Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations gkittelson on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

ISA Firewall failed to start

Status
Not open for further replies.
Dazza2003

Dazza2003

IS-IT--Management
Sep 11, 2003
1
AU
I have installed ISA 2000 on a Windows Server 2003, I have installed the sp1 hot fixes and Feature Pack 1. I am getting the following errors in events

System Error:
The Microsoft Firewall service terminated with service-specific error 213005 (0x3400D).

Application Error:
Microsoft Firewall failed. The failure occurred during Initialization of Network Address Translation (NAT) because the system call PNATInit failed. Use the source location 308.1151.3.0.1200.166 to report the failure. The error code in the Data area of the event properties indicates the cause of the failure. This failure may be due to the Internet Connection Firewall (ICF) service being enabled. If it is enabled, please disable the service named "Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)" (SharedAccess). Then, restart the computer. For more information about this event, see ISA Server Help. The error description is: Access is denied.


Can anyone point me to where the problem may be?

Regards
Darren
 
Sort by date Sort by votes
Sorry, I can't help at this stage, but I am having exactly the same problem, and have a similar configuration, Server 2003, SP1, Feature Pack 1 and hotfixes. Out of interest, are you running anything else on the box (e.g. I have SQL Server, IIS 6) and how much RAM do you have? Apparently the firewall service sometimes refuses to start if there isn't enough RAM, although I've allocated a 1024-2048 pagefile so this doesn't seem to be the problem here.
 
Upvote 0 Downvote
Did anybody ever resolve this issue - we have had ISA and Win2003 running for about two weeks, we rebooted one day and the services wouldn't start.....
Trawled through the forums and started the services as domain admin - all OK, except for the Firewall service !!

Have tried uninstalling, etc - no joy - lots of posts regarding this issue, but can't find a resolution as yet - does anybody know what causes this ??

RRAS and ICS - disabled....
 
Upvote 0 Downvote
Do You have Event IDs and Source for this error message?

Cheers
Knutern
 
Upvote 0 Downvote
Hello friends:

I had found a one thing that cause this problem:

It's a hotfix applied after install Isa Server Service Patch 1 .

So, first try to locate this hotfix. To do that, go to the control panel and click on add and remove programs. The find the Microsoft Isa Server Service Patch 1 and Hotfixes and click in the change button.
Finaly remove hotfixes 235 or 255. "this actions require to restart de server."
Good luck

 
Upvote 0 Downvote
Removing ISA Hotfix 255 is not such a good idea. After all, this is a required patch for ISA Server when running on Windows 2003 Server.

I had ISA Server installed on Windows 2003 Server my self without this error message AND the following fixes installed (installed in this order):
ISA SP1, ISA Hotfixes 255, 177, 174, Feature Pack, ISA Hotfixes 256, 257, Q816456 and lastly 182.

ISA Hotfix 182 is not required. If you are using your server with a system local <> US English, then your are most likely to experience that reports are either incomplete or spanning unexpected date ranges. To solve this behavior either install the fix or change system local to US English. More info over here <
To solve the problem this thread is all about, more information is needed. As requested before, Event ID and Source would be most useful.

Cheers
Knutern
 
Upvote 0 Downvote
Hello All...

Thanks for the help....

Event ID - 11011
Event info:
Microsoft Firewall failed. The failure occurred during Initialization of Network Address Translation (NAT) because the system call PNATInit failed. Use the source location 308.1151.3.0.1200.166 to report the failure. The error code in the Data area of the event properties indicates the cause of the failure. This failure may be due to the Internet Connection Firewall (ICF) service being enabled. If it is enabled, please disable the service named &quot;Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)&quot; (SharedAccess). Then, restart the computer. For more information about this event, see ISA Server Help. The error description is: Access is denied.

Tried running service with local computer account - no joy, now trying to run with a Domain Admin account, this worked OK for the web service and the ISA control service, but not the firewall service...

Have since ran rmisa.exe, rebooted and reinstalled ISA Server, rebooted, installed SP1, rebooted and then a Hotfix (255) - rebooted and then we get the above message...

Considering reinstalling Server 2003 or installing as a standalone ISA server but I feel this is too drastic - we really want this on server 2003 and as part of an array

Any additional info would be appreciated...

Thanks in advance

Kenny
 
Upvote 0 Downvote
Hi,
I have the same problem.
I use a w2k3 server as ad controller and isa2000 as firewall on the same machine. For easier administration I change the locale to german. Thats when I got the error message.

I changed all back to english, except the keyboard layout, rebootet the server and now it works again :).
I hope I could help you a little bit.

Kind regards,
Dominik
 
Upvote 0 Downvote
It is IMPORTANT to have system locale set to English US if you are planning to use SMTP Message Filtering!

Do I understand you correctly, your ISA Server is also Domain Controller? If so, why?

It is strongly recommended that ISA Server ist not DC. Simple reason: If someone manages to bypass ISA then the person would be able to hack AD right away.

Cheers
Knutern
 
Upvote 0 Downvote
Hi,

yes your right, the isa server is also the dc. I know that you shouldn´t do this.
There is an additional firewall outside the isa server, that blocks nealry everything.
I can only use two server, cause my boss can´t afford more :(, that´s why I installed it like that. And you can´t install a SPPS 2003 on a dc, that´s why the ISA server is a dc as well.
As soon as I get an extra server, I will install the dc on another machine.

