Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.

Dismiss

Re: 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED

32 views

Skip to first unread message

Alex65

unread,

May 9, 2006, 4:39:37 AM5/9/06

Hola Carlos,
Creo que lo siguiente te puede dar una pista de lo que te está ocurriendo, y
cómo solucionarlo:

Stateful Inspection When using stateful inspection, all outgoing traffic is
logged in a state table. When the connection traffic returns to the
interface, the state table is checked to ensure that the traffic originated
from this interface. Stateful inspection ensures that traffic is only
allowed to pass if it matches the outgoing traffic requests. The state table
contains items such as destination IP address, source IP address, port being
called, and originating host. The easiest way to determine if traffic is
being dropped as a result of Stateful Inspection is to start a query on the
ISA servers logging tab under monitoring and viewing the result code. The
result code field is not present by default but can be added by right
clicking on monitoring, choosing view and then Add/Remote Columns. Here you
can add result code to the displayed columns. The result code that indicates
that stateful inspection is the cause of dropped packets is displayed as:
0xC0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED The common configurations that
results in problems related to the way ISA 2004 handles stateful inspection
is when a router circumvents ISA on the path back to a client. If clients
point to ISA for their default gateway, then ISA sends traffic to a router
that forwards it to its destination on the internet, the traffic should come
back to the client following the same path. However, if the router attempts
to send the traffic directly to the client on the way back, the traffic will
be dropped. Similarly, if clients point to a router for their default
gateway, then the router forwards traffic to ISA which then forwards traffic
to it's destination on the internet, the traffic should come back to the
client following the same path. However, if ISA attempts to send traffic
directly to the client on the way back, the state table won't contain the
correct originating address to allow the traffic back to the client. You
should verify that the client is pointing to ISA as its default gateway, or
the clients' default gateway is routing all traffic through ISA. You also
have to make sure that another Firewall is not routing the traffic directly
back to the client because ISA will drop the packet. Espero que te
ayude.Saludos.Ale65

0 new messages