TMG keeps stopping all inbound traffic

Every few days, the TMG server will stop accepting most inbound traffic but
especially SMTP. Once I restart it, it lets it flow again. Any idea why?

Shown below are two very small section of the logs. I cut out three places
where th SMTP transactions are gettign blocked before I restart it and two
where they get through after I restart it.

Does anyone have any good ideas?

Thanks!

Arch


Bad section

Client Agent Authenticated Client Service Referring Server Destination Host
Name Transport HTTP Method Filter Information MIME Type Object Source Cache
Information Error Information Source Port Bidirectional Network Interface
Raw IP Header Raw Payload Processing Time Bytes Sent Bytes Received Original
Client IP GMT Log Time Authentication Server Log Time Client IP Destination
IP Destination Port Protocol Action Rule Result Code HTTP Status Code Client
Username Source Network Destination Network URL Server Name Log Record Type
Malware Inspection Action Malware Inspection Result Threat Name Threat Level
Content Delivery Method Malware Inspection Duration (msec)

- TCP - - - 0x0 0x0 53011 0 0 0 64.86.201.104 01/09/2009 4:43:21
PM - 01/09/2009 11:43:21 AM 64.86.201.104 66.129.4.206 25 SMTP Denied
Connection Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED External
Local Host - TMGSRVR Firewall - 0
- TCP - - - 0x0 0x0 53011 0 0 0 64.86.201.104 01/09/2009 4:43:23
PM - 01/09/2009 11:43:23 AM 64.86.201.104 66.129.4.206 25 SMTP Denied
Connection Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED External
Local Host - TMGSRVR Firewall - 0
- TCP - - - 0x0 0x0 55259 0 0 0 98.172.30.113 01/09/2009 4:43:27
PM - 01/09/2009 11:43:27 AM 98.172.30.113 66.129.4.206 25 SMTP Denied
Connection Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED External
Local Host - TMGSRVR Firewall - 0


Good section

Client Agent Authenticated Client Service Referring Server Destination Host
Name Transport HTTP Method Filter Information MIME Type Object Source Cache
Information Error Information Source Port Bidirectional Network Interface
Raw IP Header Raw Payload Processing Time Bytes Sent Bytes Received Original
Client IP GMT Log Time Authentication Server Log Time Client IP Destination
IP Destination Port Protocol Action Rule Result Code HTTP Status Code Client
Username Source Network Destination Network URL Server Name Log Record Type
Malware Inspection Action Malware Inspection Result Threat Name Threat Level
Content Delivery Method Malware Inspection Duration (msec)
- TCP - - - 0x0 0x0 14380 15 0 0 189.105.209.111 01/09/2009 4:46:09
PM - 01/09/2009 11:46:09 AM 189.105.209.111 192.168.1.1 25 SMTP Server
Initiated Connection SMTP Mail Server SMTP Server SMTP Server(1) 0x0
ERROR_SUCCESS External Internal - TMGSRVR Firewall - 0
- TCP - - - 0x0 0x0 20934 827 8091 456 66.18.49.218 01/09/2009
4:46:13 PM - 01/09/2009 11:46:13 AM 66.18.49.218 192.168.1.1 25 SMTP Server
Closed Connection SMTP Mail Server SMTP Server SMTP Server(1) 0x80074e24
FWX_E_CONNECTION_KILLED External Internal - TMGSRVR Firewall - 0

Hi,

> Every few days, the TMG server will stop accepting most inbound traffic
> but especially SMTP. Once I restart it, it lets it flow again. Any idea
> why?

it seems to be that TMD doesn't recognized the SMTP conenction as an SMTP
connection so that the default policy rule applies.
Is there another SMTP Service running on ISA server which collide with the
SMTP Server publishing?
Because TMG is a beta version my only recommodation at this time is to try
to reinstall the SMTP Server Publishing rule. If this doesn't work try it
with a TMG reinstallation.

--
Gruss Jens
www.it-training-grote.de/blog
www.it-training-grote.de
www.nt-faq.de

[rannam]

the TMG server will stop accepting most inbound traffic but

Quote:

Originally Posted by Arch Willingham

Every few days, the TMG server will stop accepting most inbound traffic but
especially SMTP. Once I restart it, it lets it flow again. Any idea why?

Shown below are two very small section of the logs. I cut out three places
where th SMTP transactions are gettign blocked before I restart it and two
where they get through after I restart it.

Does anyone have any good ideas?

Thanks!

