Error 64 “ The specified network name is no longer available” while accessing a HTTPS site through ISA 2006

 

Here’s some info on an interesting support issue I worked the other day. If you happen to
run into this one day, maybe this will help you get it resolved.

Issue:

We have a website published through ISA 2006. The site is configured for both HTTP and HTTPS access from the ISA server. When a user connects to the site over HTTP, the site comes up fine.

But when he tries over HTTPS, he gets a ‘page cannot be displayed’.

Troubleshooting and Resolution:

We started with live logging on the ISA console while doing a repro of the issue. We were seeing ‘Failed Connection Attempts’ for the traffic coming from the test machine used for the repro, with the error message: Error 64 “The specified network name is no longer available”

This error is very generic and there can be multiple reasons which would translate to this error code.The most common one is when the backend server is performing a dirty TCP connection reset.

So, to check this further, we collected a network monitor trace on the internal NIC of ISA server.

We filtered down to the traffic that is of interest to us.

clip_image001

clip_image001[5]

 

 

So this clearly indicates that the backend server is Resetting the TCP connection prematurely and this is triggering the ‘64 Error’.

Investigating further, we identified that the backend device is a 3rd party load balancer. And for some unknown reasons, the ISA server was failing at the SSL handshake stage.

So, we had the 3rd party support team collect a dump of the SSL settings on the Load Balancer and identified the following:

clip_image004

Then, we went back to the Network Monitor trace (the earlier screenshot) and compared this with the ciphers advertised by ISA server in the client hello. RSA_WITH_RC4_128_MD5 is not part of the Cipher list sent by the ISA server.

Due to this, the 2 peers are not able to successfully choose a common encryption scheme and the SSL handshake fails.

After identifying this, we had the 3rd party vendor enable additional Ciphers which are accepted by ISA server.

Once we did this, the published site was accessible from the internet.

The issue was resolved!!

Hope this would be helpful when you are troubleshooting website accessibility issues through ISA server…especially with 3rd party load balancers in the infrastructure.

Author:

Karthik Divakaran

Security Support Engineer - Microsoft Forefront Edge Team

Reviewers:

Suraj Singh

Security Support Escalation Engineer - Microsoft Forefront Edge Team

Richard Barker

Security Sr. Support Escalation Engineer – Microsoft Forefront Edge Team

Comments

  • Anonymous
    January 01, 2003
    HI,
    I just published the ADFS 3.0 Server and got this error when test rule and externally

    Technical Information (for support personnel)
    •Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)


    As

  • Anonymous
    January 01, 2003
    thanks for the tip.

  • Anonymous
    May 30, 2013
    Job well done mate. Nicely written.

  • Anonymous
    August 11, 2014
    Thanks a lot !! .

    I have the same issue but with TMG 2010 and NLB as the load balancer. I can't get it solved.

    Again: Thanks for sharing the tip !

  • Anonymous
    November 12, 2015
    Great post from your hands again. I loved the complete article.
    By the way nice writing style you have. I never felt like boring while reading this article.
    I will come back & read all your posts soon. Regards, Lucy.