One or more published sites may stop being available if you create more than 300 Web site publishing rules in ISA Server 2006 Enterprise Edition

Article translations Article translations
Article ID: 925288 - View products that this article applies to.
Expand all | Collapse all

SYMPTOMS

You add many virtual IP addresses in Microsoft Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition and publish many Web sites behind ISA Server 2006. After you do this, you experience the following symptoms:
  • One or more published sites may randomly stop being available on the port or ports on which they have been published. For example, a particular Web site may no longer be available on port 80 or on port 443. Or, the Web site may no longer be available on either port.
  • One or more events that resemble the following are logged in the Application log:

    Event Type: Warning
    Event ID: 14149
    Event Source: Microsoft ISA Server Web Proxy
    User: N/A
    Computer: ServerName
    Description: Web Proxy filter failed to listen to IP address port 443. The network adapter might not be functional. The error code specified in the Data area of the event properties indicates the cause of the failure.

  • If you configure tracing in ISA Server, the following information is displayed in the trace file:
    18169 [1]688.55c <date time> [ ] [SRV_GENERAL server CFwxListener::StartListenAndAccept FwxListener.cpp@635] Warning:No new accept allowed (may happen when there are many IP addresses and many web listeners), sm_InitListenerParams.MaxPendingAccepts < m_nDesiredPendingAccpets, hr = E_OUTOFMEMORY
You may experience this problem when you create more than 150 virtual IP addresses together with more than 300 Web site publishing rules in ISA Server 2006.

CAUSE

This problem occurs because of a limitation in the number of Web site publishing rules that ISA Server 2006 supports. By default, you cannot configure more than 300 Web site publishing rules in ISA Server 2006.

This problem occurs because 15,000 sockets are available for use with Web listeners. By default, each Web listener allocates 50 sockets from this pool to accept client requests. By default, this gives you a maximum number of 300 Web listeners.

RESOLUTION

To resolve this problem, install the hotfix that is mentioned in the following Microsoft Knowledge Base article:
925289 Description of the ISA Server 2006 hotfix package: October 02, 2006

After you install this hotfix, follow these steps to enable the functionality that this hotfix provides.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.
  1. Install the following lowLevelSettings.vbs script. To do this, save the lowLevelSettings.vbs script to a location on the ISA Server 2006 computer, type cscript lowLevelSettings.vbs at a command prompt, and then press ENTER.

    lowLevelSettings.vbs
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    
    Sub ShowLowLevelSettings()
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim arrayPolicy ' An FPCArrayPolicy object
        Dim lowLevel    ' An FPClowLevelSetting object
    
        ' Get references to the array object
        ' and the network rules collection.
        Set array = root.GetContainingArray
    
        Set arrayPolicy = array.ArrayPolicy
        CheckError
    
        Set LowLevel = ArrayPolicy.LowLevelSettings
        CheckError
    
        WScript.Echo "FwxListenerMaxPendingAccepts...- " & LowLevel.FwxListenerMaxPendingAccepts
        LowLevel.FwxListenerMaxPendingAccepts = 30000
        array.Save
        WScript.Echo "done saving..."
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    ShowLowLevelSettings
    
  2. Install the following setWebListenerAcceptingSockets.vbs script. To do this, save the setWebListenerAcceptingSockets.vbs script to a location on the ISA Server 2006 computer, type cscript setWebListenerAcceptingSockets.vbs at a command prompt, and then press ENTER.

    setWebListenerAcceptingSockets.vbs
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '
    ' Copyright (c) Microsoft Corporation. All rights reserved.
    ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
    ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
    ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
    ' HEREBY PERMITTED.
    ''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    
    Const SE_VPS_GUID = "{143F5698-103B-12D4-FF34-1F34767DEabc}"
    Const SE_VPS_NAME = "NumberOfWebListenerAcceptingSockets"
    Const SE_VPS_VALUE = 10
    
    Sub SetValue()
    
        ' Create the root object.
        Dim root  ' The FPCLib.FPC root object
        Set root = CreateObject("FPC.Root")
    
        'Declare the other objects needed.
        Dim array       ' An FPCArray object
        Dim VendorSets  ' An FPCVendorParametersSets collection
        Dim VendorSet   ' An FPCVendorParametersSet object
    
        ' Get references to the array object
        ' and the network rules collection.
        Set array = root.GetContainingArray
        Set VendorSets = array.VendorParametersSets
    
        On Error Resume Next
        Set VendorSet = VendorSets.Item( SE_VPS_GUID )
    
        If Err.Number <> 0 Then
            Err.Clear
    
            ' Add the item
            Set VendorSet = VendorSets.Add( SE_VPS_GUID )
            CheckError
            WScript.Echo "New VendorSet added... " & VendorSet.Name
    
        Else
            WScript.Echo "Existing VendorSet found... value- " &  VendorSet.Value(SE_VPS_NAME)
        End If
    
        if VendorSet.Value(SE_VPS_NAME) <> SE_VPS_VALUE Then
    
            Err.Clear
            VendorSet.Value(SE_VPS_NAME) = SE_VPS_VALUE
    
            If Err.Number <> 0 Then
                CheckError
            Else
                VendorSets.Save false, true
                CheckError
    
                If Err.Number = 0 Then
                    WScript.Echo "Done with " & SE_VPS_NAME & ", saved!"
                End If
            End If
        Else
            WScript.Echo "Done with " & SE_VPS_NAME & ", no change!"
        End If
    
    End Sub
    
    Sub CheckError()
    
        If Err.Number <> 0 Then
            WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
            Err.Clear
        End If
    
    End Sub
    
    SetValue
    
  3. Use the ISA Server Management Microsoft Management Console (MMC) snap-in to make sure that all the servers in the array are synchronized. Stop and then restart the Microsoft Firewall service on each array member.

STATUS

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

MORE INFORMATION

The lowLevelSettings.vbs script sets the FwxListenerMaxPendingAccepts value to 30,000 sockets. The setWebListenerAcceptingSockets.vbs script sets a new VendorParameterSets property. This property controls how many sockets each Web listener uses to accept connections. This value affects each IP address and port combination. By default, ISA Server allows for 50 sockets for each Web listener. The setWebListenerAcceptingSockets.vbs script sets this value to 10 sockets for each Web listener.

This new VendorParametersSets setting lets you create many additional Web site publishing rules in ISA Server 2006 Enterprise Edition. Consider the following scenario:
  • You have 600 virtual IP addresses
  • Each IP address has two Web listeners, an HTTP listener and an HTTPS listener.
In this scenario, ISA Server uses the new VendorParametersSets setting to create 12,000 sockets. This is much less than the new limit of 30,000 sockets that is set by the lowLevelSettings.vbs script.

Important In this kind of configuration, the limiting factor is the non-paged pool memory that is available. For example, the sample scenario in which you create 600 virtual IP addresses together with two listeners for each IP address uses approximately 160 megabytes (MB) of non-paged pool memory. During a period of high network activity, this use of non-paged pool memory may cause the server to stop responding. If you have added the /3GB option to the Boot.ini file on the server, 160 MB exceeds the amount of non-paged pool memory that can be allocated. Because of this problem, we do not recommend this kind of deployment.

Properties

Article ID: 925288 - Last Review: November 14, 2006 - Revision: 1.1
APPLIES TO
  • Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition
Keywords: 
kberrmsg kbfirewall kbtshoot kbfix kbbug kbprb KB925288

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com