.
The Alert listed can usually be ignored with Remote Access VPN Clients.  There is a brief period of time where the VPN Users received IP# is dynamically switched from the Internal Network to the VPN Users Network,...that mild delay is sometimes enough to cause a false positive with that alert.
As far as the VPN not working,...can't help there.  Just having "it doesn't work" is not enough detail to work with.  Probably should focus on the other problems first.
0
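
The alert quoted in the question compares the address ranges defined for an ISA network with what is routable through that network's adapter. The following Python script is an added example, not part of the original thread and not ISA Server's own code: it reproduces that comparison offline so both kinds of mismatch can be listed. The function names, the sample network definition and the route list (as it might be transcribed by hand from `route print` into CIDR form) are assumptions made for illustration.

```python
import ipaddress

def merge(ranges):
    """Merge overlapping or adjacent (start, end) integer ranges."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def parse_ranges(text):
    """Parse the alert's 'a.b.c.d-e.f.g.h;' list format into merged ranges."""
    out = []
    for item in filter(None, (p.strip() for p in text.split(";"))):
        lo, _, hi = item.partition("-")
        out.append(tuple(int(ipaddress.IPv4Address(x)) for x in (lo, hi or lo)))
    return merge(out)

def routes_to_ranges(cidrs):
    """Turn route destinations in CIDR form into merged integer ranges."""
    return merge((int(n[0]), int(n[-1])) for n in map(ipaddress.ip_network, cidrs))

def subtract(a, b):
    """Parts of merged ranges a that are not covered by merged ranges b."""
    result = []
    for lo, hi in a:
        cur = lo
        for blo, bhi in b:
            if bhi < cur or blo > hi:
                continue          # no overlap with the uncovered remainder
            if blo > cur:
                result.append((cur, blo - 1))
            cur = bhi + 1         # skip past the covered part
        if cur <= hi:
            result.append((cur, hi))
    return result

def fmt(ranges):
    return ";".join(f"{ipaddress.IPv4Address(l)}-{ipaddress.IPv4Address(h)}" for l, h in ranges)

def check(network_def, adapter_routes):
    """Compare a network definition with the routes through its adapter."""
    net, routed = parse_ranges(network_def), routes_to_ranges(adapter_routes)
    return {"defined_not_routable": fmt(subtract(net, routed)),   # what the alert lists
            "routable_not_defined": fmt(subtract(routed, net))}   # risk of spoof drops

NETWORK = "10.0.0.0-10.0.7.255;30.0.0.0-30.0.1.255"  # constructed network definition
ROUTES = ["10.0.0.0/21", "10.0.8.0/24"]               # constructed adapter routes
```

Calling `check(NETWORK, ROUTES)` returns both lists; an empty string for each means the network definition and the adapter's routes agree.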
