TMG Firewall service terminates with Event ID 14057

Last night I observed the same behavior on several TMG 2010 installations and also received confirmation from other sources:

At around 03:17 the Firewall service on one of my TMGs stopped, restarted several times (restart option in the service control settings), and finally stopped for good. Here are excerpts from the event log:

Log Name: Application

Source: Microsoft Forefront TMG Firewall

Date: 28.06.2012 03:17:27

Event ID: 14057

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Computer: Belinda.DOMAINNAME.TLD

Description:

The Firewall service stopped because an application filter module C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll generated an exception code C0000005 in address 000000007008254F when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft Forefront TMG Firewall" />

<EventID Qualifiers="49152">14057</EventID>

<Level>2</Level>

<Task>0</Task>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2012-06-28T01:17:27.000000000Z" />

<EventRecordID>27819</EventRecordID>

<Channel>Application</Channel>

<Computer>Belinda.DOMAINNAME.TLD</Computer>

<Security />

</System>

<EventData>

<Data>C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll</Data>

<Data>000000007008254F</Data>

<Data>C0000005</Data>

<Data>CompleteAsyncIO</Data>

</EventData>

</Event>

Log Name: Application

Source: Application Error

Date: 28.06.2012 03:17:28

Event ID: 1000

Task Category: (100)

Level: Error

Keywords: Classic

User: N/A

Computer: Belinda.DOMAINNAME.TLD

Description:

Faulting application name: wspsrv.exe, version: 7.0.9193.500, time stamp:0x4e75ffd3 Faulting module name: w3filter.dll, version: 7.0.9193.500, time stamp: 0x4e7600fb Exception code: 0xc0000005 Fault offset:0x000000000005254f Faulting process id: 0xba8 Faulting application start time: 0x01cd2fb41f697ab4 Faulting application path: C:\Program Files\Microsoft Forefront Threat Management Gateway\wspsrv.exe Faulting module path: C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll Report Id: 06780d81-c0bf-11e1-841a-f4ce46b67fce

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Application Error" />

<EventID Qualifiers="0">1000</EventID>

<Level>2</Level>

<Task>100</Task>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2012-06-28T01:17:28.000000000Z" />

<EventRecordID>27820</EventRecordID>

<Channel>Application</Channel>

<Computer>Belinda.DOMAINNAME.TLD</Computer>

<Security />

</System>

<EventData>

<Data>wspsrv.exe</Data>

<Data>7.0.9193.500</Data>

<Data>4e75ffd3</Data>

<Data>w3filter.dll</Data>

<Data>7.0.9193.500</Data>

<Data>4e7600fb</Data>

<Data>c0000005</Data>

<Data>000000000005254f</Data>

<Data>ba8</Data>

<Data>01cd2fb41f697ab4</Data>

<Data>C:\Program Files\Microsoft Forefront Threat Management Gateway\wspsrv.exe</Data>

<Data>C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll</Data>

<Data>06780d81-c0bf-11e1-841a-f4ce46b67fce</Data>

</EventData>

</Event>

Log Name: Application

Source: Windows Error Reporting

Date: 28.06.2012 03:17:30

Event ID: 1001

Task Category: None

Level: Information

Keywords: Classic

User: N/A

Computer: Belinda.DOMAINNAME.TLD

Description:

Fault bucket , type 0

Event Name: APPCRASH

Response: Not available

Cab Id: 0

Problem signature:

P1: wspsrv.exe

P2: 7.0.9193.500

P3: 4e75ffd3

P4: w3filter.dll

P5: 7.0.9193.500

P6: 4e7600fb

P7: c0000005

P8: 000000000005254f

P9:

P10:

Attached files:

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\wspsrv.exe.ba8.etl

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER16F7.tmp.appcompat.txt

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER1765.tmp.WERInternalMetadata.xml

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER1766.tmp.hdmp

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER1D40.tmp.mdmp

These files may be available here:

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wspsrv.exe_afb62e6d02eadf84e1242ad5c23ae6ba1f3a2a_cab_fc1a1dca

Analysis symbol:

Rechecking for solution: 0

Report Id: 06780d81-c0bf-11e1-841a-f4ce46b67fce

Report Status: 4

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Windows Error Reporting" />

<EventID Qualifiers="0">1001</EventID>

<Level>4</Level>

<Task>0</Task>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2012-06-28T01:17:30.000000000Z" />

<EventRecordID>27821</EventRecordID>

<Channel>Application</Channel>

<Computer>Belinda.DOMAINNAME.TLD</Computer>

<Security />

</System>

<EventData>

<Data>

</Data>

<Data>0</Data>

<Data>APPCRASH</Data>

<Data>Not available</Data>

<Data>0</Data>

<Data>wspsrv.exe</Data>

<Data>7.0.9193.500</Data>

<Data>4e75ffd3</Data>

<Data>w3filter.dll</Data>

<Data>7.0.9193.500</Data>

<Data>4e7600fb</Data>

<Data>c0000005</Data>

<Data>000000000005254f</Data>

<Data>

</Data>

<Data>

</Data>

<Data>

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\wspsrv.exe.ba8.etl

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER16F7.tmp.appcompat.txt

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER1765.tmp.WERInternalMetadata.xml

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER1766.tmp.hdmp

C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\WER1D40.tmp.mdmp</Data>

<Data>C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_wspsrv.exe_afb62e6d02eadf84e1242ad5c23ae6ba1f3a2a_cab_fc1a1dca</Data>

<Data>

</Data>

<Data>0</Data>

<Data>06780d81-c0bf-11e1-841a-f4ce46b67fce</Data>

<Data>4</Data>

</EventData>

</Event>

Log Name: Application

Source: Microsoft Forefront TMG Firewall

Date: 28.06.2012 03:19:00

Event ID: 14003

Task Category: None

Level: Information

Keywords: Classic

User: N/A

Computer: Belinda.DOMAINNAME.TLD

Description:

Firewall service started.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft Forefront TMG Firewall" />

<EventID Qualifiers="16384">14003</EventID>

<Level>4</Level>

<Task>0</Task>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2012-06-28T01:19:00.000000000Z" />

<EventRecordID>27826</EventRecordID>

<Channel>Application</Channel>

<Computer>Belinda.DOMAINNAME.TLD</Computer>

<Security />

</System>

<EventData>

</EventData>

</Event>

Log Name: Application

Source: Microsoft Forefront TMG Firewall

Date: 28.06.2012 03:26:45

Event ID: 14057

Task Category: None

Level: Error

Keywords: Classic

User: N/A

Computer: Belinda.DOMAINNAME.TLD

Description:

The Firewall service stopped because an application filter module C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll generated an exception code C0000005 in address 000000007092254F when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service.

Event Xml:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<System>

<Provider Name="Microsoft Forefront TMG Firewall" />

<EventID Qualifiers="49152">14057</EventID>

<Level>2</Level>

<Task>0</Task>

<Keywords>0x80000000000000</Keywords>

<TimeCreated SystemTime="2012-06-28T01:26:45.000000000Z" />

<EventRecordID>27828</EventRecordID>

<Channel>Application</Channel>

<Computer>Belinda.DOMAINNAME.TLD</Computer>

<Security />

</System>

<EventData>

<Data>C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll</Data>

<Data>000000007092254F</Data>

<Data>C0000005</Data>

<Data>CompleteAsyncIO</Data>

</EventData>

</Event>
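
The following added example, which is not part of the original post, parses trimmed copies of the Event XML above and subtracts the fault offset reported in event 1000 from each fault address in event 14057. A 64 KiB-aligned result means both crashes hit the same instruction in w3filter.dll even though the DLL was loaded at a different address after the restart. The `<Events>` wrapper element and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GRANULARITY = 0x10000  # Windows maps DLLs on 64 KiB boundaries

# Trimmed copies of three events from the post; the <Events> wrapper is an assumption.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="49152">14057</EventID><TimeCreated SystemTime="2012-06-28T01:17:27.000000000Z" />
</System><EventData><Data>C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll</Data>
<Data>000000007008254F</Data><Data>C0000005</Data><Data>CompleteAsyncIO</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="0">1000</EventID><TimeCreated SystemTime="2012-06-28T01:17:28.000000000Z" />
</System><EventData><Data>wspsrv.exe</Data><Data>7.0.9193.500</Data><Data>4e75ffd3</Data>
<Data>w3filter.dll</Data><Data>7.0.9193.500</Data><Data>4e7600fb</Data><Data>c0000005</Data>
<Data>000000000005254f</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="49152">14057</EventID><TimeCreated SystemTime="2012-06-28T01:26:45.000000000Z" />
</System><EventData><Data>C:\Program Files\Microsoft Forefront Threat Management Gateway\w3filter.dll</Data>
<Data>000000007092254F</Data><Data>C0000005</Data><Data>CompleteAsyncIO</Data></EventData></Event>
</Events>"""

def load_events(xml_text):
    """Return (event_id, SystemTime, [Data values]) for every <Event>."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        ts = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        rows.append((eid, ts, [(d.text or "").strip() for d in ev.findall("e:EventData/e:Data", NS)]))
    return rows

def correlate(xml_text):
    """Subtract the event 1000 fault offset from each event 14057 fault address."""
    events = load_events(xml_text)
    # Event 1000 Data order: app, version, timestamp, module, version, timestamp, code, offset
    offsets = {d[3].lower(): int(d[7], 16) for eid, _, d in events if eid == 1000}
    found = []
    for eid, ts, d in events:
        module = d[0].rsplit("\\", 1)[-1].lower() if eid == 14057 else None
        if module in offsets:
            base = int(d[1], 16) - offsets[module]
            # An aligned base means the address is the same instruction at a new load address.
            found.append({"time": ts, "function": d[3], "base": base,
                          "same_site": base % GRANULARITY == 0})
    return found

if __name__ == "__main__":
    for row in correlate(SAMPLE):
        print(row["time"], hex(row["base"]), row["same_site"])
```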

 

The problem occurred only on TMG 2010 with version number 7.0.9193.500, which corresponds to Service Pack 2 without either of the two update rollups. It is described in KB 2658903, "FIX: The Forefront Threat Management Gateway Firewall service (Wspsrv.exe) may crash frequently for a published website secured by SSL after you install Service Pack 2", and is fixed by Update Rollup 1.

Why the outage happened last night of all nights is still a mystery to me.

Best regards
Dieter


Dieter Rauscher
MVP Forefront