ISA is not always at fault when FTP is not working


 


1.       Introduction


 


We experience a lot of issues in accessing Outbound FTP from the Web Proxy clients behind ISA server. Enlisting one of the reasons here which is not actually an ISA issue but internal client side issue.


 


2.       Scenario


Unable to access an Anonymous FTP web site from Web Proxy clients behind a Single NIC ISA 2006 server who use WPAD file to connect to the ISA server.  WPAD is configured through DHCP.


When we have the ‘Automatically Detect Settings’ configured in the IE Proxy settings and if try to access any FTP site like in this scenario ftp://ftp.fabrikam.com. We get a generic IE error ‘Page cannot be displayed’. It is not an ISA error. So here all the fun starts. So far it looks like the traffic is not even hitting the ISA server and we need to investigate that.


 


3.       Troubleshooting:


When we disable ‘Automatically Detect Settings’ in the IE Proxy settings and manually put in the ISA servers IP address there we can access the FTP web site. So it clearly shows now that the issue is with WPAD file.


When we take a Network Trace on the client while trying to access ftp://ftp.fabrikam.com. In the Network trace we cannot see the WPAD file getting downloaded. We delete all the cookies and the temporary Internet files on that client and then start the Network trace again and try to access the FTP web site again and we still cannot see any WPAD file getting downloaded on the client and that’s why there was no traffic being sent to the ISA servers. As you can see in the traffic below the client is sending the traffic out to the Public FTP server directly on Port 21 from its Default Gateway and that’s why not working:


 


 


11:28:10.058 0.000000       879     TCP     172.16.74.104          ftp. fabrikam.akadns.net          TCP:Flags=......S., SrcPort=49717, DstPort=FTP control(21), PayloadLen=0, Seq=977062869, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:10.380 0.322401       887     TCP     ftp. fabrikam.akadns.net     172.16.74.104          TCP:Flags=...A..S., SrcPort=FTP control(21), DstPort=49717, PayloadLen=0, Seq=3482203085, Ack=977062870, Win=8192 ( Scale factor not supported ) = 8192        0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:10.380 0.000000       888     TCP     172.16.74.104          ftp. fabrikam.akadns.net          TCP:Flags=...A...., SrcPort=49717, DstPort=FTP control(21), PayloadLen=0, Seq=977062870, Ack=3482203086, Win=65280 (scale factor 0x0) = 65280         0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:10.700 0.319601       895     FTP     ftp. fabrikam.akadns.net     172.16.74.104          FTP:Response to Port 49717, '220  Microsoft FTP Service'    0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:10.700 0.000000       896     FTP     172.16.74.104          ftp. fabrikam.akadns.net     FTP:Request from Port 49717,'USER anonymous'        0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:11.012 0.312000       902     FTP     ftp. fabrikam.akadns.net     172.16.74.104          FTP:Response to Port 49717, '331  Anonymous access allowed, send identity (e-mail name) as password.'       0.000000          iexplore.exe   {TCP:77, IPv4:76}


11:28:11.012 0.000000       903     FTP     172.16.74.104          ftp. fabrikam.akadns.net     FTP:Request from Port 49717,'PASS User@'     0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:11.324 0.312001       910     FTP     ftp. fabrikam.akadns.net     172.16.74.104          FTP:Response to Port 49717, '230 -Welcome to FTP. fabrikam.COM. Also visit http://www. fabrikam.com/downloads.' 0.000000          iexplore.exe   {TCP:77, IPv4:76}


