I recently worked on a case where the ISA Server service was stopping and hanging intermittently, and the administrator had to reboot the server to get it working again.
As usual with such performance issues, we set up performance counters on the ISA server. Please refer to my blog posts: for TMG, http://blogs.technet.com/b/sooraj-sec/archive/2013/01/07/tmg-performance-counters-template.aspx and for ISA Server, http://blogs.technet.com/b/sooraj-sec/archive/2010/09/12/isa-server-stops-responding-the-user-requests-and-its-required-to-reboot-the-isa-server-or-restart-the-firewall-service-scenario1.aspx.
Ideally, we should let the performance counters run for at least a day to understand the trends. In a scenario like the one I am discussing, we should have the perfmon data collected while the issue was being experienced.
I looked at the data and found the memory pool for SSL counter dropping from 100 percent to 0 during high load, as we can see from the counter highlighted in black in the following snapshot.
This is the memory pool that handles SSL connections. We have a KB article (http://support.microsoft.com/kb/842438) that explains the problem that can happen because of it.
The following section in the above KB provides detail about it:
For the Secure Sockets Layer (SSL) connection request pool, no estimation formula is available now. However, you can obtain the current pool size from the event data and pick a reasonably larger number. For example, doubling the pool size is a reasonable estimate at the first time.
So in this scenario, we doubled its value and then monitored the server. After adding the registry key for this counter, we did not experience this issue.
I have also written another blog post on the memory pool for HTTP: http://blogs.technet.com/b/sooraj-sec/archive/2011/01/10/eventid-31212-proxyvmemalloc3psize-registry-value-calculation.aspx.
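The drop from 100 percent to 0 described above can also be found without reading the graph, by scanning a perfmon log exported to CSV. The following is an added example, not code from the original post: the server name, the counter path, the sample values, and the 90/5 percent thresholds are constructed placeholders, so substitute the counter path from your own log.

```python
import csv
import io

# Constructed sample in the PDH-CSV layout that perfmon/relog export.
# The server name and counter path are placeholders, not real ISA counter names.
SAMPLE_CSV = r'''"(PDH-CSV 4.0) (GMT Standard Time)(0)","\\ISA01\Placeholder ISA object\Placeholder SSL memory pool %"
"01/07/2013 10:00:00.000","100"
"01/07/2013 10:01:00.000","100"
"01/07/2013 10:02:00.000","62"
"01/07/2013 10:03:00.000"," "
"01/07/2013 10:04:00.000","0"
"01/07/2013 10:05:00.000","0"
"01/07/2013 10:06:00.000","100"
"01/07/2013 10:07:00.000","100"
"01/07/2013 10:08:00.000","40"
"01/07/2013 10:09:00.000","0"
'''

def find_pool_exhaustion(csv_text, counter_hint, healthy=90.0, exhausted=5.0):
    """Return one (last_healthy, exhausted_at, recovered_at) tuple per episode.

    recovered_at is None when the log ends while the pool is still exhausted.
    """
    rows = csv.reader(io.StringIO(csv_text))
    header = next(rows)
    matches = [i for i, name in enumerate(header) if counter_hint.lower() in name.lower()]
    if not matches:
        raise ValueError("no counter column matches %r" % counter_hint)
    col = matches[0]
    episodes, last_healthy, start = [], None, None
    for row in rows:
        try:
            value = float(row[col])
        except (ValueError, IndexError):
            continue  # perfmon writes a blank field when a sample was missed
        ts = row[0]
        if start is None:
            if value >= healthy:
                last_healthy = ts
            elif value <= exhausted and last_healthy is not None:
                start = ts  # pool went from healthy to exhausted
        elif value >= healthy:
            episodes.append((last_healthy, start, ts))
            last_healthy, start = ts, None
    if start is not None:
        episodes.append((last_healthy, start, None))
    return episodes

if __name__ == "__main__":
    for episode in find_pool_exhaustion(SAMPLE_CSV, "SSL memory pool"):
        print(episode)
```

Comparing the reported timestamps with the times the service hung shows whether the pool exhaustion lines up with the outage before the pool size is changed.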