
ISA 2006 and RPC problem - tra

Wednesday, July 25, 2007 10:36 AM

Hello All,

I have a strange behaviour with a freshly installed ISA Server 2006 in a
Windows 2003 environment.

The scenario: 10.1.1.146 (FAISA03) is ISA server internal NIC, 10.1.1.101
and .105 are the domain controllers.

When I log on the server it takes a long (very long!) time in "Applying your
personal settings".

This is the event on ISA server Application log:
----------------------------------------
EVENT VIEWER ERROR
Event Type:       Error
Event Source:    Userenv
Event Category: None
Event ID:   1053
Date:        7/25/2007
Time:                3:27:58 PM
User:        NT AUTHORITY\SYSTEM
Computer: FAISA03
Description:
Windows cannot determine the user or computer name. (The RPC server is
unavailable. ). Group Policy processing aborted.
----------------------------------------

And these are the events in ISA log (sorry, rows are very long):
----------------------------------------
Original Client IP Client Agent       Authenticated Client    Service
Server Name        Referring Server Destination Host Name Transport   MIME
Type Object Source        Source Proxy     Destination Proxy
Bidirectional       Client Host Name        Filter Information        Network
Interface       Raw IP Header   Raw Payload      GMT Log Time        Source
Port        Processing Time  Bytes Sent Bytes Received   Result Code
HTTP Status Code       Cache Information      Error Information        Log
Record Type        Authentication Server  Log Time   Client IP    Destination
IP     Destination Port        Protocol     Action       Rule  Client
Username Source Network  Destination Network        HTTP Method      URL

10.1.1.101                         FAISA03    -               TCP   -
No            -       10.1.1.146 45 00 00 28 00 61 40
00 80 06 e3 76 0a 01 01 65 0a 01 01 92 01 85 04 d4 4e 8b c5 e3 ce b3 7d 3c 50
11 ff fe 32 24 00 00       7/25/2007 1:48:26 PM 389        0      0      0
0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED           0x0        0x0
Firewall      -       7/25/2007 3:48:26 PM 10.1.1.101 10.1.1.146 1236
Unidentified IP Traffic  Denied Connection                      Internal
Local Host  -        -

10.1.1.101                         FAISA03    -               TCP   -
No            -       10.1.1.146 45 00 00 28 00 64 40
00 80 06 e3 73 0a 01 01 65 0a 01 01 92 01 85 04 da 0d 0e f4 67 9e c1 2c 3b 50
11 ff fe c6 0a 00 00        7/25/2007 1:48:26 PM 389        0      0      0
0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED           0x0        0x0
Firewall      -       7/25/2007 3:48:26 PM 10.1.1.101 10.1.1.146 1242
Unidentified IP Traffic  Denied Connection                      Internal
Local Host  -        -

10.1.1.101                         FAISA03    -               TCP   -
No            -       10.1.1.146 45 00 00 30 00 66 00
00 80 06 23 6a 0a 01 01 65 0a 01 01 92 00 87 04 db 90 6b cd 51 8e c6 ad 25 70
12 40 00 8d 0b 00 00     7/25/2007 1:48:28 PM 135        0      0      0
0xc0040034 FWX_E_SEQ_ACK_MISMATCH             0x0   0x0        Firewall
-       7/25/2007 3:48:28 PM 10.1.1.101 10.1.1.146 1243 Unidentified IP
Traffic       Denied Connection                      Internal     Local Host
-       -

10.1.1.146                         FAISA03    -               TCP   -
No            -                              7/25/2007
1:48:34 PM 1243 21015       0      0        0x8007274c WSAETIMEDOUT
0x0   0x0   Firewall      -       7/25/2007 3:48:34 PM        10.1.1.146
10.1.1.101 135   RPC (all interfaces)     Failed Connection Attempt
[System] Allow RPC from ISA Server to trusted servers           Local Host
Internal     -       -

10.1.1.101                         FAISA03    -               TCP   -
No            -       10.1.1.146 45 00 00 30 00 ce 00
00 80 06 23 02 0a 01 01 65 0a 01 01 92 00 87 04 e2 bf 23 27 5f 38 a2 f4 12 70
12 40 00 13 76 00 00       7/25/2007 1:48:38 PM 135        0      0      0
0xc0040034 FWX_E_SEQ_ACK_MISMATCH             0x0   0x0        Firewall
-       7/25/2007 3:48:38 PM 10.1.1.101 10.1.1.146 1250 Unidentified IP
Traffic       Denied Connection                      Internal     Local Host
-       -

10.1.1.101                         FAISA03    -               TCP   -
No            -       10.1.1.146 45 00 00 28 00 cf 40
00 80 06 e3 08 0a 01 01 65 0a 01 01 92 01 85 04 cb c8 23 94 3d 7f cf 27 cd 50
11 ff fe 8e 8e 00 00 7/25/2007 1:48:38 PM 389   0        0      0
0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED           0x0   0x0
Firewall      -       7/25/2007 3:48:38 PM 10.1.1.101 10.1.1.146 1227
Unidentified IP Traffic       Denied Connection                      Internal
Local Host  -       -
----------------------------------------

DCs System Logs often report this event:
----------------------------------------
Event Type:       Error
Event Source:    MRxSmb
Event Category: None
Event ID:   8003
Date:        7/25/2007
Time:                3:19:05 PM
User:        N/A
Computer: SRVDC001
Description:
The master browser has received a server announcement from the computer
FAISA03 that believes that it is the master browser for the domain on
transport NetBT_Tcpip_{F372B238-C45D-4B4C-9BF1-9E9C72F45337}. The master
browser is stopping or an election is being forced.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 00 00 00 00 03 00 58 00   ......X.
0008: 00 00 00 00 43 1f 00 c0   ....C..À
0010: 00 00 00 00 00 00 00 00   ........
0018: 25 00 00 00 00 00 00 00   %.......
0020: 00 00 00 00 00 00 00 00   ........
----------------------------------------

All system policies relevant to RPC do NOT have “enforce strict RPC
compliance” checked.

System policy #22 (Allow RPC from ISA Server to trusted servers) is enabled
from ‘local host’ to ‘internal’

‘internal’ network is set from 10.1.0.0 to 10.1.255.255, with address
10.255.255.255 added.

Trying to fix this problem I also created more rules and a new address range
‘ISA uffici’ including the unique IP of internal ISA Server NIC and a subnet
‘Server uffici’ with address range 10.1.0.0/16:

‘Server Uffici Traffic 01’  - Allow – All Outbound traffic – From ‘internal’
– To Localhost and ISA Uffici’ – All Users

‘Server Uffici Traffic 02’  - Allow – All Outbound traffic – From Localhost
and ISA Uffici’ – To ‘internal’ – All Users

RPC In – Allow – RPC Server (all interfaces) – From ‘Server Uffici’ – To
Localhost and ISA Uffici – All users

RPC Out – Allow – RPC (all interfaces) – From Localhost and ISA Uffici – To
Server Uffici – All users

Of course, logoff phase takes a long (very long!) time too.

ISA was installed AFTER adding FAISA03 to the domain.

Any ideas?

Thanks in advance

trab
reply
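Added example, not part of the original post: decoding the "Raw IP Header" column of the denied entries in the log above shows exactly which TCP segments the firewall dropped. The hex strings are copied from the first and third log rows; the function names are hypothetical.

```python
import struct
from ipaddress import IPv4Address

# "Raw IP Header" values copied from the first and third denied rows of the log above.
ROW_NOT_SYN = ("45 00 00 28 00 61 40 00 80 06 e3 76 0a 01 01 65 0a 01 01 92 "
               "01 85 04 d4 4e 8b c5 e3 ce b3 7d 3c 50 11 ff fe 32 24 00 00")
ROW_SEQ_ACK = ("45 00 00 30 00 66 00 00 80 06 23 6a 0a 01 01 65 0a 01 01 92 "
               "00 87 04 db 90 6b cd 51 8e c6 ad 25 70 12 40 00 8d 0b 00 00")

FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR")


def ip_checksum_ok(header: bytes) -> bool:
    """One's-complement sum over the IPv4 header must fold to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def decode_raw_header(hex_text: str) -> dict:
    """Decode the fixed IPv4 + TCP headers logged by the firewall (hypothetical helper)."""
    raw = bytes.fromhex(hex_text)  # fromhex skips the spaces between bytes
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (raw[0] & 0x0F) * 4
    if ihl < 20 or raw[9] != 6 or len(raw) < ihl + 20:
        raise ValueError("truncated header or not TCP")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", raw[ihl:ihl + 16])
    flags = [name for bit, name in enumerate(FLAG_NAMES) if off_flags & (1 << bit)]
    return {
        "src": f"{IPv4Address(raw[12:16])}:{sport}",
        "dst": f"{IPv4Address(raw[16:20])}:{dport}",
        "flags": flags, "seq": seq, "ack": ack, "window": window,
        "ip_total_len": struct.unpack("!H", raw[2:4])[0],
        "tcp_header_len": (off_flags >> 12) * 4,
        "ip_checksum_ok": ip_checksum_ok(raw[:ihl]),
    }


def summarize(hex_text: str) -> str:
    d = decode_raw_header(hex_text)
    return f"{d['src']} -> {d['dst']} [{','.join(d['flags'])}] seq={d['seq']:#x} ack={d['ack']:#x}"


if __name__ == "__main__":
    for row in (ROW_NOT_SYN, ROW_SEQ_ACK):
        print(summarize(row))
```

The two rows decode to a FIN/ACK from 10.1.1.101:389 and a SYN/ACK from 10.1.1.101:135, both addressed to ephemeral ports on 10.1.1.146 and both with a valid IP header checksum, so the denied packets are return traffic for connections the ISA server itself opened.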
 

ISA 2006 and RPC problem - Phillip Windell

Wednesday, July 25, 2007 11:07 AM

And ISA uses what for its "DNS" in the TCP/IP config?

Was the ISA box a Domain Member before the ISA Software was installed?

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
reply

Hi Phillip,More infos. - tra

Wednesday, July 25, 2007 11:58 AM

Hi Phillip,

More infos.

On ISA box I have installed Virtual Server 2005 R2 SP1 with no virtual
machines running and a third NIC connected to another network (in the future,
this will be a sub-domain network with its own DC). ISA behaviour is the same
with third NIC disabled and VS2005 services stopped so I believe neither of
them is related to the problem.

Both DCs (10.1.1.101 and .105) are DNS servers for the domain.
DCs are both Win2K3 R2 std eng x64, ISA server Win2K3 R2 std eng x86,
Microsoft Update reports "0" for each category on all servers.

The three NICs on the ISA box are configured as follows:

- WAN: 192.168.102.12/24; gateway 192.168.102.1; no DNS; bindings: TCP/IP
- LAN (Internal): 10.1.1.146/16; no gateway; DNS 10.1.1.101 and .105;
bindings: Client for MS Networks; File and printing sharing for MS Networks,
TCP/IP
- LAN (other network): 10.152.100.102/16; no gateway; no DNS; bindings:
Client for MS Networks, File and printing sharing for MS Networks, TCP/IP

For your second question, as I stated in my original post:


Thanks

trab
reply

Ok, that all looks good. I don't see anything wrong with it. - Phillip Windell

Wednesday, July 25, 2007 12:08 PM

Ok, that all looks good.  I don't see anything wrong with it.

What are the specs of the Internal Network Definition?
Address Ranges in particular?

Also if SP2 for Server2003 has been applied it has been known to cause
communication problems.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
reply

ISA 2006 and RPC problem - tra

Wednesday, July 25, 2007 12:28 PM

Internal network was auto-defined during ISA installation:
- from 10.1.0.0 to 10.1.255.255
- from 10.255.255.255 to 10.255.255.255

Win2k3 SP2 is applied: the server was installed after SP2 release, from then
it is offered as critical update instead of all former updates.
I also applied KB925403 but nothing changed.

The behaviour is really strange, as all traffic between ISA and DCs works:
DNS, MS CIFS on TCP/445, LDAP on TCP/389, TIME, Kerberos... all BUT RPC and
unidentified traffic on higher, variable ports from DCs to ISA (as you can
see from original log)!

trab
reply

ISA 2006 and RPC problem - Phillip Windell

Wednesday, July 25, 2007 2:56 PM

It should be 10.0.0.0 --10.255.255.255
Or at a minimum 10.1.0.0 -- 10.1.255.255
Pick one, not both, because they overlap
The second will cover you if you expand with the 10.152.x.x segment you
mentioned.
I don't think this is your original problem, but it should be corrected
anyway.


I'd recommend disabling some of the "extras" that were added by SP2.  The
three problem ones that have become somewhat "famous" are EnableTCPA,
DisableTaskOffload, and EnableRSS.  They are found in the registry at:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\

Some may already exist, some you may have to create.

They are all DWord Values

EnableRSS=0
EnableTCPA=0
DisableTaskOffload=1

Probably want to reboot everything after that.

If that doesn't work you can always put things back like they were.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
reply

Hello Trab,Thank you for using newsgroup! - v-kzha

Wednesday, July 25, 2007 10:12 PM

Hello Trab,

Thank you for using newsgroup!

I'd like to thank Phillip for his continuous help.

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security <http://www.microsoft.com/security>
====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.





reply

Thanks, now it works, even with third NIC and all Virtual Server bindings - tra

Friday, July 27, 2007 1:18 PM

Thanks, now it works, even with third NIC and all Virtual Server bindings
enabled!  :-)))

Working with virtualization, I've already had troubles related to the
TaskOffload parameter but I think the problem is different for ISA. I
described the problem in an article recently published on the TechNet Italian
web site. Sorry, my article is in Italian only, but the issue is well detailed
in KB888750.
Maybe the explanation in a default Win2K3-SP2 scenario is that ISA drops
the packets as it thinks it is under attack?

Greetings

trab
reply

ISA 2006 and RPC problem - tra

Friday, July 27, 2007 1:20 PM

Still no MVP for Phillip? ;-)
reply

ISA 2006 and RPC problem - Phillip Windell

Friday, July 27, 2007 4:24 PM

I'm not sure of all the inner details and I don't fully understand what
those "new" features in SP2 are really supposed to do,...but I know that
when strange communication issues pop up after SP2 is applied that making
those changes seems to fix it.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
reply

ISA 2006 and RPC problem - Phillip Windell

Friday, July 27, 2007 4:27 PM

Not sure what you are asking.  Am I an MVP?,..no I am not.

I used to be.  There is a period of time that has to pass before being
re-eligible, which I think is 6 months. That would put me around August or
after.  I don't remember all the details.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
reply
 
 
