If a Web server is published by Internet Security and Acceleration (ISA) Server 2000 through Web publishing, and the internal Web server accepts or requires client certificate authentication, you may receive the following error message when ISA Server receives a request for the Web-published site:
500: ( Operation Would Block. For more information about this event, see ISA Server Help. )
The Web Proxy log file on the ISA Server computer may show that the request failed with an sc-status code of 10035 (WSAEWOULDBLOCK).
Depending on timing, the back-end Web server may log one of the following error codes. These error codes are from an IIS Web server, but the problem is not specific to IIS. It may occur with any Web server, and the error codes may vary.
If the error occurs before all data has been sent from ISA to the internal Web server, ISA will reset the connection because it treats the Winsock error as a fatal error. The Web server sees the connection being closed before all data has been received and returns an HTTP 400 response to ISA. The following event is logged in the IIS log file:
sc-status 400 (HTTP 400 - Bad Request)
sc-win32-status 64 (The specified network name is no longer available.)
If the error occurs immediately after all data has been sent and during ordinary SSL tunnel maintenance, ISA will again reset the connection.
In this case, the Web server has received all the expected request data and then immediately received the reset from ISA. Because the connection has been reset by the client, the Web server cannot return the response to the client and therefore logs the fact that the connection was reset by the client. The following event is logged in the IIS log file:
In both of these scenarios, the messages that are seen by the client and the events that are logged in the ISA log are the same.
The problem is specific to the communication between ISA and the internal Web server. ISA uses non-blocking sockets for performance reasons, and under load a non-blocking socket may sometimes return an error code saying that the operation would block. This is a non-fatal error and may occur when the internal server, for bandwidth or load reasons, cannot process the request fast enough. This fills up the buffers in TCP/IP and causes Winsock to return the error.
In this scenario ISA will fail the request and reset the connection when the Winsock call returns an error because the socket is configured as non-blocking. This condition only occurs when Client Certificate authentication is being used between ISA and the published Web server, and would generally occur for requests that include an Entity Body (that is, a POST request).
This situation may occur if the network connection between the ISA Server computer and the published Web server is slower than the connection between the client and the ISA Server computer, or if there is a similar performance bottleneck on the back-end network or on the published Web server itself.
To resolve this problem, obtain the latest service pack for ISA Server 2000. For additional information about the latest service pack, click the following article number to view the article in the Microsoft Knowledge Base:
313139 How to obtain the latest Internet Security and Acceleration Server 2000 service pack
Microsoft has confirmed that this is a problem in Microsoft Internet Security and Acceleration Server 2000. This problem was corrected in ISA 2000 Service Pack 2. When you install this service pack, ISA Server handles this Winsock error condition and will retry the operation when the socket becomes available, or it will time out the request when the socket timeout is reached.
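The two behaviours described above, shown as an added example (this is not ISA Server or Microsoft code). It assumes POSIX sockets, where EWOULDBLOCK/EAGAIN is the counterpart of WSAEWOULDBLOCK; the names send_all and run, the Unix-domain socket pair, and the late-starting reader process are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* mode 0: any send() error fails the request (would-block treated as fatal).
 * mode 1: on would-block, wait until the socket is writable or timeout_ms passes.
 * Returns bytes sent, -1 on a fatal error, -2 when the timeout is reached. */
static long send_all(int fd, const char *buf, size_t len, int mode, int timeout_ms) {
    size_t off = 0;
    while (off < len) {
        ssize_t n = send(fd, buf + off, len - off, 0);
        if (n >= 0) { off += (size_t)n; continue; }
        if (errno == EINTR) continue;
        if (mode == 0 || (errno != EWOULDBLOCK && errno != EAGAIN)) return -1;
        struct pollfd p = { .fd = fd, .events = POLLOUT };
        int r = poll(&p, 1, timeout_ms);      /* block here, not in send() */
        if (r == 0) return -2;                /* socket timeout reached */
        if (r < 0 && errno != EINTR) return -1;
    }
    return (long)off;
}

/* Constructed peer: a child that starts reading 50 ms late, so the sender
 * fills the socket buffer first, like a slow published Web server. */
static long run(int mode) {
    static char payload[1 << 22];             /* 4 MiB entity body */
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    fcntl(sv[0], F_SETFL, fcntl(sv[0], F_GETFL) | O_NONBLOCK);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char tmp[65536];
        close(sv[0]);
        poll(NULL, 0, 50);                    /* back-end is busy */
        while (read(sv[1], tmp, sizeof tmp) > 0) { }
        _exit(0);
    }
    close(sv[1]);
    long r = send_all(sv[0], payload, sizeof payload, mode, 5000);
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return r;
}

int main(void) { return (run(0) == -1 && run(1) == (1 << 22)) ? 0 : 1; }
```

With the same slow peer, mode 0 abandons the request part-way through the body, while mode 1 delivers all of it once the peer drains the buffer.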