ISA 2006, 500 Internal Server Error. The request is not supported. (50) staples.com not available!
- We recently upgraded to ISA 2006 from ISA 2004. Now, many web sites give an error (see below). Help!
ISA 2006, on Win2k3, all current on patches and SP's. Single edge Firewall / router configuration.
Steps to reproduce:
1) Go to www.staples.com
2) Add any product to the cart
The following web page comes up immediately:
I've already disabled the compression filter (fixed the problem in ISA 2004), DiffServ filter, HTTP Filter, and Caching Compressed Content Filter. Caching is turned off. In General preferences, HTTP Compression is enabled, but no sites are configured. (All web filters had been turned on initially, except for Authentication Delegation Filter, which I disabled to allow some web sites to be published.)
Technical Information (for support personnel)
- Error Code: 500 Internal Server Error. The request is not supported. (50)
- IP Address: 72.246.110.125
- Date: 8/13/2009 8:33:21 PM [GMT]
- Server: Server-FWall-2.example.local
- Source: proxy
Under Firewall Policy, the outbound rule has max headers at 32k, any payload length, and max URL at 16k, no verify normalization and block high bit off. No blocking of responses containing Windows executables, all methods, all extensions, send original header, and send default header.
As near as I can tell it's 'wide open' but still not working.
I checked the logging tab and there are no firewall rules that are denying the request, I get pretty much the same info as above.
I find it very hard to believe that pretty much 'out of the box' ISA 2006 doesn't allow you to book hotel rooms at Marriott or order products from Staples. This was a problem in 2004, and it's obviously still a problem in 2006 :(
I've checked ISA Server.org but no answers there either.
Any ideas?
== John ==
P.S. Response from the Firewall logs:
Original Client IP Client Agent Authenticated Client Service Referring Server Destination Host Name Transport HTTP Method MIME Type Object Source Source Proxy Destination Proxy Bidirectional Client Host Name Filter Information Network Interface Raw IP Header Raw Payload GMT Log Time Source Port Processing Time Bytes Sent Bytes Received Cache Information Error Information Authentication Server Log Time Client IP Destination IP Destination Port Protocol Action Rule Result Code HTTP Status Code Client Username Source Network Destination Network URL Server Name Log Record Type
0.0.0.0 Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Yes Proxy 72.246.110.125 TCP GET Internet - - - Req ID: 0cdeeb8f - - - 8/13/2009 8:59:04 PM 0 5359 4258 1957 0x3040000 0xd00 8/13/2009 1:59:04 PM 192.168.253.8 72.246.110.125 80 http Failed Connection Attempt Outbound
Access 50 The request is not supported. anonymous Internal External http://72.246.110.125/office/supplies/StaplesAddToCart?ST_viewFrom=sku&langId=-1&storeId=10001&productId=221478&errorUrl=sku&URL=yourorder&catalogId=10051&quantity_1=1&partNumber_1=733726&cmArea_1=FEATURED:SC3:CG75&ST_minLeadTime_1=1&ST_maxLeadTime_1=1 SERVER-FWALL-2 Web Proxy Filter
== John ==
All Replies
- John,
With all you've done, it's likely that you've also broken other ISA functionality that you _do_ want, such as caching, compression, etc.
Put your web filters back the way you found them.
Odds are very good that some configuration you've chosen has caused this.
Do you have (or can you get) a network capture from both sides of ISA while testing this?
Please gather IDP data during the repro state:
1. Get ISABPA and install it on the ISA Server
..at the ISA …
2. Start | All Programs | Microsoft ISA Server | ISA Tools | ISA Data Packager
3. Select Collect data using one of the following repro scenarios
4. Select Web Proxy and Web publishing
5. Click Next
6. In the next page, click Start data collection
..IDP will run through its preparatory process
7. When prompted, hit <space> to start the data capturing
..at the client…
8. Perform your repro
..at the ISA …
9. Wait a few seconds and hit <space> again to stop the capture
Respond here with a link to the data and a list of relevant IPs (client, ISA).
Jim Harrison Forefront Edge CS
- Staples appears to be using akamai and I believe the hand off back and forth between akamai and staples is causing the issue. I'm mussing about with rules to try and make it work, at the moment will report back later if I succeed.
Thanks,
Doug
Failed Connection Attempt 8/14/2009 1:44:38 PM
Log type: Web Proxy (Forward)
Status: 50 The request is not supported.
Rule:
Source:
Destination: External (a96-6-242-125.deploy.akamaitechnologies.com 96.6.242.125:80)
Request: GET http://www.staples.com/office/supplies/StaplesAddToCart?ST_viewFrom=sku&langId=-1&storeId=10001&productId=274733&errorUrl=sku&URL=yourorder&catalogId=10051&quantity_1=1&partNumber_1=764400&cmArea_1=FEATURED:SC3:CG75&ST_minLeadTime_1=1&ST_maxLeadTime_1=1
Filter information: Req ID: 0770f544
Protocol: http
User: anonymous
- Additional information
- Client agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.1; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; InfoPath.2; .NET CLR 3.0.4506.2152; .NE
- Object source: Internet (Source is the Internet. Object was added to the cache.)
- Cache info: 0x3040000 (Response includes the CACHE-CONTROL: NO-CACHE or PRAGMA: NO-CACHE header. Response includes the EXPIRES header. Response includes the SET-COOKIE header.)
- Processing time: 218 ms
- MIME type:
and some more review, the site uses self referencing urls, but add to cart uses fqdn urls. www.staples.com is a cname for www.staples.com.edgekey.net which is a cname for e581.r.akamaiedge.net and then when looking for nameservers for akamaiedge.net you get a funny message:
> set type=all
> akamaiedge.net
Server:
Address:
Non-authoritative answer:
akamaiedge.net
    primary name server = internal.akamaiedge.net
    responsible mail addr = hostmaster.akamai.com
    serial = 1250284035
    refresh = 90000 (1 day 1 hour)
    retry = 90000 (1 day 1 hour)
    expire = 90000 (1 day 1 hour)
    default TTL = 180 (3 mins)
akamaiedge.net text = "This" "is" "not" "the" "nameserver" "you" "are" "looking" "for."
- Edited by Doug Skranak Friday, August 14, 2009 9:13 PM formatting
- Edited by Doug Skranak Friday, August 14, 2009 9:14 PM
- Jim:
I understand your point, but staples.com hasn't worked since I did the ISA 2004 upgrade, and I carefully changed each filter, setting, etc. one at a time over weeks to attempt to isolate the issue. This isn't me scrabbling around breaking something, it's a product that has issues with major web sites :) (which may be flakey, but still ...)
ISA 2004 had the same issue, as I noted in my original post.
I'll pull the logs - do I have to post my public IP's? Would prefer not to do that, especially if I'm posting info about the firewall.
== John ==
- I wouldn't be concerned about posting your IPs; they're easily discoverable by anyone who wants to work for it.
IPs are not security mechanisms...
Jim Harrison Forefront Edge CS
- Sure, I'd agree with that, but posting IP's, plus a link to download the firewall config with a listing of any vulnerabilities or open holes would be ... :)
We host some sites and I wouldn't want people to start trying to hack into those sites. We just had a public flood attack earlier today. ISA shut down the IP due to connection limits - very cool!
Can you give me your email address? I can send the download link there.
I just noticed I didn't have HTTP/RPC (windows component) installed on one of the firewalls, but that didn't seem to help, but will restart in an hour when the office clears out.
I did a Wireshark trace on the client side, and there is just one request (GET) and the 500 internal server error response back, posted above.
Then I did a Netmon capture on the Firewall, and found something interesting
There is a HTTP/1.1.302.MovedTemporarily response that never makes it through ISA to the client:
HTTP/1.1.302.Moved.Temporarily
Server:.IBM_HTTP_Server
Location:.http://www.staples.com/office/supplies/ <etc>
Content-Encoding:.gzip
Content-Length:.20
Content-Type:.text/html;.charset=ISO-8859-1
Content-Language:.en-US
Date:.Sat,.15.Aug.2009.00:25:24.GMT
Connection:.keep-alive
Set-Cookie:. <stuff>
Set-Cookie:. <stuff>
ZipCode Debug:.Cookie=present_value=present..ZipCodeCookie:.90001
Cache-Control:.no-cache="set-cookie,set-cookie2"
Expires:.Thu,.01.Dec.1994.16:00:00.<stuff>
So the client does a GET, passes through ISA, then the server sends back the HTTP/1.1.302.Moved.Temporarily with a Gzip payload, and ISA passes back a 500 Internal Server Error. The request is not supported.
Let me know your email, I'll send the file location, or just email the whole thing (it's only about 2Meg)
== John ==
- Sounds like you've disabled compression and created an HTTP filter policy (signatures, file types, headers, etc.).
ISA supports GZip-compressed content, but not if you've disabled the filter or the functionality overall.
If you disable compression and create HTTP-filtering policies for response body content, ISA can't apply the HTTP filter policies because it can't decompress the content.
Jim Harrison Forefront Edge CS
- Unproposed As Answer by John Gwinner Monday, August 17, 2009 10:19 PM
- Proposed As Answer by Jim Harrison IsaDewd Monday, August 17, 2009 10:12 PM
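Added example, not part of any post in this thread: a Python sketch that parses the header block from the Netmon capture quoted above (dots standing in for spaces) and checks a body against the declared `Content-Encoding` and `Content-Length`. The body bytes were never posted, so the sample body is constructed; it assumes the 20-byte body is a gzip stream wrapping zero bytes, which is exactly the size such a stream has. The function names and finding labels are hypothetical.

```python
import gzip
import re
import zlib

# Header lines copied from the Netmon capture quoted in the thread (its ASCII
# pane prints spaces as dots). Lines whose values were elided are left out.
CAPTURED = """\
HTTP/1.1.302.Moved.Temporarily
Server:.IBM_HTTP_Server
Content-Encoding:.gzip
Content-Length:.20
Content-Type:.text/html;.charset=ISO-8859-1
Connection:.keep-alive
"""

# Constructed sample body (not from the thread): gzip wrapping zero bytes.
EMPTY_GZIP = gzip.compress(b"", mtime=0)

def parse_headers(block):
    """Return (status, {lower-cased header: value}) from a dotted header dump."""
    lines = [ln for ln in block.splitlines() if ln.strip()]
    m = re.match(r"HTTP/\d\.\d[. ](\d{3})", lines[0])
    if not m:
        raise ValueError("no HTTP status line")
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.lstrip(". ").strip()
    return int(m.group(1)), headers

def triage(block, body):
    """List what a body-inspecting proxy has to cope with in this response."""
    status, h = parse_headers(block)
    findings = []
    if int(h.get("content-length", -1)) != len(body):
        findings.append("length-mismatch")
    if h.get("content-encoding", "").lower() == "gzip":
        if 300 <= status < 400:
            findings.append("gzip-on-redirect")
        try:
            plain = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            findings.append("gzip-undecodable")
        else:
            if not plain:
                findings.append("gzip-empty-body")
    return status, findings

if __name__ == "__main__":
    print(len(EMPTY_GZIP), triage(CAPTURED, EMPTY_GZIP))
```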
- Compression was turned on, and it didn't work.
I disabled compression as this was the fix for ISA 2004 and staples.com
We have no HTTP filter policy, or, it's nearly as open as it can be made, with the values mentioned above.
== John ==
- Everyone is getting wrapped around the axle on all the stuff that is disabled. Let me be more clear here, as this has taken weeks of slow careful turning things off.
First I started with everything turned on, including compression.
staples.com gives the specified error
Then I disabled compression. Thought the problem was fixed as this fixed it in ISA 2004. Retested, no dice. Restarted ISA a few days later just to make sure, still didn't work.
Each of the web filters mentioned was turned off, staples.com retested, and found to still not work.
I've never established an HTTP filter, other than what comes out of the box.
HTTP filtering is currently disabled, as is compression.
IP Fragments are not blocked.
IP Options filtering is turned off.
== John ==
- You're shotgunning; best not to change so much at one time, you can't tell which action has what effect.
Send your data link to jim@isatools.org and I'll see what there is to see...
Jim Harrison Forefront Edge CS
- Proposed As Answer by Jim Harrison IsaDewd Sunday, August 30, 2009 11:13 PM
- Was the data ever dissected? I am curious as to the outcome.
I've had exactly the same problem. Happens with www.lowes.com - after you drill down to say "Refrigerators" and select a fridge. On my primary ISA 2006 box I have both the Content compression filter and the HTTP Compression filter disabled. It fails as described.
On my back up ISA 2006 box both of these filters are enabled and Lowes works fine.
John
- John Gwinner - did you send the files to Jim as requested? If you did I can ask Jim to comment. If not, I will dump the question. There is no point in leaving questions open where there is no likelihood of forward movement.
Keith
- Jim - did you ever get the files? If not I will delete this question.
Thanks
Keith
Moderator

