Error 64 “ The specified network name is no longer available” while accessing a HTTPS site through ISA 2006

 

Here’s some info on an interesting support issue I worked the other day. If you happen to
run into this one day, maybe this will help you get it resolved.

Issue:

We have a website published through ISA 2006. The site is configured for both HTTP and HTTPS access from the ISA server. When a user connects to the site over HTTP, the site comes up fine.

But when he tries over HTTPS, he gets a ‘page cannot be displayed’.

Troubleshooting and Resolution:

We started with live logging on the ISA console while doing a repro of the issue. We were seeing ‘Failed Connection Attempts’ for the traffic coming from the test machine used for the repro, with the error message: Error 64 “The specified network name is no longer available”

This error is very generic and there can be multiple reasons which would translate to this error code.The most common one is when the backend server is performing a dirty TCP connection reset.

So, to check this further, we collected a network monitor trace on the internal NIC of ISA server.

We filtered down to the traffic that is of interest to us.

clip_image001

clip_image001[5]

 

 

So this clearly indicates that the backend server is Resetting the TCP connection prematurely and this is triggering the ‘64 Error’.

Investigating further, we identified that the backend device is a 3rd party load balancer. And for some unknown reasons, the ISA server was failing at the SSL handshake stage.

So, we had the 3rd party support team collect a dump of the SSL settings on the Load Balancer and identified the following:

clip_image004

Then, we went back to the Network Monitor trace (the earlier screenshot) and compared this with the ciphers advertised by ISA server in the client hello. RSA_WITH_RC4_128_MD5 is not part of the Cipher list sent by the ISA server.

Due to this, the 2 peers are not able to successfully choose a common encryption scheme and the SSL handshake fails.

After identifying this, we had the 3rd party vendor enable additional Ciphers which are accepted by ISA server.

Once we did this, the published site was accessible from the internet.

The issue was resolved!!

Hope this would be helpful when you are troubleshooting website accessibility issues through ISA server…especially with 3rd party load balancers in the infrastructure.

Author:

Karthik Divakaran

Security Support Engineer - Microsoft Forefront Edge Team

Reviewers:

Suraj Singh

Security Support Escalation Engineer - Microsoft Forefront Edge Team

Richard Barker

Security Sr. Support Escalation Engineer – Microsoft Forefront Edge Team