Microsoft KB Archive/919620

= Internal firewall client computers and SecureNAT client computers cannot connect to external servers =

Article ID: 919620

Article Last Modified on 12/4/2007


APPLIES TO


 * Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition
 * Microsoft Internet Security and Acceleration Server 2004 Standard Edition






SYMPTOMS
Internal firewall client computers and secure network address translation (SecureNAT) client computers cannot connect to external servers through a computer that is running Microsoft Internet Security and Acceleration (ISA) Server 2004.

This behavior occurs when the Maximum Transmission Unit (MTU) size for the Internet connection is less than 1500 bytes on the computer that is running ISA Server 2004. For example, you experience this problem when the computer that is running ISA Server 2004 uses a DSL connection instead of an Ethernet connection.

A network trace on the external interface of the computer that is running ISA Server 2004 may show that this computer is not using the correct TCP maximum segment size (MSS) value for the TCP connection. You may find that this computer always uses an MSS value of 1460 and not the correct MSS value for the TCP connection. When this occurs, the TCP packets are dropped by external routers.
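To check a trace for this symptom, the following added example (not part of the original Microsoft article) parses the MSS option from a captured IPv4 TCP SYN and compares it with the link MTU minus 40 bytes of IPv4 and TCP headers. The 1492-byte MTU (a common PPPoE value, assumed here for the DSL case) and the packets built by `build_syn` are constructed sample values.

```python
import struct

IP_TCP_OVERHEAD = 40  # assumed: 20-byte IPv4 header + 20-byte TCP header, no options

def expected_mss(mtu):
    """Largest MSS whose full-size segments fit in one IPv4 packet of `mtu` bytes."""
    return mtu - IP_TCP_OVERHEAD

def parse_syn_mss(pkt):
    """Return the MSS advertised in an IPv4 TCP SYN, or None if absent/not a SYN."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None                      # not IPv4/TCP
    tcp = pkt[(pkt[0] & 0x0F) * 4:]
    if len(tcp) < 20 or not tcp[13] & 0x02:
        return None                      # truncated or SYN flag not set
    opts = tcp[20:(tcp[12] >> 4) * 4]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # NOP padding, single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            break                        # malformed option length
        if kind == 2 and opts[i + 1] == 4:
            return struct.unpack("!H", opts[i + 2:i + 4])[0]
        i += opts[i + 1]
    return None

def check_syn(pkt, link_mtu):
    """Classify a SYN seen on the external interface against that link's MTU."""
    mss = parse_syn_mss(pkt)
    if mss is None:
        return "no-mss"
    return "ok" if mss <= expected_mss(link_mtu) else "mss-too-large"

def build_syn(mss):
    """Constructed sample packet: IPv4 + TCP SYN with one MSS option, zero checksums."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1, 0, 6 << 4, 0x02, 65535, 0, 0)
    tcp += struct.pack("!BBH", 2, 4, mss)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 128, 6, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])) + tcp

if __name__ == "__main__":
    for mss in (1460, 1452):             # 1492 = assumed PPPoE-style DSL MTU
        print(mss, check_syn(build_syn(mss), 1492))
```

A SYN that advertises 1460 on a link whose MTU is below 1500 is the pattern the trace described above would show.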



CAUSE
This behavior occurs because of a problem with the MTU checking process in ISA Server 2004.



How to obtain the hotfix
This issue is fixed in the ISA Server 2004 Hotfix Package dated May 31, 2006. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

919621 Description of the ISA Server 2004 hotfix package: May 31, 2006

After you apply the hotfix that is mentioned in Microsoft Knowledge Base article 919621, run the Microsoft Visual Basic script that is described in this section. To do this, follow these steps.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

Click Start, point to Programs, point to Accessories, and then click Notepad.

Paste the following code into a new Notepad document, and then save it by using a file name that has a .vbs file name extension. An example of a file name that has a .vbs file name extension is AddReadMTUregistry.vbs.

 '
 ' Copyright (c) Microsoft Corporation. All rights reserved.
 ' THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE
 ' RISK OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE
 ' USER. USE AND REDISTRIBUTION OF THIS CODE, WITH OR WITHOUT MODIFICATION, IS
 ' HEREBY PERMITTED.
 '
 ' This script adds a new VendorParametersSets under the array root.
 ' Used to add new parameters that are needed for hotfixes or service packs.
 '
 Sub AddReadMTUregistry
 
     ' Create the root object.
     Dim root ' The FPCLib.FPC root object
     Set root = CreateObject("FPC.Root")
 
     ' Declare the other objects needed.
     Dim array      ' An FPCArray object
     Dim VendorSets ' An FPCVendorParametersSets collection
     Dim VendorSet  ' An FPCVendorParametersSet object
 
     ' Get references to the array object
     ' and the vendor parameters sets collection.
     Set array = root.GetContainingArray
     Set VendorSets = array.VendorParametersSets
 
     On Error Resume Next
     Set VendorSet = VendorSets.Item( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
 
     If Err.Number <> 0 Then
         Err.Clear
 
         ' Add the item
         Set VendorSet = VendorSets.Add( "{143F5698-103B-12D4-FF34-1F34767DEabc}" )
         CheckError
         WScript.Echo "New VendorSet added... " & VendorSet.Name
 
     Else
         ' This message reads the AllowVLANandNLB value, as in the script as published.
         WScript.Echo "Existing VendorSet found... value- " & VendorSet.Value("AllowVLANandNLB")
     End If
 
     if VendorSet.Value("ReadInterfaceMTU") <> true Then
 
         Err.Clear
         VendorSet.Value("ReadInterfaceMTU") = true
 
         If Err.Number <> 0 Then
             CheckError
         Else
             VendorSets.Save false, true
             CheckError
 
             If Err.Number = 0 Then
                 WScript.Echo "Done with ReadInterfaceMTU, saved!"
             End If
         End If
     Else
         WScript.Echo "Done with ReadInterfaceMTU, no change!"
     End If
 
 End Sub
 
 Sub CheckError
 
     If Err.Number <> 0 Then
         WScript.Echo "An error occurred: 0x" & Hex(Err.Number) & " " & Err.Description
         Err.Clear
     End If
 
 End Sub
 
 AddReadMTUregistry

Run the script. To do this, double-click the .vbs file that you created.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

Keywords: kbqfe kbprb KB919620


© Microsoft Corporation. All rights reserved.