Troubleshooting Alert Action Failures

  • Article

The alert service of Microsoft® Internet Security and Acceleration (ISA) Server 2004 notifies you when specified events occur. Alerts are displayed in the Alerts tab of the Dashboard view of ISA Server Management. When configuring alerts, you can set one or more of the following actions to be performed when an alert condition is met:

  • Send an e-mail message.
  • Run a specific command.
  • Log the event in the Windows® event log.
  • Stop or start the Microsoft Firewall service or Scheduled Content Download service.

ISA Server provides an alert called Alert Action Failure, which informs you if any action that is supposed to be performed by an alert fails to happen.

Causes

Tips

Causes

There are a number of reasons why configured alert actions fail, including:

  • Action: Send an e-mail message:
    • Mail server settings were not specified correctly. This could be an incorrect server setting or incorrect mail details (to/from).
    • A mail server rejected the message.
    • The mail server was not available.
  • Action: Run a program:
    • A program name or path was not correctly specified.
    • A program failed to start due to a missing dependency dynamic link library (DLL).
    • There were incorrect command-line parameters.
    • The user account configured to run the program does not exist.
    • The user account configured to run the program does not have the required permissions.
  • Alert: Start a service:
    • A service that is specified to start is already started.
  • Alert: Stop a service:
    • A service that is specified to stop is already stopped.
    • There are configuration or permission issues that prevent a service from starting.
  • Event log full (this is not common, but can happen).

Tips

To avoid these types of errors, ensure the following:

  • If you configure an alert to send an e-mail message using an SMTP server located on the Internal network, you must enable the system policy rule that allows the Local Host network to access the Internal network using the SMTP protocol. In the System Policy Editor of ISA Server Management, in the Remote Monitoring configuration group, select SMTP and then click Enable. The Allow SMTP protocol from firewall to trusted servers rule is enabled.
  • If you configure an alert to send an e-mail message using an external SMTP server, you must create an access rule that allows the Local Host network to access the External network (or the network on which the SMTP server is located), using the SMTP protocol.
  • If you specify an alert to run a program, the program path specified must exist on the ISA Server computer, and we recommend that you use an environment variable (such as %SystemDrive%) within the path name.
  • If you configure an alert to run a program, the user account configured to run the program should have Logon As Batch privileges. By default, programs run under the LocalSystem account, and this account has these privileges. Use the Windows local security policy to configure user permissions.
  • You can configure the Alert Action Failure alert with the same action settings as other alerts. We recommend that you do not edit properties for this alert. If the action for this alert fails, the failure is not registered anywhere, and troubleshooting will be difficult.
  • If you encounter an Alert Action Failure event, we recommend that you check the event log for action failures. In the event log, check the event message associated with the failure, and check the previous events issued before the action failure event. They may provide additional information about which action failed.