lor1974
asked on
Cannot get to specific website through ISA 2004
Hello Experts.
We are running ISA 2004, and cannot get to the website http://inpix.ca if the ISA client is running, or if the settings are in the browser. There is no problem getting to the website going directly through the gateway. In IE it gives a timeout error, and the following is what I see in the logs:
2011-02-11 13:48:13 w3proxy ISA - www.inpix.ca 209.44.116.101 80 21031 910 4482 http TCP GET http://www.inpix.ca/index.php/ - Inet 10060 0x6 URL Allow List Req ID: 08e56d1a Internal External 0x40 Failed
When I run a logging query, I do not even see the connection attempt.
Any ideas?
Thanks in advance
Can you resolve the website to an IP from the ISA box itself?
ASKER
Do you mean by pinging it? If so, when I ping from the ISA server I see the IP but get host unreachable.
Actually I meant nslookup, but ping can resolve names.
Please compare the results (nslookup from ISA and nslookup from the client machine).
Are the two returned IPs identical? If so, then the problem is not in name resolution.
The idea behind that is that when you are using the web proxy, the name will be resolved on the ISA server, not on the client machine, but when using the default gateway (SecureNAT), the name will be resolved by the client machine.
ASKER
I see the same response from both:
Non-authoritative answer
Name: inpix.ca
Address: 209.44.116.101
ASKER
I ran a DNSreport on inpix.ca, and the A record 209.44.116.101 is the same as one of their NS records...is that normal?
Did you try another browser?
ASKER
Same thing in Firefox:
* Error Code 10060: Connection timeout
* Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
* Date: 2/11/2011 3:32:44 PM
* Server: isa.fcja.org
* Source: Firewall
Yes - you would expect an A record to match an NS record.
Post the output of an ipconfig /all from the ISA box.
ASKER
Windows IP Configuration
Host Name . . . . . . . . . . . . : isa
Primary Dns Suffix . . . . . . . : fcja.org
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : Yes
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : fcja.org
Ethernet adapter DMZ - Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NETGEAR FA311/312 PCI Adapter
Physical Address. . . . . . . . . : 00-40-F4-3E-BA-15
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.100.69
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.100.1
Ethernet adapter Internal - Local Area Connection 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Broadcom 440x 10/100 Integrated Controlle
r
Physical Address. . . . . . . . . : 00-0F-FE-01-2F-2D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.128.27
Subnet Mask . . . . . . . . . . . : 255.255.252.0
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . : 192.168.128.12
192.168.128.5
NetBIOS over Tcpip. . . . . . . . : Disabled
Config looks fine so no issue there.
If you open a web browser on ISA itself and access the same site - same result? You were asked this earlier but I didn't see a response back.
If it works OK like this - do you also have the web proxy settings applied on the ISA web browser? If not, put them in and retest - same result?
ASKER
Same result on ISA...for whatever reason it cannot even get a ping response from the site.
Can you try a trace? - tracert www.inpix.ca
ASKER
When I run the trace from the ISA server I get the following:
Tracing route to inpix.ca [209.44.116.101]
over a maximum of 30 hops:
1 1 ms 1 ms <1 ms x.x.x.x
2 2 ms 1 ms 1 ms 172.16.0.85
3 12 ms 12 ms 10 ms BX5-NEWYORK83_POS11-0-0_core.net.bell.ca [64.23
.187.89]
4 9 ms 9 ms 9 ms nLayer_bx5-newyork83.net.bell.ca [67.69.246.90]
5 61 ms 58 ms 60 ms ae1-70g.cr1.nyc3.us.nlayer.net [69.31.95.153]
6 62 ms 61 ms 59 ms ae0-40g.cr1.nyc2.us.nlayer.net [69.31.95.122]
7 17 ms 17 ms 17 ms xe-1-3-1.cr1.mtl1.ca.nlayer.net [69.22.142.110]
8 * * * Request timed out.
9 76 ms 177 ms 10 ms 209.44.125.128
10 * * * Request timed out.
11 * * * Request timed out.
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 * * * Request timed out.
When I run it directly through the gateway:
Tracing route to inpix.ca [209.44.116.101]
over a maximum of 30 hops:
1 8 ms <1 ms <1 ms x.x.x.x
2 2 ms 1 ms 1 ms 172.16.0.85
3 15 ms 10 ms 12 ms bxX5-newyork83_POS9-0-0.net.bell.ca [64.230.18
42]
4 9 ms 9 ms 9 ms nlayer_bx5-newyork83.net.bell.ca [67.69.246.90
5 9 ms 9 ms 9 ms ae1-70g.cr1.nyc3.us.nlayer.net [69.31.95.153]
6 9 ms 9 ms 9 ms ae0-40g.cr1.nyc2.us.nlayer.net [69.31.95.122]
7 17 ms 17 ms 17 ms xe-1-3-1.cr1.mtl1.ca.nlayer.net [69.22.142.110
8 * * * Request timed out.
9 308 ms 266 ms 251 ms 209.44.125.128
10 170 ms 173 ms 283 ms ns1.inpix.tv [209.44.116.101]
Trace complete.
ASKER
Turned out that there was no internal problem that needed solving.