Solved

ISA Firewall Issue

Posted on 2010-11-14
20
1,915 Views
Last Modified: 2013-04-15
Hi Guys,

I've run into an issue that's been ongoing for the past month or so, the firewall on my ISA server keeps stopping every few days, which then blocks my remote access to it and also causes all my OWA and POP3 users to lose connectivity.

it happens after I receive the following error:

The ISA Server Web filter failed to log information to MSDE Database ISALOG_20101114_WEB_000 in path C:\Program Files\Microsoft ISA Server\ISALogs. The MSDE Error description is: Unspecified error
. The problem may be resolved by restarting the MSSQL$MSFW service.


once i start the firewall, all gets back to normal.

It's currently logging to a MSDE database, I have read a couple of things and they mentioned I should rather log to a W3C DB and also reduce the number of active logs.

Any ideas on the above? This is a live system and I cant have any downtime so, experimenting is not really an option.

HELP!
0
Comment
Question by:YOlanie_Visser
  • 9
  • 8
  • 2
  • +1
20 Comments
 

Expert Comment

by:nsguruprasad
ID: 34134359
What is the ISA version? Service Pack? Did you try reapplying the service pack already installed?
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 429 total points
ID: 34134721
That behaviour is by design.
The root cause of the problem is the fact that ISA cannot write to the database.
If ISA cannot write to the database, then the firewall services would stop.

Remember that the MSDE database has a 10 concurrent connection limit, so the amount of activity on your server will affect the ISA's performance and writing ability.
Have a look at the resources available on that machine, consider how busy the Server is...

I had to resolve a similar issue with ISA protecting a VERY busy web server by configuring ISA to write to a SQL 2000 database.

Additionally you may wish to reduce the logging activities of ISA itself...generally I prefer logging as much detail as possible.
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 34134759
Tutorials on Re-configuring ISA to use a SQL db can be found on www.isaserver.org.
Downtime should be limited to restarting the Firewall service.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:YOlanie_Visser
ID: 34134787
It does not have SP1, are there any risks involved in the installation,?  like i said I cannot risk anything
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 34134808
I've done a few remote upgrades which have completed seamlessly.
Although as a safety precaution I did have a engineer onsite incase I lost connectivity.

I've also done remote installation of ISA and it automatically creates the firewall rule enabling the host from which the installation was completed to successfully re-connect to the ISA Server after reboot.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34138459
Lets take a step back here....

ISA - all forms - can handle upwards of 5000 active user connections so a limit of 10 connections is not relevant in this case. While in most cases the 'normal' conditions of MSDE apply, many don't as the MSDE database used is specific to ISA - this is why other systems cannot connect to it.

As asked in the very first response post - what version of ISA are you using and which service pack - if any - is applied?

What is the size of the database? Is there sufficient free disk space on the drive where the database is being held?
Have you tried backing up the configuration through the ISA gui, removing ISA and reinstalling cleanly then restoring the config back through the gui?



0
 

Author Comment

by:YOlanie_Visser
ID: 34142591
Keith,

 - the version is 5.0.5720.157, no SP
- The logs folder is 1GB and the log files vary from 60MB to 120MB
 - there are 13.5GB of space free on the hard drive.
- I have not tried to uninstall it due to the downtime and due to my current location, I have no one on location.

I reduced the logging activity and the problem persists...it's actually gotten worse and the firewall is crashing daily and not weekly any more.


0
 

Author Comment

by:YOlanie_Visser
ID: 34142615
If I changed the DB to W3C, could this be a temp solution to this problem?
0
 
LVL 26

Expert Comment

by:Leon Fester
ID: 34142940
@keith, I've always been an admirer of your work, so I'm not gonna argue with your knowledge.
What I've stated above is something that happened to me in a production environment, solution was applied as mentioned above. 4 years later no re-occurrence of issue.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 71 total points
ID: 34142943
ISA Server 2006 Version numbers

5.0.5272.100           24.01.2006            Beta 1
5.0.5720.100           25.07.2006            RTM - Final Version
5.0.5720.157           16.01.2007            RTM with Exchange Publishing Update
5.0.5721.240           11.09.2007            RTM with Supportability Update

So you are on ISA 2006 - good, a supported version - but bad, if you don't have the service pack 1 and the other updates for ISA 2006 deployed as there were issues. Just off to work so you may want to just google for ias 2006 sp1 and the isa 2006 supportability update and read about them. Don't get me wrong, not saying this is your issue for the moment but it sure isn't helping.
 
