ISA Firewall Service Stops Responding on DNS Resolution

This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
The Internet Security and Acceleration (ISA) Server Firewall service may slow down or stop responding to client requests. ISA clients may experience slow performance or receive Microsoft Internet Explorer error messages such as the following:
The page cannot be displayed.
This may occur when the following conditions are met:
  • The ISA Server computer has a Site and Content rule defined that restricts access based on a domain name (for example, "Deny access to *.microsoft.com").
  • ISA cannot perform DNS lookups for the IP address of a requested Web site or Pointer (PTR) record.
CAUSE
This occurs because of a code problem that causes ISA Server to temporarily run out of worker threads during some DNS name checking operations. When this occurs, the ISA Firewall service may appear to be slow or to stop responding (hang).

To detect this problem with System Monitor, monitor the Available Worker Threads counter in the ISA Firewall service object. If this value approaches zero, you may see a negative effect on ISA’s performance.
RESOLUTION
To resolve this problem, obtain the Update Rollup for ISA Server Services. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
810493 Update Rollup for ISA Server Services
WORKAROUND
You can temporarily work around this problem by changing the Deny Site and Content rule to specify the IP address of the restricted site instead of the domain name of the restricted site.
Properties

Article ID: 818821 - Last Review: 10/26/2013 18:37:18 - Revision: 2.2

Microsoft Internet Security and Acceleration Server 2000 Service Pack 1, Microsoft Internet Security and Acceleration Server 2000 Standard Edition

  • kbnosurvey kbarchive kbhotfixserver KB818821
Feedback