TMG 2010 Site 2 Site IPSEC Tunnel and HTTP Traffic Fails to flow

I have come across this several times now, so I thought it warranted a post. In an environment where a site-to-site IPsec tunnel is established between a TMG and a Cisco ASA, websites on the other side of the tunnel cannot be displayed and give the following:

Technical Information (for support personnel)
Error Code 10060: Connection timeout
Background: The gateway could not receive a timely response from the website you are trying to access. This might indicate that the network is congested, or that the website is experiencing technical difficulties. 

Viewing the outgoing connection attempt in the TMG log then shows the following error:

Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Rule: Allow access between Site A and Site B

The easiest fix was to open the HTTP protocol definition and disable the application filter. See e.g.:

This obviously disables some useful features; the better option is to create a custom HTTP protocol definition that is not associated with the Web Proxy filter, then create a rule that applies this HTTP protocol to traffic between the sites.