11:28:11.324 0.000000       911     FTP     ftp. fabrikam.akadns.net     172.16.74.104          FTP:Response to Port 49717, '230  User logged in.'   0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:11.324 0.000000       912     TCP     172.16.74.104          ftp. fabrikam.akadns.net          TCP:Flags=...A...., SrcPort=49717, DstPort=FTP control(21), PayloadLen=0, Seq=977062898, Ack=3482203288, Win=65078 (scale factor 0x0) = 65078         0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:11.324 0.000000       913     FTP     172.16.74.104          ftp. fabrikam.akadns.net     FTP:Request from Port 49717,'CWD /'   0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:11.636 0.312001       916     FTP     ftp. fabrikam.akadns.net     172.16.74.104          FTP:Response to Port 49717, '250  CWD command successful.'      0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:11.636 0.000000       917     FTP     172.16.74.104          ftp. fabrikam.akadns.net     FTP:Request from Port 49717,'TYPE A'   0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:11.948 0.312000       922     FTP     ftp. fabrikam.akadns.net     172.16.74.104          FTP:Response to Port 49717, '200  Type set to A.'    0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:11.948 0.000000       923     FTP     172.16.74.104          ftp. fabrikam.akadns.net     FTP:Request from Port 49717,'PORT 172,16,74,104,194,54'    0.000000       iexplore.exe   {TCP:77, IPv4:76}


11:28:12.276 0.327601       931     FTP     ftp. fabrikam.akadns.net     172.16.74.104          FTP:Response to Port 49717, '501  Server cannot accept argument.'         0.000000       iexplore.exe   {TCP:77, IPv4:76}


 


It clearly shows that it is a client side issue which shows that IE is not downloading the WPAD file.


Went into the registry and made the following changes:


1) Go to   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections.


2) Delete DefaultConnectionSettings and SavedLegacySettings.


3) Delete temp files.


4) Release and renew IP address and try re discover WPAD information.


 


Now when we try to access the FTP web site and take the network trace we can see the WPAD file getting downloaded. And the FTP site also works. Now we can see the WPAD file getting downloaded as well in the trace:


 


09:07:41.808 0.000000       4267   172.16.74.104          172.17.31.23  TCP     TCP:Flags=......S., SrcPort=54036, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1853634203, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192        0.000000                 {TCP:139, IPv4:138}


09:07:41.809 0.001000       4268   172.17.31.23  172.16.74.104          TCP     TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=54036, PayloadLen=0, Seq=1018293065, Ack=1853634204, Win=16384 ( Negotiated scale factor 0x0 ) = 16384        0.000000                 {TCP:139, IPv4:138}


09:07:41.809 0.000000       4269   172.16.74.104          172.17.31.23  TCP     TCP:Flags=...A...., SrcPort=54036, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1853634204, Ack=1018293066, Win=16660 (scale factor 0x2) = 66640      0.000000                 {TCP:139, IPv4:138}


09:07:41.809 0.000000       4270   172.16.74.104          172.17.31.23  HTTP   HTTP:Request, GET /wpad.dat           0.000000                 {HTTP:140, TCP:139, IPv4:138}


09:07:41.812 0.003000       4271   172.17.31.23  172.16.74.104          HTTP   HTTP:Response, HTTP/1.1, Status Code = 200, URL: /wpad.dat          0.000000                 {HTTP:140, TCP:139, IPv4:138}


 


And then the FTP traffic was also going through the ISA server:


 


09:06:46.682 0.000000       288     172.16.74.104          172.17.31.12  TCP     TCP:Flags=......S., SrcPort=54018, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2393493103, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192        0.000000       iexplore.exe   {TCP:14, IPv4:13}


09:06:46.684 0.002000       289     172.17.31.12  172.16.74.104          TCP     TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=54018, PayloadLen=0, Seq=1848901565, Ack=2393493104, Win=16384 ( Negotiated scale factor 0x0 ) = 16384        0.000000       iexplore.exe   {TCP:14, IPv4:13}


09:06:46.684 0.000000       290     172.16.74.104          172.17.31.12  TCP     TCP:Flags=...A...., SrcPort=54018, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2393493104, Ack=1848901566, Win=16660 (scale factor 0x2) = 66640      0.000000       iexplore.exe   {TCP:14, IPv4:13}


09:06:46.684 0.000000       291     172.16.74.104          172.17.31.12  HTTP   HTTP:Request, GET ftp://ftp. fabrikam.com/         0.000000       iexplore.exe   {HTTP:15, TCP:14, IPv4:13}


