dxbdxb2009

ISA Server Issue.

Hi EEs,
Greetings for the day,
I have ISA 2004 with SP3,
It was working well until 2 days back, but now users are experiencing slow browsing, & sometimes they cannot browse anything,
In ISA I can see the error below:

"Alert Information
Description: ISA Server detected a network adapter connected to multiple networks: Address 190.171.0.1 belongs to network 'library' and address 190.170.41.1 belongs to network 'VIP'.
ISA Server detected routes through the network adapter Local Area Connection that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 190.170.0.0-190.170.0.255;190.170.2.0-190.170.40.255;190.170.42.0-190.170.255.254;190.171.1.0-190.171.255.254;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur.
ISA Server detected routes through the network adapter Internet that do not correlate with the network to which this network adapter belongs. When networks are configured correctly, the IP address ranges included in each array-level network must include all IP addresses that are routable through its network adapters according to their routing tables. Otherwise valid packets may be dropped as spoofed. The following ranges are included in the network's IP address ranges but are not routable through any of the network's adapters: 190.170.0.0-190.170.0.255;190.170.2.0-190.170.40.255;190.170.42.0-190.170.255.255;190.171.1.0-190.171.255.255;. Note that this event may be generated once after you add a route, create a remote site network, or configure Network Load Balancing and may be safely ignored if it does not re-occur"


Any Curable solution / advice would be greatly appreciated,

Many thanks in advance.
JezNolan

Can you give me an ipconfig /all from the ISA server?
dxbdxb2009

ASKER

Hi,
Below is the ipconfig /all of ISA:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : kitserver
   Primary Dns Suffix  . . . . . . . : domain.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter Internet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : D-Link DFE-530TX PCI Fast Ethernet Adapte
r (rev.C)
   Physical Address. . . . . . . . . : 00-11-95-90-DA-E0
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 193.173.1.4
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 193.173.1.1
   DNS Servers . . . . . . . . . . . : 127.0.0.1

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Marvell Yukon 88E8056 PCI-E Gigabit Ether
net Controller
   Physical Address. . . . . . . . . : 00-1C-25-D2-42-90
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 190.171.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   IP Address. . . . . . . . . . . . : 190.170.41.1
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   IP Address. . . . . . . . . . . . : 190.170.1.1
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :

Kindly advise asap..

thanks in advance...
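
The correlation the alert describes can be reproduced offline. This is an added example, not part of the original thread: it takes the three address/mask pairs from the ipconfig output above and compares the ranges that are on-link through that adapter with a set of ISA network definitions. The network ranges are assumptions (the thread never shows them), the names `internal` and `lan` are hypothetical, and under these assumptions the uncovered ranges come out as the same list the alert prints for the Internet adapter.

```python
import ipaddress

# Addresses bound to "Local Area Connection", from the ipconfig /all output above.
ADAPTER_ADDRESSES = [
    ("190.171.0.1", "255.255.0.0"),
    ("190.170.41.1", "255.255.0.0"),
    ("190.170.1.1", "255.255.0.0"),
]

# ASSUMPTION: the ISA network definitions are not shown in the thread.
# 'library' and 'VIP' are named in the alert; 'internal' is a hypothetical name,
# and all three address ranges are inferred, not copied from the page.
ISA_NETWORKS = {
    "library": [("190.171.0.0", "190.171.0.255")],
    "VIP": [("190.170.41.0", "190.170.41.255")],
    "internal": [("190.170.1.0", "190.170.1.255")],
}

# Constructed alternative: one network whose range covers everything on-link.
SINGLE_NETWORK = {"lan": [("190.170.0.0", "190.171.255.255")]}


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def merge(ranges):
    """Merge overlapping or adjacent (start, end) integer ranges."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def routable_ranges(adapter_addresses):
    """On-link ranges implied by every address/mask pair bound to one adapter."""
    nets = [ipaddress.IPv4Interface(f"{a}/{m}").network for a, m in adapter_addresses]
    return merge((int(n.network_address), int(n.broadcast_address)) for n in nets)


def uncovered(routable, defined):
    """Parts of the routable ranges that no network definition includes."""
    gaps = []
    for start, end in routable:
        cursor = start
        for d_start, d_end in defined:
            if d_end < cursor or d_start > end:
                continue
            if d_start > cursor:
                gaps.append((cursor, d_start - 1))
            cursor = max(cursor, d_end + 1)
        if cursor <= end:
            gaps.append((cursor, end))
    return gaps


def check(adapter_addresses, networks):
    """Return (networks the adapter's addresses fall in, uncovered ranges as text)."""
    names = []
    for addr, _mask in adapter_addresses:
        for name, ranges in networks.items():
            hit = any(ip_int(lo) <= ip_int(addr) <= ip_int(hi) for lo, hi in ranges)
            if hit and name not in names:
                names.append(name)
    defined = merge((ip_int(lo), ip_int(hi)) for rs in networks.values() for lo, hi in rs)
    gaps = uncovered(routable_ranges(adapter_addresses), defined)
    text = "".join(
        f"{ipaddress.IPv4Address(s)}-{ipaddress.IPv4Address(e)};" for s, e in gaps
    )
    return names, text


if __name__ == "__main__":
    for label, nets in (("inferred", ISA_NETWORKS), ("single", SINGLE_NETWORK)):
        names, gaps = check(ADAPTER_ADDRESSES, nets)
        print(f"{label}: adapter spans {names}; uncovered: {gaps or 'none'}")
```

An adapter that spans more than one network name, or any non-empty uncovered list, corresponds to the two conditions the alert reports.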
Dear JezNolan:
Can you advise any curable solution...pls.... My ISA is very slow & I am getting 25-30 calls/hr..pls help..
Also attaching some more snapshots of errors I logged in ISA2004 herewith..
Kindly have a look & advise..
Many thanks in advance..
123.jpg
1234.jpg
12345.jpg
Has anything changed on the network or the ISA server itself recently in terms of network settings etc., or any new routes etc. created?

Not sure if this is something being caused by DNS servers.
Do you use local DNS? If yes, are they working OK? Are you using DNS forwarders on these DNS servers? If yes, check the external DNS servers or try using 8.8.8.8

I had similar slow browsing issues in the past and it was all due to my DNS server.
Thanks for your reply...
Nothing changed in the network..or in ISA..or no new routes edited...
Yes..I have internal DNS installed in ISA itself...which used the forwarder...also tried to use Google DNS...8.8.8.8 but the issue is the same...

One more error I will share with you..is ....
When I am trying to browse, sometimes I get this error:
Network Access Message: the page can not be displayed..
error code : 10060 : connection time out
Source : firewall
Kindly advise any other curable solution...
There is much stuff on Google relating to this particular error, as there are a number of things on ISA and network setup that can affect it. Try reading this; they have some configuration advice at the bottom.

http://forums.isaserver.org/m_240108000/mpage_1/key_/tm.htm#240108000

I believe you are using a proxy on client browsers and all is configured correctly.

How about browsing on the ISA server itself, is it the same issue or better?
I tried everything I can search & apply...as per my understanding of ISA...
No proxy is set on any client PC ...
Even on ISA I cannot browse anything..
Pls help and advise..
Double check if both your network configurations are correct. Give this article a quick read and compare your settings.
http://www.isaserver.org/tutorials/configuring_isa_server_interface_settings.html

Can you also provide a bit more detail about your environment?

Is it a dedicated ISA server only or being used for something else? Looks like you have DNS running on this.
Thanks for your reply .... I am reading the link provided here....
ISA is running only with DNS..nothing else..
Any workaround for the below error:
"Alert Information
Description: ISA Server detected a network adapter connected to multiple networks: Address 190.171.0.1 belongs to network 'library' and address 190.170.41.1 belongs to network 'VIP'.
ISA Server detected routes through adapter Local Area Connection that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 190.170.0.0-190.170.0.255;190.170.2.0-190.170.41.0;190.170.41.201-190.170.255.254;190.171.0.0-190.171.0.0;190.171.0.201-190.171.255.254;.
ISA Server detected routes through adapter Internet that do not correlate with the network element to which this adapter belongs. For best practice, the address range of an ISA Server network should match the address ranges routable through the associated network adapter as defined in the routing table. Otherwise valid packets may be dropped as spoofed. (This alert may occur momentarily when you create a remote site network. You may safely ignore this message if it does not reoccur.)  The address ranges in conflict are: 190.170.0.0-190.170.0.255;190.170.2.0-190.170.41.0;190.170.41.201-190.171.0.0;190.171.0.201-190.171.255.255"
What shall I do to remove these..
Can these issues be the reason for ISA working very very slow....resulting in slow browsing on clients' PCs..
I am attaching some screenshots of my ISA config herewith....for your ready reference..
chaching.JPG
chaching-propr.JPG
firewal.JPG
networks-chachine.JPG
networks-networks.JPG
networks-rules.JPG
networks-sets.JPG
Hi H-Singh: I have read the link you provided & configured both interfaces as advised here...

Even so the issue is the same..do I have to restart ISA Server?

I have just noticed some requests rejected by ISA in the Monitoring tab as below:

----------------------------------------------------------------------------------------------------------------------------
1. The response was rejected because a compressed response was not requested.      

Description: ISA Server was unable to process a response body from /compressiontest. The server supplied a compressed response although ISA Server did not request compression. The response was discarded.

----------------------------------------------------------------------------------------------------------------------------

----------------------------------------------------------------------------------------------------------------------------
2. Intrusion detected:      

Description: ISA Server detected an Internet Protocol (IP) half-scan attack from IP address 190.171.0.176.
----------------------------------------------------------------------------------------------------------------------------
How can I set the compression in the General tab to work around this..?

I can see there are some PCs which are spreading or attacking with half-scan attack ..but unfortunately we have 200 PCs running on wireless (they get the IP from WAP DHCP) so it seems very difficult to find out that PC.
Is it possible we can secure or block such attacks at ISA level (ISA is installed with updated ESET antivirus)?

Kindly advise / suggest...

Many thanks in advance....
Sorry - I got stuck on a job. I think H-Singh has more knowledge than me in this regard anyway.
That's ISA's job, to protect and block these bad requests if coming from your internal network, but yea make sure your outbound policies are configured correctly not to allow any traffic that you don't want to go out; maybe HTTP and HTTPS only, what users need, except some specific ones.

Yes, if you made some changes to network adaptors then a reboot is required to correctly bring these into effect.

When website browsing times out, did you try to ping the IP of the site at the same time? Maybe do a test of a continuous ping to the IP of the site and browse at the same time. At least we can find out if it's DNS.

As my mind is still going toward DNS,
so ISA is your only DNS server in the network and it has DNS forwarders set.

Also check your public IP for blacklists etc. Even if it won't affect internet browsing, it is just to see if there are really some bad PCs sending bad stuff out. That means ISA traffic rules need tightening.
Maybe we need to set DNS on the internal NIC and not the external?
Yes, DNS should be on LAN, I didn't notice if it was on WAN.

Here is another good article on network adaptors.

http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html
Until your basic network adaptor config is right, there are going to be a hell of a lot of small issues here and there.

Mark them correctly LAN / WAN to identify them easily.
Follow the above link's guide for more details on configs: DNS/GW/suffix etc.

The thing with ISA: if configured and set up correctly it's great, if not it's a big pain in ***

You don't have very complex policy rules so I don't see much complexity in this, so just make sure network adaptors are configured correctly and the DNS server is set up as it should be.

Reboot and do some tests.
Thanks H-Singh for your valuable reply & support,

".......but yea make sure your outbound policies are configured correctly not to allow any traffic ....." = How & where can I be sure about this...? Where shall I check? Pls advise.?

I did not try pinging...well I just tried from one of the client PCs as well as on ISA...I tried pinging yahoo.com & its IP address....most of the packets are lost..(see the attached screenshot) herewith. = I noticed that in both ping windows packets are being lost, from client PC & ISA Server.

DNS = what all do I need to do with DNS = kindly advise..?
Yes my ISA is installed with AD + DNS + DNS forwarder.

No, the public IP is not in the black list ...I have confirmed by checking on some websites..

As you suspected DNS, I do also... packets are being lost...

Kindly advise...where I need to do something to get it solved..

I really appreciate your prompt & curable advice...so far..

Many thanks in advance.. once again...

ping.JPG
No prob, I know how it is to be in difficult times when 100's of users are on your head with questions why this is not working.

Anyway, not sure what exactly your situation is. Is it downtime? Affecting all users?
Or have you got an alternative route in place for the time being?

If all network adaptors are configured correctly, the last thing you can check is whether there are any Windows updates available.
Network adaptor drivers/firmware up to date?
What is next to your ISA? Is it an ISP-provided firewall in your office or just a GW IP provided by the ISP?
Have you checked with the ISP that there are no issues on the line itself?
Or to confirm, did you try putting in any TMP router (if you have some basic router lying around, try putting that in and add the needed configs) just to test if the line and your other DNS server work well? Or is it the only DNS server? If yes, you can try using Google DNS directly on one client machine just for the sake of a line test,
as we don't want to blame ISA if it's a line fault.

Not sure how comfortable you are with an ISA rebuild. If its configs are messed up, then if it's me in your place, in the same time we resolve the issue I can simply put another TMP router in place for the time being and rebuild ISA from scratch by applying all needed updates on OS or drivers etc.
It all depends how critical your situation is.
Sometimes a rebuild takes less time than resolving or fixing issues, especially if you don't have very complex rules and setup on ISA, which I think is not the case as you have only a couple of policies.

Did you build it the first time or did someone else?

As I had personal experience with ISA 2006 where we had to rebuild it to avoid wasting time in figuring out the issue.
But before going ahead make sure you do all other needed tests,
make sure it's not an ISP issue and the internet works perfectly fine with any other simple router.

Did a restart after making sure network configs are fine not help at all?
I wish I had our ISA handy to check things for you, as we replaced it with WatchGuard.

Have a coffee and plan your tasks, not to waste too much time in resolving.
Back up your ISA configs always, if you have loads of website lists etc.
Change your DNS entry to your LAN side NIC first and re-boot. Make sure the ISA server is registering itself correctly with DNS on the internal rather than the external IP.
"...Change your DNS entry to your LAN side NIC first and re-boot..." do you mean I should put DNS IP 127.0.0.1 in my internal NIC ... am I correct? Or what IP do I have to put?

And as there is no IP in the external DNS = so I have to keep it empty..correct?

".......Make sure the ISA server is registering itself correctly with DNS ..." how can I register ISA with DNS = kindly advise...

Thanks for being with & supporting me...
Yes, as already mentioned by JezNolan, I hope you checked the adaptor configs and made sure DNS is only on the LAN adaptor and the DNS server has a forwarder set up.

Yes, DNS IP 127.0.0.1 in your internal LAN side adaptor's IP settings.

No DNS in External/WAN adaptor IP settings.

Make sure the DNS server has some external DNS IP e.g. 8.8.8.8 in its forwarders.


@JezNolan, his ping requests direct to the IP itself are also dropping. Looking at that is making me think outside of DNS. Maybe routing issues.
Yes - I generally use the internal IP rather than 127.0.0.1, but that may be a matter of preference. Nothing in external for DNS.

In DNS manager on the ISA server make sure the entries in your domain for the ISA server are correct - this internal address.
Thanks for your prompt support & reply,

As per your previous link I already added 120.0.01 in the internal interface of ISA..

& in DNSMGMT.MSC it seems that all (internal IP addresses) are configured..

Here I am attaching the screenshot of DNS Mgmt for your ready reference..

Kindly advise accordingly ...

Many thanks...
dns-mgmt.JPG
dns-mgmt.JPG
I can't see any forwarder IPs added to DNS Mgmt on the second image.

You need to add at least one external DNS forwarder; try adding 8.8.8.8

Also I hope you added the correct IP 127.0.0.1 not 120, or just add its own server IP itself 190.170.1.1
I have added 8.8.8.8 as forwarder & added its own 190.170.1.1 as a DNS in the internal interface..

Then I tried pinging by domain name & IP address to Yahoo & Google but here I got the same issue...

Kindly see the attached screenshot & advise...
ping-to-google.JPG
ping-to-yahoo.JPG
Did you get a chance to try other methods to make sure your ISP line is all OK? I mean the TMP router, just to confirm it's definitely ISA causing the trouble.

Also all default system rules allowing DNS out from localhost/ISA are in place, they are hidden until you tick to see these. I can't really put instructions as I don't have ISA anymore.

And ping out from ISA itself having the same issues.

Do you have only one LAN subnet?
Finally, can you post a screenshot of the IP settings of all your adaptors on ISA itself, and also one from any client machine.
Hi H-Singh..

Do I have to try my ISP's public DNS i.e. 213.42.20.20 ...?

Below is the tracert I ran on ISA...

Kindly advise any solution to work around..

Sorry to bother you so much...

I am in trouble ..pls help...
tracert-to-Yahoo.JPG
SOLUTION
JezNolan

This solution is only available to members.
Yes, agree with JezNolan.

As already mentioned, somehow test the line itself.

Please test and then tell us the results, so we can at least be sure if it's ISA causing the issue or not.


Are you comfortable with doing this test?
Leaving for the day, best of luck and I hope you will get this resolved by morning.
Also I am getting rejected alerts of compression as below:

------------------------------------------------------------------------------------------
 The response was rejected because a compressed response was not requested.    
Description: ISA Server was unable to decompress a response body from /static/site-min-edbb7e3d2098f.css because the response was compressed by the deflate method, which is not supported by ISA Server. This happens when a Web server is configured to supply responses compressed by the deflate method regardless of the type of compression requested.

If you want ISA Server to block such responses, configure the policy rule's HTTP policy to block the Content-Encoding header in responses. Otherwise, such responses will be forwarded without decompression to the client and can be cached.

You can cancel or reduce the frequency of the alert generated by this event in ISA Server Management.
-------------------------------------------------------------------------------------

I am attaching herewith the current configuration of my "Define HTTP Compression Preferences" settings for your ready reference..

Kindly have a look & advise...

It would be really appreciated if you can advise me promptly .....many thanks once again...
compresstion1.JPG
compresstion2.JPG
compresstion3.JPG
Welcome & thanks JezNolan for joining....

I connected the laptop directly to the ADSL router with the 192.169.1.2 & tried to ping yahoo by IP & name....packets are being lost here as well but I can see these are fewer compared to putting ISA in between..
Herewith I am attaching the screenshot as well...
Kindly have a look & advise...
Many thanks in advance..
ping-with-laptop.jpg
This is confusing me - why is your ISA server set up with public IPs on both sides and your ADSL router on a private IP?
I am very sorry JezNolan....
I checked my laptop, it got the automatic IP i.e. 193.173.1.3
I confirm it is not in 192.168.1.2...it was my typo
If it is possible or feasible for you I can share my ISA screen with you..using TeamViewer...
Pls share your email id ..if you can..
Kindly advise..
Many thanks...
Hi JezNolan...
I just ran some more test pings to some other domains like google.com..cisco.com using my laptop.... I can see that from the laptop pinging/connectivity seems good & 98% of pings sent are successful.....
Kindly advise how I should troubleshoot this issue...
Many thanks...
I'm on a train heading home for the day I'm afraid. Another question for you - ISA is using public IPs both sides - why is that?
Hi JezNolan,
Thanks for your reply,
I really don't know why it was configured with public IPs on both sides...(done by the previous IT admin)
As it was working fine I did not touch/think to modify this....
Where can I start troubleshooting this issue..
Kindly advise..
Many thanks in advance...
I'm not an ISA expert - I actually have a strong dislike for the product because it never behaves quite how you expect it to. So I hope H-Singh comes back in as well to help out.

To me it looks like you have some sort of routing issue and this may be caused by the multiple IP addresses on the cards and the networks set up in ISA.

I think we need to start with the basics first. Can you let me know the range of IP addresses the ISP has given you for your DSL connection and whether your ADSL router is set to NAT the traffic to your network. I also would like to know why you are using such massive public IP ranges on the internal side to your ISA server as this does not look right at all.

You are using a class C entire range of public IPs on the outside
- 192.173.1.1-192.173.1.254 (254 addresses)
You are using two different class B public ranges on the inside
- 190.171.0.1-190.171.255.254 (65534 addresses)
- 190.170.0.1-190.170.255.254 (65534 addresses)

This seems very wrong indeed to me unless I am missing something.
I think it is best to do TeamViewer and see your environment, as via this I can't really get a real overview of your complete network diagram.

Or if you have a network diagram to share, that can help us to understand your IP scheme.

I am in a meeting for the next 2 hours and will chat to you later on.

h.singh@dbslaw.co.uk
thanks a lot H-Singh & JezNolan for your great support & help...I will always remember & appreciate your help & extended support,

@ JezNolan : I will reply you with my IPs details soon with network diagram
@ H-Singh : I will share TV id & Pwd with you on your email after 3-4 hrs when you will be free to look & advice..

Meanwhile I suspect some PCs got infected with viruses/worms...so in the meantime I will quickly try to find those out & install antivirus on them...

Will come back & post here as soon as I am back..

thanks guys once again..

Kindly be with me..

see you soon
Yes first clean your computers
Also what are ISA server hardware specs
What's ur line speed

I believe you have done the line test using laptop direct bypassing ISA to confirm line is fine
Yes first clean your computers  =  working on it
ISA server hardware specs = it is a Lenovo PC with 2 Gigs RAM & P4 Processor
What's ur line speed  = 40 Mbps
line test using laptop direct bypassing ISA  = Yes...of course I directly connected it to my DSL router...

Rest info..i will update soon..

thanks once again....
Hi
I am back at my desk now, let's see your network diagram first if you have one, just to get a clear picture of your setup. If you can, prepare and show us something like the one attached so that we can get a clear view of your network setup.


Then you can drop me a mail to share the screen.
my-Network.jpg
Hi H-Singh ...thanks for your reply..

I am still cleaning my PCs ..... as I got 10-12 PCs infected .....
I suspect some more..
Kindly give me some time to have them cleaned..
Will update you..as soon as I am finished...
Thanks once again..
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Hi H-Singh,
I apologise... I could not reply to you yesterday since I was not able to clean all PCs,
& unfortunately some more BAD PCs are left for installing updated AV & cleaning,
Kindly give me some more time to make my intranet/LAN clean so we can clearly come to know where the issue is..
& yes...I install & update AV, then put it on scanning & then reboot them...
Kindly be with me ..I will update you as soon as I finish with all..
Many thanks once again..
Hi H-Singh,

Sorry for the delayed reply,

As per my suspicion & your suggestion, the issue is because of viruses & BAD PCs,
I confirm it is because of a virus. I just disconnected some core switches from my core backbone switch in my server room, then monitored in ISA (ping window): ping success rate is 100%, & as soon as I connect the switch back .... ISA (ping window) starts dropping some packets,

Also I can see there are some "Intrusion_detected" alerts in the ISA_monitoring window (image attached herewith),
then I tried to block these attacking IP addresses using the FW_Rule wizards ...but later I thought...that those PCs can get different IPs as I am using WAP's DHCP to assign IPs to almost all PCs,
Kindly advise: is there any way I can block these PCs by their MAC addresses in ISA 2004,

Many thanks once again..
Intrusion-detected.jpg
OK, now you at least know the root cause of the issue.
I would advise you to clean the BAD PCs and make sure you have proper protection on all PCs.

Check your ISA policies and make sure you allow only good traffic out, or say whatever is needed.
So if it's only browsing then allow only HTTP and HTTPS out and block everything else, except for your servers for some other needed traffic.

See your ISA server resources when all PCs are on the network, what the RAM and processor usage on the server is. It might be getting too many bad traffic requests and then, instead of easily dropping bad packets, it starts dropping others as well or is not coping with the load.
As I believe even with loads of bad PCs there, if the ISA server is powerful enough in terms of hardware etc. then it should successfully filter and stop bad traffic and shouldn't affect good traffic.

Anyway you're on the right track, so sort these bad PCs.

Always use good AV
Hi H-Singh

I could do it only because of your help...!
You are really great ...
Kindly allow me to remove/clean BAD PCs from the network...
I will keep you posted as soon as I finish...I can still see some more "Intrusion_detected" attacks on ISA,
Many thanks once again..
@ H-Singh,
I am back...
I found approx 22 BAD PCs & I am still searching/installing.
But I am a bit relaxed that ISA is back to work..
Kindly accept my hearty thanks with the points & have a look at my next question related to this post below:
https://www.experts-exchange.com/questions/28114528/ISA-Server-2004-Problem.html
Glad you managed to sort this out.

Regarding your second question, I will let some other experts also shed some light on that. But my initial thought: your IP configs on adaptors don't seem very helpful to me, or maybe the adaptor names are not correct.

As WAN and LAN both look like they are for public IPs, and I tried pinging; I can't ping any IP on your WAN adaptor, yea maybe it's blocked on purpose.

But I am shocked that I can ping an IP that is on your LAN adaptor.
So something more complex is there and you need to review your complete network diagram up to the top level, from ISP to your end PC. Once you have a clear picture then it will be easy to find faults.