ISA is not always at fault when FTP is not working
1. Introduction
We experience a lot of issues in accessing Outbound FTP from the Web Proxy clients behind ISA server. Enlisting one of the reasons here which is not actually an ISA issue but internal client side issue.
2. Scenario
Unable to access an Anonymous FTP web site from Web Proxy clients behind a Single NIC ISA 2006 server who use WPAD file to connect to the ISA server. WPAD is configured through DHCP.
When we have the ‘Automatically Detect Settings’ configured in the IE Proxy settings and if try to access any FTP site like in this scenario ftp://ftp.fabrikam.com. We get a generic IE error ‘Page cannot be displayed’. It is not an ISA error. So here all the fun starts. So far it looks like the traffic is not even hitting the ISA server and we need to investigate that.
3. Troubleshooting:
When we disable ‘Automatically Detect Settings’ in the IE Proxy settings and manually put in the ISA servers IP address there we can access the FTP web site. So it clearly shows now that the issue is with WPAD file.
When we take a Network Trace on the client while trying to access ftp://ftp.fabrikam.com. In the Network trace we cannot see the WPAD file getting downloaded. We delete all the cookies and the temporary Internet files on that client and then start the Network trace again and try to access the FTP web site again and we still cannot see any WPAD file getting downloaded on the client and that’s why there was no traffic being sent to the ISA servers. As you can see in the traffic below the client is sending the traffic out to the Public FTP server directly on Port 21 from its Default Gateway and that’s why not working:
11:28:10.058 0.000000 879 TCP 172.16.74.104 ftp. fabrikam.akadns.net TCP:Flags=......S., SrcPort=49717, DstPort=FTP control(21), PayloadLen=0, Seq=977062869, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:10.380 0.322401 887 TCP ftp. fabrikam.akadns.net 172.16.74.104 TCP:Flags=...A..S., SrcPort=FTP control(21), DstPort=49717, PayloadLen=0, Seq=3482203085, Ack=977062870, Win=8192 ( Scale factor not supported ) = 8192 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:10.380 0.000000 888 TCP 172.16.74.104 ftp. fabrikam.akadns.net TCP:Flags=...A...., SrcPort=49717, DstPort=FTP control(21), PayloadLen=0, Seq=977062870, Ack=3482203086, Win=65280 (scale factor 0x0) = 65280 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:10.700 0.319601 895 FTP ftp. fabrikam.akadns.net 172.16.74.104 FTP:Response to Port 49717, '220 Microsoft FTP Service' 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:10.700 0.000000 896 FTP 172.16.74.104 ftp. fabrikam.akadns.net FTP:Request from Port 49717,'USER anonymous' 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:11.012 0.312000 902 FTP ftp. fabrikam.akadns.net 172.16.74.104 FTP:Response to Port 49717, '331 Anonymous access allowed, send identity (e-mail name) as password.' 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:11.012 0.000000 903 FTP 172.16.74.104 ftp. fabrikam.akadns.net FTP:Request from Port 49717,'PASS User@' 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:11.324 0.312001 910 FTP ftp. fabrikam.akadns.net 172.16.74.104 FTP:Response to Port 49717, '230 -Welcome to FTP. fabrikam.COM. Also visit https://www. fabrikam.com/downloads.' 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:11.324 0.000000 911 FTP ftp. fabrikam.akadns.net 172.16.74.104 FTP:Response to Port 49717, '230 User logged in.' 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:11.324 0.000000 912 TCP 172.16.74.104 ftp. fabrikam.akadns.net TCP:Flags=...A...., SrcPort=49717, DstPort=FTP control(21), PayloadLen=0, Seq=977062898, Ack=3482203288, Win=65078 (scale factor 0x0) = 65078 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:11.324 0.000000 913 FTP 172.16.74.104 ftp. fabrikam.akadns.net FTP:Request from Port 49717,'CWD /' 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:11.636 0.312001 916 FTP ftp. fabrikam.akadns.net 172.16.74.104 FTP:Response to Port 49717, '250 CWD command successful.' 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:11.636 0.000000 917 FTP 172.16.74.104 ftp. fabrikam.akadns.net FTP:Request from Port 49717,'TYPE A' 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:11.948 0.312000 922 FTP ftp. fabrikam.akadns.net 172.16.74.104 FTP:Response to Port 49717, '200 Type set to A.' 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:11.948 0.000000 923 FTP 172.16.74.104 ftp. fabrikam.akadns.net FTP:Request from Port 49717,'PORT 172,16,74,104,194,54' 0.000000 iexplore.exe {TCP:77, IPv4:76}
11:28:12.276 0.327601 931 FTP ftp. fabrikam.akadns.net 172.16.74.104 FTP:Response to Port 49717, '501 Server cannot accept argument.' 0.000000 iexplore.exe {TCP:77, IPv4:76}
It clearly shows that it is a client side issue which shows that IE is not downloading the WPAD file.
