Forefront TMG 2010 Firewall Service-based member of a Forefront TMG array stops responding when another Forefront TMG Firewall Service-based member is stopped

Consider the following scenario:

• Two members of a Microsoft Forefront Threat Management Gateway (TMG) array host Forefront TMG 2010 Firewall Service.
• You stop one member of the Forefront TMG array.

In this scenario, the other member stops responding to requests. Additionally, the FWX_E_IS_BUSY error is logged in the Firewall log.

This issue occurs because a continuous loop that creates new connections is formed between the Forefront TMG Firewall Service (fweng) driver and an instance of Forefront TMG Firewall Service. Therefore, the FWX_E_IS_BUSY error is logged in the Firewall log after a while, and the instance of Forefront TMG Firewall Service stops responding.

This loop occurs when a connection for a data pump is routed to the same local address that initiated the data pump.

Notes

• When this issue occurs, Web publishing fails, and then an instance of the 500 internal server error occurs. Also, flood mitigation quotas are reached, and then some alerts are raised.
• The communication between the two instances of Forefront TMG Firewall Service uses remote procedure calls (RPC). This RPC traffic is the traffic that initiates the continuous loop that creates new connections.
• The Windows dead gateway detection mechanism of Forefront TMG Firewall Service routes the data pump traffic to the same local address.

Update information

To resolve this issue, install the software update that is described in the following Microsoft Knowledge Base (KB) article:

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base: