locked
ISA Server 2006 SP1 and Security Update for ISA Server 2006 (KB 968078)

    Question

  • Hi,

    after Security Update for ISA Server 2006 (KB 968078) service "Microsoft ISA Server Control" doesn't start...

    Event Source: Microsoft ISA Server Control
    Event Category: None
    Event ID: 14109
    Description: The ISA Server Standard Edition cannot run. Either the server is using more than 4 processors, or it is configured to use the Active Directory service. Use the source location 100.281.4.0.2161.50 to report the failure. Contact Microsoft (R) Corporation for more information.

    we have 2 Quad Intel Xeon E5405 on Intel S5000PSL (8 processors in Windows 2003 R2 SP2)...
    as temporary workaround we disabled "Core Multi-Processing" in BIOS (got 2 processors in Windows 2003 R2 SP2)

    How can we resolve this problem?


    PS and also we had error:

    Event Source: TermService
    Event Category: None
    Event ID: 1036
    Description: Terminal Server session creation failed. The relevant status code was 0x2740.
    wich was resolved by http://support.microsoft.com/kb/555382

    Thanks,
    Artem

    Wednesday, April 15, 2009 7:43 AM

Answers

All replies


  • Please do this:
    1. get http://jim.isatools.org/tools/showprocs.zip
    2. extract it to your ISA Server on c:\showprocs
    3. open a command prompt (Start | Run | enter 'cmd' <enter>)
    4. in the command window, type the following:
       1. cd c:\showprocs
       2. showprocs >> .\showprocs.txt
    5. respond with the contents of the text file 'showprocs.txt'


    Jim Harrison Forefront Edge CS
    Wednesday, April 15, 2009 11:02 PM

  • Please do this:
    1. get http://jim.isatools.org/tools/showprocs.zip
    2. extract it to your ISA Server on c:\showprocs
    3. open a command prompt (Start | Run | enter 'cmd' <enter>)
    4. in the command window, type the following:
       1. cd c:\showprocs
       2. showprocs >> .\showprocs.txt
    5. respond with the contents of the text file 'showprocs.txt'


    Jim Harrison Forefront Edge CS


    Showprocs.exe Results

    OS Version: 5.2, Service Pack 2.0
    Found 2 Intel, Level 6, Revision 5894 logical processors.

    Active Processor mask: 0x3

    Processor Mask       : 0x1
    Relationship         : Package


    Processor Mask       : 0x1
    Relationship         : Processor Core
    Processor Core Flag  : 0


    Processor Mask       : 0x1
    Relationship         : Cache
    Cache Data
      Associativity      : 8
      Level              : 1
      LineSize           : 64 bytes
      Size               : 32768 bytes
      Type               : Data


    Processor Mask       : 0x1
    Relationship         : Cache
    Cache Data
      Associativity      : 8
      Level              : 1
      LineSize           : 64 bytes
      Size               : 32768 bytes
      Type               : Instruction


    Processor Mask       : 0x1
    Relationship         : Cache
    Cache Data
      Associativity      : 24
      Level              : 2
      LineSize           : 64 bytes
      Size               : 6291456 bytes
      Type               : Unified


    Processor Mask       : 0x2
    Relationship         : Package


    Processor Mask       : 0x2
    Relationship         : Processor Core
    Processor Core Flag  : 0


    Processor Mask       : 0x2
    Relationship         : Cache
    Cache Data
      Associativity      : 8
      Level              : 1
      LineSize           : 64 bytes
      Size               : 32768 bytes
      Type               : Data


    Processor Mask       : 0x2
    Relationship         : Cache
    Cache Data
      Associativity      : 8
      Level              : 1
      LineSize           : 64 bytes
      Size               : 32768 bytes
      Type               : Instruction


    Processor Mask       : 0x2
    Relationship         : Cache
    Cache Data
      Associativity      : 24
      Level              : 2
      LineSize           : 64 bytes
      Size               : 6291456 bytes
      Type               : Unified


    Processor Mask       : 0x3
    Relationship         : Numa Node
    Numa Node            : 0


