Solved

isa 2006 - array query

Posted on 2012-03-21
Last Modified: 2012-08-12
hi I've configured my isa 2006 member server and all internal users receive internet access as normal.

I've run: msbpa and there is a configuration issue with my internal nic 1 - it mentions 'array' and not sure if I should be installing this as I've been reading about 'array' and it was referring to 2 x isa and I only have 1 x isa!!

eventviewer - firewall has stopped

qns 1.  can anyone help ?
ISA-NIC-ARRAY-ISSUE.dot
Question by:mikey250
 
LVL 5

Assisted Solution

by:abhishek1986
abhishek1986 earned 251 total points
You can have only one ISA. You need not have 2 ISAs if you are worried about it.
I think that the problem is related to not having a network being defined in the Configuration -> Network tab...
Can you verify that all your network sets are added to the proper Network tabs?
 

Author Comment

by:mikey250
hi yes I realise that I can have 1 nic instead of 2 nics, but I will stick with 2 nics to learn for the time being as will need to know!!!:)

I've attached some screenshots!

I'm not even sure if this can actually affect my remote vpn ie locating files on server!!!!uuumm
firewall-policy.dot
network-rules.doc
network-rule-p2.doc
 
LVL 5

Expert Comment

by:abhishek1986
I am sorry but what is the exact problem and what help are you seeking?
I am not getting your issues.
Can you explain a bit about it?
 

Author Comment

by:mikey250
I'm not sure how to rectify the nic issue.  other experts have said my configuration is correct and they could not see where nic issue was!!

I've attached a screenshot.:)
ISA-NIC-ARRAY-ISSUE.dot
 
LVL 5

Assisted Solution

by:abhishek1986
abhishek1986 earned 251 total points
I saw the message earlier. But is it causing any problems to any of your clients?
This error occurs at times when there are inconsistencies between the network defined in the Network Object of ISA and network route of windows.
But that should not be any problem to the users if you have defined the networks that the clients are assigned to, properly in the ISA.
If you are worried about it, can you tell what the IP Range 10.x.x.x is used for?
Also, can you post result of Route Print from Command prompt and all the Networks that are added to the ISA Configuration?
 

Author Comment

by:mikey250
hi although yes my clients do have internet access.

yes I am concerned about how to put it right!!!

my isa/internal range is: 10.0.0.1 - 10.0.0.254 - set in isa and nothing else
my isa/external is: 192.168.0.3 - address does (not) change although allocated via my netgear router box/built-in dhcp.  ipconfig /all on isa shows correctly isp internet ip addressing as expected.

yes I have done 'route print' and I have nothing set except for default settings/configured settings that appear ok to me!! I've attached!:)

as a result the 'firewall switches' off in 'eventviewer' and not sure what impact this has!!
route-print.doc
 
LVL 5

Assisted Solution

by:abhishek1986
abhishek1986 earned 251 total points
Go to ISA console:
Arrays->ISAArray(Name)->Configuration->Network
In the networks tab, what are the Networks defined in the NIC Card?
If the addresses do not match the ones in the route print in Windows then an error like the one you are getting is shown.
About the firewall, are you talking about the Windows firewall?
ISA has its own in-built firewall which is appropriate for protection and you can disable or stop the Windows Firewall service altogether without worrying.
 

Author Comment

by:mikey250
hi abhishek1986, my laptop had an issue but resolved now!!

regarding the 'firewall policy' I was referring to isa!!

I will look at network tab and compare!!

thanks for responding!!:)
 
LVL 5

Expert Comment

by:abhishek1986
I am sorry, but do you mean ISA Firewall, or the Windows firewall service in ISA Machine?
If ISA firewall is down, the clients won't get internet access at all, so it can not be down, since you are saying that clients are getting their net connections just fine.
 

Author Comment

by:mikey250
hi apologies for taking a while to come back.:)

no you misinterpret as my main thread has a 'screenshot' attached of the error.  I've attached again and yes my internal users have internet access but this nic issue I have not got a clue what needs changing possibly in 'network rules' I assume!!!
ISA-NIC-ARRAY-ISSUE.doc
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 249 total points
I do not believe you have 'printed' the internal nic address sets placed within the ISA GUI before - if you had I would have pointed out immediately that they are wrong.

I have also referred you to my article on EE regarding the basic setup of windows prior to ISA install and the initial ISA configuration/setup itself.

ISA MUST have the network ID and the broadcast address included therefore the internal nic addresses within the ISA gui network address tab would be 10.0.0.0 - 10.0.0.255 (as I believe I pointed out in other questions for you).

If you have excluded the .255 and the .0 address then the broadcast address of the internal LAN will be seen as an attack - so put it right.

Run up the ISA2006 best practice analyser on the ISA box. Let's see what you've got.
You can download it here.
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=811
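Keith Alabaster's point above, that the address range entered for the internal network has to include the network ID and the broadcast address, can be checked mechanically. The following Python is an added example, not part of the original thread and not an ISA Server tool; the function names `parse_range` and `uncovered` are hypothetical, and the inputs are constructed from the addresses quoted in the thread.

```python
import ipaddress


def parse_range(text):
    """Turn 'first - last' (the form used in the thread) into two integers."""
    first, last = (int(ipaddress.IPv4Address(p.strip())) for p in text.split("-"))
    if first > last:
        raise ValueError(f"range is reversed: {text!r}")
    return first, last


def uncovered(adapter_ip, mask, isa_ranges):
    """Return the parts of the adapter's subnet that isa_ranges leave out.

    The subnet runs from the network ID to the broadcast address inclusive,
    so a range entered as .1 - .254 leaves both ends uncovered.
    """
    net = ipaddress.IPv4Network(f"{adapter_ip}/{mask}", strict=False)
    low, high = int(net.network_address), int(net.broadcast_address)
    gaps, cursor = [], low
    for first, last in sorted(parse_range(r) for r in isa_ranges):
        if last < cursor or first > high:
            continue  # already covered, or outside this adapter's subnet
        if first > cursor:
            gaps.append((cursor, first - 1))
        cursor = last + 1
    if cursor <= high:
        gaps.append((cursor, high))
    return [(str(ipaddress.IPv4Address(a)), str(ipaddress.IPv4Address(b)))
            for a, b in gaps]


if __name__ == "__main__":
    # Constructed cases; 10.0.0.1 as the adapter address is an assumption.
    cases = [
        ("255.255.255.0", ["10.0.0.1 - 10.0.0.254"]),  # range as first posted
        ("255.255.255.0", ["10.0.0.0 - 10.0.0.255"]),  # range after the fix
        # Same range against a 255.0.0.0 mask (illustration, not a diagnosis).
        ("255.0.0.0", ["10.0.0.0 - 10.0.0.255"]),
    ]
    for mask, ranges in cases:
        print(mask, ranges, "->", uncovered("10.0.0.1", mask, ranges) or "covered")
```
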
 

Author Comment

by:mikey250
hi keith originally I'm sure I did have it set as: 10.0.0.0 - 10.0.0.255, unless maybe I had done: 10.0.0.1 - 10.0.0.255 and changed it again but issue was still there.  I will put back as suggested network id - 0 & broadcast address 255 and reboot machine & run msbpa again!!

yes I did read that article as saved!!!
 
LVL 51

Expert Comment

by:Keith Alabaster
Don't need to reboot. :)
 

Author Comment

by:mikey250
hi keith, oh well I did reboot anyway as it was just a double-check!:)

no this change did not make a difference ie now: 10.0.0.0 - 10.0.0.255

it states in msbpa: "isa server detected routes through the network adapter lan2 (which is my external address) that do not correlate with the network to which this network adapter belongs.  when networks are configured correctly the ip address ranges included in each array-level network must include ip address ranges but are not routable through any of the networks adapters: 10.255.255.255 - 10.255.255.255".

I understand what it means but not even sure after the change you suggested that I need some specific 'static' route although we did discuss this on a previous thread and you did suggest that it may be something to do with my 'virgin media' hardware provided ie: netgear router although the only thing I can think of is maybe the firmware, but I have spoken with my isp and they have said it is up to date.

other than the 'built-in dhcp' on my netgear router box that has allocated a 'private address' to my isa/external nic, which stays the same as nothing else is plugged in and nothing else has been configured on netgear except for default settings. (don't forget my isa does detect my isp 'public addresses' via isa/external so that is not an issue as client machines have internet access as normal.)

I just wanted to find out once and for all what this nic issue was and how to put it right!

I have also noticed when completing an isa 2006 fundamentals online/video practical course I have noticed intermittently the 'firewall service' failing and rectifying itself so whether this is because of my nic query I'm not sure, but on reading I did not see any explanation to explain anything other than what the 'msbpa' detected!
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 249 total points
You are wrong - it has made a difference as, that setting at least, is now correct.

Static routes are not relevant to ISA. Static routes are for routing and this is undertaken at the OS level, ISA is not a router and therefore is not relevant to the ISA bpa.

I assume your external router's dhcp is only set with a 255.255.255.0 mask, not a 255.0.0.0?
 

Author Comment

by:mikey250
when doing my isa 2006 fundamental course it shows an option in configurations for 'ip routing' that is 'ticked' acting like a router of sorts in 'kernel mode' which is the 'core' of the 'os' due to 2 networks ie internal/external and improves performance.

but if 'ip routing' is turned off it forces the comms up a little higher in the 'osi model' via the isa software which is supposed to slow the comms a little.

although it can be disabled for some other specific requirement although the course does not elaborate on exactly what!!

I have prior to this removed the 'ip routing tickbox', but the nic configuration still showed so I re-added the 'tick' as it is the default setting anyhow!

yes my netgear external router/built-in dhcp is set with a class c: 192.168.0.0/24

I assumed when you have used 'isa' that you did not get this error & so why do I ?
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 249 total points
I have around 800+ installations of ISA Server and Forefront TMG under my belt, am a Microsoft Certified Trainer for the two products and have been a Microsoft MVP for them since 2004 so yes, I guess that qualifies and you can say 'I have used ISA'...

I have never had to enable IP routing in anything on an ISA or an FTMG box - there has never been a need. I control routing from the OS and the ISA from the ISA.

What else is on the outside of the ISA external nic - are there ANY other devices (of ANY kind) that could be set to use ANYTHING on the 10.x.y.z network?

Is there ANYTHING on the internal network of ANY kind that could be using a 10.x.y.z ip address that is NOT in the 10.0.0.0 - 10.0.0.255 range?
 

Author Comment

by:mikey250
hi keith I don't doubt you as just trying to increase in depth knowledge but linking my understanding as also completed that fundamental course which prompted a question or 2 but understood the rest as was practical!!:)

either way adding 'ip routing or not' does not resolve the 'nic array' issue that appears in the 'alerts' tab and so wanted to get rid of it once and for all.

the isa/external nic via a cross-over cable is plugged into my hardware netgear router box.  which according to my isa course it states that while the isa is a firewall it also states as it explains and shows how deep the isa can dig into applications of the 'os' for eg and protect and that also adding a hardware firewall on the outside to the internet is preferred.

so other than that nothing at all as just the 'coaxial' cable via my netgear router box direct to internet!!  all other ports are unused!

note: when changing the internal address range to: 10.0.0.0 - 10.0.0.255 in isa2006/configuration/network/network rules tab - it appeared to make changes everywhere else & in firewall policy when I checked!

all my machines are in use for this specific network design so once I've completed my tasks I can then delete and re-install and configure/connect for a new design so know as each of my machines all have 'static' addresses via my dhcp as also added manually except for my single xp host pc.

while I'm currently working on this specific issue and to save on my electric I have switched off my:

- wds server
- wsus server
- xp host pc

switched on:

- master dc/ad/dns/dhcp server
- isa2006/internal/external server
- netgear router box (hardware)
- cisco layer 2 switch

nothing else!

I'm just wondering even though my client xp pc and all servers currently have internet access still, is there something I've added additional that has caused this 'nic array' 'alert'..
 

Author Comment

by:mikey250
hi keith I appreciate you may be busy but wanted to know if you had any more ideas for the network array issue I have even though I have only 1 isa and just jogging your memory from past comments from you: ?

- isa/internal is set to: 10.0.0.0 - 10.0.0.255

- isa external is set with my (hardware netgear router box) via built-in dhcp - 192.168.0.3/24 - direct to the internet.

- isa external - does already detect my isp public addresses as normal and via 'ipconfig /all'

- intermittently isa firewall loses connectivity in the 'alerts tab', but re-syncs itself and brings it back online.

- clients have internet access
 

Author Comment

by:mikey250
hi keith I even 're-installed/re-configured' the 'dhcp relay agent', thinking this would resolve my issue of still receiving 'nic array issue' even though I'm only using 1 x isa 2006 server & all hosts still have access to the internet!!
 

Author Comment

by:mikey250
I'm in the middle of configuring a new network and I have added another server which I will install isa 2006 and I can then check if I get that same 'array' issue.  if I do get it I will update this thread and allocate points as normal.  as long as it appears my configurations are ok from what I did before.

so I appreciate your input 'keith'!!!
 

Author Comment

by:mikey250
hi keith, I have not forgotten about this thread just letting you know I'm still configuring my network and when I get to this part I will check and see if the 'nic array' issue still shows.  either way if it does I will (close) this thread and allocate you the points anyway!!
 

Accepted Solution

by:
mikey250 earned 0 total points
hi keith just to let you know that 'array nic' issue has not re-appeared over these last few days and it appears basically I had not allowed all updates to be installed.  so job done!
 

Author Closing Comment

by:mikey250
although it appears I had not installed all relevant updates on my isa, it appears this did the trick but either way the responses I got were definitely good troubleshooting methods.  appreciated!
