Server 2008 behind ISA 2006 -> no access to external websites
Ok, here is my problem.
In my test environment I'm running 4 Windows Server 2008 RTM as virtual machines in Hyper-V. There is also one VM running Server 2003 R2 with ISA 2006 with 2 NICs.
From a Vista client machine I can access the internet; I have tested that with a Vista x64 Ultimate and a Vista x86 Business.
From all the Server 2008 machines I get no access to external websites. DNS works fine; I tested nslookup to external websites -> no problem.
But if I try to access external websites I get no connection; tested this with IE and Firefox.
I can access my internal OWA sites.
In the live log of the ISA 2006 I see the error:
0xc0040031 FWX_E_BAD_TCP_CHECKSUM_DROPPED with the protocol HTTP-Proxy
And it is all the same with FTP, but no problems with DNS.
March 2nd, 2008 1:17pm
In Windows Server 2008 the following settings for the Transmission Control Protocol (TCP) part of TCP-IP are default:
Parameter: Default value
Receive-Side Scaling State: enabled
Chimney Offload State: enabled
Receive Window Auto-Tuning Level: normal
Add-On Congestion Control Provider: ctcp
ECN Capability: disabled
RFC1323 Timestamps: disabled
The Receive-Side Scaling, Chimney offloading and Receive Window Auto-Tuning features might cause problems with Microsoft ISA Server 2006. (read more here on problems with these features on Windows Server 2003)
In your environment I'd recommend turning off these features of the Scalable Networking Pack, using the commands below: (giving the first command the highest priority)
netsh interface tcp set global rss=disabled
netsh interface tcp set global chimney=disabled
netsh interface tcp set global autotuning=disabled
When these commands don't solve your problems you can easily revert to the old situation by substituting disabled with enabled in the above commands.
March 2nd, 2008 3:33pm
So I tested all the commands on one of the servers, but it did not help; still getting the same error message on the ISA server.
Do you have some other ideas?
March 3rd, 2008 1:33am
Hi, I had the same problem and also tried using the different commands on my setup, but that didn't work out for me. However, I was able to use the suggestion from
http://support.microsoft.com/kb/911554
on my ISA 2006 firewall to disable the checksum check altogether. Just tested this and everything works like a charm now; no problems accessing websites from the Windows 2008 machine anymore.
March 3rd, 2008 5:58am
Run IsaBPA on ISA 2006. There is something to disable on there. When you disable RSS and TPCA on the ISA host, it will work.
March 3rd, 2008 6:15am
Ran into this identical problem. Simple fix:
The trick is to configure the hardware settings for the "Virtual NIC" on the Windows 2008 side:
Virtual NIC -> Properties -> Configure -> Advanced
Set "IP Checksum Offload (IPv4)" and "TCP Checksum Offload (IPv4)" to "disabled".
Worked perfectly for me.
March 5th, 2008 10:36pm
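Added example, not part of the original thread: a sketch of the TCP checksum verification (RFC 793 pseudo-header, RFC 1071 sum) that a firewall performs before reporting an error such as FWX_E_BAD_TCP_CHECKSUM_DROPPED. The addresses, ports and the "offloaded" segment are constructed; it assumes the sending stack leaves only the pseudo-header sum in the checksum field for the NIC to finish, and that the segment is inspected before any NIC completes it.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit one's-complement sum (folded, not inverted)."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol 6, TCP length."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, 6, tcp_len))

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Value a sender writes; segment must have its checksum field zeroed."""
    covered = pseudo_header(src, dst, len(segment)) + segment
    return ~ones_complement_sum(covered) & 0xFFFF

def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """Receiver-side check: sum including the checksum field must be 0xFFFF."""
    covered = pseudo_header(src, dst, len(segment)) + segment
    return ones_complement_sum(covered) == 0xFFFF

def build_syn(sport: int, dport: int, seq: int, checksum: int = 0) -> bytes:
    """Minimal 20-byte TCP header: data offset 5, SYN flag, window 8192."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                       5 << 4, 0x02, 8192, checksum, 0)

# Constructed sample traffic (not taken from the thread).
SRC, DST = "192.168.0.10", "203.0.113.80"
raw = build_syn(49152, 80, 1000)

# Software-computed checksum: what the firewall expects to see.
good = build_syn(49152, 80, 1000, tcp_checksum(SRC, DST, raw))

# Assumed offload behaviour: only the pseudo-header sum is filled in.
partial = ones_complement_sum(pseudo_header(SRC, DST, len(raw)))
offloaded = build_syn(49152, 80, 1000, partial)

if __name__ == "__main__":
    for name, seg in (("software checksum", good), ("offloaded", offloaded)):
        verdict = "accept" if checksum_ok(SRC, DST, seg) else "drop: bad TCP checksum"
        print(f"{name:18s} -> {verdict}")
```
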