ISA server stops responding to user requests and requires a reboot of the ISA server or a restart of the firewall service - Scenario 1

Issue: ISA server stops responding to user requests, and the ISA server must be rebooted or the firewall service restarted.

Scenario 1: ISA server is publishing various web services. It suddenly stops responding to user requests, and either the server must be rebooted or the firewall service restarted to get it working again.

Setting Basics Right:

Start with the basics described by Yuri Diogenes in https://blogs.technet.com/b/yuridiogenes/archive/2008/08/06/intermittent-performance-problem-while-accessing-internet-through-isa-server-2006.aspx (basic section). Also make sure that the network card binding order is correct, i.e. the internal NIC should be higher in the order than the external NIC on dual-NIC ISA/TMG servers.

If the issue remains after checking and correcting the above, there is another article we can follow, which I mention later in the Other Recommendations section. We should collect data to confirm whether the problem is on the ISA/TMG server or outside it.

Data collection: One of the approaches that we can take is:

Setting up Performance counters for ISA server

1. Open Perfmon and add the following objects:

  • ISA Server Firewall Packet Engine /*
  • ISA Server Firewall Service /*
  • ISA Server Web Proxy /*
  • Memory /*
  • Processor /*
  • Network Interface /*
  • Process /*
  • Physical Disk /*

2. Configure a maximum log file size of 200-250 MB (i.e. create a new file when it gets full) and set the refresh time to 20 seconds.

3. Start the Perfmon capture.

 

Performance monitor analysis:

In Performance Monitor we find that the Backlogged Packets counter has an Average value of 142 at one point in time (snapshot a), and in snapshot b its Average is around 120; this stays for almost a minute.

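a. [Screenshot: Performance Monitor, Backlogged Packets counter, snapshot a]

b. [Screenshot: Performance Monitor, Backlogged Packets counter, snapshot b]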

Solution

As per the following section of the article https://technet.microsoft.com/en-us/library/cc302601.aspx:

Solving Deployment Problems

Solving deployment problems involves domain name resolution, domain controllers, TCP Nagle algorithms and delayed acknowledgements, and network problems.

Domain Name Resolution

ISA Server requires Domain Name System (DNS) for various name resolutions. For example, when receiving an HTTP request with a host name that is an IP address, ISA Server must perform a reverse DNS lookup to get the domain name of this IP address, because it could be blocked by some URL set.

When DNS does not respond in a timely manner, worker threads will be blocked on pending DNS responses, and the number of backlogged packets will consequently increase. The symptom is characterized by:

  • \ISA Server Firewall Packet Engine\Backlogged Packets > 10
  • \ISA Server Firewall Service\Worker Threads > 100
  • Network captures show gaps of several seconds between DNS queries and their responses.

There are various ways to solve the problem depending on its nature. For more information, see:

Domain Controller

ISA Server interacts with the domain controller in various authentication configurations. When the domain controller does not respond in a timely manner, worker threads will be blocked on pending authentication requests, and the number of backlogged packets will constantly increase. The symptom is characterized by:

  • \ISA Server Firewall Packet Engine\Backlogged Packets > 10
  • \ISA Server Firewall Service\Worker Threads > 100
  • Network captures show gaps of several seconds between authentication requests to and the domain controller responses
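
The thresholds quoted above can be checked against the collected log offline. The following is an added example, not code from the original post or from Microsoft: it assumes the Perfmon log has been converted to CSV (for example with relog's CSV output) and reports periods where Backlogged Packets and Worker Threads both stay above the quoted thresholds for three consecutive 20-second samples, i.e. about a minute. The function names, the host name ISA01 and the sample values are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Counter paths and thresholds as quoted on this page from the TechNet article.
BACKLOG = (r"\ISA Server Firewall Packet Engine\Backlogged Packets", 10)
THREADS = (r"\ISA Server Firewall Service\Worker Threads", 100)

def column(header, suffix):
    # Perfmon prefixes each counter path with \\MACHINE, so match on the suffix.
    for i, name in enumerate(header):
        if name.lower().endswith(suffix.lower()):
            return i
    raise KeyError(f"counter not in log: {suffix}")

def find_stalls(csv_text, min_samples=3):
    """Return (start, end, peak backlog, peak threads) for each run of >= min_samples breaching samples."""
    rows = csv.reader(io.StringIO(csv_text))
    header = next(rows)
    b_col, t_col = column(header, BACKLOG[0]), column(header, THREADS[0])
    stalls, run = [], []
    def close_run():
        if len(run) >= min_samples:
            stalls.append((run[0][0], run[-1][0],
                           max(r[1] for r in run), max(r[2] for r in run)))
        run.clear()
    for row in rows:
        try:
            ts = datetime.strptime(row[0], "%m/%d/%Y %H:%M:%S.%f")
            backlog, threads = float(row[b_col]), float(row[t_col])
        except (ValueError, IndexError):
            continue  # blank cell: the sample was not collected, ignore the row
        if backlog > BACKLOG[1] and threads > THREADS[1]:
            run.append((ts, backlog, threads))
        else:
            close_run()
    close_run()
    return stalls

# Constructed sample in relog's CSV layout; host ISA01 and all values are made up.
SAMPLE = r'''"(PDH-CSV 4.0) (Pacific Standard Time)(480)","\\ISA01\ISA Server Firewall Packet Engine\Backlogged Packets","\\ISA01\ISA Server Firewall Service\Worker Threads"
"01/12/2009 10:00:00.000","2","40"
"01/12/2009 10:00:20.000","142","180"
"01/12/2009 10:00:40.000","120","175"
"01/12/2009 10:01:00.000"," ","170"
"01/12/2009 10:01:20.000","118","160"
"01/12/2009 10:01:40.000","3","45"
"01/12/2009 10:02:00.000","50","130"'''

print(*find_stalls(SAMPLE), sep="\n")
```

A period flagged here only shows that worker threads were blocked; the network captures mentioned above are still needed to tell DNS delays from domain controller delays.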

In our case the backlogged packets are way above the normal range. So in such a scenario the issue could be due to the reasons explained below:

Other Recommendations

1. Follow the recommendations in this post: https://blogs.technet.com/b/isablog/archive/2009/01/12/isa-server-2006-stops-answering-requests.aspx

2. Also make sure internal name resolution is configured properly and that web proxy clients/firewall clients are configured properly, as they depend on the ISA server for name resolution and ISA depends on the internal DNS server.

3. If you are using autodetect for web proxy client configuration, make sure WPAD is set up as per https://technet.microsoft.com/en-us/library/bb794779.aspx, as this can also badly impact the overall load on your DNS servers.

I will discuss other scenarios in my next blog post.