Error 10060 while browsing Internet through ISA Server 2006


1. Connection Timeout – yes, you should believe it.

 

It is remarkable how many people do not believe that ISA raises error 10060 because it never received an answer from the destination host. The usual questions after this error appears are: Why is ISA timing out? How can I increase ISA's timeout so it stops showing this error? Why is ISA doing this?

 

Let's demystify this: ISA does not decide this timeout. It comes from a Windows operating system parameter in the TCP/IP stack, or more precisely in the Windows Sockets (Winsock) implementation. The parameters that control it are TcpMaxConnectRetransmissions, TcpMaxDataRetransmissions and TCPInitialRtt, located under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. For ISA Server, KB191143 explains these registry settings in more detail.

 

Do not change these default registry values until you really understand why the timeout is happening. Remember that ISA Server is only responsible for surfacing the result of the timeout, which it does by showing the error below:

 

Figure 1 – The infamous 10060 error.

 

Let’s go under the hood and see what happens when ISA shows this error.

 

2. Demo Scenario

 

The scenario where the user is receiving this error has the following topology:

Figure 2 – Diagram used in this network.

 

The downstream server uses the following web chaining configuration:

Figure 3 – Web Chain.

 

The following Network Monitor trace was taken on the external interface of the downstream ISA Server:

 

The downstream ISA server sends a SYN to TCP port 8080 on 192.168.40.10 (the upstream server):

10:08:05.779      192.168.1.113     192.168.40.10     TCP   TCP:Flags=......S., SrcPort=12493, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1953064972, Ack=0, Win=65535 (scale factor 0) = 65535

 

...there is no answer, so it tries again:

10:08:08.743      192.168.1.113     192.168.40.10     TCP   TCP:[SynReTransmit #11]Flags=......S., SrcPort=12493, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1953064972, Ack=0, Win=65535 (scale factor 0) = 65535

 

Notice that approximately 3 seconds later the downstream server retransmits the SYN and, still receiving no answer, tries once more:

10:08:14.762      192.168.1.113     192.168.40.10     TCP   TCP:[SynReTransmit #11]Flags=......S., SrcPort=12493, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1953064972, Ack=0, Win=65535 (scale factor 0) = 65535

 

These attempts continue until the connection attempt times out. It is important to emphasize that TCP retransmission is a standard mechanism, documented in RFC 2988.
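Added example, not part of the original post and not ISA Server code: a small Python script that parses Network Monitor text lines in the layout quoted above, groups client SYNs per 4-tuple, reports how many times each SYN was sent, the gap between retries and whether a SYN/ACK ever came back, and models the total connect timeout produced by the Winsock backoff from section 1 (each retry waits twice as long as the previous one). The trace embedded in it is constructed: the three lines from this post plus a made-up healthy handshake to 192.168.40.20. The default values of 3000 ms initial RTT and 2 connect retransmissions are the commonly documented Windows Server 2003 defaults, which give the familiar 21 second connect failure; confirm them on your own system before relying on that number.

```python
import re
from collections import defaultdict

# Constructed sample in Network Monitor's text layout: the three unanswered SYNs
# quoted in the post plus one healthy handshake (192.168.40.20 is made up).
SAMPLE_TRACE = """\
10:08:05.779      192.168.1.113     192.168.40.10     TCP   TCP:Flags=......S., SrcPort=12493, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1953064972, Ack=0, Win=65535 (scale factor 0) = 65535
10:08:08.743      192.168.1.113     192.168.40.10     TCP   TCP:[SynReTransmit #11]Flags=......S., SrcPort=12493, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1953064972, Ack=0, Win=65535 (scale factor 0) = 65535
10:08:14.762      192.168.1.113     192.168.40.10     TCP   TCP:[SynReTransmit #11]Flags=......S., SrcPort=12493, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1953064972, Ack=0, Win=65535 (scale factor 0) = 65535
10:08:20.100      192.168.1.113     192.168.40.20     TCP   TCP:Flags=......S., SrcPort=12500, DstPort=HTTP(80), PayloadLen=0, Seq=1, Ack=0, Win=65535 (scale factor 0) = 65535
10:08:20.130      192.168.40.20     192.168.1.113     TCP   TCP:Flags=...A..S., SrcPort=HTTP(80), DstPort=12500, PayloadLen=0, Seq=5, Ack=2, Win=65535 (scale factor 0) = 65535
"""

# Timestamp, source, destination, optional "[SynReTransmit #n]" note, flags, ports.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"TCP:(?:\[[^\]]*\])?Flags=(?P<flags>[.A-Za-z]+),\s*"
    r"SrcPort=(?P<sport>[^,]+),\s*DstPort=(?P<dport>[^,]+),"
)


def port_number(field):
    """'HTTP Alternate(8080)' -> 8080, '12493' -> 12493."""
    m = re.search(r"\((\d+)\)\s*$", field)
    return int(m.group(1) if m else field.strip())


def timestamp_ms(ts):
    """'10:08:05.779' -> milliseconds since midnight (integer, no float drift)."""
    h, m, s = ts.split(":")
    sec, ms = s.split(".")
    return ((int(h) * 60 + int(m)) * 60 + int(sec)) * 1000 + int(ms)


def parse_trace(text):
    """Return one dict per TCP line; lines in another layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags")  # Netmon order: C E U A P R S F
        packets.append({
            "ts": timestamp_ms(m.group("ts")),
            "src": m.group("src"), "dst": m.group("dst"),
            "sport": port_number(m.group("sport")),
            "dport": port_number(m.group("dport")),
            "syn": "S" in flags, "ack": "A" in flags,
        })
    return packets


def handshake_report(packets):
    """Group client SYNs per (src, sport, dst, dport); flag flows that never saw a SYN/ACK."""
    syns = defaultdict(list)
    synacks = set()
    for p in packets:
        if p["syn"] and not p["ack"]:
            syns[(p["src"], p["sport"], p["dst"], p["dport"])].append(p["ts"])
        elif p["syn"] and p["ack"]:
            # reverse the tuple so the SYN/ACK matches the client's key
            synacks.add((p["dst"], p["dport"], p["src"], p["sport"]))
    report = {}
    for key, times in syns.items():
        times.sort()
        report[key] = {
            "attempts": len(times),
            "intervals_ms": [b - a for a, b in zip(times, times[1:])],
            "answered": key in synacks,
        }
    return report


def connect_timeout_ms(initial_rtt_ms=3000, max_connect_retransmissions=2):
    """Time until connect() fails: initial wait, then each retry waits twice as long.
    Defaults are the commonly documented Windows Server 2003 values (assumption)."""
    return sum(initial_rtt_ms * 2 ** i for i in range(max_connect_retransmissions + 1))


if __name__ == "__main__":
    for key, r in handshake_report(parse_trace(SAMPLE_TRACE)).items():
        src, sport, dst, dport = key
        state = "answered" if r["answered"] else "NO SYN/ACK (expect error 10060)"
        print(f"{src}:{sport} -> {dst}:{dport}: {r['attempts']} SYN(s), "
              f"gaps {r['intervals_ms']} ms, {state}")
    print("modelled connect timeout:", connect_timeout_ms(), "ms")
```

Run against a trace exported from Network Monitor as text, the report separates flows that were answered from flows where only the retransmitted SYNs appear; the latter are the cases where the fix belongs on the path to the destination host, not in the Tcpip registry keys.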

 

3. Conclusion

 

Although this post uses a web chaining scenario as the example, the same error can occur in any scenario where the destination host does not answer in a timely manner. Before changing any setting, at the very least take a Network Monitor trace to see whether ISA is receiving an answer from the destination server.

Author

Yuri Diogenes

Security Support Engineer

Microsoft CSS Forefront Security Edge Team

 

Technical Reviewer

Thomas Detzner

Escalation Engineer

Microsoft CSS Forefront Security Edge Team

Comments
  • Hi,

    I am using TMG 2010 with two NICs, one for internal and a second for external (Internet). The configuration for both NICs is as below; the order of the NICs is Internal and then External.
    Configuration
    Internal Network:
    IP: 192.168.0.0
    DNS: 192.168.0.1
    External Network:
    IP: 73.67.87.x
    GW: 73.67.87.x

    External Network

    Default Gateway defined
    DNS Servers defined
    Register this connection’s address in DNS – Disabled
    File and Print Sharing for Microsoft Networks – Disabled
    Client for Microsoft Networks – Disabled
    NetBIOS over TCP/IP – Disabled
    Show icon in notification area when connected – Enabled
    Internal Network
    Default Gateway not defined
    DNS Servers defined
    Register this connection’s address in DNS – Enabled
    File and Print Sharing for Microsoft Networks – Disabled
    Client for Microsoft Networks – Enabled
    NetBIOS over TCP/IP – Enabled
    Show icon in notification area when connected – Enabled

    I am using an internal DNS server (192.168.0.1) and I use a DNS forwarder. I am using the ISP DNS server IP in the DNS forwarder tab.
    My DNS server is working fine for internal and external name resolution, but after some time Internet browsing stops suddenly, sometimes after 2 to 3 hours, sometimes after 7 to 8 hours. When Internet browsing stops I can still ping external sites like google, cnn and yahoo etc. I can also tracert to external sites and my request completes, it is working OK, but when I do nslookup it shows request timeout for external sites, while DNS works OK for internal sites. I have DNS installed on Active Directory; I do not have a DNS server on TMG 2010. My TMG 2010 is up to date with SP2 and Rollup 5 from Microsoft.
    I got the following error:
    Technical Information (for support personnel)
    • Error Code 10060: Connection timeout
    • Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties.
    • Date: 9/24/2014 3:30:18 PM [GMT]
    • Server: abc.com
    • Source: Firewall

    Then I have to do the following task to get the Internet working:
    TMG Management Console --> Networking --> Network Rules --> NAT address section; I have to change my external IP address, then browsing starts and works fine for some time.
    With these settings I have run TMG 2010 for 2 to 3 years and it was OK; now it has created a problem, although I did not make any change in rules or configuration. I have some publishing rules for Exchange and websites which always work, even when DNS is not working properly.
    Can anyone help me to sort out this issue?

    Thanks in advance.

