1. Another error 64?
After posting one of the reasons why ISA Server 2006 can come up with the generic error 64 in one of my posts, some readers asked me if this is the ultimate reason for this error. The answer is: it is not! Since the error 64 is generic it needs to be carefully interpreted, my previous post about this error mentions the “error 64” with the message: “host not available”.
This post will explain in more details why the error message below showed in the ISA Server 2006 Logging could occur while you are browsing Internet.
Figure 1 – Another error 64.
The error above was caught while the user was trying to browse www.fabrikam.com and download the Windows XP SP2 file. To simulate this problem I used the following lab:
Figure 2 – Lab used to simulate this problem.
2. Understanding the nature of this error
The 64: "The specified network name is no longer available" is a win32 error originally called ERROR_NETNAME_DELETED, this error is mapped in the winerror.h as:
//
// MessageId: ERROR_NETNAME_DELETED
// MessageText:
// The specified network name is no longer available.
In the network level, this problem could be cause by:
Network connectivity problems have various causes, but they typically occur because of incorrect network adapters, incorrect switch settings, faulty hardware, or driver issues. Some connectivity symptoms are intermittent and do not clearly point to any one of these causes.
Per KB325487.
Which means that is more under the TCP/IP level, which is controlled by the Windows OS rather than ISA Server itself.
3. Simulating the Problem
To simulate this problem I used a tool called Network Emulator for Windows and added high latency and random packet loss. Besides I also used the Web Application Stress Tool to add more load to my web server and really simulate a situation where server is busy. Now let’s take a look in the netmon trace got from the external interface of the ISA Server:
ISA Server sends the HTTP GET for the destination server:
12:39:13.355 192.168.1.113 192.168.1.95 HTTP HTTP:Request, GET /
- Http: Request, GET /
Command: GET
+ URI: /
ProtocolVersion: HTTP/1.1
Via: 1.1 ISACONTN1
If-None-Match: "304054985f13c91:4b2"
UserAgent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)
Host: www.fabrikam.com
If-Modified-Since: Wed, 10 Sep 2008 16:09:25 GMT
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-us
UA-CPU: x86
Connection: Keep-Alive
HeaderEnd: CRLF
Destination server sends the answer:
12:39:13.745 192.168.1.95 192.168.1.113 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: /
A HTTP GET is sent to get the XP SP2 file:
12:39:31.751 192.168.1.113 192.168.1.95 HTTP HTTP:Request, GET /XPSP2.zip
Destination server answers:
12:39:32.142 192.168.1.95 192.168.1.113 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: /XPSP2.zip
The file starts to be transferred:
12:39:32.242 192.168.1.95 192.168.1.113 TCP TCP:Flags=...A...., SrcPort=HTTP(80), DstPort=2050
12:39:32.242 192.168.1.113 192.168.1.95 TCP TCP:Flags=...A...., SrcPort=2050, DstPort=HTTP(80)
Suddenly the destination server resets the connection:
12:39:32.424 192.168.1.95 192.168.1.113 TCP TCP:Flags=.....R.., SrcPort=HTTP(80), DstPort=2050
12:39:32.584 192.168.1.95 192.168.1.113 TCP TCP:Flags=.....R.., SrcPort=HTTP(80), DstPort=2050
At this point the session was lost and the error showed in figure 1 appeared in the log.
4. Conclusion
What it is important for you after reading this post is to really understand that ISA Server for scenarios like this only externalize the problem. You need to focus on the real problem and start that by verifying:
· Which device is in between ISA and Internet?
o Don’t think that just because you have only a router in front of ISA Server that you will be “free of errors”. Routers do have updates and potential problems also.
· Can you sniffer the outside traffic to have the real picture of what comes into your network before hits the external interface of ISA Server?
o If you get the netmon trace only on the external interface of ISA and you have more devices in front of it you could be masquerading the real issue since you can’t see the clear traffic.
· If ISA is really the edge device, make sure that network interface card is update, the switch where ISA is connected is working properly, etc.
o Many administrators are only concern with updates on the OS level and forgot to address key updates do the drivers and active network devices.
Almost of the time the investigation of those errors occurs around ISA Server rather than in ISA Server itself. Keep your mind open to a broader set of possibilities instead of focus all our time and efforts in troubleshoot only ISA Server.
Last week we (ISA Server Team in Texas) faced an interesting issue where remote Outlook Clients using RPC over HTTPs were not able to communicate with the internal Exchange Server. Pretty challenge case since on the ISA Server side there was nothing really obvious missing, netmon also didn’t help that much, but the old netstat tool was “The MAN” to alert us about the issue. The problem ended up to be caused by Port Exhaustion on ISA Server 2006 and netstat helped us to identify that. The approach used was the same as explained by this great post from DS Team about Port Exhaustion.
It is important to bring here the scalability problem when the ISA is not correctly sized, mainly when you are publishing Outlook Anywhere. To really know the impact that Outlook Anywhere (AKA RPC over HTTPs) can cause read the article Outlook Anywhere Scalability with Outlook 2007, Outlook 2003, and Exchange 2007. After reading this article, make sure to correct size your ISA Server 2006 using the ISA Server 2006 Capacity Planning Simulator.
For tuning purpose you also can use the TcpTimedWaitDelay registry key to faster release TCP socket connection, read the article Avoiding TCP/IP Port Exhaustion for more details. Although this article is for BizTalk, the context of the problem is the same since it is something related to the Windows OS level where the application (in this case ISA) is affected.
