Connection Failures between ACE and MS ISA

Unanswered Question
Aug 7th, 2009
I'm using an ACE4710 to load-balance client requests to a number of Microsoft ISA proxies. I seem to be getting connection failures when looking at the stats on the ACE4710, see example:

real                  weight  state        current  total  failures
rserver: Gllnwis001   8       OPERATIONAL  0        43382  7
rserver: Gllnwis002   8       OPERATIONAL  0        42937  5
rserver: Gllnwis003   8       OPERATIONAL  0        43001  6

The effect on the client is that it's showing a connection refused in Internet Explorer.

What could cause these failed connections? The servers are new and not being used at all, the ports are all fixed to 1000M FDX...

Many Thanks,

Gilles Dufour Fri, 08/07/2009 - 05:52
User Badges: Cisco Employee

The failure is counted when the server does not respond to a SYN or sends a RST.

You have more or less 20 failures out of 130k connections.

That's 1 failure for 6500 connections.

I'm not sure your customers can really be impacted by this.

But if you want to be sure, you will need to capture sniffer traces on the servers and verify that every SYN is answered.

Capture a 'show serverfarm' and start the trace to catch SYN, SYN/ACK and RST.

As soon as you see the failure counter increment, stop the trace and check all SYN and RST.
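Added example, not part of the original post: one way to run the check described above (verify that every SYN is answered) over a text capture taken on a server. The tcpdump-style sample lines, the addresses and ports, and the function names are constructed for illustration.

```python
import re

# Constructed `tcpdump -nn` style lines (not from the thread).
# 10.0.0.21:8080 stands in for one rserver, 10.0.0.5 for the load balancer side.
SAMPLE = """\
10:00:00.000100 IP 10.0.0.5.40001 > 10.0.0.21.8080: Flags [S], seq 100, win 8192, length 0
10:00:00.000300 IP 10.0.0.21.8080 > 10.0.0.5.40001: Flags [S.], seq 900, ack 101, win 8192, length 0
10:00:01.000100 IP 10.0.0.5.40002 > 10.0.0.21.8080: Flags [S], seq 200, win 8192, length 0
10:00:01.000400 IP 10.0.0.21.8080 > 10.0.0.5.40002: Flags [R.], seq 0, ack 201, win 0, length 0
10:00:02.000100 IP 10.0.0.5.40003 > 10.0.0.21.8080: Flags [S], seq 300, win 8192, length 0
10:00:05.000100 IP 10.0.0.5.40003 > 10.0.0.21.8080: Flags [S], seq 300, win 8192, length 0
"""

# time, src ip, src port, dst ip, dst port, TCP flags
LINE = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]")

def classify_syns(text):
    """Map each attempt (client, cport, server, sport) to
    'answered', 'reset' or 'unanswered'."""
    outcome = {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip anything that is not a TCP line
        _, src, sport, dst, dport, flags = m.groups()
        if flags == "S":
            # Initial SYN; a retransmitted SYN reuses the same key.
            outcome.setdefault((src, sport, dst, dport), "unanswered")
            continue
        key = (dst, dport, src, sport)  # replies travel in the reverse direction
        if outcome.get(key) == "unanswered":
            if "R" in flags:
                outcome[key] = "reset"      # server refused the SYN
            elif flags == "S.":
                outcome[key] = "answered"   # normal SYN/ACK
    return outcome

def failures(text):
    """Attempts that match the failure definition: no reply, or a RST."""
    return {k: v for k, v in classify_syns(text).items() if v != "answered"}

if __name__ == "__main__":
    for conn, why in failures(SAMPLE).items():
        print(conn, why)
```

A SYN that is still in flight when the trace is stopped also shows up as unanswered, so check the timestamps of the last few entries before counting them.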


g.raymakers Fri, 08/07/2009 - 10:06
Thanks Gilles, I'll start with the captures.

Clients connecting to the ISA proxies are sometimes getting a connection refused error. This doesn't happen when the clients connect directly to the ISA proxy; it only happens when the ACE is in between. I was therefore linking the connection failures to the connection refused messages that the clients are getting. Could you think of any reason why the ACE would deny a connection for a client?

Gilles Dufour Sat, 08/08/2009 - 14:58
User Badges: Cisco Employee

There could be many reasons.

You should probably capture 1 show tech now and another one when the problem is reported.

I can then have a look at both and check all the DROP counters.

I can also proactively look at show tech now if you want and see if there is anything suspicious.