09:06:46.910 0.226013       302     172.17.31.12  172.16.74.104          TCP     TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=54018, PayloadLen=0, Seq=1848901566, Ack=2393493393, Win=65246 (scale factor 0x0) = 65246      0.000000       iexplore.exe   {TCP:14, IPv4:13}


09:06:49.635 2.725156       679     172.17.31.12  172.16.74.104          HTTP   HTTP:Response, HTTP/1.1, Status Code = 200, URL: ftp://ftp. fabrikam.com/          0.000000       iexplore.exe   {HTTP:15, TCP:14, IPv4:13}


09:06:49.636 0.001000       680     172.17.31.12  172.16.74.104          HTTP   HTTP:HTTP Payload, URL: ftp://ftp. fabrikam.com/     0.000000       iexplore.exe   {HTTP:15, TCP:14, IPv4:13}


09:06:49.636 0.000000       681     172.16.74.104          172.17.31.12  TCP     TCP:Flags=...A...., SrcPort=54018, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2393493393, Ack=1848902887, Win=16329 (scale factor 0x2) = 65316      0.000000       iexplore.exe   {TCP:14, IPv4:13}


09:06:49.909 0.273016       694     172.17.31.12  172.16.74.104          TCP     TCP:Flags=...A...F, SrcPort=HTTP Alternate(8080), DstPort=54018, PayloadLen=0, Seq=1848902887, Ack=2393493393, Win=65246 (scale factor 0x0) = 65246      0.000000       iexplore.exe   {TCP:14, IPv4:13}


09:06:49.909 0.000000       695     172.16.74.104          172.17.31.12  TCP     TCP:Flags=...A...., SrcPort=54018, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2393493393, Ack=1848902888, Win=16329 (scale factor 0x2) = 65316      0.000000       iexplore.exe   {TCP:14, IPv4:13}


09:06:49.909 0.000000       696     172.16.74.104          172.17.31.12  TCP     TCP:Flags=...A.R.., SrcPort=54018, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2393493393, Ack=1848902888, Win=0 (scale factor 0x2) = 0         0.000000       iexplore.exe   {TCP:14, IPv4:13}


09:06:52.565 2.656152       769     172.16.74.104          172.17.31.12  TCP     TCP:Flags=......S., SrcPort=54019, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1037727098, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192        0.000000       iexplore.exe   {TCP:27, IPv4:13}


09:06:52.567 0.002000       770     172.17.31.12  172.16.74.104          TCP     TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=54019, PayloadLen=0, Seq=2075932759, Ack=1037727099, Win=16384 ( Negotiated scale factor 0x0 ) = 16384        0.000000       iexplore.exe   {TCP:27, IPv4:13}


09:06:52.567 0.000000       771     172.16.74.104          172.17.31.12  TCP     TCP:Flags=...A...., SrcPort=54019, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1037727099, Ack=2075932760, Win=16660 (scale factor 0x2) = 66640      0.000000       iexplore.exe   {TCP:27, IPv4:13}


09:06:52.567 0.000000       772     172.16.74.104          172.17.31.12  HTTP   HTTP:Request, GET ftp://ftp. fabrikam.com/bussys/        0.000000       iexplore.exe   {HTTP:28, TCP:27, IPv4:13}


09:06:52.800 0.233013       789     172.17.31.12  172.16.74.104          TCP     TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=54019, PayloadLen=0, Seq=2075932760, Ack=1037727395, Win=65239 (scale factor 0x0) = 65239      0.000000       iexplore.exe   {TCP:27, IPv4:13}


09:06:55.037 2.237128       919     172.17.31.12  172.16.74.104          HTTP   HTTP:Response, HTTP/1.1, Status Code = 200, URL: ftp://ftp. fabrikam.com/bussys/         0.000000       iexplore.exe   {HTTP:28, TCP:27, IPv4:13}


 


So, the conclusion is 'ISA is not always at fault when FTP is not working'.


 

Skip to main content