Error 64 “ The specified network name is no longer available” while accessing a HTTPS site through ISA 2006
Here’s some info on an interesting support issue I worked the other day. If you happen to
run into this one day, maybe this will help you get it resolved.
Issue:
We have a website published through ISA 2006. The site is configured for both HTTP and HTTPS access from the ISA server. When a user connects to the site over HTTP, the site comes up fine.
But when he tries over HTTPS, he gets a ‘page cannot be displayed’.
Troubleshooting and Resolution:
We started with live logging on the ISA console while doing a repro of the issue. We were seeing ‘Failed Connection Attempts’ for the traffic coming from the test machine used for the repro, with the error message: Error 64 “The specified network name is no longer available”
This error is very generic and there can be multiple reasons which would translate to this error code.The most common one is when the backend server is performing a dirty TCP connection reset.
So, to check this further, we collected a network monitor trace on the internal NIC of ISA server.
We filtered down to the traffic that is of interest to us.
![clip_image001[5]](https://msdntnarchive.blob.core.windows.net/media/TNBlogsFS/prod.evol.blogs.technet.com/CommunityServer.Blogs.Components.WeblogFiles/00/00/00/48/31/metablogapi/7776.clip_image0015_5493048B.jpg "clip_image001[5]")
So this clearly indicates that the backend server is Resetting the TCP connection prematurely and this is triggering the ‘64 Error’.
Investigating further, we identified that the backend device is a 3rd party load balancer. And for some unknown reasons, the ISA server was failing at the SSL handshake stage.
So, we had the 3rd party support team collect a dump of the SSL settings on the Load Balancer and identified the following:
Then, we went back to the Network Monitor trace (the earlier screenshot) and compared this with the ciphers advertised by ISA server in the client hello. RSA_WITH_RC4_128_MD5 is not part of the Cipher list sent by the ISA server.
Due to this, the 2 peers are not able to successfully choose a common encryption scheme and the SSL handshake fails.
After identifying this, we had the 3rd party vendor enable additional Ciphers which are accepted by ISA server.
Once we did this, the published site was accessible from the internet.
The issue was resolved!!
Hope this would be helpful when you are troubleshooting website accessibility issues through ISA server…especially with 3rd party load balancers in the infrastructure.
Author:
Karthik Divakaran
Security Support Engineer - Microsoft Forefront Edge Team
Reviewers:
Suraj Singh
Security Support Escalation Engineer - Microsoft Forefront Edge Team
Richard Barker
Security Sr. Support Escalation Engineer – Microsoft Forefront Edge Team
Comments
Anonymous
January 01, 2003
HI,
I just published the ADFS 3.0 Server and got this error when test rule and externally
Technical Information (for support personnel)
•Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
AsAnonymous
January 01, 2003
thanks for the tip.Anonymous
May 30, 2013
Job well done mate. Nicely written.Anonymous
August 11, 2014
Thanks a lot !! .
I have the same issue but with TMG 2010 and NLB as the load balancer. I can't get it solved.
Again: Thanks for sharing the tip !Anonymous
November 12, 2015
Great post from your hands again. I loved the complete article.
By the way nice writing style you have. I never felt like boring while reading this article.
I will come back & read all your posts soon. Regards, Lucy.