Arch


Bad section

Client Agent Authenticated Client Service Referring Server Destination Host
Name Transport HTTP Method Filter Information MIME Type Object Source Cache
Information Error Information Source Port Bidirectional Network Interface
Raw IP Header Raw Payload Processing Time Bytes Sent Bytes Received Original
Client IP GMT Log Time Authentication Server Log Time Client IP Destination
IP Destination Port Protocol Action Rule Result Code HTTP Status Code Client
Username Source Network Destination Network URL Server Name Log Record Type
Malware Inspection Action Malware Inspection Result Threat Name Threat Level
Content Delivery Method Malware Inspection Duration (msec)

- TCP - - - 0x0 0x0 53011 0 0 0 64.86.201.104 01/09/2009 4:43:21
PM - 01/09/2009 11:43:21 AM 64.86.201.104 66.129.4.206 25 SMTP Denied
Connection Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED External
Local Host - TMGSRVR Firewall - 0
- TCP - - - 0x0 0x0 53011 0 0 0 64.86.201.104 01/09/2009 4:43:23
PM - 01/09/2009 11:43:23 AM 64.86.201.104 66.129.4.206 25 SMTP Denied
Connection Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED External
Local Host - TMGSRVR Firewall - 0
- TCP - - - 0x0 0x0 55259 0 0 0 98.172.30.113 01/09/2009 4:43:27
PM - 01/09/2009 11:43:27 AM 98.172.30.113 66.129.4.206 25 SMTP Denied
Connection Default rule 0xc004000d FWX_E_POLICY_RULES_DENIED External
Local Host - TMGSRVR Firewall - 0


Good section

Client Agent Authenticated Client Service Referring Server Destination Host
Name Transport HTTP Method Filter Information MIME Type Object Source Cache
Information Error Information Source Port Bidirectional Network Interface
Raw IP Header Raw Payload Processing Time Bytes Sent Bytes Received Original
Client IP GMT Log Time Authentication Server Log Time Client IP Destination
IP Destination Port Protocol Action Rule Result Code HTTP Status Code Client
Username Source Network Destination Network URL Server Name Log Record Type
Malware Inspection Action Malware Inspection Result Threat Name Threat Level
Content Delivery Method Malware Inspection Duration (msec)
- TCP - - - 0x0 0x0 14380 15 0 0 189.105.209.111 01/09/2009 4:46:09
PM - 01/09/2009 11:46:09 AM 189.105.209.111 192.168.1.1 25 SMTP Server
Initiated Connection SMTP Mail Server SMTP Server SMTP Server(1) 0x0
ERROR_SUCCESS External Internal - TMGSRVR Firewall - 0
- TCP - - - 0x0 0x0 20934 827 8091 456 66.18.49.218 01/09/2009
4:46:13 PM - 01/09/2009 11:46:13 AM 66.18.49.218 192.168.1.1 25 SMTP Server
Closed Connection SMTP Mail Server SMTP Server SMTP Server(1) 0x80074e24
FWX_E_CONNECTION_KILLED External Internal - TMGSRVR Firewall - 0

OK guys....I took all y'all said and did this.

1. I exported my rules from TMG.
2. I did a brand new installation of the operating system and made sure no
antivirus stuff got installed.
3. I installed the new Beta 2
4. I imported my old rules

About 24 hrs later, it did it again. It turns out that I don't think its
just SMTP its blocking...its all DNS requests too. I can teminal server in
(using the sever's IP address), restart the TMG service and WHAM...it starts
resolving DNS and letting SMTP stuff on in.

A few errors come up but nothign that seems related.

Any ideas?

Thanks!

Arch



"Jens Baier" <jensbaier@passport.com> wrote in message
news:enDn8WIdJHA.1328@TK2MSFTNGP02.phx.gbl...
> Hi,
>
>> Every few days, the TMG server will stop accepting most inbound traffic
>> but especially SMTP. Once I restart it, it lets it flow again. Any idea
>> why?
>
> it seems to be that TMD doesn't recognized the SMTP conenction as an SMTP
> connection so that the default policy rule applies.
> Is there another SMTP Service running on ISA server which collide with the
> SMTP Server publishing?
> Because TMG is a beta version my only recommodation at this time is to try
> to reinstall the SMTP Server Publishing rule. If this doesn't work try it
> with a TMG reinstallation.
>
> --
> Gruss Jens
> www.it-training-grote.de/blog
> www.it-training-grote.de
> www.nt-faq.de
>