Mystery of frequent occurrence of Event ID 14197
Issue: Recently I worked on a case where we were getting the following event ID:
Event Type: Error
Event Source: Microsoft ISA Server Web Proxy
Event Category: None
Event ID: 14197
Time: 12:05:03 AM
ISA Server was unable to write content to the cache file.
It occurred frequently during certain periods of the day, not necessarily at peak times. Users were all internal Web proxy clients. Apart from this event there was no real disruption of ISA Server operations, but the admin wanted to know why it was occurring.
Troubleshooting and Solution
- The admin had antivirus on the ISA server and had not excluded the ISA folders from antivirus scanning. Made sure the admin excluded all the ISA Server folders from antivirus scanning as per the following article: https://technet.microsoft.com/en-us/library/cc707727.aspx. Then we monitored it for a day, and it came back again at different times of the day.
- Followed the suggestions given in the following blog post by Yuri Diogenes https://blogs.technet.com/b/yuridiogenes/archive/2010/01/30/isa-server-triggers-lots-of-14197-events.aspx and enabled auditing for object access, to see which process was accessing the cache at the time we got the event. Then went through the logs: there were only two processes accessing the cache folder all the time, wspsrv (Firewall service) and mspadmin (ISA Server Control service), which is right, they are supposed to do that. It still did not explain why we were getting those events.
- Engaged the performance team to check the health of the hard drive, as in Performance Monitor I saw Avg. Disk Queue Length spiking randomly, but it was around 2 most of the time and not above it. The performance team informed us that the C drive, although very active, was still not spiking (Avg. Disk Queue Length counter) at the times when we saw the events.
- Then once again started looking at how the cache is configured and saw that the cache drive size was 1000 MB on the C drive. Asked the customer about the number of users who access the Internet through ISA on average; although he was not sure, he said it should be around 5000 users. Explained to him that 1000 MB is too small for 5000 users.
- What's the right number? was the admin's question, and the answer is provided in the following blog post by me https://blogs.technet.com/b/sooraj-sec/archive/2010/04/12/formula-for-cache-drive-size.aspx as per which the cache drive size for this scenario should be
- We changed the value to 2510 MB, monitored, and the event never occurred again.
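The two data-gathering steps above (object-access auditing on the cache folder, and the Avg. Disk Queue Length counter) only help if the records are lined up against the exact times of the 14197 events. The script below is an added example for this post, not ISA Server code or anything from the linked articles: it takes exported log lines and, for each 14197 event, reports which processes touched the cache within a few seconds, flags any process other than wspsrv.exe and mspadmin.exe, and reports the peak disk queue length in that window. All log lines are constructed for illustration, and the three record formats (pipe-separated Application log export, pipe-separated audit export, perfmon CSV) are assumptions; adapt the parsers to whatever your export tool produces.

```python
"""Correlate ISA Server event 14197 with object-access audit records and
Avg. Disk Queue Length samples exported from Performance Monitor.

Added example for this post; not ISA Server code. Every log line below is
constructed, and the export formats are assumed.
"""
from collections import Counter
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M:%S"

# Processes that are supposed to touch the cache folder
# (Firewall service and ISA Server Control service).
EXPECTED = {"wspsrv.exe", "mspadmin.exe"}

# Constructed: Application log export (time|event id|message).
ISA_LOG = """\
2010-04-12 00:05:03|14197|ISA Server was unable to write content to the cache file.
2010-04-12 14:31:40|14197|ISA Server was unable to write content to the cache file.
2010-04-12 14:31:41|14197|ISA Server was unable to write content to the cache file.
"""

# Constructed: object-access audit export for the cache folder
# (time|process|object). The cache path is illustrative only.
AUDIT_LOG = """\
2010-04-12 00:05:01|wspsrv.exe|C:\\urlcache\\dir1.cdat
2010-04-12 00:05:02|mspadmin.exe|C:\\urlcache\\dir1.cdat
2010-04-12 00:05:04|wspsrv.exe|C:\\urlcache\\dir1.cdat
2010-04-12 14:31:39|wspsrv.exe|C:\\urlcache\\dir1.cdat
2010-04-12 14:31:40|scanner.exe|C:\\urlcache\\dir1.cdat
2010-04-12 17:00:00|wspsrv.exe|C:\\urlcache\\dir1.cdat
"""

# Constructed: perfmon CSV export (time,Avg. Disk Queue Length on C:).
PERFMON_CSV = """\
2010-04-12 00:05:00,1.8
2010-04-12 00:05:05,1.9
2010-04-12 14:31:35,2.1
2010-04-12 14:31:40,7.4
2010-04-12 14:31:45,3.0
"""


def parse_events(text, sep):
    """Split exported lines into (timestamp, field, field, ...) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(sep)
        rows.append((datetime.strptime(fields[0], TS), *fields[1:]))
    return rows


def event_14197_times(isa_log=ISA_LOG):
    """Timestamps of every 14197 entry in the Application log export."""
    return [t for t, eid, _ in parse_events(isa_log, "|") if eid == "14197"]


def correlate(isa_log=ISA_LOG, audit_log=AUDIT_LOG, perf_csv=PERFMON_CSV,
              window_s=5, queue_threshold=2.0):
    """For each 14197 event: processes seen on the cache within +/- window_s
    seconds, any that are not the two expected services, and the peak
    Avg. Disk Queue Length in the same window (flagged if above threshold)."""
    audits = parse_events(audit_log, "|")
    perf = [(t, float(v)) for t, v in parse_events(perf_csv, ",")]
    w = timedelta(seconds=window_s)
    report = []
    for t in event_14197_times(isa_log):
        procs = Counter(p for at, p, _ in audits if t - w <= at <= t + w)
        queue = [v for pt, v in perf if t - w <= pt <= t + w]
        peak = max(queue) if queue else None
        report.append({
            "time": t.strftime(TS),
            "processes": dict(procs),
            "unexpected": sorted(set(procs) - EXPECTED),
            "peak_queue": peak,
            "disk_busy": peak is not None and peak > queue_threshold,
        })
    return report


if __name__ == "__main__":
    for row in correlate():
        print(row)
```

With the constructed data the first event shows only the two expected services and a queue length under 2, which matches what this case looked like and points at cache sizing rather than contention; the second and third events show a third process and a queue spike, which is the pattern you would expect if an antivirus exclusion were missing or the disk were the bottleneck.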