Spotty Internet and TCP_NOT_SYN_PACKET_DROPPED

I'm receiving a number of errors in the TMG log as:

None - see Result Code 0xc0040017 FWX_E_TCP_NOT_SYN_PACKET_DROPPED

This comes along with very spotty internet browsing from internal clients. I have a split-DNS infrastructure; the DNS server in the DMz is my public DNS. Prior to this error and noticing spotty internet, I made changes to my DNS as I thought that was the culprit, but the above issue remains the same. If I reboot the TMG server, the internet browsing is excellent for about 5 - 10 minutes, then falls on its face. Stopping, refreshing, and multiple clicking on web links eventually gets there, but it's quite annoying.

A post I came across seemed to relate to the VLAN routing. The TMG INT LAN IP address is on the same VLAN as all my internal clients, connected to a Cisco 3750G switch. I remember having this same setup years ago when I used ISA 2006. I do not have any ip default-gateway IP set on the switch. Any ideas on whether I should make a change, or how to resolve this error and the internet surfing?

My Configuration:

I have 2 Cisco 3750G core switches in 2 separate rooms. They are connected by a trunk port. I have a number of VLANs as follows:

VLAN10 (Internal LAN) int ip 10.0.10.2

VLAN9 (DMz) int ip 192.168.0.2

VLAN20 (iSCSI) int ip 10.0.20.2

VLAN30 (vMotion) int ip 10.0.30.2

Inter-VLAN routing is OK; systems in one VLAN can ping systems in another VLAN no problem. The TMG has a 3-NIC setup: DMz IP 192.168.0.9, INT_LAN IP 10.0.10.1, Ext IP x.x.x.x

All of the internal LAN servers and workstations use the TMG IP as their gateway. As suggested in a post I read, should I modify the Cisco switch to include a default gateway of the TMG IP (10.0.10.1) and configure all of the clients connected to the switch to use the VLAN's interface IP of 10.0.10.2? Should I add a static route? Should I add a default-gateway in the configuration of the switch? Any assistance or suggestions would be appreciated. Thanks.

-SK

August 29th, 2014 2:33pm

Hi SK,

I think the issue may be due to your internet router or other L3 devices after the TMG EXT interface.

It seems your connection is dropped because there is no SYN packet.

Try connecting any PC direct to Internet and see.

-------------

Please get this checked, and if all works okay, we shall proceed with other configurations at the switch level.

August 29th, 2014 5:40pm

Hi,

Any updates now?

According to the error message, the non-SYN packet was dropped because it was sent by a source that did not have an established connection with the TMG Server computer.

Personally, it seems that the network configuration is not correct. In general, it is not recommended to point the default gateways of all the LAN users to the TMG server. I would appreciate it if you can post the result of running "ipconfig /all" on the TMG server and a server in each VLAN. I also recommend you use Network Monitor to capture packets on the TMG server, LAN servers and workstations to see the reason for this issue.

Best regards,

Susie

September 1st, 2014 4:46am

I don't have any L3 devices after the TMG External NIC. It is directly connected to my ISP to the internet. The only L3 devices are the core switches, with a few VLANs created segregating the subnets.

-SK

September 2nd, 2014 7:11pm

Hi Susie,

I agree with you, there could be some improvement in the network configuration. Since it is a small network with only a few VLANs to separate the few subnets for their specific purposes, and the TMG as the router / firewall, I think there should be some type of default route, or route from VLAN 10 as the internal VLAN, using the interface IP as its gateway for devices, and the TMG Internal LAN NIC with an IP address on a different subnet.

i.e. all internal LAN clients use the VLAN10 int IP 10.0.10.1 as their gateway and the TMG set up with IP 10.0.1.1 on its internal NIC.

I'm assuming I could add a static route for 10.0.10.0 to 10.0.1.1 in the config of the Cisco 3750.

What do you think? I can post ipconfigs etc. if you think it would help in any suggestions.

-SK

September 2nd, 2014 9:22pm

Hi,

Thanks for your reply. Would you please post the results of running "ipconfig /all" on the TMG server and a server in each VLAN?

Best regards,

Susie

September 4th, 2014 5:37am

Hi Susie,

Apologies for the delay. The ipconfig info is below. I think I still need to configure / think of the TMG as a router, so to speak. The INT_LAN NIC should probably be assigned a private IP address like 200.1.1.1. It should be connected to the 3750 on a routed port with an IP of something like 200.1.1.2, not a switch port, and some type of static route configured so it can act as a true router / firewall. I just need to wrap my brain around configuring this setup.

TMG Server:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : 
   Primary Dns Suffix  . . . . . . . : skincdc.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : skincdc.com
                                       hsd1.dc.comcast.net.

Ethernet adapter INT_LAN:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #3
   Physical Address. . . . . . . . . : 00-0C-29-C1-DF-B1
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.0.10.1(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 
   DNS Servers . . . . . . . . . . . : 10.0.10.9
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter DMz:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-0C-29-C1-DF-BB
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.1(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 
   DNS Servers . . . . . . . . . . . : 192.168.0.9
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter XFINITY_INet:

   Connection-specific DNS Suffix  . : hsd1.dc.comcast.net.
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
   Physical Address. . . . . . . . . : 00-0C-29-C1-DF-C5
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 69.(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Lease Obtained. . . . . . . . . . : Monday, September 15, 2014 3:31:05 AM
   Lease Expires . . . . . . . . . . : Friday, September 19, 2014 3:31:05 AM
   Default Gateway . . . . . . . . . : 69.
   DHCP Server . . . . . . . . . . . : 69.
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Internal VLAN 10 F&P Server:


Windows IP Configuration

   Host Name . . . . . . . . . . . . : 
   Primary Dns Suffix  . . . . . . . : skincdc.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : skincdc.com

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-0C-29-04-A3-CE
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::dc4:97e5:5f7a:d074%12(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.0.10.12(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.10.1
   DHCPv6 IAID . . . . . . . . . . . : 301993001
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-5D-18-09-00-0C-29-04-A3-CE
   DNS Servers . . . . . . . . . . . : 10.0.10.9
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{27CD176D-0080-4CCD-920B-D03C5A09EB25}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

VLAN 5 DMz DNS Server:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : 
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-0C-29-B5-67-1E
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.0.9(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.9
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{91E3F742-20C5-4DBA-A792-9D842D999267}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

-SK

September 15th, 2014 7:01pm

Hi

Thanks for your reply.

In general, we don't configure the DNS server and default gateway for the DMZ interface. If you want to establish connections between the DMZ and the internal network, you can add a router between them and create an access rule to allow the traffic for internal clients.

In addition, what are the source IP addresses of the error messages?

Best regards,

Susie



September 17th, 2014 11:05pm

Hi Susie,

I have a split-DNS infrastructure. The only traffic at this point between any internal clients and the DMz DNS server is name resolution. I have a route rule set up between the DMz and the Internal network. I could remove the DNS server entry, as it is its own DNS server, but why would I leave the gateway address blank on the DNS server in the DMz?

I'm seeing the error from many clients on the internal network: servers, workstations, etc. The only clients needing internet access are internal clients on vlan10. All are configured with the same GW IP 10.0.10.1 (TMG INT_LAN NIC) and the same DNS 10.0.10.9 (Int. AD DNS Server). The internal DNS server forwards unresolved queries to the DMz DNS, which in turn forwards to external DNS (Google DNS) for name resolution.

I referenced this article and am investigating configuring my infrastructure as noted, treating the Cisco 7200VXR router identified there as my TMG 2010 firewall.

http://www.cisco.com/c/en/us/support/docs/lan-switching/inter-vlan-routing/41260-189.html

-SK

September 18th, 2014 4:03pm
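A small triage script for the question raised above (which sources the FWX_E_TCP_NOT_SYN_PACKET_DROPPED events come from), added here as an example and not part of the original thread. It uses the VLAN subnets and result code given in the thread; the log lines are constructed in a simplified tab-separated layout, not TMG's real W3C field list, so adapt parse_log to the actual export.

```python
from collections import Counter
import ipaddress

# VLAN subnets as described in the thread (switch SVIs at .2, TMG INT_LAN at 10.0.10.1).
VLANS = {
    "VLAN10 Internal": ipaddress.ip_network("10.0.10.0/24"),
    "VLAN9 DMz":       ipaddress.ip_network("192.168.0.0/24"),
    "VLAN20 iSCSI":    ipaddress.ip_network("10.0.20.0/24"),
    "VLAN30 vMotion":  ipaddress.ip_network("10.0.30.0/24"),
}
TMG_INT_LAN = ipaddress.ip_network("10.0.10.0/24")  # subnet of the TMG internal NIC
NOT_SYN = "0xc0040017"  # result code of FWX_E_TCP_NOT_SYN_PACKET_DROPPED from the thread

# Constructed sample lines (hypothetical hosts, RFC 5737 remote addresses).
# Fields: date  time  client-ip  remote-ip  remote-port  result-code
SAMPLE_LOG = """\
2014-09-18\t15:58:01\t10.0.10.12\t203.0.113.10\t80\t0x0
2014-09-18\t15:58:02\t10.0.10.12\t203.0.113.10\t80\t0xc0040017
2014-09-18\t15:58:03\t10.0.10.12\t203.0.113.10\t443\t0xc0040017
2014-09-18\t15:58:04\t10.0.10.40\t203.0.113.20\t443\t0xc0040017
2014-09-18\t15:58:05\t10.0.20.7\t203.0.113.30\t3260\t0xc0040017
2014-09-18\t15:58:06\t192.168.0.9\t203.0.113.53\t53\t0x0
"""


def parse_log(text):
    """Turn the tab-separated lines into dicts, skipping blank lines."""
    keys = ("date", "time", "c_ip", "r_ip", "r_port", "result")
    return [dict(zip(keys, line.split("\t")))
            for line in text.splitlines() if line.strip()]


def vlan_of(ip):
    """Name the VLAN a source address belongs to, or 'unknown' if none matches."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "unknown")


def triage(records):
    """Summarise non-SYN drops: count per source, count per VLAN, and the sources
    that are not on the TMG internal subnet (traffic from those hosts must have
    been routed by the switch, so their return path may not go back through it)."""
    drops = [r for r in records if r["result"].lower() == NOT_SYN]
    per_source = Counter(r["c_ip"] for r in drops)
    per_vlan = Counter(vlan_of(r["c_ip"]) for r in drops)
    off_subnet = sorted(ip for ip in per_source
                        if ipaddress.ip_address(ip) not in TMG_INT_LAN)
    return {"total": len(drops), "per_source": dict(per_source),
            "per_vlan": dict(per_vlan), "off_subnet": off_subnet}


if __name__ == "__main__":
    for key, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Sources that dominate the per-source count, or that show up in off_subnet, are the ones worth capturing with Network Monitor on both the client and the TMG INT_LAN NIC to see which side never saw the SYN.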