FIX: New connections are not accepted on a specific web proxy or web listener in Threat Management Gateway 2010

View products that this article applies to.

Symptoms

A server that is running Microsoft Forefront Threat Management Gateway (TMG) 2010 may stop accepting new connections on a specific web proxy or web listener. This problem may occur after several hours to several days of server uptime.

↑ Back to the top

Cause

This problem occurs when TMG stops accepting new connections on the web listener. This soon fills the backlog queue for the ancillary function driver (AFD) socket. After the backlog queue is full, the server starts to reset new incoming connections. If you monitor the server by using Network Monitor in this situation, you may notice a SYN, ACK/RST pattern for each new connection attempt.

↑ Back to the top

Resolution

To resolve this problem, install Rollup 5 for Forefront Threat Management Gateway (TMG) 2010 Service Pack 2.

↑ Back to the top

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top

More Information

After you install Rollup 5, you must enable the functionality to time out idle accept calls. To do this, follow these steps:

Copy the following script into Notepad, and then save the file as SetAcceptIdleTimeout.vbs:

'Define the constants needed.
Const strVpsGUID = "{143F5698-103B-12D4-FF34-1F34767DEABC}"
Const strVpsPropertyName = "AcceptIdleTimeout"
Const Error_FileNotFound = &H80070002
Set objArgs = wscript.Arguments
if objArgs.Count > 0 then
    uAcceptIdleTimeout = objArgs(0)
end if
if objArgs.Count <> 1 then
    wscript.echo "Usage: SetAcceptIdleTimeout.vbs <timeout>"
    wscript.echo
    wscript.echo "Set async accept timeout to <timeout> value (in sec)"
    wscript.echo "To disable async accept timeout set it to 0"
    wscript.Quit 2
end if
set objArray = CreateObject("FPC.Root").GetContainingArray()
Set objVPSet = OpenVPSet(objArray, strVpsGUID)
objVPSet.Value(strVpsPropertyName) = uAcceptIdleTimeout
objArray.Save()
objArray.RestartServices(1)
function OpenVPSet(objParent, strVpsGUID)
    Set objVPSets = objParent.VendorParametersSets
    On Error Resume Next
    Set OpenVPSet = objVPSets.Item(strVpsGUID)
    ' Save the Err properties in case it needs to be re-raised
    errNumber      = Err.Number
    errSource      = Err.Source
    errDescription = Err.Description
    errHelpFile    = Err.HelpFile
    errHelpContext = Err.HelpContext
    
    On Error GoTo 0
    
    if errNumber = Error_FileNotFound Then
        Set OpenVPSet = objVPSets.Add(strVpsGUID)
    Elseif errNumber < 0 Then
        ' An error other than "file not found" occurred -- re-raise the error,
        ' this time not under "On Error Resume Next"
        Err.Raise errNumber, errSource, errDescription, errHelpFile, errHelpContext
    End If
end function

Run the script on one of the TMG servers. For example to set the time-out period to 5 minutes, run the following from an administrative command prompt:
```
cscript.exe SetAcceptIdleTimeout.vbs 300
```
To make this change take effect, restart the firewall service on all array members.