    CPU Cores    : 2
    CPU Packages : 2
    Logical CPU  : 2
    Per-processor licenses required: 2

    Thursday, April 16, 2009 3:39 AM
  • PS and also we had error:

    Event Source: TermService
    Event Category: None
    Event ID: 1036
    Description: Terminal Server session creation failed. The relevant status code was 0x2740.
    wich was resolved by http://support.microsoft.com/kb/555382

    Since the update 968078 last night, we are not experiencing the 14109 problem, but event 1036 on all of our ISA 2006 servers, no matter whether they are virtually sitting on a HyperV box or are real machines. The fix in 555382 did nothing, RDP seems to be listening on all LAN adapters and changing it to one brought no change. Any ideas?
    Thursday, April 16, 2009 5:22 PM
  • Artem:

    Did you run the tool with or without "Core Multi-Processing" enabled? It appears that it was "without", since it only reports two Cores..?
    The good news is that this isn't a problem in the ISA patches.
    We'll have an update to this blog soon with the details of what is happening and why.

    Peter & Artem:

    The 1036 error can be caused if:
    1. you're server-publishing RDP through or to the ISA
    2. the Terminal Services service is bound to all interfaces
    3. the ISA RDP publishing listener starts before the RDP service starts.

    It's a race condition that's only solved by ensuring that the Terminal Services only bind to the ISA internal NIC.
    You may have to restart the machine for this to take effect.

    HTH,

    Jim Harrison
    Program Manager, Forefront Edge CS
    Jim Harrison Forefront Edge CS
    Thursday, April 16, 2009 11:40 PM
  • Artem:

    Did you run the tool with or without "Core Multi-Processing" enabled? It appears that it was "without", since it only reports two Cores..?
    The good news is that this isn't a problem in the ISA patches.
    We'll have an update to this blog soon with the details of what is happening and why.


    HTH,

    Jim Harrison
    Program Manager, Forefront Edge CS
    Jim Harrison Forefront Edge CS


    yes, without "Core Multi-Processing" enabled. I can post here results with "Core Multi-Processing" enabled.

    ...I wait details anxiously

    Thanks,
    Artem

    Friday, April 17, 2009 3:39 AM
    • Marked as answer by ArtemNN Monday, April 20, 2009 4:05 AM
    Saturday, April 18, 2009 11:20 PM
  • Jim:

    Your (1.) does not apply to us, but (2.) is the default and apparently relevant for VPN. I presume that the Update is not supposed to change functionality. Correct?

    Here are our problems with ISA 2006 SP1 Standard on WS 2003 R2 SP2 Enterprise that are, unfortunately, still not resolved

    i) if I bind TS to all interfaces (default) and install 968078, I loose RDP connectivity. In addition, VPN users can no longer connect via PPTP ports.
    ii) if I bind TS only to the external interface (which is what I need for some ISAs), I loose RDP connectivity as well.
    iii) if I bind TS only to the internal interface before installing the patch, external users can no longer connect via VPN (L2TP/IPSec). This does not affect PPTP ports (unless I install the patch, see (i))
    iv) if I uninstall 968078 plus bind TS to all interfaces as it was before and default, everything works.

    I appreciate your help,

    Peter Vogl
    Techn Univ Munich


    Sunday, April 19, 2009 7:04 PM
  • Peter,

    Please contact CSS; there's something else happening on your ISA that's not clear.
    There is no association between RDP to the ISA and incoming VPN connections, regardless of the VPN protocol.
    Jim Harrison Forefront Edge CS
    Sunday, April 19, 2009 7:29 PM
  • Please see:
    http://blogs.technet.com/isablog/archive/2009/04/18/ms09-012-and-isa-server-standard-edition-14109-failures.aspx
    for a workaround.

    Jim Harrison Forefront Edge CS


    ...and after deleting Security Update for Windows Server 2003 (KB952004)(MS09-012) problem remains

    ...we have executed all steps and after reboot ISA Server blocked all connections (clients can't connect to ISA and ISA can't connect to any networks), but all services started without errors (in "Device manager" we see 8 processors, in "Task Manager - 4)...
    after second reboot all working fine :)

    PS Can we hope on patch for this problems?

