When clients connect to a Web site that you published by using ISA Server 2006, the Microsoft Firewall service may use 100 percent of the CPU resources

This article has been archived. It is offered "as is" and will no longer be updated.
Symptoms
When clients connect to a Web site that you published by using Microsoft Internet Security and Acceleration (ISA) Server 2006, the Microsoft Firewall service (fwsrv) may use 100 percent of the CPU resources.

You may experience this problem if the following conditions are both true:
  • The clients connect to the Web site by using the HTTPS protocol.
  • The Web listener for the Web site publishing rule requires client Secure Sockets Layer (SSL) certificates for authentication.
Note To determine whether the Web listener requires client SSL certificates, follow the steps in the "More Information" section.
Cause
This problem occurs if ISA Server 2006 cannot renegotiate the encryption keys with the client.

On the Authentication Preferences tab of the Advanced Authentication Options dialog box for the Web listener, you can use the SSL client certificate timeout (seconds) check box together with a value to configure when the client certificate times out. By default, this value is set to 300 seconds. When the client certificate times out, ISA Server 2006 tries to renegotiate encryption keys with the client.
Resolution
A hotfix is available for computers that are running ISA Server 2006. To resolve this problem, install the hotfix that is described in the following Microsoft Knowledge Base article:

937186 Description of the ISA Server 2006 hotfix package that is dated May 14, 2007
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
More information

How to determine whether the Web listener requires client SSL certificates

  1. Start the ISA Server Management tool, and then locate the appropriate Web site publishing rule.
  2. Right-click the Web site publishing rule, and then click Properties.
  3. Click the Listener tab, verify that the correct listener is displayed, and then click Properties.
  4. Click the Authentication tab, and then click Advanced.
  5. On the Authentication Preferences tab of the Advanced Authentication Options dialog box, determine whether the Require SSL client certificate check box is selected.
Properties

Article ID: 937434 - Last Review: 01/16/2015 16:00:47 - Revision: 2.0

Microsoft Internet Security and Acceleration Server 2006 Standard Edition, Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition

  • kbnosurvey kbarchive kbfirewall kbtshoot kbfix kbbug kbprb KB937434
Feedback