Here’s some info on an interesting support issue I worked the other day. If you happen to run into this one day, maybe this will help you get it resolved.
We have a website published through ISA 2006. The site is configured for both HTTP and HTTPS access from the ISA server. When a user connects to the site over HTTP, the site comes up fine.
But when he tries over HTTPS, he gets a ‘page cannot be displayed’.
Troubleshooting and Resolution:
We started with live logging on the ISA console while doing a repro of the issue. We were seeing ‘Failed Connection Attempts’ for the traffic coming from the test machine used for the repro, with the error message: Error 64 “The specified network name is no longer available”
This error is very generic and there can be multiple reasons which would translate to this error code.The most common one is when the backend server is performing a dirty TCP connection reset.
So, to check this further, we collected a network monitor trace on the internal NIC of ISA server.
We filtered down to the traffic that is of interest to us.
So this clearly indicates that the backend server is Resetting the TCP connection prematurely and this is triggering the ‘64 Error’.
Investigating further, we identified that the backend device is a 3rd party load balancer. And for some unknown reasons, the ISA server was failing at the SSL handshake stage.
So, we had the 3rd party support team collect a dump of the SSL settings on the Load Balancer and identified the following:
Then, we went back to the Network Monitor trace (the earlier screenshot) and compared this with the ciphers advertised by ISA server in the client hello. RSA_WITH_RC4_128_MD5 is not part of the Cipher list sent by the ISA server.
Due to this, the 2 peers are not able to successfully choose a common encryption scheme and the SSL handshake fails.
After identifying this, we had the 3rd party vendor enable additional Ciphers which are accepted by ISA server.
Once we did this, the published site was accessible from the internet.
The issue was resolved!!
Hope this would be helpful when you are troubleshooting website accessibility issues through ISA server…especially with 3rd party load balancers in the infrastructure.
Security Support Engineer - Microsoft Forefront Edge Team
Security Support Escalation Engineer - Microsoft Forefront Edge Team
Security Sr. Support Escalation Engineer – Microsoft Forefront Edge Team
Job well done mate. Nicely written.