    Monday, April 20, 2009 4:25 AM
  • The problem you describe now is very different than was described initially.
    You should not remove the -012 update; the workaround makes it possible for your ISA to start.
    Please contact CSS; the problems you describe now are not likely to be related to any of the security updates.
    Jim Harrison Forefront Edge CS
    Monday, April 20, 2009 5:11 AM
  • The problem you describe now is very different than was described initially.
    You should not remove the -012 update; the workaround makes it possible for your ISA to start.
    Please contact CSS; the problems you describe now are not likely to be related to any of the security updates.
    Jim Harrison Forefront Edge CS


    we havn't problems now. I only described abnormal behavior after use the offered method.
    we removed MS09-012 update only for test and have installed it again.
    I asked about patch for problem from patch that was described initially (will appear complete resolution?).

    Thanks,
    Artem

     

     

    Monday, April 20, 2009 6:11 AM
  • How did you get this hotfix?
    Jim: can you make this hotfix available by attachment to the KB article?
    Friday, June 19, 2009 8:21 PM
  • http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=970443

    Any time you want to download a HF, use this URL: http://support.microsoft.com/hotfix/KBHotfix.aspx?kbnum=##### (change the '#####' value to match the KB you're interested in).
    They may not always be there, but for those that aren't it's as simple as a call to your local CSS folks.
    Friday, June 19, 2009 8:31 PM
  • How did you get this hotfix?
    call to your local CSS
    Saturday, June 20, 2009 5:35 AM
  • Jim, thanks a lot. Worked great.

    Saturday, June 20, 2009 7:19 AM
  • Dear Sirs,

    I've got the same problem using ForeFront TMG with Windows EBS2008. Since applying update KB956572 and KB952004, we weren't able to connect VPN using PPTP.
    Somewhere a couple of months ago we removed these updates and it worked. Later on I had noted for this network that I still needed to have a look at it, since they weren't using VPN for the moment. Last week I wanted to have a look at it and tried VPN -> didn't work. I thought, ok I need to delete these 2 updates again and it will work again since windows update probably installed them again the week after I removed them. But I couldn't find those updates in the list anymore (strange since I removed them, but WU normally would have installed them again afterwards). When I downloaded these updates, to try to install them (to check whether I could remove them afterwards) it said these were already applied, although I cannot find them in the list anymore.

    So now I cannot get VPN to work. Also when I read this blog, I had the same problem half a year ago concerning RDP when it was bound to both NIC's (this is the way it was orginally). So I have been searching a lot about this and couldn't get it to work unless I only bind it the internal NIC. But when I read this

    Jim:

    Your (1.) does not apply to us, but (2.) is the default and apparently relevant for VPN. I presume that the Update is not supposed to change functionality. Correct?

    Here are our problems with ISA 2006 SP1 Standard on WS 2003 R2 SP2 Enterprise that are, unfortunately, still not resolved

    i) if I bind TS to all interfaces (default) and install 968078, I loose RDP connectivity. In addition, VPN users can no longer connect via PPTP ports.
    ii) if I bind TS only to the external interface (which is what I need for some ISAs), I loose RDP connectivity as well.
    iii) if I bind TS only to the internal interface before installing the patch, external users can no longer connect via VPN (L2TP/IPSec). This does not affect PPTP ports (unless I install the patch, see (i))
    iv) if I uninstall 968078 plus bind TS to all interfaces as it was before and default, everything works.

    I appreciate your help,

    Peter Vogl

    Techn Univ Munich

    I remembered I had this problem too. So for now I cannot install those two updates cause they return "already installed", and cannot remove them because they aren't listed. I know this is the cause for the VPN since when I removed them half a year ago when we were testing, this was the solution.

    So my question is, is there a way to uninstall them, OR a solution for the problems cause by these updates.

    In this link (comments) you see people having the same issues regarding PPTP.
    http://blogs.technet.com/b/isablog/archive/2009/04/18/ms09-012-and-isa-server-standard-edition-14109-failures.aspx

    Thanks,

    Tom


    Tuesday, September 14, 2010 3:09 PM