Versions / Builds AffectedWebmonitor 2013 (all builds)
Problem SummaryAt intervals the TMG firewall process (wspsrv.exe) crashes. It does not happen when the WebMontior services are stopped.
TT / JIRAID1032
How to Identify1. The Microsoft ISA Firewall process (wspsrv.exe) crashes and the users lose internet access.
2. This will log one or more errors in the application log:
Event ID: 14057 The Firewall service stopped because an application filter module C:\Program Files\Microsoft ISA Server\WebMonPlg.dll generated an exception code C0000005 in address 2BF8F401 when function CompleteAsyncIO was called. To resolve this error, remove recently installed application filters and restart the service.
Event ID: 1000 Faulting application wspsrv.exe, version 4.0.2167.909, stamp 4977a087, faulting module webmonplg.dll, version 20110.920.0.1, stamp 4e782d89, debug? 0, fault address 0x0000f401
Workaround / Fix DetailsUpgrade to WebMonitor 2015
Required ActionsIf customer refuses to upgrade:
Collect TS files, windows events, crush dumps and escalate immediately.
Collecting User-Mode Dumps: http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx
To enable and configure the feature, use the following registry values under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps key:
Please set the DumpType to 2 (Full Dump).
Once the issue is reproduced, collect the dumps.
NOTE: It is important to avoid other tools to collect the crash dumps. The use or an active debugger in this case can lead WebMonitor to stop working properly