SBS 2003 Premium Edition

[stimpyman77]

Hi all,

Just wondering if someone could shed some light on this situation. I have a SBS 2003 machine running on a Dell Poweredge 830 with 2GB Ram all updates applied. The only other software on the system is Trend Micro Client Server SMB Suite Version 3.0 and Dell Server Administrator. They are both at the most recent patch levels. Today, I get a call that the network is down, no internet, no fileshares, printing, nada. RDP was not answering for me to remotely tshoot the issue. So I had them reboot the server and everything comes back up fine. I see the following in the logs:

Event ID: 14057

Faulting application wspsrv.exe, version 4.0.2165.594, stamp 43cd50a5, faulting module w3filter.dll, version 4.0.2165.594, stamp 43cd5092, debug? 0, fault address 0x0008dcc5.

Followed by:

The Firewall service stopped because an application filter module C:\Program Files\Microsoft ISA Server\w3filter.dll generated an exception code C0000005 in address 6477DCC5 when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service.

No extra filters are installed. So I wonder what would have caused this? When I google w3filter.dll I come up with a cert advisory about a potential overflow in beta 2 of ISA 2004. This is an updated install at service pack 2. Nothing nonstandard as far as configuration goes. 5 Clients are configured using the Firewall client and the SBS box has a router in front of it forwarding the necessary ports. Machine has been running flawless for 2 months and out of nowhere this! Any thoughts?

 

[spyordie007]

Sorry no suggestions specific to your problem; I would try contacting Microsoft PSS about this issue.

 

[stash]

Are you running backupexec?

This can happen if you are using the caching features of ISA and not excluding that directory. Backup software can keep open handles on files in the cache directory and cause corruption. This may also happen with other backup software besides backup exec. So if you are using caching, try excluding the cache directory from your backups.

 

[smashp]

aaahhh the not so joys of ISA server. Ill stick to real routers and firewalls.

 

[stash]

ISA is a firewall. A very good one.

 

[Bluestealth]

I think he means hardware based firewalls and routers stash.... the kind that don't crash.

 

[smashp]

Originally posted by: Bluestealth
I think he means hardware based firewalls and routers stash.... the kind that don't crash.

correct

 

[stash]

:disgust:
That's funny. Every ISA firewall I've ever seen runs on a physical box. Is that not a hardware firewall?

Or put another way, does a 'hardware firewall' not have software on it?

And your stability comment is crap. Microsoft uses ISA globally, so if it's good enough for them, it can handle pretty much anything. And they have been using ISA 2004 in production since the betas.

 

[RebateMonger]

I see UseNet posts referring to this identical error as far back as a year ago. The only proposed solutions I've seen are:

1) Reinstall ISA 2004 (this came from an MS employee)
2) Call PSS

I'd likely be a lot faster to backup the settings and re-install ISA than to call PSS.

As you probably know, there've also been a few recent anti-virus-caused Server issues. I just had one with CA's AV on one of my SBS Servers, where the AV caused some critical services to be non-reponsive. Trend has also caused a couple recent similar problems on other's Servers.

 

[stash]

I would try the backup exception thing before a full reinstall.

 

[Bluestealth]

Originally posted by: stash
:disgust:
That's funny. Every ISA firewall I've ever seen runs on a physical box. Is that not a hardware firewall?

Or put another way, does a 'hardware firewall' not have software on it?

And your stability comment is crap. Microsoft uses ISA globally, so if it's good enough for them, it can handle pretty much anything. And they have been using ISA 2004 in production since the betas.

All firewalls run software at some level, hardware firewalls are more applicance based and do packet filtering. They are a good front line defense but should be followed up with a software firewall on your server... I am very against the idea of having your main firewall, router, etc... all on one computer... btw routers run software too, but when is the last time you have seen IOS crash?

 

[RebateMonger]

Originally posted by: Bluestealth
... btw routers run software too, but when is the last time you have seen IOS crash?

Well, the HOME-type routers seem to have a lot of crashes for people. So, hardware routers CAN crash. I've seen Linksys and DLink routers that had apparent software problems (that were fixed by firmware updates or simple reflashes).

Admittedly I don't recall any crashes on the few big Ciscos that I use, and few on the Cisco 678/675 routers that I've used. Of course, the Code Red worm pretty much made for Cisco 678/675 crashes. And the 678/675 had horrible bugs in their web interfaces.

ISA 2004 is a VERY complex piece of software. I haven't had any hard crashes with any of my ISA boxes, but there CAN be some complicated interactions with it and other software. MS CRM 3.0, for instance, is having some issues with people trying to do remote access. And the ISA product does NOT have a lot of experts, even at Microsoft, so troubleshooting of interaction problems can be frustrating.

 

[smashp]

Originally posted by: stash
:disgust:
That's funny. Every ISA firewall I've ever seen runs on a physical box. Is that not a hardware firewall?

