Some days ago a customer opened a case because an ISA array was randomly refusing all the incoming connections and a restart of the Firewall Service was required to make the connections be accepted again.

After a quick investigation we figured that the cause of the issue was that the Firewall Services went in Lockdown mode after a log failure. Both the Firewall and WebProxy logs were configured to use a Remote SQL server but the connection to the database was not reliable enough to support that critical array, managing a lot of traffic.

Hence, to provide a quick relief and stabilize the system, we chose another logging method: logging to Text Files.
There was not enough space left on the drive C: so we decided to log to a folder on drive E:

clip_image002

Switching to flat files logging failed however unexpectedly and the following error was logged in the Application log:

clip_image004

Event ID 11003, “The failure occurred during reading of logging configuration because the configuration property msFPCLogFileDirectory of the key SOFTWARE\Microsoft\Fpc\Storage\EffecTree1\Arrays\{GUID}\Logs\Proxy-WSP is not valid. Use the source location <location> to report the failure. The error description is: Access Denied.”

Seeing the “Access Denied” error, we checked the rights on the default log folder and found that on that folder SYSTEM and NETWORK SERVICES are assigned Full Control rights.

We also checked the target folder and found that the required rights were already in place – therefore nothing explained an “Access denied” error.

At this point we really needed to figure what is going wrong. Is the error really complaining about insufficient rights on the folder or on the mentioned registry key?

To troubleshoot this problem, we decided to capture a Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645) log while switching the logging method.

Process Monitor allows you to trace File System/ Registry and process/thread activity, along with the result codes. This way we hoped that we can see which exact operation which runs into an “Access Denied” error.

We repeatedthe operation and analyzed the generated PML file by only including “Access Denied” result codes in the display (we used the filteringcapabilities provided by Process Monitor).

This way we found the following:

clip_image006

What we saw is that ISA actually requires permission on the parent folder as well!

After assigning Full Control rights on E:\logfiles folder to SYSTEM and NETWORK SERVICE the switch to Text file logging worked correctly.

This issue is actually covered here:

http://technet.microsoft.com/en-us/library/cc302540.aspx

Event 11002 is Issued in the Event Viewer After Modifying the Default Location of the Logging Folder

Problem: After changing the location of the log folder when logging to a file or to an MSDE 2000 database, the following event is issued: Event 11002 Microsoft Firewall failed to start. The failure occurred during creation of logging module because the configuration property PropertyName is not valid. The error description is: The filename, directory name, or volume label syntax is incorrect.

Cause: Permissions were not configured appropriately on the customized logging folder.

Solution: Ensure that permissions are correctly configured. The Network Service must have read permissions from the root partition and any parent folder for the folder. On the logging folder itself, the following permissions are required:

  • Network Service: Full Control
  • System: Full Control
  • Administrators: Full Control

 

Authors
Gianni Bragante
Support Engineer
Microsoft CSS Forefront Edge Team

Technical Reviewer
Balint Toth
Support Escalation Engineer
Microsoft CSS Forefront Edge Team