Home | Site Map | Cisco How To |  Net How To | Wireless | Search | Forums | Services | Donations | Careers | About Us | Contact Us|

How to repair Error Code 10061 in ISA: Connection refused

There are times when you might come across a ‘Connection Refused’ error while using Microsoft’s ISA 2006 or Forefront TMG 2010 server. Fixing this depends on what the root cause is – which isn’t always easy to determine. In this brief post, we shall assess how this can be done.

Let’s start by examining what Error 10061 is saying. The client may be presented with an error message in the browser that looks something like this:

Error Code 10061: Connection refused
Background: When the gateway or proxy server contacted the upstream (Web) server, the connection was refused. This usually results from trying to connect to a service that is inactive on the upstream server

While the server activity log will show this:

Failed Connection Attempt
Log type: Web Proxy (Forward)
Status: 10061 No connection could be made because the target machine actively refused it.

In both cases, let’s focus on the key word ‘refused’. Your ISA or TMG server was able to reach the destination server, but that server responded with a message that tells the ISA/TMG server that it cannot have the requested data. There are a few things that could cause this, and how to address them depends on the direction in which the proxying is happening.

If you are using ISA/TMG as a client proxy, then you may run into this problem when your clients try to access some external website. Remember how TCP works. The client sends a SYN packet to the server targeting the port (80 for HTTP). A server that is running a service on port 80 will respond with a SYN ACK, but if it is not, it will respond with a RST ACK. Your ISA/TMG reaches the server, but not the intended service. This is one way a server could “actively refuse” a connection attempt.

The other way is for a firewall to block the connection, rather than drop it. A dropped connection would eventually time out, with the error message 10060, which we may look at in another post. But if a firewall is configured to block a connection, it will usually respond with a RST ACK to TCP connections that it is configured to block, just as a server that would not be running a requested service. A RST ACK is the TCP response that equates to a “go away” . Your ISA/TMG is telling you that the name was resolved, but when it was asked to make a connection, something said “no.”

If you are publishing an internal resource and your external clients are encountering this error, the most likely cause is that your internal web server operating system is running, but the web service has stopped. Again, your ISA/TMG is communicating with your internal server, but with the IIS stopped, the server responds with a RST ACK since nothing is listening on TCP 80. If you are running a web service on an internal server on a non-standard port, ISA/TMG can bridge that connection, but you need to make sure you specified the correct port. Specifying the wrong port in the bridging will result in this same error.

The repair here is as simple as a quick restart of IIS, or specifying the correct port in the bridging configuration. You’ll be back in business in no time. While this covers the most common 10061 errors you may encounter, feel free to ask about any other situations in the comments, and I will get back to you promptly with some advice.
This guest post was provided by Ed Fischer on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI web filtering solution

All product and company names herein may be trademarks of their respective owners.

Post your questions, comments, feedbacks and suggestions

Contact a consultant

Related Topics

Bob Lin Photography services

Real Estate Photography services