Or put another way, does a 'hardware firewall' not have software on it?

And your stability comment is crap. Microsoft uses ISA globally, so if it's good enough for them, it can handle pretty much anything. And they have been using ISA 2004 in production since the betas.

ISA is an application firewall primarily but other solutions should be used for general protection and seperation of the network.

 

[stimpyman77]

Hey everyone, thanks for the replys.. I appreciate it!

Stash, I am not using backup exec but the builtin Windows Backup. I would assume that the same applies. I had already excluded the cache directory from the backup job, but I reconfigured it and made sure that it was selected as excluded just in case something was amiss.. I did notice that TrendMicro was not excluding the cache folder from its scans, that change was made as well. Nothing on the box is touching any of the ISA directories as of right now. So I guess that the waiting game comes into play now to see if it happens again. I did find someone that experienced the same problem on the ISAServer.org forums but there was no solution, even the resident guru's there were a little baffled. I will wait and see how it goes and if this issue comes up again I will open a case with Microsoft PSS.

RebateMonger, do you have any linkage on those Trend issues you were referring to? I did have to apply a hotfix as soon as it was installed to get the automated server reports to be sendable to other domains besides the local one. I have not see too much else on it, but if you have any additional info, that would be great!

All in all, I think ISA is a pretty feature rich and capable firewall. I mean where else would you even come close to this functionality for the cost. The licensing fees alone for some products exceed the cost of the whole ISA product itself, being bundled in SBS only increases that value. All software has it's issues, it is made by humans after all, so it is not perfect. Like Stash said, if Microsoft can use it then it is definately good enough for my usage. I just hope this is not one of those little imperfections that grows to take a bite out of my a$$...

Thanks again! :beer:'s for all!

 

[RebateMonger]

Originally posted by: stimpyman77
RebateMonger, do you have any linkage on those Trend issues you were referring to? I did have to apply a hotfix as soon as it was installed to get the automated server reports to be sendable to other domains besides the local one. I have not see too much else on it, but if you have any additional info, that would be great!

Sorry, I don't have any specific links. I follow the several SBS newsgroups on Yahoo and recall some serious Trend-caused SBS problems a few months ago. I don't have Trend on any of my SBS domains, so I don't know the specifics. I also recall reading of similar occasional issues with most of the AV products. And I definitely had CA's Etrust do a number on one of my SBS servers (but not the rest of them).

There's also, apparently, a brand-new hotfix for ISA 2004 SP2 out, but it doesn't seem to apply to your symptoms.

"You can call PSS and ask for the fix for KB 915045.
The KB isn't published yet, but this is the number PSS needs to access the
public fix. You must either open a case with them or wait for it so appear on MU (ASAP).

This package fixes the following issues introduced in ISA 2004 Service Pack 2:
"502 Proxy Error. The HTTP Request includes a non-supported header."
(www.delta.com)
"500 Internal Server Error; Not implemented (-2147467263)" (OWA zip files)
"The server supplied a compressed response although ISA Server did not request
compression" (iTunes)."

 

[stimpyman77]

I saw that hotfix info as well. I have only experienced that error one time. According to other research, that error is more of a notification than a hard error. In cases that meet the critera, it is the sending server that causes ISA to give this response. ISA is functioning correctly and it is the sending webserver that is not sticking to one of the RFC's
in handling headers..

Thanks !

 

[spyordie007]

but when is the last time you have seen IOS crash?

I've seen IOS crash plenty of times, and it cant provide the same level of protection as ISA.

...and few on the Cisco 678/675 routers that I've used. Of course, the Code Red worm pretty much made for Cisco 678/675 crashes. And the 678/675 had horrible bugs in their web interfaces.

Those things were pretty bad, especially early on. I worked for USWest/Qwest when Code Red was released, they pulled everyone and stuck us all on the phones; I just loved walking customers through connecting up the console cable and disabling the web interface... :roll:

But anyway the 675/678s did not run IOS, they ran CBOS (Cisco Broadband Operating System - an "updated" version of NSOS which they bought from Netscreen). IOS is *much* better than CBOS

 

[Bluestealth]

Originally posted by: RebateMonger

Originally posted by: Bluestealth
... btw routers run software too, but when is the last time you have seen IOS crash?

Well, the HOME-type routers seem to have a lot of crashes for people. So, hardware routers CAN crash. I've seen Linksys and DLink routers that had apparent software problems (that were fixed by firmware updates or simple reflashes).

My little DI-604 has started to crash at home as of late(think its time is almost up), but it doesnt crash hard, just the webadmin and dhcp processes; the firewall, router, nat forwarding services, and dns services stay operational. Home routers seem to overheat easily, it is not neccessarly always bad code as to why they crash, but often times heat/high traffic that they were not designed to handle, or a failing cheap component hehehe.