views:

502

answers:

3

I have a user who is intermittently receiving an HTTP 405 when clicking a link within my application. There is nothing funny about the link, as far as I can see...

<a id="ctl00_ctlNavigationMenu_viewTransfersLink" href="Navigate.ashx?target=6">- View Transfers</a>

As I said, most of the time the link executes successfully. However, very ocassionally the user has been met with:

405 - HTTP verb used to access this page is not allowed.

When I inspect the IIS log, I can see the following entry:

2009-02-04 15:12:50 192.168.202.204 2GET /Navigate.ashx target=6 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 13203

This seems to be reporting that the user's browser has submitted a request using the verb 2GET. How can this be?

Looking through the log on our test server, I can see a few other instances of this problem:

2008-11-06 13:30:10 192.168.202.204 2GET /Content/Css/origo_advanced_horiz.css - 80 - 192.168.202.190 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 405 0 1 109
2008-11-06 13:31:44 192.168.202.204 2GET /Content/Css/origo_advanced_horiz.css - 80 - 192.168.202.190 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 405 0 1 62
2008-11-06 13:37:20 192.168.202.204 2GET /Content/Css/datepicker.css - 80 - 192.168.202.190 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 405 0 1 109
2008-11-06 14:06:00 192.168.202.204 2GET /Content/Css/origo_advanced_horiz.css - 80 - 192.168.202.190 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 405 0 1 125
2008-11-06 16:30:42 192.168.202.204 2GET /Content/Css/origo_advanced_horiz.css - 80 - 192.168.202.190 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 405 0 1 406
2008-11-07 11:01:07 192.168.202.204 2GET /Content/Css/origo_advanced_horiz.css - 80 - 192.168.202.190 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 405 0 1 406
2008-11-10 11:27:31 192.168.202.204 2GET /Content/Css/origo_advanced_horiz.css - 80 - 192.168.202.190 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 405 0 1 46
2009-02-03 12:00:38 192.168.202.204 2GET /Navigate.ashx target=6 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 13438
2009-02-03 12:00:49 192.168.202.204 2GET /Navigate.ashx target=6 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 1593
2009-02-04 15:12:50 192.168.202.204 2GET /Navigate.ashx target=6 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 13203

We're running on IIS7.

Any ideas? Does 2GET exist as a verb? Can it be related to the UpdatePanel on my form?

Sandy

UPDATE: I'm getting all kinds of odd verbs: 2GET, 9GET, 1POST, 5POST...

2009-02-04 15:12:50 192.168.202.204 2GET /Navigate.ashx target=6 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 13203
2009-02-04 15:28:12 192.168.202.204 1POST /Transfer/View.aspx - 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 3171
2009-02-04 15:28:28 192.168.202.204 5POST /Transfer/View.aspx - 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 2515
2009-02-04 15:34:21 192.168.202.204 5POST /Transfer/View.aspx - 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 1828
2009-02-04 15:44:52 192.168.202.204 2GET /Transfer/View.aspx - 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 5390
2009-02-04 16:15:23 192.168.202.204 2POST /Transfer/View.aspx - 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 7781
2009-02-04 16:16:04 192.168.202.204 2GET /Navigate.ashx target=3 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 44938
2009-02-04 16:16:09 192.168.202.204 2GET /Navigate.ashx target=3 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 45876
2009-02-04 16:16:27 192.168.202.204 2GET /Content/Css/reset.css - 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 4687
2009-02-04 16:16:52 192.168.202.204 9GET /Transfer/View.aspx - 80 - 192.168.202.141 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322;+InfoPath.2;+.NET+CLR+2.0.50727) 405 0 1 5468
+2  A: 

This request is malformed GET request is coming from the browser side. And you can pinpoint error to IP 192.168.202.204.

It is not IIS or your server, it is not network card (TCP has error correction).

It can be that browser is buggy or that there is some proxy / firewall on that box that interceps http trafic. Could be the virus too. But, as I see, it's on the client side.

dmajkic
A: 

Very odd indeed.

  • Is this only occurring from one computer?
  • Are these requests coming directly from the user's computer, via a proxy, or perhaps via ISA Server?
  • Is it an option to install IEHttpHeaders onto the problem browser and monitor the HTTP headers from that end?
J c
+1  A: 

If you have access to the client machine, run Wireshark on it to capture the traffic going to your server. You should also run Wireshark on the server and filter for trafic coming from that IP address, to rule out a problem in IIS (unlikely as it is.)

Knowing what goes on the wire can help you to narrow down where the problem is. Most likely, you'll see traffic closer to the browser looking OK, and getting corrupted by something on its way to the server, but at least you'll be able to narrow down on a smaller list of likely suspects.

Ori Pessach