Discussion:
TMG 2010 connectivity lost when number of denied TCP exceeds limi
Chris Proud
2010-02-01 12:08:02 UTC
TMG 2010 on Windows 2008 R2 x64

Whenever I get the alert "The number of denied TCP and non-TCP packets per
second exceeded the system limit. As a result, Forefront TMG reduced the
number of records of denied packets that are written in the log." all the TCP
port connectivity verifiers fail, as do any other new outgoing TCP connections,
like the SMTP alert. PING verifiers don't appear to be affected, nor do
current connections (I think). I think it is also affecting new connections
from workstations.

It appears to happen sporadically. Sometimes it can occur every 5 minutes
for half an hour, sometimes longer. It cleared itself this morning but the
other day a restart seemed to do the trick. Maybe it is linked to
something/one scanning our server.

Thanks
Jens Baier
2010-02-01 19:52:55 UTC
Hi,
Post by Chris Proud
Whenever I get the alert "The number of denied TCP and non-TCP packets per
second exceeded the system limit. As a result, Forefront TMG reduced the
number of records of denied packets that are written in the log." all the TCP
port connectivity verifiers fail, as do any other new outgoing TCP connections,
like the SMTP alert. PING verifiers don't appear to be affected, nor do
current connections (I think). I think it is also affecting new connections
from workstations.
Create an exception for these IP addresses in the Flood Mitigation settings.
--
Gruss Jens
www.it-training-grote.de
www.forefront-tmg.de
https://mvp.support.microsoft.com/profile/Marc.Grote
http://blog.it-training-grote.de
Chris Proud
2010-02-04 10:57:01 UTC
Hi Gruss,

Thanks for your suggestion. I have already disabled flood mitigation because
it was causing all kinds of other problems! (I unticked "Mitigate flood
attacks and worm propagation", should I disable it anywhere else?)

What seems to be happening in my case is that ALL new connections are denied
when the global denied packets event occurs. I can't see how adding an
exception would help - the event indicates a global deny limit, not specific
to any IP. Where would I add the exception to?

Also, the event description does not indicate any kind of blocking should
occur, just that it's going to stop logging the packets.

Thanks

Chris
Chris Proud
2010-02-11 16:00:01 UTC
Bump!
Luis Marques
2012-03-08 14:35:24 UTC
Hi Chris,

Did you find something? I have had exactly the same problems for a few days.
Chris Proud
2010-04-21 13:05:01 UTC
This has started to happen again. It's being quite persistent at the moment.

Does anyone have any ideas what might be causing the problem?
Phillip Windell
2010-04-22 18:37:23 UTC
You're gonna have to find the source.

They should be in the logs. It still logs them; it only says that it is
reducing the records, not eliminating them.

Does the alert give the source IP#?

It could be an infection on the LAN or a DoS attack from outside; that's
why you have to find the source. The problem is not ISA; the problem is
what is bombing the ISA.
--
Phillip Windell

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
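
One way to find the source in the logs, as suggested in the reply above. This is an added example, not part of the thread and not TMG's own tooling. It assumes the firewall log has been exported as tab-separated text with a `#Fields:` header naming `date`, `time`, `source` and `action` columns; those column names, the `Denied` value and the sample lines are constructed for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample export (assumed layout, not a real TMG log).
SAMPLE_LOG = """\
#Fields: date\ttime\tsource\tdestination\taction
2010-04-21\t13:00:01\t10.0.0.57:4312\t203.0.113.9:445\tDenied
2010-04-21\t13:00:01\t10.0.0.57:4313\t203.0.113.10:445\tDenied
2010-04-21\t13:00:01\t10.0.0.57:4314\t203.0.113.11:445\tDenied
2010-04-21\t13:00:01\t10.0.0.57:4315\t203.0.113.12:445\tDenied
2010-04-21\t13:00:01\t10.0.0.12:5120\t192.0.2.25:25\tAllowed
2010-04-21\t13:00:02\t10.0.0.57:4316\t203.0.113.13:445\tDenied
2010-04-21\t13:00:02\t198.51.100.20:3301\t192.0.2.1:3389\tDenied
"""

def parse(lines):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
            continue
        if not line or line.startswith("#") or fields is None:
            continue  # skip other directives and anything before the header
        values = line.split("\t")
        if len(values) == len(fields):  # ignore truncated records
            yield dict(zip(fields, values))

def denied_by_source(lines, action="Denied"):
    """Return [(source_ip, total_denied, peak_denied_per_second)], busiest first."""
    totals = Counter()
    per_second = defaultdict(Counter)
    for rec in parse(lines):
        if rec["action"] != action:
            continue
        host = rec["source"].rsplit(":", 1)[0]  # drop ":port" (IPv4 assumed)
        totals[host] += 1
        per_second[host][(rec["date"], rec["time"])] += 1
    return [(host, count, max(per_second[host].values()))
            for host, count in totals.most_common()]

if __name__ == "__main__":
    for host, total, peak in denied_by_source(SAMPLE_LOG.splitlines()):
        print(f"{host:<16} denied={total:<6} peak/sec={peak}")
```

A single internal address at the top of this list points to an infected or misconfigured LAN host; many external addresses with similar counts point to scanning or a flood from outside.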