Server cannot establish connection with the Configuration Storage server
-
Hi,
Issue: One of my ISA Server array members shows the error "Server cannot establish connection with the Configuration Storage server" in the Configuration Status tab in ISA Server 2006. One ISA node is not syncing with the CSS storage server.
ISA configuration:
- 2 x Windows 2003 R2 Enterprise Edition
- ISA 2006 Enterprise Edition with SP1
- xxx.Com (Domain) / DMZ
Thanks in advance.
Deva
Deva Self-trust is the first secret of success.
All replies
-
Hi,
HTH: http://technet.microsoft.com/en-us/library/cc302686.aspx
regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de -
Marc's link is a very good one.
Just a few tests that you can do.
As per your description, it appears you have
2 ISA Server machines,
let us say (for example):
1. isa1.contoso.com: 192.168.0.1 (internal NIC) (is the CSS (Configuration Storage server) as well as a firewall node) ---- correct me if your scenario is different.
2. isa2.contoso.com: 192.168.0.2 (internal NIC) (just a firewall node) --- once again, please correct me if I am wrong.
And the problem is that isa2 is not able to establish a connection with the Configuration Storage server.
The first thing that you would check from the ISA02 machine is:
-> ping isa01.contoso.com and see to what IP address it is getting resolved (you may not get ping replies, but the purpose is to check name resolution and the IP address to which ISA01.contoso.com resolves) -- so, a name resolution test.
-> You will now compare the IP address that it resolved to with the ipconfig /all details on the ISA01 machine and see if the IP address to which the ISA02 machine resolved was in fact the IP address of the ISA01 machine. Once it is confirmed that name resolution is working and the name ISA01.contoso.com resolves to the correct IP address, move to the next step.
-> Run this command at the command prompt on the ISA02 machine: telnet isa01.contoso.com 2171
(You will do this if the ISA Server machines are part of the domain.) If the ISA Server machines are part of a workgroup, then you will run the following command:
telnet isa01.contoso.com 2172
Now in both cases we want to know if telnet is a success (black window with blinking cursor) or it fails to connect.
If success, then you will go route 1 (approach 1); if failure, route 2 (approach 2, will discuss in next reply).
Route 1 (approach 1)
Success means the CSS server is listening on 2171 (domain scenario) or 2172 (workgroup scenario).
Then we will use a tool called ldp (available with the support tools) on the ISA02 machine.
Domain scenario
We will try to connect using ldp with the FQDN of the CSS server and port 2171 -- success or failure (if failure, you will have to start focusing on the CSS server machine, as many things can cause the issue; will discuss in my next reply).
If success, then you will try to bind with the username, domain and password credentials -- success or failure (the failure case I will discuss in my next reply).
If success, you would try to browse the tree and see if all the storage folders show up fine, i.e. success.
Then you might like to run a repair (ISA Server repair from Add/Remove Programs) on the ISA02 machine.
Workgroup scenario
Test ldp with the FQDN of the CSS server and port 2172 and check the box for SSL -- success or failure (failure: next reply).
If success, then test if you can bind with the username and password credentials -- success or failure (failure: next reply).
If success, then try to browse the tree -- success or failure (failure: next reply).
If success, then you might like to run a repair (ISA Server repair from Add/Remove Programs) on the ISA02 machine.
Do the above tests and let me know where you fail, and we can go that route.
Thanks and Regards Suraj Singh My blog: http://blogs.technet.com/b/sooraj-sec/ -
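The name-resolution and port checks from the reply above, scripted in PowerShell as an added example (not part of the original thread). The host name and IP address are the reply's own example values, and the script assumes PowerShell 2.0 or later on the array node; the ldp bind and tree-browse steps stay manual.

```powershell
# Added example: scripted form of the name-resolution and port checks.
# isa01.contoso.com / 192.168.0.1 are the post's example values.
param(
    [string]$CssFqdn    = 'isa01.contoso.com',
    [string]$ExpectedIp = '192.168.0.1',
    [int]$TimeoutMs     = 3000
)

# TCP connect with a timeout; the scripted equivalent of "telnet host port".
function Test-TcpPort([string]$HostName, [int]$Port, [int]$TimeoutMs) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Step 1: name resolution as seen from this array node (hosts file included).
try {
    $resolved = @([System.Net.Dns]::GetHostAddresses($CssFqdn) |
                  ForEach-Object { $_.IPAddressToString })
} catch {
    Write-Output "FAIL  $CssFqdn does not resolve from this node"
    return
}

# Step 2: compare with the address ipconfig /all shows on the CSS machine.
if ($resolved -contains $ExpectedIp) {
    Write-Output "OK    $CssFqdn resolves to $ExpectedIp"
} else {
    Write-Output "WARN  $CssFqdn resolves to $($resolved -join ', '), expected $ExpectedIp"
}

# Step 3: 2171 is the domain-scenario port, 2172 the workgroup (SSL) one.
foreach ($port in 2171, 2172) {
    if (Test-TcpPort $CssFqdn $port $TimeoutMs) {
        Write-Output "OK    TCP $port reachable: continue with the ldp bind test"
    } else {
        Write-Output "FAIL  TCP $port not reachable: check the CSS server and the path to it"
    }
}
```

Only the port that matches your deployment (2171 for domain members, 2172 for workgroup) needs to be reachable.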
Hi Suraj Singh,
In my case both ISA servers are in the domain and are virtual (Hyper-V); on the base machine I did teaming.
1. isa1(hoproxy2).contoso.com: 10.20.33.67 (internal NIC) (is the CSS (Configuration Storage server) as well as a firewall node) ---- correct me if your scenario is different.
2. isa2(hoproxy1).contoso.com: 10.20.33.64 (internal NIC) (just a firewall node) --- once again, please correct me if I am wrong.
And the problem is that isa2 is not able to establish a connection with the Configuration Storage server.
The first thing that you would check from the ISA02 machine is:
-> ping isa01.contoso.com and see to what IP address it is getting resolved (you may not get ping replies, but the purpose is to check name resolution and the IP address to which ISA01.contoso.com resolves) -- so, a name resolution test.
Ans: Name resolution is working fine.
-> You will now compare the IP address that it resolved to with the ipconfig /all details on the ISA01 machine and see if the IP address to which the ISA02 machine resolved was in fact the IP address of the ISA01 machine. Once it is confirmed that name resolution is working and the name ISA01.contoso.com resolves to the correct IP address, move to the next step.
Yes
-> Run this command at the command prompt on the ISA02 machine: telnet isa01.contoso.com 2171
Telnet success
(You will do this if the ISA Server machines are part of the domain.) If the ISA Server machines are part of a workgroup, then you will run the following command:
telnet isa01.contoso.com 2172
Now in both cases we want to know if telnet is a success (black window with blinking cursor) or it fails to connect.
If success, then you will go route 1 (approach 1); if failure, route 2 (approach 2, will discuss in next reply).
Route 1 (approach 1)
Success means the CSS server is listening on 2171 (domain scenario) or 2172 (workgroup scenario).
Then we will use a tool called ldp (available with the support tools) on the ISA02 machine.
Domain scenario
We will try to connect using ldp with the FQDN of the CSS server and port 2171 -- success or failure (if failure, you will have to start focusing on the CSS server machine, as many things can cause the issue; will discuss in my next reply).
LDAP connection success
If success, then you will try to bind with the username, domain and password credentials -- success or failure (the failure case I will discuss in my next reply).
Bind connection success (Authenticated as dn:'administrator'.)
If success, you would try to browse the tree and see if all the storage folders show up fine, i.e. success.
Let me know how I can see the storage folders?
Then you might like to run a repair (ISA Server repair from Add/Remove Programs) on the ISA02 machine.
I did the above tests; please find the results.
Please let me know where I am wrong.
Thanks
Deva
Deva Self-trust is the first secret of success. -
I created a walkthrough on my blog, just have a look at it
So if you are able to view all the folders after binding,
then you should try to run ISA repair on the problem node, as I said earlier, on the array node. (Note: always take backups of your ISA config before making any changes.)
Another note/question before repair: do you have any firewall between the CSS and the array node? If yes, then please also refer to
Do a test :) -- create a rule on the CSS server, then sync the configuration, and then check if that test rule shows up on the array node. If yes, then synchronization is happening but you are seeing a cosmetic error in the MMC, as RPC calls might be failing due to intermediate firewalls blocking random RPC ports; then you will follow the above ports link in detail.
If the test result is no and the ldp test was successful, run ISA repair and test.
Please let me know the results,
Thanks and Regards Suraj Singh My blog: http://blogs.technet.com/b/sooraj-sec/- Proposed as answer by Suraj Singh MSFT Tuesday, December 14, 2010 9:59 AM
-
Hi jj,
1. I have followed your blog article. As of now I am able to view all the folders after binding in the ldp connection.
2. Do a test :) -- create a rule on the CSS server, then sync the configuration, and then check if that test rule shows up on the array node. If yes, then synchronization is happening but you are seeing a cosmetic error in the MMC, as RPC calls might be failing due to intermediate firewalls blocking random RPC ports; then you will follow the above ports link in detail.
Yes, I did the above-mentioned test rule. It replicated to the other ISA node successfully. On the ISA2 node I manually added the CSS server host entry for the same and restarted both nodes.
As of now Configuration sync shows as green and sync is working fine; ISA1 and ISA2 sync with each other.
Thanks for your great help. But now I am confronting high CPU utilization on the NLB core switch.
Issue: When a user requests internet access, it passes through NLB and then ISA, and the utilisation of the core switch on which it is terminated goes high, but when one of the ISA servers is shut down the utilisation is normal.
Switch configuration: Cisco 4500 E
Server configuration:
Base Server 1: Teaming -> two virtual (Hyper-V) -> 1. ISA1 --> 10.20.33.64 ISA NLB: 10.20.33.61
2. IWSS1
Base Server 2: Teaming -> two virtual (Hyper-V) -> 1. ISA2 -- 10.20.33.67
2. IWSS2
Thanks
Deva Self-trust is the first secret of success.- Marked as answer by Devaraju K Tuesday, December 21, 2010 12:15 PM
-
Hey Deva,
That's great news. However, my suggestion for the NLB issue is to create another query in this forum for dedicated answers to that question/issue, as it will mix up the context on this thread.
Although, the answer to your question is that the Windows NLB implementation uses flooding for NLB to work; that is why it is recommended to use a hub with the NLB NICs, so that all the flooding happens in the hub and not on the switch. Just have a look at the following diagram, for example:
isa01--ExternalNIC-NLB----
                          |
                         Hub-------------Switch---
                          |
isa02--ExternalNIC-NLB----
If you put a hub in like that, your switch CPU utilization would return to normal, as all flooding would happen in the hub connected to the NLB NICs of the ISA servers.
BTW, shall we close the current question about CSS and node synchronization?
Note: if you still have a query about NLB, create a separate question thread for clarity of objective and discussion.
Thanks and Regards Suraj Singh My blog: http://blogs.technet.com/b/sooraj-sec/- Proposed as answer by Suraj Singh MSFT Tuesday, December 14, 2010 10:00 AM
- Marked as answer by Devaraju K Tuesday, December 21, 2010 12:15 PM
-
Hi JJ,
Thanks for your reply. In my case I have a dedicated VLAN for all my servers; approximately 10 servers are there along with the 2 ISA servers in that VLAN (10.20.33.x).
Users are connected to a different VLAN.
As per my understanding, I have to connect both ISA servers to a separate switch (Cisco 2960) in between, before the core switch (Cisco 4500 E)?
Or alternatively, on the same switch, can we create an isolated VLAN only for the ISA servers? Will it work?
Base Core server - Hyper-V -> isa01--ExternalNIC-NLB----
                                                        |
                                                 Switch (2960)-------------Switch (4500E)---
                                                        |
Base Core server - Hyper-V -> isa02--ExternalNIC-NLB----
Thanks ...
Deva Self-trust is the first secret of success. -
I'll answer your NLB queries in the mentioned link, and let's close this current question thread :)
BTW Deva, I am Suraj Singh; JJ is another friend on this forum, answered first time
Thanks and Regards Suraj Singh My blog: http://blogs.technet.com/b/sooraj-sec/

