ISA Server 2006 Firewall Service not starting - Yuri Diogenes's Blog - Site Home - TechNet Blogs

Yuri Diogenes's Blog

Thoughts from a Senior Content Developer @ Microsoft Data Center, Devices & Enterprise Client – CSI (Enterprise Mobility Team)

ISA Server 2006 Firewall Service not starting


1. Introduction

 

One of the most painful issues to resolve on ISA Server is when the Firewall Service stops and doesn’t come up again. Many times this happens without any previous warning, and most of the time it is because ISA is failing to load something or to commit some configuration change that was made. In this particular scenario, the firewall administrator claimed that he didn’t change anything and, believe it or not, he didn’t. ISA Server had been untouched for months, and one day, after a Windows security patch was installed and the server restarted, the Firewall Service didn’t start.

 

In situations like that it is easy to blame the patch, because the first thing that comes to people’s minds is: well, if it was working and stopped working after installing a patch, it has got to be the patch. Although this makes sense (logically speaking), it might not be true (technically speaking). This particular case confirmed that: after the firewall administrator uninstalled the patch (not really a good security recommendation), the issue persisted.

 

Let’s see the approach to fix this issue.

 

2. Starting from the Basics

 

Start from the simplest thing, which is to review the Event Viewer. In this case, here is the sequence of events that I found:

 

Event Type:        Error

Event Source:    Microsoft ISA Server Web Proxy

Event Category:                None

Event ID:              14127

Date:                     8/2/2009

Time:                    9:43:36 AM

User:                     N/A

Computer:          ISACONTN1

Description:

The Web Proxy filter could not initialize (error code 501.3357.5.0.5723.493).

 

Event Type:        Error

Event Source:    Microsoft ISA Server Web Proxy

Event Category:                None

Event ID:              14127

Date:                     8/2/2009

Time:                    9:43:38 AM

User:                     N/A

Computer:          ISACONTN1

Description:

The Web Proxy filter could not initialize (error code 505.78.5.0.5723.493).

 

Event Type:        Error

Event Source:    Microsoft Firewall

Event Category:                None

Event ID:              14060

Date:                     8/2/2009

Time:                    9:43:38 AM

User:                     N/A

Computer:          ISACONTN1

Description:

ISA Server could not load the application filter Web Proxy Filter ({4CB7513E-220E-4C20-815A-B67BAA295FF4}). FilterInit failed with the error code 0x80070006. To attempt to activate this application filter again, stop and restart the Firewall service.

 

Event Type:        Error

Event Source:    Microsoft Firewall

Event Category:                None

Event ID:              14001

Date:                     8/2/2009

Time:                    9:43:38 AM

User:                     N/A

Computer:          ISACONTN1

Description:

Firewall Service failed to initialize. Previous event log entries might help determine the proper action.

 

In this case these events are very generic and really don’t say much, but they give us an idea of the sequence of failures that we have.

 

3. Going Further

 

On issues related to the Firewall Service not starting, one thing that is very handy is to understand what is happening while the Firewall Service is starting. Which files is it loading? To better see what was happening, I used WinDBG to attach to the Firewall Service. I did that on a working system to see the sequence that I get there, and repeated the same on the system that was broken. Here are the steps that I used on my working system:

 

0. On the system that is working, I stopped the Firewall Service.

1. Open WinDBG (if you don’t have it, download it here).

2. Start the Firewall Service, open WinDBG, click on File / Attach to a Process, choose the wspsrv.exe process as shown below and click OK.

 

Figure 1 – Attaching WinDBG to the Firewall Service process.

 

3. In the command window type g and press ENTER. The g command starts executing the process and waits for a manual break, or breaks on an external cause (if the process quits, for example).

4. On my working system the following sequence appeared:

 

(e94.1e8): Unknown exception - code 000006d9 (first chance)

ModLoad: 0c8e0000 0c909000   C:\Program Files\Microsoft ISA Server\authdflt.dll

ModLoad: 60290000 602f5000   C:\Program Files\Microsoft ISA Server\CookieAuthFilter.dll

ModLoad: 0c9b0000 0c9ef000   C:\Program Files\Microsoft ISA Server\ACECLNT.dll

ModLoad: 67de0000 67e05000   C:\Program Files\Microsoft ISA Server\sdmsg.dll

ModLoad: 71ca0000 71cf8000   C:\WINDOWS\system32\kerberos.dll

ModLoad: 766e0000 766ec000   C:\WINDOWS\system32\cryptdll.dll

(e94.1e8): Unknown exception - code 000006d9 (first chance)

ModLoad: 635e0000 635f7000   C:\Program Files\Microsoft ISA Server\radiusauth.dll

ModLoad: 0ea10000 0ea2d000   C:\Program Files\Microsoft ISA Server\ldapfilter.dll

ModLoad: 61470000 614b1000   C:\Program Files\Microsoft ISA Server\LinkTranslation.dll

ModLoad: 60fe0000 61008000   C:\Program Files\Microsoft ISA Server\HttpFilter.dll

ModLoad: 72e50000 72f6a000   C:\WINDOWS\system32\msxml3.dll

ModLoad: 0f480000 0f493000   C:\Program Files\Microsoft ISA Server\complp.dll

ModLoad: 68100000 68124000   C:\WINDOWS\system32\dssenh.dll

(e94.998): Unknown exception - code 000006d9 (first chance)

(e94.998): Unknown exception - code 000006d9 (first chance)

(e94.998): Unknown exception - code 000006d9 (first chance)

(e94.998): Unknown exception - code 000006d9 (first chance)

(e94.998): Unknown exception - code 000006d9 (first chance)

(e94.998): Unknown exception - code 000006d9 (first chance)

ModLoad: 633b0000 633c2000   C:\Program Files\Microsoft ISA Server\pptpfltr.dll

ModLoad: 60780000 60795000   C:\Program Files\Microsoft ISA Server\ftpfltr.dll

ModLoad: 641c0000 641de000   C:\Program Files\Microsoft ISA Server\StrmFltr.dll

ModLoad: 61350000 61363000   C:\Program Files\Microsoft ISA Server\issfltr.dll

ModLoad: 60ae0000 60b16000   C:\Program Files\Microsoft ISA Server\h323fltr.dll

ModLoad: 609b0000 609e5000   C:\Program Files\Microsoft ISA Server\h323asn1.dll

 

I repeated the same sequence on the non-working system and WinDBG stopped at the following module:

 

(c38.1b8): Unknown exception - code 000006d9 (first chance)

ModLoad: 635e0000 635f7000   C:\Program Files\Microsoft ISA Server\radiusauth.dll

ModLoad: 0ea10000 0ea2d000   C:\Program Files\Microsoft ISA Server\ldapfilter.dll

ModLoad: 61470000 614b1000   C:\Program Files\Microsoft ISA Server\LinkTranslation.dll

ModLoad: 60fe0000 61008000   C:\Program Files\Microsoft ISA Server\HttpFilter.dll

ModLoad: 72e50000 72f6a000   C:\WINDOWS\system32\msxml3.dll

ModLoad: 0f480000 0f493000   C:\Program Files\Microsoft ISA Server\complp.dll

ModLoad: 71bd0000 71be1000   C:\WINDOWS\system32\mpr.dll

(c38.1b8): Unknown exception - code 000006d9 (first chance)

(c38.1b8): Unknown exception - code 000006d9 (first chance)

ModLoad: 0eb90000 0eb9f000   C:\Program Files\Common Files\System\Ole DB\SQLOLEDB.RLL

eax=00000000 ebx=00000000 ecx=0006fdcc edx=00000000 esi=7c822028 edi=00000000

eip=7c82ed54 esp=0006fe18 ebp=0006ff0c iopl=0         nv up ei pl zr na pe nc

cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246

ntdll!KiFastSystemCallRet:

7c82ed54 c3              ret

Missing image name, possible paged-out or corrupt data. <-- This happened because the wspsrv.exe process quit since it was not able to start.

 

Notice that my working system does not load this SQLOLEDB.RLL module, which immediately made me think: what component does ISA use to communicate with SQL (if needed)? Answer: logging. Bingo! That was it: my system was using text files for logging while the non-working system was using SQL.
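When the captures are longer than a screenful, the same comparison can be scripted. The following is an added example, not code from the original post: it parses the ModLoad lines of two WinDBG captures (excerpts of the ones shown above) and reports the modules unique to each run and the last module loaded before the broken run ended. The function names are hypothetical.

```python
import re

# WinDBG prints: "ModLoad: <start> <end>   <image path>"
MODLOAD = re.compile(r"^ModLoad:\s+[0-9a-fA-F`]+\s+[0-9a-fA-F`]+\s+(.+?)\s*$")

# Excerpts of the two captures shown in the post.
WORKING = r"""
ModLoad: 635e0000 635f7000   C:\Program Files\Microsoft ISA Server\radiusauth.dll
ModLoad: 0ea10000 0ea2d000   C:\Program Files\Microsoft ISA Server\ldapfilter.dll
ModLoad: 61470000 614b1000   C:\Program Files\Microsoft ISA Server\LinkTranslation.dll
ModLoad: 60fe0000 61008000   C:\Program Files\Microsoft ISA Server\HttpFilter.dll
ModLoad: 72e50000 72f6a000   C:\WINDOWS\system32\msxml3.dll
ModLoad: 0f480000 0f493000   C:\Program Files\Microsoft ISA Server\complp.dll
ModLoad: 68100000 68124000   C:\WINDOWS\system32\dssenh.dll
ModLoad: 633b0000 633c2000   C:\Program Files\Microsoft ISA Server\pptpfltr.dll
"""
BROKEN = r"""
ModLoad: 635e0000 635f7000   C:\Program Files\Microsoft ISA Server\radiusauth.dll
ModLoad: 0ea10000 0ea2d000   C:\Program Files\Microsoft ISA Server\ldapfilter.dll
ModLoad: 61470000 614b1000   C:\Program Files\Microsoft ISA Server\LinkTranslation.dll
ModLoad: 60fe0000 61008000   C:\Program Files\Microsoft ISA Server\HttpFilter.dll
ModLoad: 72e50000 72f6a000   C:\WINDOWS\system32\msxml3.dll
ModLoad: 0f480000 0f493000   C:\Program Files\Microsoft ISA Server\complp.dll
ModLoad: 71bd0000 71be1000   C:\WINDOWS\system32\mpr.dll
(c38.1b8): Unknown exception - code 000006d9 (first chance)
ModLoad: 0eb90000 0eb9f000   C:\Program Files\Common Files\System\Ole DB\SQLOLEDB.RLL
ntdll!KiFastSystemCallRet:
"""

def loaded_modules(capture):
    """Map lower-cased file name -> full path, in load order; other lines are skipped."""
    modules = {}
    for line in capture.splitlines():
        m = MODLOAD.match(line.strip())
        if m:
            path = m.group(1)
            modules.setdefault(path.rsplit("\\", 1)[-1].lower(), path)
    return modules

def compare_loads(working, broken):
    """Return (only in broken, only in working, last module the broken run loaded)."""
    good, bad = loaded_modules(working), loaded_modules(broken)
    only_broken = [p for n, p in bad.items() if n not in good]
    only_working = [p for n, p in good.items() if n not in bad]
    last_loaded = list(bad.values())[-1] if bad else None
    return only_broken, only_working, last_loaded

if __name__ == "__main__":
    labels = ("only in broken", "only in working", "last loaded")
    for label, value in zip(labels, compare_loads(WORKING, BROKEN)):
        print(label, value)
```

mpr.dll also appears only in the broken excerpt, so the diff narrows the candidates rather than naming a culprit; the last module loaded before the process exited (SQLOLEDB.RLL here) is the lead the post follows.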

 

4. Wait a minute, how was this working before?

 

Good question! After identifying that the issue was in the connectivity with SQL, we engaged the database administrator, who revealed that it was his fault. He had migrated SQL to new hardware and restored the configuration, but failed to give the appropriate permissions to the ISA Server computer account. He fixed the issue using KB 838710, in particular step 7 of the section called “How to set up SQL Server to accept the Open Database Connectivity (ODBC) from the ISA Server or from Microsoft Forefront Threat Management Gateway, Medium Business Edition”.

 

Comments
  • gosh! did i mention i am talking about TMG 2010.....
