CaptainGiblets
Internal DNS requests through ISA 2004
We keep getting these in ISA 2004:
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Rule: DNS
Source: Internal ( 0.0.0.0:0)
Destination: External ( 0.0.0.0:0)
Protocol: DNS
User:
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 146484ms Original Client IP: 0.0.0.0
Client agent:
As you can see, it has a 146 second processing time, and users have been reporting a lot of slow browsing lately.
Is this meant to be like this? We do get a lot of other connections that look like this:
Log type: Firewall service
Status: The operation completed successfully.
Rule: DNS
Source: Internal ( 0.0.0.0:0)
Destination: External ( 0.0.0.0:0)
Protocol: DNS
User:
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 0.0.0.0
Client agent:
Also, what could be stopping the original client IP address from showing up in the list? It makes it a lot harder to debug problems.
ASKER
I have sorted the IP address issue,
so I am now receiving logs that look like this:
Closed Connection MR-HY-ISA 01/09/2011 09:11:50
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Rule: DNS
Source: Internal (dc1.domain.local 192.168.16.202:55679)
Destination: External (google-public-dns-a.google.com 8.8.8.8:53)
Protocol: DNS
User:
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 146031ms Original Client IP: 192.168.xx.xxx
Client agent:
ASKER
Sorry for double post - I have disabled the DNS filter, which still brings the same results.
I also get these requests from the ISA server to the internal DNS server:
Closed Connection MR-HY-ISA 01/09/2011 10:06:10
Log type: Firewall service
Status: A connection was gracefully closed in an orderly shutdown process with a three-way FIN-initiated handshake.
Rule: Allow DNS from ISA Server to selected servers
Source: Local Host ( ISA INTERNAL IP:23359)
Destination: Internal ( DNS SERVER:53)
Protocol: DNS
User:
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 60000ms Original Client IP: isa internal ip
Client agent:
Wow - that one was old :)
ASKER
It sat on my list; however, we have given up with ISA / TMG now that MS have given up with it as well, so we moved to Sonicwall instead, and EE told me I had to answer it :)
ASKER
External NIC has no DNS address.
Internal NIC points to our 2 DCs, which run DNS.
All computers point to the same 2 DCs.
The 2 DCs point to each other, and in the forwarders I have 8.8.8.8 and 8.8.4.4.
After our ISA server, we have a load balancer, where everything is set to route through our Cisco router, which also points to the same DNS addresses.
Can't seem to pinpoint the reason for the slow responses. Also, is there any reason why the Source / Original client IP wouldn't be recorded?