Using diagnostic logging

Diagnostic logging is a component that tracks and logs the behavior of the following Microsoft Internet Security and Acceleration (ISA) Server policy components:

  • Firewall policy rules
  • Network rules
  • Web chaining rules
  • Cache rules
  • Rule authentication

Diagnostic logging enhances basic log information by tracing the flow of specific packets. It reports on packet progress and provides information about handling and rule matching. It can also be used to analyze traffic scenarios that traverse ISA Server policy rules. For example, if virtual private network (VPN) clients are not able to access an organization's Office SharePoint portal, then running diagnostic logging while a VPN client is attempting to access Office SharePoint provides information about both traffic handling from a VPN client to SharePoint and ISA Server policy rules that match the attributes of the request.

This document provides an overview of the diagnostic logging feature provided by ISA Server 2006 Service Pack 1. The document includes instructions for configuring diagnostic logging and deleting, filtering, and analyzing diagnostic logs. In addition, the document includes a list of all events generated by diagnostic logging and suggested actions for the events.

To use diagnostic logging, install ISA Server 2006 Service Pack 1, and then, in the Troubleshooting node of the ISA Server Management console, click the Diagnostic logging tab. Logging is output to a new Diagnostic Logging Viewer in the tab.

Configuring and enabling diagnostic logging

Notes

  • Because running diagnostic logging incurs a significant performance penalty, it should not be enabled for prolonged periods.
  • Diagnostic logging should be disabled when event logs are being viewed.
  • Diagnostic logging runs on the server that is selected from the server option in the Diagnostic Logging tab.
  • Diagnostic logging settings are not persistent. If the computer is restarted, diagnostic logging is disabled.
  • There is a maximum timeout of 30 seconds for each query execution. If the query does not complete before the timeout, an error is displayed. Before you rerun the query, modify the filter. For more information, see "To configure diagnostic logging limits" in this document.
  • The log has a default size limit of 10,000 entries and overwrites existing events once the limit is exceeded. It is recommended that you run diagnostic logging for as short a period as possible. For more information, see "To configure diagnostic logging limits" in this document.

To enable and disable diagnostic logging

  1. On the ISA Server Management console, click the Troubleshooting node.

  2. Click the Diagnostic Logging tab.

  3. To turn logging on, on the Tasks tab, click Enable Diagnostic Logging. To turn logging off again, on the Tasks tab, click Disable Diagnostic Logging.

You can manage diagnostic logging from the ISA Server computer, or you can manage it remotely. Before you run diagnostic logging from a remote computer, you must add the remote computer to the array-level system policy rule “Allow remote management from selected computers using MMC”. Errors may occur if this is not done.

To add a remote management computer to the remote management system policy rule

  1. On the ISA Server Management console, in the Firewall Policy node, double-click the following system policy rule: Allow remote management from selected computers using MMC.

  2. On the From tab, select Remote Managers Computers, and then click Edit.

  3. Verify that the name of the remote management computer is included in the computer set. If it's not included, add the remote management computer.

  4. Click OK.

Both query and size limits can be modified by configuring diagnostic logging limits.

To configure diagnostic logging limits

  1. Click Start, and then, in the Run dialog box, type Regedit.

  2. Navigate to the following location: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft

  3. Right-click Microsoft, and then if the following key does not already exist, create it: RAT\Stingray\Debug\UI

  4. Right-click UI, click New, and then click DWORD (32-bit).

    Create the following value, and then specify a maximum value for the number of entries that can be handled by the query: DIALOG_QUERY_MAX_RECORDS

    Create the following value, and then specify the query timeout value: DIAGLOG_DLVIEWER_TIMEOUT

Important

This article contains information about how to modify the registry. Make sure to back up the registry before you modify it. Also, ensure that you can restore the registry if a problem occurs. For more information about how to back up, restore, and modify the registry, see the following article in the Microsoft Knowledge Base: Windows registry information for advanced users (https://support.microsoft.com/kb/256986/).

Filtering and viewing the diagnostic log

Filtering for events

Diagnostic logging events can be filtered and searched for specific information. You can filter for a specific request by using a string from the log message or context ID.

A context is a semi-random, 8-digit hexadecimal number that identifies an ISA Server operation. A context can represent the following:

  • The act of handling a packet in the ISA Server driver
  • A TCP connection or a User Datagram Protocol (UDP) "connection"
  • An HTTP session
  • An HTTP request
  • A Web Publishing Load Balancing (WPLB) routing action
  • The act of a VPN client connecting through ISA Server

Contexts can be nested. For example, one HTTP session may contain several HTTP requests, one after the other. This is reflected in the context. For example, suppose there is one HTTP session (context=00000001) that has two HTTP requests on it (context=00000002, 00000003). The context is reflected in diagnostic logging as follows:

00000001 (message relating to the connection)

00000001 00000002 (message relating to request 2)

(...)

00000001 00000002 (message relating to request 2)

00000001 00000003 (message relating to request 3)

(...)

00000001 00000003 (message relating to request 3)

You can also search the diagnostic logging output for some identifying information, such as client IP address or port, and infer the context from the entries that you find.
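The following sketch applies that approach to saved diagnostic logging output: it finds the context of the entries that mention a client IP address, then collects every entry nested under that context. It is an added example, not part of the original document or of ISA Server. The one-line-per-entry text format (context chain followed by the message), the rule name, and the IP addresses are assumptions constructed from the notation shown above.

```python
import re
from collections import namedtuple

# Constructed sample: "<context> [<nested context> ...] <message>" per line,
# following the notation used in this document. Not real ISA Server output.
SAMPLE_LOG = """\
0000a1b2 Source IP address 10.0.0.25 Destination IP address 192.168.1.10
0000a1b2 0000c3d4 ISA Server is evaluating the rule Allow VPN to SharePoint.
0000e5f6 Source IP address 10.0.0.250 Destination IP address 192.168.1.10
0000a1b2 0000c3d4 The rule Allow VPN to SharePoint matches the packet. The packet is allowed.
0000e5f6 0000f7a8 ISA Server is evaluating the rule Allow VPN to SharePoint.
0000a1b2 0000c9da ISA Server is evaluating the rule Allow VPN to SharePoint.
0000a1b2 0000c9da No matching rule was found.
"""

Entry = namedtuple("Entry", "record chain message")

# One or more 8-digit hexadecimal context IDs, then the message text.
# Limitation: a message that itself starts with an 8-digit hex word would be
# read as one more nesting level.
_LINE = re.compile(r"^\s*((?:[0-9A-Fa-f]{8}\s+)+)(\S.*)$")


def parse_log(text):
    """Return entries in log order; lines without a context ID are skipped."""
    entries = []
    for line in text.splitlines():
        match = _LINE.match(line)
        if not match:
            continue
        chain = tuple(token.lower() for token in match.group(1).split())
        entries.append(Entry(len(entries) + 1, chain, match.group(2).strip()))
    return entries


def children_of(entries):
    """Map each context ID to the nested context IDs seen directly under it."""
    tree = {}
    for entry in entries:
        tree.setdefault(entry.chain[0], [])
        for parent, child in zip(entry.chain, entry.chain[1:]):
            kids = tree.setdefault(parent, [])
            if child not in kids:
                kids.append(child)
            tree.setdefault(child, [])
    return tree


def contexts_mentioning(entries, needle):
    """Outermost contexts whose messages contain needle as a whole token.

    The digit guards stop 10.0.0.25 from also matching 10.0.0.250.
    """
    pattern = re.compile(r"(?<!\d)" + re.escape(needle) + r"(?!\d)")
    found = []
    for entry in entries:
        if pattern.search(entry.message) and entry.chain[0] not in found:
            found.append(entry.chain[0])
    return found


def trace(entries, context):
    """All entries logged under a context, at any nesting level, in order."""
    context = context.lower()
    return [entry for entry in entries if context in entry.chain]


def render(entries, context):
    """Indent each entry by nesting depth so requests group under sessions."""
    lines = []
    for entry in trace(entries, context):
        indent = "  " * (len(entry.chain) - 1)
        lines.append(f"{entry.record:>4} {indent}{entry.chain[-1]} {entry.message}")
    return "\n".join(lines)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for ctx in contexts_mentioning(log, "10.0.0.25"):
        print(f"context {ctx}: nested contexts {children_of(log)[ctx]}")
        print(render(log, ctx))
```

The context ID that this returns is the value to enter in the Context contains box when filtering in the Diagnostic Logging tab.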

To identify a context ID

  1. On the ISA Server Management console, click the Monitoring node.

  2. In the Logging tab, click Start Query to start logging without filtering on specific criteria.

  3. Click Edit Filter to specify that the query should run with specific parameters, such as Rule or Destination IP.

  4. Click Start Query to start logging based on filter criteria.

  5. The unique ID of a request is not displayed by default on the ISA Server Management console. To display it, right-click one of the column headings for the log entries, and then click Add/Remove Columns.

  6. In the Available Columns list, click Filter Information, and then click Add.

  7. In the Filter Information properties displayed for the rule, note the Req ID property for the required rule. This is the context ID.

To help define the results of your search, you can filter either by message string or context ID.

To filter the diagnostic logging events

  1. On the ISA Server Management console, in the Troubleshooting node, click the Diagnostic Logging tab.

  2. To filter by message string, in the Message contains box, enter the message string that is contained in the message of the event log.

    Note

    The query run on the message string is on the whole phrase, even if there are spaces between words. For example, if the string in the Message contains box is "Hello World", the query searches for the whole string "Hello World" and not "Hello" and "World".

  3. To filter by context, in the Context contains box, enter the context ID of the event log for which you are searching.

    Note

    You can filter by one or both options.

  4. Select the server from which the events originated and click Apply Filter.

Viewing logged events

You can view all logged events by clicking the Show all button in the Filter pane, or you can view filtered logged events by defining the filter and then clicking the Apply filter button.

When viewing diagnostic log events, the top section of the logging results pane displays a status line that includes the following:

  • Server
  • Context ID
  • Message contains

The status line specifies the filter properties of the events that are shown.

The following details are provided in the results pane of the Diagnostic logging tab.

Label         Description

Record        Displays the number of the record in the sequence of the logs
Time          Displays the actual date and time that the event occurred
Context       For information about context, see "Filtering for events" in this document
Log Source    Displays the origin from where the event occurred, for instance, Firewall service or Web proxy
Message       Displays a detailed description of the event that occurred

Deleting an event log

When diagnostic logging is running, the log tends to fill quickly. You can delete events from the diagnostic log as follows.

To delete diagnostic logging events

  1. On the ISA Server Management console, in the Troubleshooting node, click the Diagnostic Logging tab.

  2. On the Tasks tab, click Delete Diagnostic Log. Events are deleted from the diagnostic log and no longer appear in the event viewer or the output pane.

Analyzing diagnostic log events

The following table summarizes the events produced by diagnostic logging and recommends actions for each event, where appropriate.

Event ID Message Scenario Action/Details

30000

The access rule <name> allows all traffic. The packet is allowed. No further rule evaluation is needed.

Outbound access rules

If the message is in accordance with the desired policy, then no action is required. If not, check the properties of the rule that is allowing all traffic.

30001

ISA Server will check only rules that are associated with the protocol <name>.

Outbound access rules

If the message is in accordance with the protocols you have defined on access rules, then no action is required. Otherwise, check the protocol properties of existing access rules, and create new rules if required.

30002

ISA Server is evaluating the rule <name>.

Outbound access and publishing rules

This message is status only, so no action is required.

30004

No matching rule was found.

Outbound access and publishing rules

No rule in the firewall policy matches the relevant request. Check the properties of existing rules and create a new rule, if required.

30006

Displays rule properties.

Outbound access and publishing rules

This message is status only, so no action is required.

30007

The Firewall Engine is performing rule evaluation.

Outbound access and publishing rules

This message is status only, so no action is required.

30008

The rule <name> matches the packet. The packet is allowed.

Outbound access and publishing rules

If the message is in accordance with the desired policy, then no action is required. If not, check the properties of the rule that is allowing all traffic.

30009

The rule <name> matches the packet and may deny it. However, a rule that precedes this rule in the list of policy rules and matches the packet will take precedence and may allow the packet.

Outbound access and publishing rules

Check the rule base and ordering for conflicts. The following order is recommended from highest priority to lowest:

  1. Global deny rules that deny specific access to all users.
  2. Global allow rules that allow specific access to all users.
  3. Rules that allow or deny access to specific computers.
  4. Rules that allow or deny access to specific URLs and Multipurpose Internet Mail Extension (MIME) types.
  5. Rules that handle traffic that does not match rules that occur previously in the list of rules.

Server publishing rules and Web publishing rules can be placed anywhere in the rule order, after the global allow or deny rules.

30010

ISA Server is looking for an applicable network rule.

Network rules

This message is status only, so no action is required.

30011

The packet was sent to or from the Local Host network. Therefore, an implicit network rule with a route relationship between the source and destination is applied.

Network rules

This message is status only, so no action is required. Following installation, ISA Server defines a default network rule allowing access between the Local Host network (the ISA Server computer) and all networks included in the default All Networks network set. The rule is defined with a route relationship. This default rule cannot be modified.

30012

The source and destination are on the same network. Therefore, an implicit network rule with a route relationship between the source and destination is applied.

Network rules

This message is status only, so no action is required. Traffic that passes through ISA Server between sources and destinations on the same network is routed.

30013

No network rule was found.

Network rules

Create a network rule that allows traffic between networks that include the source and destination specified in the Web publishing rule.

For information about creating and configuring network rules, see Network Concepts in ISA Server 2006.

30015

The network rule <name> matches the source and destination. A NAT relationship is specified.

Network rules

This message is status only, so no action is required.

30016

The network rule <name> matches the source and destination. A route relationship is specified.

Network rules

This message is status only, so no action is required.

30017

The packet was blocked because no matching network rule was found.

Outbound access rules

Create a network rule, or check the configuration of existing network rules.

For information about creating and configuring network rules, see Network Concepts in ISA Server 2006.

30018

ISA Server is looking for a deny access rule that matches traffic from the source to the destination.

Outbound access rules

This message is status only, so no action is required.

30019

ISA Server is looking for a rule that is associated with the protocol <name>.

Outbound access rules

This message is status only, so no action is required.

30020

The deny access rule <name> precedes the publishing rule <name> in the list of policy rules. The packet is blocked.

Outbound access and publishing rules

Check that the properties of the deny access rule are in accordance with requirements. In addition, check rule ordering. The following order is recommended from highest priority to lowest:

  1. Global deny rules that deny specific access to all users.
  2. Global allow rules that allow specific access to all users.
  3. Rules that allow or deny access to specific computers.
  4. Rules that allow or deny access to specific URLs and MIME types.
  5. Rules that handle traffic that does not match rules that occur previously in the list of rules.
  6. Server publishing rules and Web publishing rules can be placed anywhere in the rule order, after the global allow or deny rules.

30022

The rule <name> allowed the packet.

Outbound access and publishing rules

If the message is in accordance with the desired policy, then no action is required. If not, check the properties of the rule blocking the request. In addition, check rule ordering.

30023

The request was denied because the connection limit for the rule <name> was exceeded

Outbound access and publishing rules

Check connection limits and modify them in accordance with requirements and best practices. If required, you can exempt specific IP addresses from limits.

For Web publishing rules, connection limits are set for the specific Web listener defined for the rule.

For outbound Web requests, a connection limit is set on the Web proxy properties of a specific network.

Globally, you can set a limit for all types of traffic.

For more information, see Deployment Recommendations for Connection Limits in ISA Server 2004, and ISA Server Network Protection: Protecting Against Floods and Attacks.

30024

The rule <name> blocked the packet.

Outbound access and publishing rules

If the message is in accordance with the desired policy, then no action is required. If not, check the properties of the rule blocking the request and check rule ordering.

30025

The rule <name> requires a MIME content type.

Outbound access rules

This message is status only, so no action is required. The rule requires a content type in order to determine whether traffic is allowed. ISA Server makes a request to the Web server in order to get the response content-type before evaluating the rule.

30026

The rule <name> requires DNS name resolution.

Outbound access and publishing rules

This message is status only, so no action is required. The rule requires name resolution in order to determine whether traffic is allowed.

30027

The rule <name> requires user authentication.

Outbound access and publishing rules

This message is status only, so no action is required. The rule requires client authentication in order to determine whether traffic is allowed.

30028

ISA Server is loading the non-Windows user account for the user <name> and the authentication scheme <name> from the stored configuration.

Outbound access using RADIUS authentication and Publishing rules using RADIUS or SecurID authentication.

This message is status only, so no action is required.

30029

The Web chaining rule <name> matches the packet.

Web chaining rules

This message is status only, so no action is required. Web chaining rules specify whether requests should be routed to the Internet or to an upstream proxy server. For more information, see Chaining Concepts in ISA Server 2006.

30030

The Web chaining rule <name> requires a dial-up connection for name resolution.

Web chaining rules

This message is status only, so no action is required.

30031

The cache rule <name> matches the Web request.

Cache rules

This message is status only, so no action is required.

30032

The rule cannot be evaluated by the Firewall Engine because the rule applies to a specific user.

Outbound access and publishing rules

This message is status only, so no action is required. Evaluation of the rule is done in user mode. The Windows operating system divides the use of virtual address space into the user virtual address space (user space) that maps the current user process and the kernel virtual address space (kernel space) that maps the operating system code and structures. ISA Server uses both modes. The Firewall Engine and Windows networking components run in kernel mode. Other components run in user mode. For more information, see ISA Server 2006 Firewall Core.

30033

The user does not match the rule.

Outbound access and publishing rules

This message is status only, so no action is required. The rule being evaluated does not match the user making the request.

30034

ISA Server failed to determine whether the Windows user is allowed or denied by the rule. Error code: <code number> The rule is ignored.

Outbound access and publishing rules

This error occurs when there are problems in trying to determine the identity of the user. Check the error code.

30035

The rule <name> has parameters that cannot be evaluated by the Firewall Engine. The packet is passed to the Firewall service to complete rule evaluation.

Outbound access and publishing rules

This message is status only, so no action is required. Evaluation of the rule is done in user mode.

30036

The protocol indicated by the destination port does not match the rule

Outbound access and publishing rules

This message is status only, so no action is required. The rule being evaluated is not relevant for the traffic because the traffic port and protocol specified in the rule do not match.

30037

ISA Server cannot determine the protocol of the packet. Therefore, the deny access rule <name> is ignored.

Outbound access rules

This message is status only, so no action is required. This is generated mainly by traffic on the Firewall client control channel.

30038

The source port does not match the rule.

Outbound access and publishing rules

In an access rule, you can limit the source port range from which client traffic is accepted. This message indicates that the source port of the packet does not match the range indicated in the rule properties.

30039

The rule <name> specifies a MIME content type. If the MIME content type in the response does not match the request, the request is blocked.

Outbound access rules

This message is status only, so no action is required. The rule requires a content type in order to determine whether traffic is allowed. ISA Server makes a request to the Web server in order to get the response content-type before evaluating the rule. If the MIME content matches, the traffic is allowed or denied in accordance with the action specified in the rule properties.

30040

The time when the packet was sent does not match a time when the rule is applied according to its schedule.

Outbound access and publishing rules

On the Schedule tab of the rule properties, check when the rule is active and modify it if necessary.

30041

The %4 requires name resolution

Outbound access and publishing rules

This message is status only, so no action is required. It indicates that name resolution is required to complete rule evaluation.

30042

%4 does not match the packet

Outbound access and publishing rules

This message is status only, so no action is required. This may indicate the source or destination of the rule.

30043

%4 does not match the rule.

Outbound access rules and publishing rules

This message is status only, so no action is required. This may indicate the source or destination of the rule.

30044

The rule <name> requires name resolution for evaluation

Outbound access and publishing rules

This message is status only, so no action is required. The rule requires name resolution to determine whether traffic is allowed.

30045

The access rule is ignored because ISA Server looks only for Web publishing rules for an incoming Web request.

Web publishing rules

This message is status only, so no action is required. It informs you that access rules are not evaluated for Web publishing requests.

30046

The access rule is ignored for this packet because inbound protocols can be used only by adding them explicitly to the rule.

Access rules

This message is status only, so no action is required. It is generated during rule processing.

30047

ISA Server assumes that the allow access rule or redirecting deny access rule is the best match for HTTP.

Access rules

This message is status only, so no action is required. It is generated during rule processing.

30048

The content type specified in the packet does not match the rule.

Access rules

If this action is in accordance with the desired policy, then no action is required. If not, check the properties of the rule in order to ensure that the MIME types configured in the rule are correct.

30049

A content type is needed for rule matching.

Access rules

This message is status only, so no action is required. The rule requires a content type in order to determine whether traffic is allowed. ISA Server makes a request to the Web server in order to get the response content-type before evaluating the rule.

30050

The rule does not match because the rule requires authentication and no user is specified in the packet.

Outbound access rules and publishing rules

If the rule is not intended to match the user request, then no action is required. If the rule should match the request, check the properties of the rule in order to ensure that the user authentication requirements are configured correctly.

30051

The rule <name> requires user authentication for evaluation.

Outbound access and publishing rules

This message is status only, so no action is required. The rule requires client authentication in order to determine whether traffic is allowed.

30052

The destination does not match an IP address on which the listener of the server publishing rule listens.

Server publishing rules

Each server publishing rule is associated with an IP address and port on which requests for the published server are received. The destination requested by the client must resolve to an IP address associated with the rule.

30053

The destination in the request does not match an IP address on which the Web listener specified in the Web publishing rule listens.

Web publishing rules

Each Web publishing rule is associated with a Web listener that specifies the network and port on which requests for the Web server published by the rule can be received. The destination specified in the URL request must resolve to an IP address in one of the networks associated with the listener. On the Listener tab of the rule properties, click the Properties tab. Then, on the Network tab of the listener properties, check the networks associated with the listener.

30054

This server publishing rule was skipped for this packet.

Server publishing rules

This message is status only, so no action is required.

30055

This Web publishing rule was skipped for this packet.

Web publishing rules

This message is status only, so no action is required.

30056

The rule does not apply to traffic from the source IP address.

Server publishing

This message is status only, so no action is required. It is issued during evaluation of server publishing rules.

30057

The deny access rule does not match a wildcard source.

Access rules

This message is status only, so no action is required. It is usually issued during processing of application filters that open secondary protocols.

30058

The web publishing rule <name> is ignored because the destination <name> in the Web request does not match any of the public names specified in the Web publishing rule

Web publishing rules

On the Public Name tab of the rule properties, check that the entries specified match the string that the external user types to reach the Microsoft Office Outlook Web Access site.

30059

The Web listener that accepted the packet does not match the Web listener specified in the Web publishing rule.

Web publishing rules

This message is status only, so no action is required. This message is logged as each Web published rule is evaluated to verify whether it uses the Web listener on which the packet was received.

30060

The reverse direction of the network rule <name>, which defines a NAT relationship, matches the source and destination IP addresses specified in the packet. The traffic is denied.

Network rules

This message indicates that a packet with the reverse direction cannot be forwarded because the network relationship defined for the rule is Network Address Translation (NAT), and a NAT relationship allows traffic in only one direction.

30061

The Web publishing rule <name> is ignored because the path <name> in the destination URL in the Web request does not match the path specified in the rule.

Web publishing rules

On the Paths tab of the rule properties, check that the paths specified match those that the external user types to reach the Outlook Web Access site.

30062

ISA Server is evaluating the network rule %4.

Network rules

This message is status only, so no action is required.

30063

The source IP address in the packet does not match the destination specified in the network rule.

Network rules

The network rule is not applicable for the packet. Ensure that another network rule exists to allow traffic between the desired source and destination of the packet. For more information about network rules, see Network Concepts in ISA Server 2006.

30064

The source IP address in the packet does not match the source specified in the network rule.

Network rules

The network rule is not applicable for the packet. Ensure that another network rule exists to allow traffic between the desired source and destination of the packet.

30065

The destination IP address in the packet does not match the source specified in the network rule.

Network rules

The network rule is not applicable for the packet. Ensure that another network rule exists to allow traffic between the desired source and destination of the packet.

30066

The destination IP address in the packet does not match the destination specified in the network rule.

Network rules

The network rule is not applicable for the packet. Ensure that another network rule exists to allow traffic between the desired source and destination of the packet.

30067

The source and destination in the packet match the source and destination specified in the network rule, which specifies a NAT relationship.

Network rules

This message is status only, so no action is required. A network rule exists that allows traffic between the source and destination specified in the packet. A NAT relationship will be applied.

30068

ISA Server is checking the reverse direction of the network rule <name>.

Network rules

This message is status only, so no action is required.

30069

The source and destination in the packet match the source and destination specified in the network rule <name> in the reverse direction.

Network rules

If the network relationship is NAT (unidirectional), then check that there is a network rule to allow the packet. If the network relationship is route, no action is required.

30070

The source IP address in the packet does not match the source specified in the network rule.

Network rules

The source IP address of the packet does not match any network specified as a source in the network rule. Ensure that there is a network rule to allow the traffic between the source and destination specified in the packet.

30072

The destination IP address in the packet does not match the source specified in the network rule.

Network rules

The destination IP address of the packet does not match any network specified as a source in the network rule. Ensure that there is a network rule to allow the traffic between the source and destination specified in the packet.

30073

TCP sessions per minute was exceeded for the rule

Outbound access rules and publishing rules

ISA Server imposes a limit on the maximum number of TCP connect requests per minute. The default is 600 per minute. To specify an exception for a specific IP address, click the General node on the ISA Server Management console. In the Details pane, click Configure Flood Mitigation Settings, and then, on the IP Exceptions tab, click Add to add network elements you want to exempt from the default settings. For exempt IP addresses, a default of 6,000 requests per minute is set. For more information, see Deployment Recommendations for Connection Limits in ISA Server 2004, and ISA Server Network Protection: Protecting Against Floods and Attacks.

30074

The source and destination in the packet match the source and destination specified in the network rule, which specifies a route relationship.

Network rules

This message is status only, so no action is required.

30075

ISA Server is looking for a Web chaining rule that matches the destination <name> in the packet.

Web chaining rules

This message is status only, so no action is required.

30076

ISA Server is looking for a cache rule that matches the destination <name> in the Web request.

Cache rules

This message is status only, so no action is required.

30077

Date and time: <time> Packet context: <context ID> Log source: <source> Packet properties <properties> Source IP address <address> Source array network <network> Destination IP address <address> Destination array network <network> Description <description>

Outbound access rules and publishing rules

This message is status only, so no action is required.

30078

Date and time: <time> Packet context: <context ID> Log source: <source>. The packet was blocked because no matching network rule was found.

Network rules

Create a network rule, or check the configuration of existing network rules.

For information about creating and configuring network rules, see Network Concepts in ISA Server 2006.

30080

Date and time: <time> Packet context: <context ID> Log source: <source> Protocol: <name>

Outbound access rules and publishing rules

This message is status only, so no action is required.

30081

Date and time: <time> Packet context: <context ID> Log source: <source> Application filter: <name>

Outbound access rules and publishing rules

This message is status only, so no action is required.

30082

The packet was blocked because the maximum number of new non-TCP sessions per minute was exceeded for the matching rule.

Outbound access rules and publishing rules

ISA Server blocks requests from specific IP addresses with more than the specific limit of new non-TCP requests per minute. The default is 1,000 per minute. To specify an exception for specific IP addresses, click the General node on the ISA Server Management console. In the Details pane, click Configure Flood Mitigation Settings, and then, on the IP Exceptions tab, click Add to add network elements you want to exempt from the default settings. For more information, see Deployment Recommendations for Connection Limits in ISA Server 2004, and ISA Server Network Protection: Protecting Against Floods and Attacks.

30083

The rule matches and allows the traffic.

Outbound access and publishing rules

This message is status only, so no action is required.

30084

The action of the rule cannot be determined without evaluation by the Firewall service.

Outbound access and publishing rules

This message is status only, so no action is required. The request is now processed in user mode and not kernel mode.

30085

The rule matches and blocks the traffic.

Outbound access and publishing rules

This message is status only, so no action is required.

30087

The packet was blocked because no matching access rule was found.

Access rules

No rule in the firewall policy matches the relevant request, so it was blocked by the default deny rule. Check the properties of existing rules and create a new rule, if necessary.

30090

ISA Server cannot find a protocol definition that matches the destination port of the packet.

Access rules

If there should be a rule matching the protocol specified in the packet, then check the protocol properties of existing rules, and create a new rule with the required protocol if necessary.

30091

Date and time: <time> Packet context: <context ID> Log source: <source> Web Proxy properties: <properties> Client IP address: <address> Client port: <port> Local IP address: <address> Local port: <port> SecureNAT client: <name> Web proxy client: <name> Inbound traffic: <property>

Access rules

This message is status only, so no action is required.

30092

The SecureNAT client requested the destination IP address <name>.

Access rules

This message is status only, so no action is required.

30093

Date and time: <time> Packet context: <context ID> Log source: <source> HTTP method: <name>

Access rules

This message is status only, so no action is required.

30094

Date and time: <time> Packet context: <context> Log source: <source> HTTP URL: <URL>

All rules

This message is status only, so no action is required.

30095

Date and time: <time> Packet context: <context ID> Log source: <source> HTTP Host header: <header>

All rules

This message is status only, so no action is required.

30096

Date and time: <time> Packet context: <context ID> Log source: <source> HTTP User-Agent: <name>

All rules

This message is status only, so no action is required.

30097

Date and time: <time> Packet context: <context ID> Log source: <source> User name: <name>

All rules

This message is status only, so no action is required.

30098

Date and time: <time> Packet context: <context ID> Log source: <source> User namespace: <name>

All rules

This message is status only, so no action is required.

30099

ISA Server will authenticate the client using <type> authentication.

All rules

This message is status only, so no action is required.

30100

ISA Server will authenticate the client using Digest authentication.

All rules

This message is status only, so no action is required.

30101

ISA Server will authenticate the client using Basic authentication.

All rules

This message is status only, so no action is required.

30102

The policy rule <name> matches the inbound Web request and will deny it.

Publishing rules

If this action is in accordance with the desired policy, then no action is required. If not, check the properties of the rule blocking the request and check rule ordering.

30103

ISA Server will connect to the Web server <name> on the IP address <address> and port <port>.

Publishing rules

If the request fails, verify that the name, IP address, and port number are correct.

30104

ISA Server failed to connect to the Web server <name>. Error code: <code number>

Publishing rules

Check the details provided in event 30103 in order to ensure that the connection was attempted on the correct server, IP address, and port. If necessary, modify settings on the To tab of the publishing rule properties.

30105

ISA Server is forwarding the request to the target host server for the path <name>.

Publishing rules

This message is status only, so no action is required.

30106

Date and time: <time> Packet context: <context> Log source: <name> Target Host header: <header>

This message is status only, so no action is required.

30107

Date and time: <time> Packet context: <context> Log source: <name> Web response properties: <properties> Response status: <status> Response MIME content type: <type> Response Via header: <header> HTTP Server header: <header>

This message is status only, so no action is required.

30108

Date and time: <time> Packet context: <context> Log source: <name> Request source: <source>

This message is status only, so no action is required.

30109

The Web publishing rule <name> requires client authentication.

This message is status only, so no action is required.

30111

The packet matches the Web chaining rule <name>.

Web chaining rules

This message is status only, so no action is required.

30112

The Web chaining rule <name> denied access.

Web chaining rules

If this action is in accordance with the desired policy, then no action is required. If not, check the properties of the rule blocking the request and check rule ordering.

30113

The Web request matches the cache rule <name>.

Cache rules

This message is status only, so no action is required.

30114

The access rule <name> allows the Web request.

Access rules

This message is status only, so no action is required.

30115

The access rule <name> denies the Web request.

Access rules

If this action is in accordance with the desired policy, then no action is required. If not, check the properties of the rule blocking the request and check rule ordering.

30116

The access rule <name> denied the Web request, and a custom Web page was returned to the client.

Access rules

If this action is in accordance with the desired policy, then no action is required. If not, check the properties of the rule blocking the request and check rule ordering.

30117

A MIME content type is required. The access rule <name> should be rechecked after the response arrives.

Access rules

This message is status only, so no action is required. The rule requires a content type in order to determine whether traffic is allowed. ISA Server makes a request to the Web server in order to get the response content-type before evaluating the rule.

30118

User authentication is required. The access rule <name> should be rechecked after the user is authenticated.

Access rules

This message is status only, so no action is required. The rule requires user authentication in order to determine whether traffic is allowed. ISA Server authenticates the user before evaluating the rule.

30119

DNS name resolution is required. The access rule <name> should be rechecked after DNS name resolution is performed.

Access rules

This message is status only, so no action is required. The rule requires name resolution in order to determine whether traffic is allowed. ISA Server resolves the name before evaluating the rule.

30120

The Web request is denied because the limit configured for the maximum number of new requests per minute was exceeded.

Access rules

ISA Server blocks requests when an access rule exceeds the default limit of 1,000 non-TCP connections per minute.

ISA Server also blocks requests from a specific IP address if HTTP requests per minute exceed 600.

You can configure specific IP addresses as exemptions to the default limits. For exempt addresses, HTTP requests per minute are limited by default to 6,000. Default limits can be modified.

To configure flood mitigation settings, click the General node on the ISA Server Management console, and then, in the Details pane, click Configure Flood Mitigation Settings. For more information, see Deployment Recommendations for Connection Limits in ISA Server 2004, and ISA Server Network Protection: Protecting Against Floods and Attacks.

30121

The packet matches the network rule <name>, which specifies a NAT network relationship.

Network rules

This message is status only, so no action is required.

30122

The packet matches the network rule <name>, which specifies a route network relationship.

Network rules

This message is status only, so no action is required.

30123

Authentication failed. Error = <errorcode>

Access rules and Web publishing rules

Check the error code.

30124

Authentication succeeded.

Access rules and Web publishing rules

This message is status only, so no action is required.

30125

Authentication is in progress. Authentication will fail for the current request, but the client should continue to attempt to authenticate on the same connection.

Access rules and Web publishing rules

This message is status only, so no action is required. This message provides information about the NTLM authentication process.

30126

The connected client is already authenticated.

Access rules and Web publishing rules

This message is status only, so no action is required.

30127

There was a change in the client authentication method while authentication was in progress. Authentication failed with error: <errorcode>.

Access rules

This usually indicates a problem with a Web client.

30128

ISA Server authentication Web filter is handling client authentication.

All rules

This message is status only, so no action is required.

30129

ISA Server cannot authenticate the client because the client's request does not contain Proxy-Authorization or Authorization headers.

Access rules

This may happen when Basic authentication is used and the first request is anonymous. It may also occur if there are issues with the Web client or if there is a problem with the authentication method used by the client.

30130

ISA Server is trying to authenticate the connected client using an SSL client certificate.

Publishing rules and Web chaining rules

No action is required. This message is status only when the rule requires clients to authenticate by using a client certificate.

30131

Authentication failed because the client did not send an SSL certificate.

Publishing rules and Web chaining rules

The rule is configured to require a client certificate, which was not provided. If a client certificate is not required, clear this setting on the rule properties. If a client certificate is required, ensure that clients have a relevant certificate from a commercial certification authority (CA) or from an internal CA in your organization.

30132

ISA Server tries to authenticate a connected client.

All rules

This message is status only, so no action is required.

30133

RADIUS authentication failed because the RADIUS Web filter is disabled.

All rules

To enable the RADIUS Web filter, on the ISA Server Management console, click the Add-ins node, right-click RADIUS Authentication Filter, and then click Enable.

30134

Forms-based authentication for Outlook Web Access failed because the OWA Forms-Based Web filter is disabled.

All rules

To enable the Forms-Based Web filter, on the ISA Server Management console, click the Add-ins node, right-click the Forms-Based Authentication filter, and then click Enable.

30135

SecurID authentication failed because the RSA SecurID Web filter is disabled.

All rules

To enable the SecurID Filter, on the ISA Server Management console, click the Add-ins node, right-click SecurID Filter, and then click Enable.

30136

ISA Server rejected the request with the HTTP status code <code number> and will return the following error message to the Web client <message>.

All rules

Check the status code and error message.

30137

ISA Server obtained the MIME content type of the response and will use it to recheck the policy rules.

Access rules

This message is status only, so no action is required. The rule requires a content type in order to determine whether traffic is allowed. ISA Server made a request to the Web server in order to get the response content-type before evaluating the rule.

30138

ISA Server is redirecting the request to the alternate Web site.

Web chaining rule

This message is status only, so no action is required. The Web chaining rule is configured to redirect the request. For more information, see Chaining Concepts in ISA Server 2006.

30139

ISA Server is directing the request to an upstream proxy server.

Web chaining rules

This message is status only, so no action is required.

30140

The upstream proxy server is an array. Therefore, ISA Server performed client-side CARP and will send the request to the array member <name>.

Web chaining rules

This message is status only, so no action is required.

30141

ISA Server will send the request to the upstream proxy server <name>, which is not an array.

Web chaining rules

This message is status only, so no action is required.

30142

ISA Server started checking the policy rules for a Web request.

Access rules

This message is status only, so no action is required.

30143

The connected client was not authenticated. Only policy rules that apply to all users, including anonymous users, can be evaluated for this request. If rule evaluation cannot be completed without user authentication, ISA Server will return a response with HTTP error 401 (Unauthorized) or 407 (Proxy Authentication Required), allowing the client to submit the request again with user credentials.

Access rules

This message is status only, so no action is required.

30144

The connected client %4 was authenticated.

All rules

This message is status only, so no action is required.

30145

ISA Server started checking Web publishing rules.

Publishing rules

This message is status only, so no action is required.

30146

ISA Server will renegotiate the SSL connection with the client and request an SSL client certificate.

Publishing rules

This message is status only, so no action is required.

30148

ISA Server requested an SSL client certificate, but either the client did not supply a certificate or SSL client certificate authentication failed. The request will be denied.

Publishing rules

If a client certificate is required, ensure that clients have a relevant certificate from a commercial CA or from an internal CA in your organization.

If clients have a certificate, ensure that the client certificate is valid. The certificate must contain the private key for the account to which the certificate is mapped.

30149

ISA Server denied the request with the following error: %4

All rules

Check the error code.

30150

The Web publishing rule <name> will allow the Web request.

Publishing rules

No action is required.

30151

The request will be denied because the Web client failed authentication.

Access rules

Check the following:

  • For rules requiring authentication, check that the client is included in user groups configured for the rule.
  • If you do not want the client to authenticate, check that you have a rule allowing anonymous access.
  • Check that the network on which requests are received is not configured with the setting "Require all users to authenticate". If this setting is enabled, all users must be authenticated for Web access, and rules are not evaluated for a request until users are authenticated successfully.
  • Client computers configured as SecureNAT clients only (with a default gateway pointing to ISA Server) are not able to present authentication credentials.

30152

ISA Server started checking the access rules.

Access rules

This message is status only, so no action is required.

30153

ISA Server requires the MIME content type of the response to complete policy rule evaluation.

Access rules

This message is status only, so no action is required. The rule requires a content type in order to determine whether traffic is allowed. ISA Server makes a request to the Web server in order to get the response content-type before evaluating the rule.

30154

ISA Server attempted to evaluate the policy rules without resolving the name of the requested destination. Name resolution will now commence.

Access rules

This message is status only, so no action is required.

30155

ISA Server started rechecking the access rules after resolving the name of the requested destination through a DNS query.

Access rules

This message is status only, so no action is required.

30156

ISA Server started to check the Web chaining rules.

Web chaining rules

This message is status only, so no action is required.

30157

ISA Server will assume that the destination is in the External network because the destination name cannot be resolved. ISA Server will recheck the access rules.

Access rules

Check that the destination name specified in the packet can be resolved by the ISA Server computer to an address inside an internal ISA Server network.

30158

The deny access rule <name> matches the Web request. The Web request is denied.

Access rules

If this action is in accordance with the desired policy, then no action is required. If not, check the properties of the rule blocking the request and check rule ordering.

30159

ISA Server completed checking the policy rules for the Web request.

Access rules

This message is status only, so no action is required.

30160

Evaluation of the access rules requires user authentication, but the connected client is anonymous.

Access rules

Check the following:

  • For rules requiring authentication, check that the client is included in user groups configured for the rule. Client computers configured as SecureNAT clients only (with a default gateway pointing to ISA Server) are not able to present authentication credentials.
  • If you do not want the client to authenticate, check that you have a rule allowing anonymous access.
  • Also, check that the network on which requests are received is not configured with the setting "Require all users to authenticate". If this setting is enabled, all users must be authenticated for Web access, and rules are not evaluated for a request until users are authenticated successfully.

30162

The request will be denied because the matching access rule denies access.

Access rules

If this action is in accordance with the desired policy, then no action is required. If not, check the properties of the rule blocking the request and check rule ordering.

30163

ISA Server recognizes the client as a SecureNAT client and will check all rules that apply to TCP port <port number>.

Access rules

This message is status only, so no action is required.

30165

ISA Server recognizes the client as a Web proxy client and will check all rules that apply to the HTTP protocol.

Access rules

This message is status only, so no action is required.

30166

ISA Server recognizes the client as a Web proxy client and will check all rules that apply to the HTTPS protocol.

Access rules

This message is status only, so no action is required.

30167

ISA Server failed to perform a reverse DNS lookup and will attempt to continue with the available information. Error: <error code>.

Access rules

Check the error code for more information. In addition, check that rule elements containing IP addresses are resolvable.

30168

ISA Server succeeded to perform a reverse DNS lookup. The host name is <name>.

Access rules

This message is status only, so no action is required.

30169

ISA Server is performing DNS name resolution for the host name <name>.

All rules

This message is status only, so no action is required.

30170

ISA Server failed to perform DNS name resolution and will attempt to continue with the available information. Error: <code>.

All rules

Without successful name resolution, ISA Server may not be able to match the packet to the rule. Check that rule elements are resolvable.

30171

ISA Server succeeded to perform DNS name resolution for the host name <name>.

All rules

No action is required.

30172

ISA Server is forwarding the Web request directly to the specified destination.

All rules

This message is status only, so no action is required.

30173

ISA Server recognizes the client as a Web proxy client and will check all rules that apply to the FTP (FTP over HTTP) protocol.

Access rules

This message is status only, so no action is required.

30174

ISA Server denied a request because policy rule <name> requires authentication before allowing traffic.

All rules

This message is status only, so no action is required.

30500

ISA Server denied a request because policy rule <name> requires authentication before allowing traffic.

Access rules

Check that the client making the request is included in user groups configured for the rule. Client computers configured as SecureNAT clients only (with a default gateway pointing to ISA Server) are not able to present authentication credentials.

If you do not want to authenticate the client, check that you have a rule allowing anonymous access.

30501

ISA Server denied a Web request because policy rule <name> requires authentication before allowing traffic.

Access rules

Check that the network on which requests are received is not configured with the setting "Require all users to authenticate". If this setting is enabled, all users must be authenticated for Web access, and rules are not evaluated for a request until users are authenticated successfully.

30502

Traffic was denied by rule <name> after user <name> was authenticated. To configure ISA Server to request different credentials instead of denying a Web request, set the ReturnAuthRequiredIfAuthUserDenied COM property to True. For more information and a script for configuring this property, see https://go.microsoft.com/fwlink?LinkId=51097

Access rules

When the ReturnAuthRequiredIfAuthUserDenied property is set to True, clients denied access with an initial set of credentials are given the opportunity to input alternative credentials. When the property is set to False, clients are denied access and do not receive a prompt for new credentials.

In ISA Server 2004, the ReturnAuthRequiredIfAuthUserDenied property is set to True by default. In ISA Server 2006, the default setting is False. This setting cannot be specified on the ISA Server Management console. Instead, set the property by using the Software Development Kit (SDK).

30503

An authentication response from a domain controller took <time> seconds. A delay in the response may result in slow Web traffic. The problem may be caused by an incorrect domain controller configuration, a high load on the domain controller, a current reboot of the domain controller, or a network problem.

All rules requiring authentication

Troubleshoot authentication issues with the domain controller. The following resources may be useful:

30504

User authentication failed. The request was denied because the password for user <name> expired. To resolve this problem, the user must request a new password in Active Directory.

All rules requiring authentication

Complete a reset for the user password.

30506

RADIUS authentication failed because RADIUS server settings have not been configured in ISA Server Management. To resolve this issue, define one or more RADIUS servers. To do this, in ISA Server Management, click the General node. On the Tasks pane, click Define RADIUS Servers, and follow the online instructions.

All rules requiring authentication

Configure a RADIUS server to be used by ISA Server for authentication. To do this, on the ISA Server Management console, click the General node, and then in the Tasks pane, click Define RADIUS Server. For more information, see the following Microsoft TechNet resources:

30507

RADIUS authentication failed because the RADIUS server <name> could not be contacted. This may happen because a deny rule blocks RADIUS traffic, the RADIUS server is unavailable, or there is a network problem. Verify that the system policy rule "Allow RADIUS authentication from ISA server to trusted RADIUS servers" is enabled, and that the RADIUS server is located in the network object specified in the rule destination.

All rules requiring authentication

  • Check network issues by pinging the RADIUS server from another computer.
  • Check that the same secret is specified on the RADIUS server and on the ISA Server computer.
  • Check that ISA Server is defined correctly as a RADIUS client.
  • Review event logs on the RADIUS server.
  • To verify the system policy rule, on the ISA Server Management console, right-click the Firewall Policy node, click Edit System Policy. In the Configuration Groups list, click RADIUS, and then do the following:
    • On the General tab, verify that the Enable this configuration group check box is selected.
    • On the From tab, verify that the specified network objects contain the RADIUS server. For example, if the default Internal network appears, then the RADIUS server should be located in the default Internal network.

30508

RADIUS authentication failed because user <name> could not be authenticated by the RADIUS server.

All rules requiring authentication

Ensure that the user belongs to the user accounts to which access is permitted. If you are controlling access by means of a remote access policy in RADIUS, ensure that the user account that is permitted access has dial-in permissions.

30509

RADIUS authentication failed because user <name> could not respond to the challenge issued by the RADIUS server.

All rules requiring authentication

ISA Server cannot respond to a challenge from the RADIUS server. Configure the RADIUS server so that it does not issue a challenge to the ISA Server RADIUS client.

30510

Active Directory authentication failed because a domain controller could not be contacted. This may happen because ISA Server blocks the authentication request, the domain controller is unavailable, or there is a name resolution problem or a connectivity issue. Verify that the system policy rule "Allow access to directory services for authentication purposes" is enabled and allows traffic to the domain controller.

All rules requiring authentication

Check network issues by pinging the Active Directory server from another computer.

Check the Windows Event viewer on the ISA Server computer for NetLogon problems or similar issues.

On the ISA Server Management console, right-click the Firewall Policy node, and then click Edit System Policy. In the Configuration Groups list, click Active Directory, and then do the following:

  • On the General tab, verify that the Enable this configuration group check box is selected.
  • On the From tab, verify that the specified network objects contain the Active Directory server. For example, if the default Internal network appears, then the Active Directory server should be located in the default Internal network.

30511

Active Directory authentication failed because the token passed is invalid. This may happen because the time of the client does not match the time of the domain controller.

All rules requiring authentication

Troubleshoot authentication issues with the domain controller. The following resources may be useful:

30512

Active Directory authentication failed because there was not enough memory available on the domain controller to complete the task.

All rules requiring authentication

Troubleshoot authentication issues with the domain controller. See the previous entry for resource links.

30513

The RSA SecurID server has rejected the passcode for user <name>.

All rules requiring authentication

Check settings on the SecurID server.

30514

The RSA SecurID server requested a new PIN for user <name>.

All rules requiring authentication

ISA Server will prompt the user for a new PIN.

30515

The authentication methods required by the ISA Server computer and a published Web server are incompatible. ISA Server requires <authenticationmethod> authentication, while the Web server requires <authenticationmethod> authentication. Internet Explorer does not support two different authentication methods on the same connection. To resolve this problem, either disable authentication on the ISA Server computer or on the Web server. Alternatively, use Basic authentication on both, and select the delegate Basic authentication option on the ISA Server Web listener.

All rules requiring authentication

To disable authentication on the ISA Server computer, on the Listener tab of the publishing rule, click Properties, and then on the Authentication tab of the listener properties, select No authentication in Method clients use to authenticate to ISA Server.

To specify that Basic authentication should be used and credentials delegated to the published Web server, do the following:

  • On the Listener tab of the publishing rule, click Properties. On the Authentication tab of the listener properties, select HTTP Authentication in Method clients use to authenticate to ISA Server, and then select Basic. Click OK to close the listener properties.
  • Click the Authentication Delegation tab of the rule properties, and then select Basic authentication in Method used by ISA Server to authenticate to the published Web server.

Note that modifying the listener affects all publishing rules using the listener.

30516

ISA Server started checking the policy rules for a Web request with the target path <name>.

This message is status only, so no action is required.

30518

Checking for secondary inbound traffic. Packet properties: Original source IP address: <IP address> Original source array network: <name> Original destination array network: <name>

Inbound access

This message is status only, so no action is required.
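The following is an added example, not part of the original document or of ISA Server: it groups diagnostic events by their Packet context field and reports the last decision event for each request, since rules can be rechecked after authentication, DNS resolution or MIME type retrieval. The event IDs come from the table above; the line layout (event ID, a tab, then the message text), the context IDs, rule names and timestamps are constructed assumptions.

```python
import re
from collections import defaultdict

# Event IDs from the table above, grouped by their meaning for triage.
ALLOW = {30083, 30114, 30150}
DENY = {30078, 30085, 30087, 30102, 30112, 30115, 30116, 30149,
        30151, 30158, 30162, 30174, 30500, 30501, 30502}
FLOOD = {30073, 30082, 30120}          # flood mitigation limits exceeded
AUTH_FAILURE = {30123, 30127, 30131, 30133, 30134, 30135, 30148,
                30504, 30506, 30507, 30508, 30509, 30510, 30511,
                30512, 30513}

# Assumed export layout: "<event id>\t<message>", where the message
# carries the "Packet context: <context ID>" field shown in the table.
LINE = re.compile(r"^(?P<id>\d{5})\t(?P<msg>.*Packet context: (?P<ctx>\S+).*)$")


def parse(lines):
    """Yield (context, event_id, message); lines that do not fit are skipped."""
    for line in lines:
        m = LINE.match(line.rstrip("\n"))
        if m:
            yield m["ctx"], int(m["id"]), m["msg"]


def triage(lines):
    """Return {context: {"verdict", "decided_by", "auth_failures", "events"}}."""
    traces = defaultdict(list)
    for ctx, event_id, _msg in parse(lines):
        traces[ctx].append(event_id)

    report = {}
    for ctx, events in traces.items():
        verdict, decided_by = "undecided", None
        # The last decision event wins: an earlier "recheck" or status event
        # does not determine the outcome of the request.
        for event_id in events:
            if event_id in ALLOW:
                verdict, decided_by = "allowed", event_id
            elif event_id in FLOOD:
                verdict, decided_by = "denied (flood mitigation)", event_id
            elif event_id in DENY:
                verdict, decided_by = "denied", event_id
        report[ctx] = {
            "verdict": verdict,
            "decided_by": decided_by,
            "auth_failures": [e for e in events if e in AUTH_FAILURE],
            "events": events,
        }
    return report


def needs_action(report):
    """Contexts whose request was not allowed, in first-seen order."""
    return [ctx for ctx, r in report.items() if r["verdict"] != "allowed"]


def sample_line(event_id, ctx, text):
    """Build one constructed record in the assumed layout."""
    return (f"{event_id}\tDate and time: 2008-07-01 10:00:00 "
            f"Packet context: {ctx} Log source: constructed {text}")


# Constructed sample: three requests plus one line that is not a record.
SAMPLE = [
    sample_line(30142, "0x1a01", "ISA Server started checking the policy rules for a Web request."),
    sample_line(30118, "0x1a01", "User authentication is required. The access rule Allow-Staff should be rechecked after the user is authenticated."),
    sample_line(30124, "0x1a01", "Authentication succeeded."),
    sample_line(30114, "0x1a01", "The access rule Allow-Staff allows the Web request."),
    sample_line(30142, "0x1a02", "ISA Server started checking the policy rules for a Web request."),
    sample_line(30123, "0x1a02", "Authentication failed. Error = 5"),
    sample_line(30151, "0x1a02", "The request will be denied because the Web client failed authentication."),
    sample_line(30120, "0x1a03", "The Web request is denied because the limit configured for the maximum number of new requests per minute was exceeded."),
    "viewer banner text that is not an event record",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for ctx in needs_action(result):
        print(ctx, result[ctx]["verdict"], "event", result[ctx]["decided_by"],
              "auth failures:", result[ctx]["auth_failures"])
```

For each context listed by `needs_action`, look up the `decided_by` event ID in the table above to find the suggested action.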