Cannot connect to a service from a particular client computer in ISA Server 2004 (838706)
The information in this article applies to:
- Microsoft Internet Security and Acceleration Server 2004, Standard Edition
- Microsoft Internet Security and Acceleration Server 2004, Enterprise Edition
SYMPTOMSA program that is running on a client computer may not be
able to connect to a service through Microsoft Internet Security and
Acceleration (ISA) Server 2004. In this scenario, the client program may crash
or may stop responding (hang). Additionally, the following event may be logged
in the Application log in Event Viewer on the ISA Server computer:
Event Source: Microsoft Firewall
Event Category: Packet filter
Event ID: 15113
Date:
date
Time: time
Type: Warning
User: N/A
Computer:
computername
Description: ISA Server
disconnected the following client: IP address
because its connection limit was exceeded.CAUSEThis behavior may occur if the computer that the client
program is running on has exceeded the number of concurrent connections that
ISA Server 2004 allows. ISA Server 2004 implements a connection limit (also
known as a quota) mechanism. By default, the number of concurrent connections
is limited to 160 for each client computer. If a client computer reaches this
connection limit, ISA Server 2004 implements one of the following connection
limit mechanisms:
- For User Datagram Protocol (UDP) connections, if a client
program reaches this connection limit, any additional UDP connections cause a
previous UDP connection to be dropped.
- For Transmission Control Protocol (TCP) connections, if a
client program reaches this connection limit, no additional connections are
permitted.
This functionality is included in ISA Server 2004 to help
prevent one particular computer from overloading the ISA Server computer with
connections. RESOLUTIONFor information about setting connection limits and about
how to troubleshoot this issue, visit the following Microsoft Web site: MORE INFORMATIONThis
behavior occurs on SecureNAT clients and on Microsoft Firewall clients (Web
proxy clients appear as SecureNAT client TCP connections to ISA in this
respect). This behavior is particularly noticeable if
you use a perimeter network (also known as a DMZ, a demilitarized zone, and a
screened subnet) with back-to-back ISA Server computers.
If you run
your ISA Server computers back-to-back to create a perimeter network, you are
more likely to experience this behavior. The internal ISA Server computer
translates all the internal clients by using the NAT protocol. The frames are
sent to the external ISA Server computer, and this computer uses the NAT
protocol to translate all the internal clients again. To the external ISA
Server computer, all the connections look similar to one client. The
connections use the perimeter network IP address of the internal ISA Server
computer. Therefore, to the external ISA Server computer, 40 internal clients
look similar to 1 client that has 40 different connections.
| Modification Type: | Major | Last Reviewed: | 5/2/2006 |
|---|
| Keywords: | kbEventLog kbNAT kbFirewall kbenv kbprb KB838706 kbAudITPRO |
|---|
|