Went into the registry and made the following changes:
1) Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections.
2) Delete DefaultConnectionSettings and SavedLegacySettings.
3) Delete temp files.
4) Release and renew IP address and try re discover WPAD information.
Now when we try to access the FTP web site and take the network trace we can see the WPAD file getting downloaded. And the FTP site also works. Now we can see the WPAD file getting downloaded as well in the trace:
09:07:41.808 0.000000 4267 172.16.74.104 172.17.31.23 TCP TCP:Flags=......S., SrcPort=54036, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1853634203, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 0.000000 {TCP:139, IPv4:138}
09:07:41.809 0.001000 4268 172.17.31.23 172.16.74.104 TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=54036, PayloadLen=0, Seq=1018293065, Ack=1853634204, Win=16384 ( Negotiated scale factor 0x0 ) = 16384 0.000000 {TCP:139, IPv4:138}
09:07:41.809 0.000000 4269 172.16.74.104 172.17.31.23 TCP TCP:Flags=...A...., SrcPort=54036, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1853634204, Ack=1018293066, Win=16660 (scale factor 0x2) = 66640 0.000000 {TCP:139, IPv4:138}
09:07:41.809 0.000000 4270 172.16.74.104 172.17.31.23 HTTP HTTP:Request, GET /wpad.dat 0.000000 {HTTP:140, TCP:139, IPv4:138}
09:07:41.812 0.003000 4271 172.17.31.23 172.16.74.104 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: /wpad.dat 0.000000 {HTTP:140, TCP:139, IPv4:138}
And then the FTP traffic was also going through the ISA server:
09:06:46.682 0.000000 288 172.16.74.104 172.17.31.12 TCP TCP:Flags=......S., SrcPort=54018, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2393493103, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 0.000000 iexplore.exe {TCP:14, IPv4:13}
09:06:46.684 0.002000 289 172.17.31.12 172.16.74.104 TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=54018, PayloadLen=0, Seq=1848901565, Ack=2393493104, Win=16384 ( Negotiated scale factor 0x0 ) = 16384 0.000000 iexplore.exe {TCP:14, IPv4:13}
09:06:46.684 0.000000 290 172.16.74.104 172.17.31.12 TCP TCP:Flags=...A...., SrcPort=54018, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2393493104, Ack=1848901566, Win=16660 (scale factor 0x2) = 66640 0.000000 iexplore.exe {TCP:14, IPv4:13}
09:06:46.684 0.000000 291 172.16.74.104 172.17.31.12 HTTP HTTP:Request, GET ftp://ftp. fabrikam.com/ 0.000000 iexplore.exe {HTTP:15, TCP:14, IPv4:13}
09:06:46.910 0.226013 302 172.17.31.12 172.16.74.104 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=54018, PayloadLen=0, Seq=1848901566, Ack=2393493393, Win=65246 (scale factor 0x0) = 65246 0.000000 iexplore.exe {TCP:14, IPv4:13}