My fellow friend Tom Shinder wrote this week about the articles that we were migrating from ISA to TMG and he was surprise with the TMG in Hork Mode (as he said), later he posted about the difference between TMG MBE and TMG EBS in another post. I understand the confusion since it was not 100% clear and this is what we also trying to do when we are reviewing the articles. If you observe the session “applies to” it will have TMG MBE or EBS (or both).
However today we have all the remaining answers for you in the following new site:
http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/threat-management-gateway-mbe.aspx
What about system requirements?
http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/tmg-mbe-system-requirements.aspx
Wonder about license? Check more info here:
http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/tmg-mbe-pricing-licensing.aspx
Enjoy TMG (with or without EBS) J
We just released an update for ISA (2000, 2004 and 2006) and TMG MBE for the behavior that Jim Harrison explained in a post about MS08-037 on ISA Team Blog.
They are available at:
957298
Forefront Threat Management Gateway, MBEhttp://www.microsoft.com/downloads/details.aspx?FamilyId=E974422F-42B0-426C-8852-FF8E67264909
956570
ISA Server 2006 update
http://www.microsoft.com/downloads/details.aspx?FamilyId=E96A6E20-0C04-4C7D-9F3E-207B02AE29CC
956637
ISA Server 2000 update
http://www.microsoft.com/downloads/details.aspx?FamilyId=1455D4E6-A0B5-4583-82F1-EE8239FCA207
958024
ISA Server 2004 Standard Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=0AB83F12-653B-4BE1-BEFE-594C4EF62BAA
ISA Server 2004 Enterprise Edition:
http://www.microsoft.com/downloads/details.aspx?FamilyId=55CE3623-2F7B-4900-9A2F-7E2AA2FE9C50
Yesterday I was playing a little bit with IE8 when I received the following warning message in IE window:
Internet Explorer has modified this page to prevent a potential cross-site-scripting attack.
Yep, that’s right: IE8 now mitigates XSS attack by using the built in XSS Filter. Do you want to know more about this? Check this great explanation/demo below:
http://msdn.microsoft.com/en-us/library/cc994337(VS.85).aspx
Also, you can review why IE Team adopted this new approach to prevent XSS attack:
http://blogs.msdn.com/ie/archive/2008/09/29/statistical-validation-of-the-ie8-xss-filter.aspx
Have you ever received one of the errors below while browsing a web site?
The page cannot be displayed
There is a problem with the page you are trying to reach and it cannot be displayed.
Technical Information (for support personnel) Error Code: 502 Proxy Error. The HTTP message includes an unsupported header or an unsupported combination of headers. (12156)
This could be caused due a response from a web server that begins with a space or tab character in the HTTP Header. If you have ISA Server 2006 SP1 the fix for that is already built in, however you still need to create the registry key described in KB935693. This KB has an example of the HTTP header that was captured using Netmon and how it looks like.
Note: This KB was also reviewed for TMG MBE and also applies to it.
The global Forefront Edge Security Team worked hard for the last 45 days to review and validate the old ISA articles and see if they were applicable for TMG. As result we have the first wave of articles already live at Microsoft KB Web Site. You can review it here.
One question that arrives sometimes is how to get a fully updated ISA Server 2004 SP3 (plus post SP3 updates) system upgraded (in place) to ISA Server 2006 with SP1 on it. This question comes in a really good moment because I can raise two recent situations that can drive you to make this decision of not use RTM version while upgrading to ISA Server 2006:
· If you have ISA Server 2004 with SP3 you are already used to Logging improvements. By upgrading to ISA Server 2006 RTM you will lose those functionalities since the RTM version of ISA Server 2006 doesn’t have that.
· Some previous experiences showed me that after making an in place upgrade from ISA Server 2004 SP3 to ISA Server 2006 RTM we can potentially get a blue screen (STOP 0x0000007f - UNEXPECTED_KERNEL_MODE_TRAP) due an issue that was fixed by KB944824. This issue was fixed in almost one year ago (previous to SP1) but guess what, RTM version does still having this issue.
So if you are planning this upgrade in place take the following steps to make sure that you are upgrading to ISA Server 2006 with SP1 built in:
1. Copy ISA Server 2006 CD to the C:\ISA Server 2006 Standard\ folder
2. Copy ISA Server 2006 SP1 to the C:\ISA Server 2006 Standard\FPC folder
3. Apply SP1 in the ISA 2006 Installation file by running:
C:\ISA Server 2006 Standard\FPC>Msiexec /a MS_FPC_Server.msi /p ISA2006-KB943462-X86-ENU.msp
4. Follow the Wizard to Apply the SP1.
5. After finish it, launch the Autorun.exe from the C:\ISA Server 2006 Standard folder.
6. Follow the wizard to upgrade you ISA Server 2004 Standard to ISA Server 2006 SP1.
For more information about in place upgrade from ISA Server 2004 to ISA Server 2006 use the official Microsoft Article for each version as show below:
Upgrade Guide for ISA Server 2006 Enterprise Edition
Upgrade Guide for ISA Server 2006 Standard Edition
This week at TechEd EMEA in Barcelona there will be lots of news about TMG and IAG/UAG. But one of that upcoming news was already announced yesterday, which is the new IAG SP2. For more information about that access the IAG Team blog at web site:
http://blogs.technet.com/edgeaccessblog/archive/2008/11/02/iag-sp2-it-is-all-about-the-application.aspx