Troubleshooting: ISA Server Reports Show No Traffic

As you know, ISA Server has a reporting feature. However, sometimes you may find that the report doesn’t contain any traffic. The number of requests, bytes-in and bytes out are all 0. This article will discuss the causes of these problems in ISA Server 2004 and ISA Server 2006.

 

To troubleshoot this issue, you need to know the process of report creation. ISA Server logs all traffic in its logs. By default the logs are in the ISALogs folder in the ISA Server installation folder.

 

A daily summary is created every day at 12:30 AM for the previous day’s traffic, based on the log. By default the summaries are created in the ISASummaries folder. The report will be created based on the summaries.

Now you can troubleshoot the issue using this process:

1.0 Check if the logs are correct.

1.1 Check if the Firewall Log, Web Proxy log are enabled. If not, enable them.

1.2 ISA Server 2004/2006 can use text file, MSDE and SQL Server for traffic logging. Open the relevant files to check if the traffic is logged correctly. If not, investigate why the traffic is not successfully logged.

Note: When you use text file or MSDE logging, the log files should exist in the specified log folder. However, sometimes you may find that previous logs are deleted and only current log files in use exist. This may happen because ISA Server has a feature that deletes old log files when there is not enough free disk space. Please check if there is sufficient free disk space for ISA Server logs. You can configure the Log file storage limits settings for both the Firewall log and the Web Proxy log.

 

There is an interesting scenario in which there is sufficient free disk space, but the ISA Server Firewall service still deletes all old log files. We discovered that this issue is related to disk quotas. Ensure that the Network Service account has enough free space in its disk quota for the log files. You can disable disk quotas. For more information on disk quotas, see Managing Disk Quotas in Windows Server 2003 and Windows XP.

2.0 Check if the daily summaries are created correctly

You can open the .ILS file in the summaries folder with Access. Then you can check if the traffic summaries are correct. Normally, if a summary doesn’t contain any traffic, the file size is about 144K bytes.

 

2.1 If the log files are correct but daily summaries contain no traffic, the problem occurs when the Firewall Service tries to read the logs. This typically happens when MSDE or SQL server is used for logging. Further troubleshooting is needed. For example, the query may timeout. To increase the timeout value setting, edit DatabaseQueryTimeout in the registry. (See KB 895190 for more details).

 

Known issue: If ISA Server 2004 Standard Edition (RTM with SP1) uses SQL Server for logging, the report will contain no traffic. This issue is fixed in SP2. (KB 895190)

3.0 Troubleshooting

A small hint for troubleshooting: when you troubleshoot the issue that the daily summary is empty, you may need to create a report several times to verify results. To do this, please follow the steps below:

 

3.1 Delete the corresponding daily summary. For example, if you want to create a report for yesterday’s traffic, delete the summary for yesterday.

 

3.2 Change this registry entry to the proper date:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Reports]

LastDailySummaryDate

 

This entry is binary. For example, the value may be: 00 00 00 00 40 12 e3 40. In Hex format, it is 0x40e3124000000000. Every day, the value increases 0x2000000000 (in Hex). So, after one day, it becomes 0x40e3126000000000. In Binary format, this is 00 00 00 00 60 12 e3 40. To restore the value to be yesterday, we need to subtract 0x2000000000 from it.

 

3.3 Create the report again. The daily summary will be recreated in the process.

 


Abraham Wang

Escalation Engineer

Microsoft China