Last night I observed the same behaviour on several TMG 2010 installations, and I have also received confirmations from other sources:
At around 03:17 the Firewall service on one of my TMGs stopped, restarted several times (restart option in the service control settings) and finally stopped for good. Here are excerpts from the event log:
Log Name: Application
Source: Microsoft Forefront TMG Firewall
Date: 28.06.2012 03:17:27
Event ID: 14057
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Belinda.DOMAINNAME.TLD
Description:
The Firewall service stopped because an application filter module C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll generated an exception code C0000005 in address 000000007008254F when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft Forefront TMG Firewall" />
<EventID Qualifiers="49152">14057</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-06-28T01:17:27.000000000Z" />
<EventRecordID>27819</EventRecordID>
<Channel>Application</Channel>
<Computer>Belinda.DOMAINNAME.TLD</Computer>
<Security />
</System>
<EventData>
<Data>C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll</Data>
<Data>000000007008254F</Data>
<Data>C0000005</Data>
<Data>CompleteAsyncIO</Data>
</EventData>
</Event>
Log Name: Application
Source: Application Error
Date: 28.06.2012 03:17:28
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic
User: N/A
Computer: Belinda.DOMAINNAME.TLD
Description:
Faulting application name: wspsrv.exe, version: 7.0.9193.500, time stamp: 0x4e75ffd3
Faulting module name: w3filter.dll, version: 7.0.9193.500, time stamp: 0x4e7600fb
Exception code: 0xc0000005
Fault offset: 0x000000000005254f
Faulting process id: 0xba8
Faulting application start time: 0x01cd2fb41f697ab4
Faulting application path: C:\Program Files\Microsoft Forefront Threat Management Gateway\wspsrv.exe
Faulting module path: C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll
Report Id: 06780d81-c0bf-11e1-841a-f4ce46b67fce
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Application Error" />
<EventID Qualifiers="0">1000</EventID>
<Level>2</Level>
<Task>100</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-06-28T01:17:28.000000000Z" />
<EventRecordID>27820</EventRecordID>
<Channel>Application</Channel>
<Computer>Belinda.DOMAINNAME.TLD</Computer>
<Security />
</System>
<EventData>
<Data>wspsrv.exe</Data>
<Data>7.0.9193.500</Data>
<Data>4e75ffd3</Data>
<Data>w3filter.dll</Data>
<Data>7.0.9193.500</Data>
<Data>4e7600fb</Data>
<Data>c0000005</Data>
<Data>000000000005254f</Data>
<Data>ba8</Data>
<Data>01cd2fb41f697ab4</Data>
<Data>C:\Program Files\Microsoft Forefront Threat Management Gateway\wspsrv.exe</Data>
<Data>C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll</Data>
<Data>06780d81-c0bf-11e1-841a-f4ce46b67fce</Data>
</EventData>
</Event>
Log Name: Application
Source: Windows Error Reporting
Date: 28.06.2012 03:17:30
Event ID: 1001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Belinda.DOMAINNAME.TLD
Description:
Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0
Problem signature:
P1: wspsrv.exe
P2: 7.0.9193.500
P3: 4e75ffd3
P4: w3filter.dll
P5: 7.0.9193.500
P6: 4e7600fb
P7: c0000005
P8: 000000000005254f
P9:
P10:
Attached files:
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\wspsrv.exe.ba8.etl
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER16F7.tmp.appcompat.txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER1765.tmp.WERInternalMetadata.xml
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER1766.tmp.hdmp
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER1D40.tmp.mdmp
These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wspsrv.exe_afb62e6d02eadf84e1242ad5c23ae6ba1f3a2a_cab_fc1a1dca
Analysis symbol:
Rechecking for solution: 0
Report Id: 06780d81-c0bf-11e1-841a-f4ce46b67fce
Report Status: 4
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Windows Error Reporting" />
<EventID Qualifiers="0">1001</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-06-28T01:17:30.000000000Z" />
<EventRecordID>27821</EventRecordID>
<Channel>Application</Channel>
<Computer>Belinda.DOMAINNAME.TLD</Computer>
<Security />
</System>
<EventData>
<Data>
</Data>
<Data>0</Data>
<Data>APPCRASH</Data>
<Data>Not available</Data>
<Data>0</Data>
<Data>wspsrv.exe</Data>
<Data>7.0.9193.500</Data>
<Data>4e75ffd3</Data>
<Data>w3filter.dll</Data>
<Data>7.0.9193.500</Data>
<Data>4e7600fb</Data>
<Data>c0000005</Data>
<Data>000000000005254f</Data>
<Data>
</Data>
<Data>
</Data>
<Data>
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\wspsrv.exe.ba8.etl
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER16F7.tmp.appcompat.txt
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER1765.tmp.WERInternalMetadata.xml
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER1766.tmp.hdmp
C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER1D40.tmp.mdmp</Data>
<Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wspsrv.exe_afb62e6d02eadf84e1242ad5c23ae6ba1f3a2a_cab_fc1a1dca</Data>
<Data>
</Data>
<Data>0</Data>
<Data>06780d81-c0bf-11e1-841a-f4ce46b67fce</Data>
<Data>4</Data>
</EventData>
</Event>
Log Name: Application
Source: Microsoft Forefront TMG Firewall
Date: 28.06.2012 03:19:00
Event ID: 14003
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: Belinda.DOMAINNAME.TLD
Description:
Firewall service started.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft Forefront TMG Firewall" />
<EventID Qualifiers="16384">14003</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-06-28T01:19:00.000000000Z" />
<EventRecordID>27826</EventRecordID>
<Channel>Application</Channel>
<Computer>Belinda.DOMAINNAME.TLD</Computer>
<Security />
</System>
<EventData>
</EventData>
</Event>
Log Name: Application
Source: Microsoft Forefront TMG Firewall
Date: 28.06.2012 03:26:45
Event ID: 14057
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: Belinda.DOMAINNAME.TLD
Description:
The Firewall service stopped because an application filter module C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll generated an exception code C0000005 in address 000000007092254F when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft Forefront TMG Firewall" />
<EventID Qualifiers="49152">14057</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2012-06-28T01:26:45.000000000Z" />
<EventRecordID>27828</EventRecordID>
<Channel>Application</Channel>
<Computer>Belinda.DOMAINNAME.TLD</Computer>
<Security />
</System>
<EventData>
<Data>C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll</Data>
<Data>000000007092254F</Data>
<Data>C0000005</Data>
<Data>CompleteAsyncIO</Data>
</EventData>
</Event>
The problem occurred only on TMG 2010 with version number 7.0.9193.500, which corresponds to Service Pack 2 without the two update rollups. The problem is described in KB 2658903, "FIX: The Forefront Threat Management Gateway Firewall service (Wspsrv.exe) may crash frequently for a published website secured by SSL after you install Service Pack 2", and is fixed by Update Rollup 1.
Why the outage happened last night of all times is still a mystery to me.
Best regards
Dieter
—
Dieter Rauscher
MVP Forefront
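
The two 14057 events above report different crash addresses (000000007008254F and 000000007092254F), while event 1000 gives a module-relative fault offset of 0x5254f. The following is an added example, not part of the original post: a triage script that parses exported event XML, matches the wspsrv.exe / w3filter.dll / c0000005 signature on build 7.0.9193.500, and checks that every crash address minus the fault offset is a 64 KiB-aligned load base, which means the same code location faulted after each restart. The names `triage`, `parse_event` and `_event` are hypothetical, and the sample events are constructed from the values in the log excerpts.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
AFFECTED_BUILD = "7.0.9193.500"  # SP2 without Update Rollup 1, per the post
ALIGN = 0x10000                  # Windows maps DLL images on 64 KiB boundaries
TMG = "Microsoft Forefront TMG Firewall"
W3FILTER = r"C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll"

def _event(provider, event_id, values):
    """Build a minimal Event element (constructed sample, values from the post)."""
    data = "".join(f"<Data>{v}</Data>" for v in values)
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}" />'
            f"<EventID>{event_id}</EventID></System><EventData>{data}</EventData></Event>")

SAMPLE = [
    _event(TMG, 14057, [W3FILTER, "000000007008254F", "C0000005", "CompleteAsyncIO"]),
    _event("Application Error", 1000, ["wspsrv.exe", "7.0.9193.500", "4e75ffd3",
           "w3filter.dll", "7.0.9193.500", "4e7600fb", "c0000005", "000000000005254f"]),
    _event(TMG, 14003, []),  # "Firewall service started": must be ignored
    _event(TMG, 14057, [W3FILTER, "000000007092254F", "C0000005", "CompleteAsyncIO"]),
]

def parse_event(xml_text):
    """Return (provider name, event id, list of Data values) for one Event element."""
    root = ET.fromstring(xml_text)
    provider = root.find("e:System/e:Provider", NS).get("Name")
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = [(d.text or "").strip() for d in root.findall("e:EventData/e:Data", NS)]
    return provider, event_id, data

def triage(events_xml):
    """Summarise wspsrv.exe crashes in w3filter.dll and check they share one fault site."""
    offsets, addresses, builds = set(), [], set()
    for provider, event_id, data in map(parse_event, events_xml):
        low = [v.lower() for v in data]
        if (provider, event_id) == ("Application Error", 1000) and len(low) >= 8:
            if (low[0], low[3], low[6]) == ("wspsrv.exe", "w3filter.dll", "c0000005"):
                builds.add(low[1])            # faulting application version
                offsets.add(int(low[7], 16))  # module-relative fault offset
        elif (provider, event_id) == (TMG, 14057) and len(low) >= 3:
            if low[0].endswith("w3filter.dll") and low[2] == "c0000005":
                addresses.append(int(low[1], 16))  # absolute crash address
    # Absolute address minus module-relative offset must be an aligned load base.
    bases = [a - o for a in addresses for o in offsets]
    return {"crashes": len(addresses),
            "affected_build": AFFECTED_BUILD in builds,
            "fault_offsets": sorted(hex(o) for o in offsets),
            "load_bases": [hex(b) for b in bases],
            "same_fault_site": bool(bases) and all(b % ALIGN == 0 for b in bases)}
```

For the sample, `triage(SAMPLE)` reports two crashes with load bases 0x70030000 and 0x708d0000, so w3filter.dll was mapped at a different base after the restart but faulted at the same offset.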