Hi all,
I have TMG 2010 SP1 (without update 1 installed-there's a problem with this I'll describe in a new thread), installed in the domain with Exchange 2007 SP3 (with latest rollups) Edge role. Everything's been running fine for nearly a year, until it came to renewing the Edge subscription (certificate was about to expire). That went well enough, but at the same time the Exchange server ran out of disk space, so I had to migrate the user mailboxes elsewhere. Since then, I've had this recurring problem where the Control service on TMG crashes (not sure if the subscription/mailbox move is relevant, but I'm providing as much info as possible).
In summary, I've managed to narrow the failure down to being caused by any firewall rules that use our External web listener (that is, services such as OWA, ActiveSync, and SharePoint). Internal access using an Internal web listener work fine (the only difference between the 2 listeners is Internal is configured to listen on the Internal network, External on the External network, both listeners use the same wildcard cert).
When a user accesses the services above, they can log in but once they try to do something the session stops because the Control service has crashed (I'm presented with a 'Send Report to Microsoft' box on the server), the Firewall service stops itself and nothing comes in or goes out. When I restart the Firewall service, the TMG Managed Control service crashes which I then have to restart too.
I've been running with these firewall rules disabled for a little while now, and haven't had the service crash (yet), but that's not a good solution as users can't check their emails from home. I have tried creating a new listener and new rules, but that still causes a crash. Here are some logs from the Event Viewer;
When the Control Service crashes;
Log Name: Application Source: Application Error Date: 25/02/2011 17:33:49 Event ID: 1000 Task Category: (100) Level: Error Keywords: Classic User: N/A Computer: server.domain.local Description: Faulting application mspadmin.exe, version 7.0.8108.200, time stamp 0x4c17aca0, faulting module ncrypt.dll, version 6.0.6002.18005, time stamp 0x49e0419b, exception code 0xc0000005, fault offset 0x000000000000310e, process id 0xb9c, application start time 0x01cbd50653ba6415. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Application Error" /> <EventID Qualifiers="0">1000</EventID> <Level>2</Level> <Task>100</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2011-02-25T17:33:49.000Z" /> <EventRecordID>311227</EventRecordID> <Channel>Application</Channel> <Computer>server.domain.local</Computer> <Security /> </System> <EventData> <Data>mspadmin.exe</Data> <Data>7.0.8108.200</Data> <Data>4c17aca0</Data> <Data>ncrypt.dll</Data> <Data>6.0.6002.18005</Data> <Data>49e0419b</Data> <Data>c0000005</Data> <Data>000000000000310e</Data> <Data>b9c</Data> <Data>01cbd50653ba6415</Data> </EventData> </Event>
This appears to be caused by 'ncrypt.dll', searching for this revealed that a 'fix' may be to copy a good version of this file, I have done this and it's made no difference.
Then, the TMG Firewall stops;
Log Name: Application Source: Microsoft Forefront TMG Firewall Date: 25/02/2011 17:34:01 Event ID: 14182 Task Category: None Level: Information Keywords: Classic User: N/A Computer: server.domain.local Description: The Firewall service was stopped gracefully. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft Forefront TMG Firewall" /> <EventID Qualifiers="16384">14182</EventID> <Level>4</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2011-02-25T17:34:01.000Z" /> <EventRecordID>311228</EventRecordID> <Channel>Application</Channel> <Computer>server.domain.local</Computer> <Security /> </System> <EventData> </EventData> </Event>
And then, if I restart the Firewall while Managed Control is running;
Log Name: Application Source: Application Error Date: 28/02/2011 09:39:20 Event ID: 1000 Task Category: (100) Level: Error Keywords: Classic User: N/A Computer: server.domain.local Description: Faulting application IsaManagedCtrl.exe, version 7.0.8108.200, time stamp 0x4c17ac26, faulting module unknown, version 0.0.0.0, time stamp 0x00000000, exception code 0xc0000005, fault offset 0x000000006fe6f37c, process id 0x%9, application start time 0x%10. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Application Error" /> <EventID Qualifiers="0">1000</EventID> <Level>2</Level> <Task>100</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2011-02-28T09:39:20.000Z" /> <EventRecordID>313832</EventRecordID> <Channel>Application</Channel> <Computer>server.domain.local</Computer> <Security /> </System> <EventData> <Data>IsaManagedCtrl.exe</Data> <Data>7.0.8108.200</Data> <Data>4c17ac26</Data> <Data>unknown</Data> <Data>0.0.0.0</Data> <Data>00000000</Data> <Data>c0000005</Data> <Data>000000006fe6f37c</Data> </EventData> </Event>
I have found that I can typically stop the Managed Control service first, then restart the Firewall with no problems. I also have an ongoing alert that is new;
Log Name: Application Source: Microsoft Forefront TMG Control Date: 28/02/2011 11:29:39 Event ID: 32572 Task Category: None Level: Error Keywords: Classic User: N/A Computer: server.domain.local Description: Cache log failure: Failed to write content to the cache log; this may interfere with cache utilization monitoring.
The failure is due to error: Category does not exist. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft Forefront TMG Control" /> <EventID Qualifiers="49152">32572</EventID> <Level>2</Level> <Task>0</Task> <Keywords>0x80000000000000</Keywords> <TimeCreated SystemTime="2011-02-28T11:29:39.000Z" /> <EventRecordID>314616</EventRecordID> <Channel>Application</Channel> <Computer>server.domain.local</Computer> <Security /> </System> <EventData> <Data>Category does not exist.</Data> </EventData> </Event>
I don't know if this is relevant, a topic for another thread, or nothing to worry about.
Thanks
- Edited by Matthew Peters_UK Monday, February 28, 2011 12:14 PM cleaned up code
Other recent topics
