Solved

ISA Firewall Issue

Posted on 2010-11-14
20
1,900 Views
Last Modified: 2013-04-15
Hi Guys,

I've run into an issue that's been ongoing for the past month or so: the firewall on my ISA server keeps stopping every few days, which then blocks my remote access to it and also causes all my OWA and POP3 users to lose connectivity.

It happens after I receive the following error:

The ISA Server Web filter failed to log information to MSDE Database ISALOG_20101114_WEB_000 in path C:\Program Files\Microsoft ISA Server\ISALogs. The MSDE Error description is: Unspecified error. The problem may be resolved by restarting the MSSQL$MSFW service.


Once I start the firewall, all gets back to normal.

It's currently logging to an MSDE database. I have read a couple of things, and they mentioned I should rather log to a W3C DB and also reduce the number of active logs.

Any ideas on the above? This is a live system and I can't have any downtime, so experimenting is not really an option.

HELP!
0
Comment
Question by:YOlanie_Visser
20 Comments
 

Expert Comment

by:nsguruprasad
ID: 34134359
What is the ISA version? Service Pack? Did you try reapplying the service pack already installed?
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 429 total points
ID: 34134721
That behaviour is by design.
The root cause of the problem is the fact that ISA cannot write to the database.
If ISA cannot write to the database, then the firewall services would stop.

Remember that the MSDE database has a 10 concurrent connection limit, so the amount of activity on your server will affect the ISA's performance and writing ability.
Have a look at the resources available on that machine, consider how busy the Server is...

I had to resolve a similar issue with ISA protecting a VERY busy web server by configuring ISA to write to a SQL 2000 database.

Additionally you may wish to reduce the logging activities of ISA itself...generally I prefer logging as much detail as possible.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 34134759
Tutorials on Re-configuring ISA to use a SQL db can be found on www.isaserver.org.
Downtime should be limited to restarting the Firewall service.
0
 

Author Comment

by:YOlanie_Visser
ID: 34134787
It does not have SP1. Are there any risks involved in the installation? Like I said, I cannot risk anything.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 34134808
I've done a few remote upgrades which have completed seamlessly.
Although, as a safety precaution, I did have an engineer onsite in case I lost connectivity.

I've also done remote installation of ISA and it automatically creates the firewall rule enabling the host from which the installation was completed to successfully re-connect to the ISA Server after reboot.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34138459
Let's take a step back here....

ISA - all forms - can handle upwards of 5000 active user connections so a limit of 10 connections is not relevant in this case. While in most cases the 'normal' conditions of MSDE apply, many don't as the MSDE database used is specific to ISA - this is why other systems cannot connect to it.

As asked in the very first response post - what version of ISA are you using and which service pack - if any - is applied?

What is the size of the database? Is there sufficient free disk space on the drive where the database is being held?
Have you tried backing up the configuration through the ISA gui, removing ISA and reinstalling cleanly then restoring the config back through the gui?



0
 

Author Comment

by:YOlanie_Visser
ID: 34142591
Keith,

- the version is 5.0.5720.157, no SP
- the logs folder is 1GB and the log files vary from 60MB to 120MB
- there are 13.5GB of space free on the hard drive
- I have not tried to uninstall it due to the downtime and due to my current location; I have no one on location.

I reduced the logging activity and the problem persists...it's actually gotten worse and the firewall is crashing daily and not weekly any more.


0
 

Author Comment

by:YOlanie_Visser
ID: 34142615
If I changed the DB to W3C, could this be a temp solution to this problem?
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 34142940
@keith, I've always been an admirer of your work, so I'm not gonna argue with your knowledge.
What I've stated above is something that happened to me in a production environment, solution was applied as mentioned above. 4 years later no re-occurrence of issue.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 71 total points
ID: 34142943
ISA Server 2006 Version numbers

5.0.5272.100           24.01.2006            Beta 1
5.0.5720.100           25.07.2006            RTM - Final Version
5.0.5720.157           16.01.2007            RTM with Exchange Publishing Update
5.0.5721.240           11.09.2007            RTM with Supportability Update

So you are on ISA 2006 - good, a supported version - but bad, if you don't have the service pack 1 and the other updates for ISA 2006 deployed, as there were issues. Just off to work, so you may want to just google for isa 2006 sp1 and the isa 2006 supportability update and read about them. Don't get me wrong, not saying this is your issue for the moment, but it sure isn't helping.
 
0
 

Author Comment

by:YOlanie_Visser
ID: 34144059
Does anyone know of any program that can monitor a service, in this case the Microsoft Firewall, and start it up if it stops, etc.? I've tried the recovery option, but for some odd reason that does not work.
And I need a temp solution whilst troubleshooting this problem...each time this happens all the POP and OWA users lose connectivity..
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 429 total points
ID: 34144680
Opalis is a Microsoft product that can monitor and restart services...
They actually bought the Company, but yeah I think there are some upgrade options for SCM subscribers. Check the website http://www.microsoft.com/systemcenter/en/us/opalis.aspx

However, as mentioned above, if the ISA Server cannot write entries to the database then the firewall service will stop.

Look for other issues related to the MSDE engine; it is not necessarily an ISA issue...
Your temporary/permanent solution may be to point this to a SQL Server...
0
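The author asked above for something that watches the Microsoft Firewall service and starts it again when it stops, and the event text in the question says the MSSQL$MSFW (MSDE) service may need restarting. The PowerShell watchdog below is an added example, not code posted by anyone in this thread and not a product mentioned here. It assumes the firewall service is named `fwsrv` (the ISA "Microsoft Firewall" service), that the MSDE instance is the `MSSQL$MSFW` service quoted in the question, and that the error lands in the Application event log with the message text quoted above; the log file path is a constructed placeholder.

```powershell
# Added example (not from the thread): watchdog that restarts the ISA Firewall
# service after a logging-failure lockdown, restarting MSDE first when the
# Application log shows the MSDE write error quoted in the question.
$FirewallService = 'fwsrv'             # ASSUMED service name for "Microsoft Firewall"
$MsdeService     = 'MSSQL$MSFW'        # service named in the error text in the question
$LogFile         = 'C:\ISAWatchdog.log' # constructed path for this example

function Write-Log([string]$Message) {
    # Keep a timestamped record of every intervention so the restart frequency
    # stays visible while the root cause (MSDE write failures) is investigated.
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
}

function Test-RecentLogFailure {
    # Look back 30 minutes in the Application log for the Web filter's
    # "failed to log information to MSDE Database" error.
    $since  = (Get-Date).AddMinutes(-30)
    $events = Get-EventLog -LogName Application -EntryType Error -After $since |
              Where-Object { $_.Message -like '*failed to log information to MSDE Database*' }
    return (@($events).Count -gt 0)
}

function Restore-IsaFirewall {
    $fw = Get-Service -Name $FirewallService -ErrorAction SilentlyContinue
    if ($fw -eq $null) {
        Write-Log "Service $FirewallService not found on this host"
        return $false
    }
    if ($fw.Status -eq 'Running') { return $true }

    Write-Log "$FirewallService is $($fw.Status)"
    if (Test-RecentLogFailure) {
        # The event text itself says the MSSQL$MSFW service should be restarted,
        # so do that before starting the firewall, otherwise it locks down again.
        Write-Log "Recent MSDE logging failure seen; restarting $MsdeService first"
        Restart-Service -Name $MsdeService -Force -ErrorAction SilentlyContinue
        Start-Sleep -Seconds 15
    }
    Start-Service -Name $FirewallService -ErrorAction SilentlyContinue
    $fw.Refresh()
    Write-Log "Start attempted; $FirewallService is now $($fw.Status)"
    return ($fw.Status -eq 'Running')
}

# One check per invocation: schedule this script with Task Scheduler
# (for example every 5 minutes) under an account allowed to control services.
if (-not (Restore-IsaFirewall)) { exit 1 }
```

The script is a stop-gap for the outage the author describes, not a fix: as Leon notes, the lockdown is by design, so the watchdog log should be read as a count of how often MSDE is failing to accept writes, and a rising count is the signal to move logging off MSDE or apply the updates discussed above.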
 

Author Comment

by:YOlanie_Visser
ID: 34144757
SQL Express could be an option? although the DB is limited to 4 GB
0
 

Author Comment

by:YOlanie_Visser
ID: 34144971
Would it be a very bad idea to disable the firewall logging for the time being as a temporary measure?
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 429 total points
ID: 34145061
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 429 total points
ID: 34145067
Some best practises for performance tuning ISA 2006
http://technet.microsoft.com/en-us/library/bb794835.aspx
0
 

Author Comment

by:YOlanie_Visser
ID: 34145238
Would it be a very bad idea to disable the firewall logging for the time being as a temporary measure?
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 429 total points
ID: 34145465
The only problem I have with temporary solutions is that they typically become permanent solutions.
I would never recommend that you switch off logging, especially for a firewall...
I've never done that myself

I'll suggest reading the following links:
http://technet.microsoft.com/en-us/library/bb794817.aspx
Under the "Attack Mitigation" section you'll see some information on "Disable Firewall Service Lockdown due to Logging Failures"

Here is the link for ISA 2004: http://technet.microsoft.com/en-us/library/cc302466.aspx
Here is a guy who says it's the same script:
http://www.cgoosen.com/2009/07/isa-2006-disable-lockdown-on-log-failure/

P.S. I've not tested these scripts myself, so I cannot comment further beyond pointing to these articles.
0
 

Author Comment

by:YOlanie_Visser
ID: 34154474
I guess I'll attempt changing it to text logging as a start. Are there any consequences, or is it a simple changeover? Will I need to restart the ISA? I've read a couple of articles where it would still carry on logging to MSDE after it had been changed to log to W3C.

Sorry about being so paranoid, but down time is a real issue.

thanks!

0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 429 total points
ID: 34154565
There is no mention of a restart of the firewall services in this article...http://www.isaserver.org/tutorials/Firewall-Logging-Microsoft-SQL-database.html

If required, then the downtime would not be more than 2 minutes.
If the restart does take longer then there are other issues to consider.

You should remember that sometimes downtime is required to implement a fix.
Unfortunately that is one of the things that you have only so much or so little control over...
Although, planned downtime is considerably less irritating than unscheduled downtime due to the system crashing.

Remember as soon as the conditions are met then your firewall service will stop.
By design, that is the behaviour of ISA Server.

http://technet.microsoft.com/en-us/library/cc302466.aspx - Using this script to disable the stopping of the firewall services does not have any mention of a restart either...maybe look at getting that fix applied first so that the services stay up even when logging fails.
0
