Troubleshooting tools for ISA Server
10.1.1.6 Network Monitor
Network Monitor (Netmon) is a tool used to capture and display the contents of frames that a Windows 2000 computer receives from the LAN. To simplify the analysis of network communication, Network Monitor parses 40 common network protocols. This means that for most network traffic, Network Monitor shows all the information associated with a network session, including source and destination ports and addresses, server responses, the communication itself, and so on.
The following is an example of the contents of a frame from a Network Monitor trace file, or capture:
Network Monitor trace Wed 03/07/2001 08:55:17 AM Capture1.TXT
Frame:base Frame Properties
Ethernet:etype=0x0800:protocol:ip:dod Internet Protocol
IP:IP=0XAD6; PROTO=TCP; len:327
tcp:ap...,len:287.seq:3184161250.3184161537,ack:4040781620,win:17520,src:1225 dst:80
Http:get Request (from client using port 1225).
For each frame displayed, the encapsulated protocols it contains are listed starting with the lowest layer, that is, from the outside of the frame to the inside as seen from the network. Click any row to display more information about the given protocol. Line 1, called Frame, is a description of the captured frame that is added by Network Monitor. Line 2 shows the data link layer protocol that puts the frame on the network (in this case, Ethernet). This is the lowest-layer protocol in the frame and corresponds to layer 2 of the OSI model. Next is the network layer (layer 3) protocol, in this case IP. Next is the transport layer (layer 4) protocol, which is TCP in this frame. Finally, in this example, HTTP is the highest-level protocol in the frame.
Each protocol layer contains information related to the current connection or transmission. For example, in the TCP row, the src and dst parameters are the source and destination ports of the TCP connection that the frame or packet belongs to. In this packet, the source port is TCP port 1225 on the client and the destination port is TCP port 80. You can find the source and destination of network traffic by looking at the TCP or UDP rows of the frames captured in Network Monitor. This is an essential tool for firewall configuration.
In addition, by creating a trace of network activity, you can analyze network traffic and determine the source of network problems. For example, assume users are complaining about logon latency over a VPN connection. After you run a Network Monitor capture, the trace can show the L2TP and PPTP traffic during logon. L2TP is used by default when the Local ISA VPN Wizard is used to configure a connection to a remote network. If L2TP is not available, PPTP is used. If L2TP is not available on the remote VPN server, your users will experience logon latency when they connect, because both protocols are tried. Use Network Monitor to find out when L2TP is unavailable. ISA Server can then be configured to connect to the remote VPN server through PPTP, which improves the logon latency.
Even if you do not use a VPN in your network environment, a Network Monitor capture can reveal protocols that are not needed on the network yet generate traffic and slow Internet access. For example, a private LAN connection does not require the PPTP tunneling protocol.
10.1.2 Routing Table
Each computer that uses TCP/IP as a network protocol has a routing table, and the route of an IP packet from one computer to another depends on the routing table of the computer that sent the packet.
The route command-line tool can be used to view and modify the routing table. When you enter route print on the command line, the local routing table is displayed, as shown in Figure 10.2.
10.1.2.1 Routing decision process
To select the single route used to forward an IP packet, the IP protocol processes the routing table as follows:
1. For each route in the routing table, the IP protocol performs a bitwise logical AND between the route's subnet mask and the destination IP address. It then compares the result with the route's network destination to see whether they match. If they match, the IP protocol marks the route as one that matches the destination IP address.
2. From the list of matching routes, the IP protocol picks the route with the most bits set in its subnet mask. That route matches the destination IP address in the largest number of bits and is therefore the most specific route for the packet. This step is also described as finding the longest or closest matching route.
3. If several closest matching routes are found, the IP protocol uses the route with the lowest metric.
4. If several closest matching routes are found and they share the lowest metric, the IP protocol chooses one of them at random.
The final result of the routing decision process is to select a single route in the routing table. If the procedure fails to find an appropriate route, the IP protocol reports a routing error.
10.1.2.2 Troubleshooting the Routing Table
Using IP utilities such as ping and tracert, you can determine when certain network segments are inaccessible to the rest of the network. When you install ISA Server in a complex network, you can use the route command to modify the routing table and configure a workable route to every network segment. For example, if ISA Server does not have an interface on a given (remote) subnet, you need to add a static route so that network traffic can be forwarded to that subnet. (A static route is a route entry that does not appear in the routing table automatically.)
To add a static route, you can use the route utility as follows:
route add 172.16.41.0 mask 255.255.255.0 172.16.40.1 metric 2
In this example, the route add command specifies that the subnet 172.16.41.0 with mask 255.255.255.0 is reached through the gateway 172.16.40.1. Note that the metric is set to 2 because the subnet is 2 hops away. (The metric is usually the number of hops to the network destination, that is, the number of routers passed.) In this case, you also need to add a static route on the downstream router that tells it how to return packets from there to the 172.16.40.0/24 subnet.
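The four-step routing decision process from section 10.1.2.1, applied before and after the static route above is added. This is an added Python example, not part of the original text; the sample routing table, the default gateway 172.16.40.254 and the function names are constructed for illustration.

```python
import ipaddress
import random
from typing import NamedTuple, Optional

class Route(NamedTuple):
    destination: str  # network destination
    mask: str         # subnet mask
    gateway: str
    metric: int

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def matches(route: Route, dst: str) -> bool:
    """Step 1: AND the destination with the mask, compare with the network."""
    return (_ip(dst) & _ip(route.mask)) == _ip(route.destination)

def mask_bits(route: Route) -> int:
    return bin(_ip(route.mask)).count("1")

def candidates(table, dst: str):
    """Steps 1-3: matching routes, then longest mask, then lowest metric."""
    matched = [r for r in table if matches(r, dst)]
    if not matched:
        return []
    longest = max(mask_bits(r) for r in matched)
    closest = [r for r in matched if mask_bits(r) == longest]
    lowest = min(r.metric for r in closest)
    return [r for r in closest if r.metric == lowest]

def select_route(table, dst: str) -> Optional[Route]:
    """Step 4: random choice among remaining ties; None is a routing error."""
    best = candidates(table, dst)
    return random.choice(best) if best else None

# Constructed sample table for a host on 172.16.40.0/24 (not from the page).
TABLE = [
    Route("0.0.0.0", "0.0.0.0", "172.16.40.254", 1),          # default route
    Route("172.16.40.0", "255.255.255.0", "172.16.40.10", 1),  # local subnet
    Route("127.0.0.0", "255.0.0.0", "127.0.0.1", 1),           # loopback
]
# The static route created by the route add command on this page.
STATIC = Route("172.16.41.0", "255.255.255.0", "172.16.40.1", 2)

if __name__ == "__main__":
    for table in (TABLE, TABLE + [STATIC]):
        route = select_route(table, "172.16.41.25")
        print(route.gateway if route else "routing error")
```

Without the static route, a packet for 172.16.41.25 matches only the default route; with it, the 24-bit mask wins even though its metric is higher, because mask length is compared before metric.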
Because the routing table on your computer is rebuilt every time you reboot, you need to add a persistent route entry so that static routes remain in the routing table. Each time the routing table is rebuilt, the persistent entries are automatically inserted into it. Use the route add -p command to add persistent entries.
Static routes can also be added through the Routing and Remote Access console in Windows 2000. When added with this method, all static routes are treated as persistent entries.
To add a static route in Routing and Remote Access, follow these steps:
1. Click Start, point to Programs | Administrative Tools, and click Routing and Remote Access.
2. Double-click IP Routing to expand the object.
3. Right-click Static Routes and select New Static Route.
The Static Route dialog box appears.
4. Complete the static route fields as necessary.