[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1933
  • Last Modified:

ISA Firewall Issue

Hi Guys,

I've run into an issue that's been ongoing for the past month or so, the firewall on my ISA server keeps stopping every few days, which then blocks my remote access to it and also causes all my OWA and POP3 users to lose connectivity.

it happens after I receive the following error:

The ISA Server Web filter failed to log information to MSDE Database ISALOG_20101114_WEB_000 in path C:\Program Files\Microsoft ISA Server\ISALogs. The MSDE Error description is: Unspecified error
. The problem may be resolved by restarting the MSSQL$MSFW service.


once i start the firewall, all gets back to normal.

It's currently logging to a MSDE database, I have read a couple of things and they mentioned I should rather log to a W3C DB and also reduce the number of active logs.

Any ideas on the above? This is a live system and I cant have any downtime so, experimenting is not really an option.

HELP!
0
YOlanie_Visser
Asked:
YOlanie_Visser
  • 9
  • 8
  • 2
  • +1
7 Solutions
 
nsguruprasadCommented:
What is the ISA version? Service Pack? Did you try reapplying the service pack already installed?
0
 
Leon FesterCommented:
That behaviour is by design.
The root cause of the problem is the fact that ISA cannot write to the database.
If ISA cannot write to the database, then the firewall services would stop.

Remember that the MSDE database has a 10 concurrent connection limit, so the amount of activity on your server will affect the ISA's performance and writing ability.
Have a look at the resources available on that machine, consider how busy the Server is...

I had to resolve a similar issue with ISA protecting a VERY busy web server by configuring ISA to write to a SQL 2000 database.

Additionally you may wish to reduce the logging activities of ISA itself...generally I prefer logging as much detail as possible.
0
 
Leon FesterCommented:
Tutorials on Re-configuring ISA to use a SQL db can be found on www.isaserver.org.
Downtime should be limited to restarting the Firewall service.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
YOlanie_VisserAuthor Commented:
It does not have SP1, are there any risks involved in the installation,?  like i said I cannot risk anything
0
 
Leon FesterCommented:
I've done a few remote upgrades which have completed seamlessly.
Although as a safety precaution I did have a engineer onsite incase I lost connectivity.

I've also done remote installation of ISA and it automatically creates the firewall rule enabling the host from which the installation was completed to successfully re-connect to the ISA Server after reboot.
0
 
Keith AlabasterCommented:
Lets take a step back here....

ISA - all forms - can handle upwards of 5000 active user connections so a limit of 10 connections is not relevant in this case. While in most cases the 'normal' conditions of MSDE apply, many don't as the MSDE database used is specific to ISA - this is why other systems cannot connect to it.

As asked in the very first response post - what version of ISA are you using and which service pack - if any - is applied?

What is the size of the database? Is there sufficient free disk space on the drive where the database is being held?
Have you tried backing up the configuration through the ISA gui, removing ISA and reinstalling cleanly then restoring the config back through the gui?



0
 
YOlanie_VisserAuthor Commented:
Keith,

 - the version is 5.0.5720.157, no SP
- The logs folder is 1GB and the log files vary from 60MB to 120MB
 - there are 13.5GB of space free on the hard drive.
- I have not tried to uninstall it due to the downtime and due to my current location, I have no one on location.

I reduced the logging activity and the problem persists...it's actually gotten worse and the firewall is crashing daily and not weekly any more.


0
 
YOlanie_VisserAuthor Commented:
If I changed the DB to W3C, could this be a temp solution to this problem?
0
 
Leon FesterCommented:
@keith, I've always been an admirer of your work, so I'm not gonna argue with your knowledge.
What I've stated above is something that happened to me in a production environment, solution was applied as mentioned above. 4 years later no re-occurrence of issue.
0
 
Keith AlabasterCommented:
ISA Server 2006 Version numbers

5.0.5272.100           24.01.2006            Beta 1
5.0.5720.100           25.07.2006            RTM - Final Version
5.0.5720.157           16.01.2007            RTM with Exchange Publishing Update
5.0.5721.240           11.09.2007            RTM with Supportability Update

So you are on ISA 2006 - good, a supported version - but bad, if you don't have the service pack 1 and the other updates for ISA 2006 deployed as there were issues. Just off to work so you may want to just google for ias 2006 sp1 and the isa 2006 supportability update and read about them. Don't get me wrong, not saying this is your issue for the moment but it sure isn't helping.
 
0
 
YOlanie_VisserAuthor Commented:
Does anyone know of any program that can monitor a service in this case the Microsoft firewall, start it up if it stops ect?. I've tried the recovery option, but for some odd reason that does not work.
And need a temp solution whilst trouble shooting this problem...each time this happens all the POP and OWA users lose connectivity..
0
 
Leon FesterCommented:
Opalis is a Microsoft product that can monitor and restart services...
They actually bought the Company, but yeah I think there are some upgrade options for SCM subscribers. Check the website http://www.microsoft.com/systemcenter/en/us/opalis.aspx

However, as mentioned above, if the ISA Server cannot write entries to the datatabase then the firewall service will stop.

Look for other issue related to the MSDE engine; it is not neccessarily an ISA issue . . .
Your temporary/permanent solution may be to point this to a SQL Server . . .
0
 
YOlanie_VisserAuthor Commented:
SQL Express could be an option? although the DB is limited to 4 GB
0
 
YOlanie_VisserAuthor Commented:
Would it be a very bad idea to disable the firewall logging for the time being as a temporary measure?
0
 
Leon FesterCommented:
Some best practises for performance tuning ISA 2006
http://technet.microsoft.com/en-us/library/bb794835.aspx
0
 
YOlanie_VisserAuthor Commented:
Would it be a very bad idea to disable the firewall logging for the time being as a temporary measure?
0
 
Leon FesterCommented:
The only problem I have with temporary solutions is that they typically become permanent solutions.
I would never recommend that you switch off logging, especially for a firewall...
I've never done that myself

I'll suggest reading the following links:
http://technet.microsoft.com/en-us/library/bb794817.aspx
Under the "Attack Mitigation" section you'll see some information on "Disable Firewall Service Lockdown due to Logging Failures"

Here is the link for ISA 2004: http://technet.microsoft.com/en-us/library/cc302466.aspx
Here is a guy who says it's the same script:
http://www.cgoosen.com/2009/07/isa-2006-disable-lockdown-on-log-failure/

P.S. I've not tested this scripts myself so I cannot comment further pointing to these articles.
0
 
YOlanie_VisserAuthor Commented:
I guess I'll attempt changing it to text logging as a start. are there any consequences? or is it a simple changeover? will I need to restart the ISA? I've read a couple of articles where it would still carry on logging on to MSDE after it had been changed to log to W3C.

Sorry about being so paranoid, but down time is a real issue.

thanks!

0
 
Leon FesterCommented:
There is no mention of a restart of the firewall services in this article...http://www.isaserver.org/tutorials/Firewall-Logging-Microsoft-SQL-database.html

If required then the downtime would not be more then 2 minutes.
If the restart does take longer then there are other issues to consider.

You should remember that sometimes downtime is required to implement a fix.
Unfortunately that is one of the things that you have only so much or so little control over...
Although, planned downtime is considerably less irating than unscheduled downtime due to system crashing.

Remember as soon as the conditions are met then your firewall service will stop.
By design, that is the behaviour of ISA Server.

http://technet.microsoft.com/en-us/library/cc302466.aspx - Using this script to disable the stopping of the firewall services does not have any mention of a restart either...maybe look at getting that fix applied first so that the services stays up even when logging fails.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 9
  • 8
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now