0
 

Author Comment

by:YOlanie_Visser
ID: 34144059
Does anyone know of any program that can monitor a service in this case the Microsoft firewall, start it up if it stops ect?. I've tried the recovery option, but for some odd reason that does not work.
And need a temp solution whilst trouble shooting this problem...each time this happens all the POP and OWA users lose connectivity..
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 429 total points
ID: 34144680
Opalis is a Microsoft product that can monitor and restart services...
They actually bought the Company, but yeah I think there are some upgrade options for SCM subscribers. Check the website http://www.microsoft.com/systemcenter/en/us/opalis.aspx

However, as mentioned above, if the ISA Server cannot write entries to the datatabase then the firewall service will stop.

Look for other issue related to the MSDE engine; it is not neccessarily an ISA issue . . .
Your temporary/permanent solution may be to point this to a SQL Server . . .
0
 

Author Comment

by:YOlanie_Visser
ID: 34144757
SQL Express could be an option? although the DB is limited to 4 GB
0
 

Author Comment

by:YOlanie_Visser
ID: 34144971
Would it be a very bad idea to disable the firewall logging for the time being as a temporary measure?
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 429 total points
ID: 34145061
0
 
LVL 26

Accepted Solution

by:
Leon Fester earned 429 total points
ID: 34145067
Some best practises for performance tuning ISA 2006
http://technet.microsoft.com/en-us/library/bb794835.aspx
0
 

Author Comment

by:YOlanie_Visser
ID: 34145238
Would it be a very bad idea to disable the firewall logging for the time being as a temporary measure?
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 429 total points
ID: 34145465
The only problem I have with temporary solutions is that they typically become permanent solutions.
I would never recommend that you switch off logging, especially for a firewall...
I've never done that myself

I'll suggest reading the following links:
http://technet.microsoft.com/en-us/library/bb794817.aspx
Under the "Attack Mitigation" section you'll see some information on "Disable Firewall Service Lockdown due to Logging Failures"

Here is the link for ISA 2004: http://technet.microsoft.com/en-us/library/cc302466.aspx
Here is a guy who says it's the same script:
http://www.cgoosen.com/2009/07/isa-2006-disable-lockdown-on-log-failure/

P.S. I've not tested this scripts myself so I cannot comment further pointing to these articles.
0
 

Author Comment

by:YOlanie_Visser
ID: 34154474
I guess I'll attempt changing it to text logging as a start. are there any consequences? or is it a simple changeover? will I need to restart the ISA? I've read a couple of articles where it would still carry on logging on to MSDE after it had been changed to log to W3C.

Sorry about being so paranoid, but down time is a real issue.

thanks!

0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 429 total points
ID: 34154565
There is no mention of a restart of the firewall services in this article...http://www.isaserver.org/tutorials/Firewall-Logging-Microsoft-SQL-database.html

If required then the downtime would not be more then 2 minutes.
If the restart does take longer then there are other issues to consider.

You should remember that sometimes downtime is required to implement a fix.
Unfortunately that is one of the things that you have only so much or so little control over...
Although, planned downtime is considerably less irating than unscheduled downtime due to system crashing.

Remember as soon as the conditions are met then your firewall service will stop.
By design, that is the behaviour of ISA Server.

http://technet.microsoft.com/en-us/library/cc302466.aspx - Using this script to disable the stopping of the firewall services does not have any mention of a restart either...maybe look at getting that fix applied first so that the services stays up even when logging fails.
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
switch connecting to ISA server 8 330
Server 2012 Domain Controler 4 467
Lync Client 2013 and TMG 2010 8 1,372
Looking for a Proxy Server 3 263
In Africa (and potentially where you live…), reliability of ISPs is questionable.  With the increased reliance on e-mail as one of the primary forms of communication, the costs to business are significant based on interuption of ISP Connectivity.  T…
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question