
TMG 2010 connectivity lost when number of denied TCP exceeds limi


Chris Proud

Feb 1, 2010, 7:08:02 AM
TMG 2010 on Windows 2008 R2 x64

Whenever I get the alert "The number of denied TCP and non-TCP packets per
second exceeded the system limit. As a result, Forefront TMG reduced the
number of records of denied packets that are written in the log." all the TCP
port connectivity verifiers fail and any other new outgoing TCP connections,
like the SMTP alert. PING verifiers don't appear to be affected, nor do
current connections (I think). I think it is also affecting new connections
from workstations.

It appears to happen sporadically. Sometimes it can occur every 5 minutes
for half an hour, sometimes longer. It cleared itself this morning but the
other day a restart seemed to do the trick. Maybe it is linked to
something/one scanning our server.

Thanks

Jens Baier

Feb 1, 2010, 2:52:55 PM
Hi,

> Whenever I get the alert "The number of denied TCP and non-TCP packets per
> second exceeded the system limit. As a result, Forefront TMG reduced the
> number of records of denied packets that are written in the log." all the
> TCP port connectivity verifiers fail and any other new outgoing TCP
> connections, like the SMTP alert. PING verifiers don't appear to be
> affected, nor do current connections (I think). I think it is also
> affecting new connections from workstations.

Create an exception for these IP addresses in the Flood Mitigation settings.

--
Gruss Jens
www.it-training-grote.de
www.forefront-tmg.de
https://mvp.support.microsoft.com/profile/Marc.Grote
http://blog.it-training-grote.de

Chris Proud

Feb 4, 2010, 5:57:01 AM
Hi Gruss,

Thanks for your suggestion. I have already disabled flood mitigation because
it was causing all kinds of other problems! (I unticked "Mitigate flood
attacks and worm propagation", should I disable it anywhere else?)

What seems to be happening in my case is that ALL new connections are denied
when the global denied packets event occurs. I can't see how adding an
exception would help - the event indicates a global deny limit, not specific
to any IP. Where would I add the exception to?

Also, the event description does not indicate any kind of blocking should
occur, just that it's going to stop logging the packets.

Thanks

Chris

Chris Proud

Feb 11, 2010, 11:00:01 AM
Bump!

Chris Proud

Apr 21, 2010, 9:05:01 AM

This has started to happen again. It's being quite persistent at the moment.

Does anyone have any ideas what might be causing the problem?

Phillip Windell

Apr 22, 2010, 2:37:23 PM
You're gonna have to find the source.

They should be in the logs,..it still logs them,...it only says that it is
reducing the records, not eliminating them.

Does the alert give the source IP#?

It could be an infection on the LAN or a DoS attack from outside,...that's
why you have to find the source. The problem is not ISA,..the problem is
what is bombing the ISA.

--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
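
One way to do the "find the source" step suggested above, as an added example that is not part of the original thread: tally denied records per source IP and the peak denies per second for each source. It assumes a tab-separated text log export with a `#Fields:` header; the column names (`date`, `time`, `source`, `action`), the `Denied` action value and the sample rows are constructed assumptions, and sources are assumed to be IPv4 with an optional `:port`.

```python
from collections import Counter, defaultdict

# Constructed sample rows: (time, source IP, destination IP, action).
_rows = [("09:05:01", "192.0.2.77", f"198.51.100.{i}", "Denied") for i in range(1, 6)]
_rows += [("09:05:02", "192.0.2.77", "198.51.100.6", "Denied")] * 2
_rows += [("09:05:02", "203.0.113.5", "192.0.2.1", "Denied"),
          ("09:05:02", "192.0.2.10", "198.51.100.25", "Initiated Connection")]
SAMPLE_LOG = "#Fields: date\ttime\tsource\tdestination\taction\n" + "\n".join(
    f"2010-04-21\t{t}\t{s}:4312\t{d}:445\t{a}" for t, s, d, a in _rows)


def denied_by_source(text, action_value="Denied"):
    """Return (total denies per source, per-second deny counts per source)."""
    fields = []
    totals = Counter()
    per_second = defaultdict(Counter)
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            # Column order comes from the header, not from hard-coded positions.
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split("\t")))
        if row.get("action") != action_value:
            continue
        ip = row.get("source", "").rsplit(":", 1)[0]  # drop the port if present
        totals[ip] += 1
        per_second[ip][(row.get("date"), row.get("time"))] += 1
    return totals, per_second


def top_sources(text, n=3):
    """Rank sources by total denies; also report each one's busiest second."""
    totals, per_second = denied_by_source(text)
    return [(ip, count, max(per_second[ip].values()))
            for ip, count in totals.most_common(n)]


if __name__ == "__main__":
    for ip, total, peak in top_sources(SAMPLE_LOG):
        print(f"{ip}\tdenied={total}\tpeak_per_second={peak}")
```

Because the alert says the number of denied-packet records written to the log is reduced, treat these counts as a lower bound on the real deny rate.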

Luis Marques

Mar 8, 2012, 9:35:24 AM
Hi Chris,

Did you find something? I have had exactly the same problems for a few days.