Kind regards
Dominik
 
Upvote 0 Downvote
Have checked the input locales set to English US - ours is not on a DC - checking locales made no difference...
 
Upvote 0 Downvote
I've checked with my current configuration, and if set the startup type of &quot;Internet Connection Sharing Service&quot; to automatic, i experience problems with my ISA Server, more specificly the NAT portion. Setting it back to manual (and reboot) solved it.

But the error message we're talking about here does not pop up. In this case the error message suggests that the service be disabled.

Was ICS at ANY POINT activated before installing ISA?

How's the IP Configuration looking like? How many NICs are in being used?

Cheers
Knutern
 
Upvote 0 Downvote
These steps should be followed when installing ISA Server 2000 on a Windows 2003 Server:
[ul][li]Install Windows Server 2003
[li]Install ISA Server 2000
[li]Install ISA Server Service Pack 1
[li]Install isahf255.exe
[li]Install Feature Pack 1[/ul][/li]
Prior to install ISA Server make sure that the internal LAN interface is the first one in Advanced Settings, Adapters and Bindings. You do that by opening Network Connections, click Advanced menu and then Advanced Settings.

Then start installation. Some error messages will occur, but you can still continue the install process. After installation is completed, do not start the &quot;Getting started wizard&quot; but install ISA SP1 right away. If you would like to utilize the SMTP Message Screener component, you must install the SMTP component prior to installing ISA Server.

After ISA SP1 has been installed and server has been rebooted, install ISA Hotfix 255 and ISA Feature Pack (in this order).

Cheers
Knutern
 
Upvote 0 Downvote
ICS service is set to manual - never activated as this was a clean install as you mentioned above, but have not installed Feature Pack 1 - after the hotfix 255 is installed it restarts the services and eventually hangs at the ISA services - setting the services login to domain admin allows all but the firewall service to start.

Have tried installing and joining a different array - no joy. Tried hitting it with a hammer, no difference (except that it made me feel a wee bit better....)
Will uninstall and start again - this time as a standalone isa server, then once verified that everything is working (!!!) OK, will see if it will join an array.....

Cheers,

Kenny
 
Upvote 0 Downvote
If you are creating an array, the server needs to be a domain member and ISA Server schmea must be installed to the active directory. This was done already?

Cheers
Knutern
 
Upvote 0 Downvote
Yep - this was already done, the first time we installed it, everything was OK - was configured and running for about 2 weeks, then after a reboot, we're in this position, and subsequent installs have failed to resolve..

When you initialise the array at the start, to get it into AD - do you know of any issues running this again, will it reinitialise or fail ?? We're installing as a standalone at the moment, will see what happens when we try and add a working (!!!!) ISA into an existing array....

If the above fails, may try and reinitialise the array in AD....

Cheers,

Kenny
 
Upvote 0 Downvote
Running for two weeks and after a reboot you (klamb) experience this behaviour? Odd. Then something must have changed. Why did you reboot it at that time? Install anything that needed reboot or just like that? During the two weeks in which the ISA Server was running, did you have any strange error messages in either applicatioin log
or system log?

I have no experience on reinstalling an array member into a previously ISA-initialized Active Directory. Sorry I can not help on this issue.

Cheers
-Knutern
 
Upvote 0 Downvote
Was rebooted because we were physically moving the server.. I agree something must have changed, but it not was not with the ISA settings - must have been something in AD, as I believe the problem is that the firewall service cannot log into AD (!!)..

Everything worked OK as a standalone - promoted it into an array, it promoted successfully but the services failed again, changed services login to domain admin, everything but the firewall service worked OK....

Will now reinstall as a standalone and will reinitialise the ISA schema in AD later tonight....
 
Upvote 0 Downvote
I have the exact same problem with my ISA2k on 2k3 server. I powered it down because work being done in area and had to cover servers to prevent dust/debris entering systems. Powered back up and MS Firewall service refuses to start per same errors as reported in this thread. No changes to system, other than the Windows Update's that MS puts out, that have been applied over it's lifetime. (Approx 2 months runtime). Nothing seems to pull up in Technet, so apparently this is not fixed yet by MS. Hard to imagine that so many people could have screwed up their ISA's in exactly the same way. Sounds much more like a bug to me. If anyone gets a good fix, other than a complete reinstall, please post it here soon!

Thanks
Xanderphillips
 
Upvote 0 Downvote
Xanderphillips: Was your ISA server too an array member? It is crusial information.

And as you point out, there are no information in Technet covering this problem. Not even in Microsoft Premier databases.

I can only tell that my test lab environment did not suffer such sudden death. But then again, I did install it as stand alone and no array. As of this I have initiated contact with our Microsoft Premier representative to check whether this problem is known or not. As soon as I know more I'll let you all know of course.

Cheers
Knutern
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
798
Sameer258
Sameer258
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
658
Johnkite
Johnkite
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
233
hairlessupportmonkey
hairlessupportmonkey
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
585
nnaarrnn
nnaarrnn
Russtoleum
  • Locked
  • Question
Windows client can't connect to sonicwall l2tp server
Replies
0
Views
155
Russtoleum
Russtoleum

Part and Inventory Search

Sponsor

Back
Top