09:06:49.635 2.725156 679 172.17.31.12 172.16.74.104 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: ftp://ftp. fabrikam.com/ 0.000000 iexplore.exe {HTTP:15, TCP:14, IPv4:13}
09:06:49.636 0.001000 680 172.17.31.12 172.16.74.104 HTTP HTTP:HTTP Payload, URL: ftp://ftp. fabrikam.com/ 0.000000 iexplore.exe {HTTP:15, TCP:14, IPv4:13}
09:06:49.636 0.000000 681 172.16.74.104 172.17.31.12 TCP TCP:Flags=...A...., SrcPort=54018, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2393493393, Ack=1848902887, Win=16329 (scale factor 0x2) = 65316 0.000000 iexplore.exe {TCP:14, IPv4:13}
09:06:49.909 0.273016 694 172.17.31.12 172.16.74.104 TCP TCP:Flags=...A...F, SrcPort=HTTP Alternate(8080), DstPort=54018, PayloadLen=0, Seq=1848902887, Ack=2393493393, Win=65246 (scale factor 0x0) = 65246 0.000000 iexplore.exe {TCP:14, IPv4:13}
09:06:49.909 0.000000 695 172.16.74.104 172.17.31.12 TCP TCP:Flags=...A...., SrcPort=54018, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2393493393, Ack=1848902888, Win=16329 (scale factor 0x2) = 65316 0.000000 iexplore.exe {TCP:14, IPv4:13}
09:06:49.909 0.000000 696 172.16.74.104 172.17.31.12 TCP TCP:Flags=...A.R.., SrcPort=54018, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=2393493393, Ack=1848902888, Win=0 (scale factor 0x2) = 0 0.000000 iexplore.exe {TCP:14, IPv4:13}
09:06:52.565 2.656152 769 172.16.74.104 172.17.31.12 TCP TCP:Flags=......S., SrcPort=54019, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1037727098, Ack=0, Win=8192 ( Negotiating scale factor 0x2 ) = 8192 0.000000 iexplore.exe {TCP:27, IPv4:13}
09:06:52.567 0.002000 770 172.17.31.12 172.16.74.104 TCP TCP:Flags=...A..S., SrcPort=HTTP Alternate(8080), DstPort=54019, PayloadLen=0, Seq=2075932759, Ack=1037727099, Win=16384 ( Negotiated scale factor 0x0 ) = 16384 0.000000 iexplore.exe {TCP:27, IPv4:13}
09:06:52.567 0.000000 771 172.16.74.104 172.17.31.12 TCP TCP:Flags=...A...., SrcPort=54019, DstPort=HTTP Alternate(8080), PayloadLen=0, Seq=1037727099, Ack=2075932760, Win=16660 (scale factor 0x2) = 66640 0.000000 iexplore.exe {TCP:27, IPv4:13}
09:06:52.567 0.000000 772 172.16.74.104 172.17.31.12 HTTP HTTP:Request, GET ftp://ftp. fabrikam.com/bussys/ 0.000000 iexplore.exe {HTTP:28, TCP:27, IPv4:13}
09:06:52.800 0.233013 789 172.17.31.12 172.16.74.104 TCP TCP:Flags=...A...., SrcPort=HTTP Alternate(8080), DstPort=54019, PayloadLen=0, Seq=2075932760, Ack=1037727395, Win=65239 (scale factor 0x0) = 65239 0.000000 iexplore.exe {TCP:27, IPv4:13}
09:06:55.037 2.237128 919 172.17.31.12 172.16.74.104 HTTP HTTP:Response, HTTP/1.1, Status Code = 200, URL: ftp://ftp. fabrikam.com/bussys/ 0.000000 iexplore.exe {HTTP:28, TCP:27, IPv4:13}
So, the conclusion is 'ISA is not always at fault when FTP is not working'.