28 June 2010 12:27
I currently have an ISA 2004 box running on Server 2003 that I am upgrading to a virtual Server 2008 R2 Enterprise with TMG 2010. The software installed fine and instead of backing up the current config I decided to start fresh and rebuild the rules I needed. I did so then swapped the two machines. I could not access the internet through the new box. I watched the logging and the only error I got (repeatedly) was 10060 Web Proxy (Forward) which indicates the remote website timed out. When I looked at my WAN NIC however I had lots of sent packets but 0 received. I reviewed my rules, they were fine, but still same problem. I then tried to ping www.microsoft.com and DNS resolved to the correct server and IP but I got no reply. So I tried yahoo.com and google.com and same thing, DNS resolved but no replies. So I tried some computers on the internal network, same issue... DNS resolved but websites timed out and the 10060 error came up in the logging screen. I also tried our Outlook Web Access and Outlook Mobile Access... both of those timed out from the internet trying to get into our network.
I have 3 physical NICs assigned to TMG, one for the LAN (IP and subnet, no gateway, DNS of my internal network which I did try taking out without a change), one for the WAN (IP, subnet, and gateway which is my ISP's router, and DNS from my ISP), and one for the DMZ (again IP and subnet, no gateway, no DNS). All the IP settings are identical to the old ISA 2004 box.
Finally I added an Allow ALL protocols from Any network to Any network and put that rule as the first one. Same issue... DNS resolved but 10060 errors. I brought up the old ISA 2004 box and put the ISA 2004 and TMG 2010 setup screens next to each other, went through every setting and made sure they were the same, which they were. I then wanted to make sure it wasn't something stupid like my internet provider didn't happen to go out at the same time as the changeout, so I disconnected the TMG server's NICs, plugged the old ISA server's NICs back in and booted up, and everything worked fine on the old server still.
What did I miss?
28 June 2010 16:33
Do you have any device in front of TMG like a firewall or something?
Can you access the internet from the TMG itself?
Could you take a Netmon trace and follow the HTTP traffic, right from the TCP handshake, see what happens to the HTTP Get requests.
Check this KB:
Regards, Amit Saxena. Keep Walking!
29 June 2010 0:59
The only device is our Adtran box provided by our ISP. There is no firewall on it... everything is passed right through to the 4 ports on it (one that the ISA/TMG is plugged into). I thought maybe it had something stuck in its ARP table since it saw a different MAC, so I unplugged it, gave it a couple minutes, and plugged it back in. Still nothing (maybe it's still holding the ARP table and the IP to MAC no longer matches...)
No I cannot access the internet from TMG itself, found that odd also. If I plug in another PC to our Adtran box it works fine.
Our ISA 2004 is back in place so doing the netmon will probably be a couple days (to swap stuff around again).
Yeah I saw that KB but I didn't think it applied for this situation.
29 June 2010 7:02
If TMG is running in a VM on Hyper-V and you did not see any traffic in the virtual NIC properties, I think the problem is related to Hyper-V.
Try to resolve the problem with the following steps:
1) remove the NIC from the Hyper-V config and reboot the virtual machine
2) Enter NETSH INT IPV4 RESET ALL on the virtual machine
3) reconnect the NIC in the Hyper-V config
4) reconfigure the NIC with appropriate IP addresses and monitor if you now see traffic in the NIC properties
regards Marc Grote aka Jens Baier - www.nt-faq.de - www.it-training-grote.de - www.forefront-tmg.de
29 June 2010 13:05
Possibly, but I do see lots of packets SENT but 0 received. I have had some Hyper-V issues with NIC cards but it's usually when drivers or firmware is updated on the host, then you need to delete them and recreate.
I'm going to assign the TMG box an IP address not currently used by ISA 2004 (we have 5 external IPs). This should rule out the ARP table issue. If it works then I need to figure out how to clear the ARP table. If it doesn't work then I'll try resetting the NIC.
29 June 2010 13:56
You can clean the ARP cache by using the command "arp -d".
I can at this stage say that taking the data (per the first post) should help you the best.
Regards, Amit Saxena. Keep Walking!
29 June 2010 14:27
I assigned the TMG computer another external IP address to make sure it wasn't a weird ARP table issue with our incoming line and it still had the same issues, sent packets but none received. I have cleared the VM's own ARP table multiple times with no change.
So I followed Marc's advice... in the VM I uninstalled the NIC and shut down. Once shut down I removed the NIC from the VM config. Started the VM back up and did a NETSH INT IPV4 RESET ALL. Shut it down again, added the NIC back in, and booted it back up. Reconfigured the NIC and have the exact same issue... sent packets but none received, and in TMG logging it gives the 10060 Web Proxy (Forward) error saying the remote host timed out, which I know is not true.
I have both boxes on the network (with different external IPs) so I can test but I'm not sure what else to try. I did try doing some pinging:
TMG's external IP to itself: Works
ISA's external IP to itself: Works
TMG External IP to ISA's External IP : Destination Host Unreachable (????)
ISA's External IP to TMG's External IP: Nothing (even with the Allow Everything from Everywhere rule turned on.)
The destination unreachable doesn't make sense... the WAN connection is the only one with a gateway set, although maybe this will be a hint to the issue for someone. To further isolate it I disabled the DMZ NIC so I'm down to only the LAN and WAN NICs. Also went into Advanced Settings and put the WAN NIC at the top of the list. Also tried another netsh reset and put all the IP info back in... still nothing.
29 June 2010 15:19
Check the routing configuration. Are you getting any alerts in the monitoring for misconfigurations or spoofing? Did you give the DG at external and only one DG? Check the routing table. Check the netmon for traffic timeouts.
Regards, Amit Saxena. Keep Walking!
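The checks suggested in the two replies above (Marc's step 4, watching whether the NIC actually receives traffic after the reset, and Amit's question about having exactly one default gateway, on the external adapter only, plus the routing and ARP tables) can be scripted so the evidence is gathered in one go. The following is an added example, not code from the thread or from Microsoft; it assumes Windows Server 2008 R2 with PowerShell 2.0 and WMI available, and is meant to be run from an elevated prompt on the TMG VM. The host name pinged (www.microsoft.com) is the one used in the original post; the adapter labels WAN/LAN/DMZ are just the thread's names and are not assumed by the script.

```powershell
# Added example (not from the thread): gather the evidence discussed above on a TMG VM.
# Assumptions: Server 2008 R2 / PowerShell 2.0, run elevated, WMI available.

# 1. Exactly one default gateway, and it should be on the external (WAN) adapter.
$configs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = True"
$withGateway = @()
foreach ($c in $configs) {
    $gw  = if ($c.DefaultIPGateway)     { $c.DefaultIPGateway -join "," }     else { "(none)" }
    $dns = if ($c.DNSServerSearchOrder) { $c.DNSServerSearchOrder -join "," } else { "(none)" }
    "{0,-40} IP={1} GW={2} DNS={3}" -f $c.Description, ($c.IPAddress -join ","), $gw, $dns
    if ($c.DefaultIPGateway) { $withGateway += $c.Description }
}
if ($withGateway.Count -ne 1) {
    Write-Warning ("Expected exactly one adapter with a default gateway (the external one); found {0}: {1}" `
        -f $withGateway.Count, ($withGateway -join "; "))
}

# 2. The "lots sent, 0 received" symptom: sample the cumulative per-interface packet
#    counters twice, generate some outbound traffic in between, and flag any adapter
#    that transmitted during the interval but received nothing at all.
function Get-PacketCounters {
    $t = @{}
    Get-WmiObject Win32_PerfRawData_Tcpip_NetworkInterface | ForEach-Object {
        # In the *Raw* perf class these "PerSec" properties are running totals, not rates.
        $t[$_.Name] = @{ Sent = [uint64]$_.PacketsSentPersec; Received = [uint64]$_.PacketsReceivedPersec }
    }
    return $t
}
$before = Get-PacketCounters
ping -n 3 www.microsoft.com | Out-Null     # outbound traffic; host name taken from the original post
Start-Sleep -Seconds 3
$after = Get-PacketCounters
foreach ($name in $after.Keys) {
    if (-not $before.ContainsKey($name)) { continue }
    $sent = $after[$name].Sent - $before[$name].Sent
    $recv = $after[$name].Received - $before[$name].Received
    "{0,-50} sent={1} received={2}" -f $name, $sent, $recv
    if ($sent -gt 0 -and $recv -eq 0) {
        Write-Warning "$name transmitted $sent packets but received none: check the virtual switch binding and the NIC in the VM config"
    }
}

# 3. Routing and neighbour tables, for the "Destination host unreachable" seen between the
#    two external IPs: the WAN adapter should own the only 0.0.0.0/0 route, and the ISP
#    router's IP should show up in the ARP cache with a MAC address once traffic has flowed.
route print -4
arp -a
```

A warning from section 1 points at the routing configuration Amit asks about; a warning from section 2 on the external adapter reproduces the original poster's symptom and, after Marc's remove/reset/reconnect procedure, should disappear if the virtual NIC is now bound correctly. If it persists while an ordinary PC on the same Adtran port works, the problem is below the guest's IP stack (virtual switch or host NIC), which is where the thread ends up.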
29 June 2010 15:25
Ok...this problem just got easier (kinda). I uninstalled TMG off the server and rebooted. I then setup my network cards exactly as described at http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html . Once that was done I tried browsing the internet directly and the page timed out.
So I did a Tracert www.microsoft.com and got back a "ServerName [ExternalIP] reports: Destination host unreachable".
I then disabled all the NICs then re-enabled just the WAN NIC. Still nothing.
So now it HAS to be an issue with that NIC, which is one port of a two-port NIC (the other port is being used for the LAN connection and works fine). I uninstalled the NIC from the VM, shut down, removed it from the VM, removed it from the Hyper-V network interfaces, uninstalled it from the host, scanned for hardware, and set it all back up. Booted up the TMG VM, set up the NIC again, and IT WORKS.
I go into a command prompt, ping www.google.com and I get a reply. Going to go back through setting up TMG, import my settings (I backed them up before uninstalling), and I have a feeling I should be fine now.
Moral of the story: HyperV + Virtual Network Interfaces = Tricky.
- Marked as answer by Sprint 29 June 2010 15:25