Hi
We have a Windows 2008 R2 SP1 (6.1.7601 Service Pack 1 Build 7601) serving as file server. Clients are Windows XP and Windows 7.
The files are being served happily and all of a sudden the server stops continuing on NEW SMB2 connections.
For example,
A. time0: connection 1 (and all connections before it) came in, was successfully established and is being served
B. time1: I assume something happens to the internals of the server
C. time1: connection 2 comes in and the TCP handshake is successful.
D. time+1msec: client sends SMB2 Negotiate
E. time+200 msec: server sends an ACK
F. time+59~sec: server sends a RST
G. Now all the new connections from the same or different clients have the TCP handshake go through and get a reset from the server on the NegotiateRequest!!!!
H. XP clients work fine with the same server, which means SMBv1 or server resources are not the issue
I. If a client had an ongoing connection from BEFORE B (say connection 1), it still gets served, but new connections get reset.
J. The only workaround is to reboot the server!! Until it happens again!!
This sounds like something in the Windows 2008 R2 SMB2 stack which goes into a state where it intentionally stops taking new connections. Some kind of anti-DDoS behavior or something??
Appreciate any help
Here is D (time+1msec: client sends SMB2 Negotiate)
NetBIOS Session Service
Message Type: Session message (0x00)
Length: 155
SMB (Server Message Block Protocol)
SMB Header
Server Component: SMB
SMB Command: Negotiate Protocol (0x72)
NT Status: STATUS_SUCCESS (0x00000000)
Flags: 0x18
0... .... = Request/Response: Message is a request to the server
.0.. .... = Notify: Notify client only on open
..0. .... = Oplocks: OpLock not requested/granted
...1 .... = Canonicalized Pathnames: Pathnames are canonicalized
.... 1... = Case Sensitivity: Path names are caseless
.... ..0. = Receive Buffer Posted: Receive buffer has not been posted
.... ...0 = Lock and Read: Lock&Read, Write&Unlock are not supported
Flags2: 0xc853
1... .... .... .... = Unicode Strings: Strings are Unicode
.1.. .... .... .... = Error Code Type: Error codes are NT error codes
..0. .... .... .... = Execute-only Reads: Don't permit reads if execute-only
...0 .... .... .... = Dfs: Don't resolve pathnames with Dfs
.... 1... .... .... = Extended Security Negotiation: Extended security negotiation is supported
.... .0.. .... .... = Reparse Path: The request does not use a @GMT reparse path
.... .... .1.. .... = Long Names Used: Path names in request are long file names
.... .... ...1 .... = Security Signatures Required: Security signatures are required
.... .... .... 0... = Compressed: Compression is not requested
.... .... .... .0.. = Security Signatures: Security signatures are not supported
.... .... .... ..1. = Extended Attributes: Extended attributes are supported
.... .... .... ...1 = Long Names Allowed: Long file names are allowed in the response
Process ID High: 0
Signature: 0000000000000000
Reserved: 0000
Tree ID: 65535
Process ID: 65279
User ID: 0
Multiplex ID: 0
Negotiate Protocol Request (0x72)
Word Count (WCT): 0
Byte Count (BCC): 120
Requested Dialects
Dialect: PC NETWORK PROGRAM 1.0
Buffer Format: Dialect (2)
Name: PC NETWORK PROGRAM 1.0
Dialect: LANMAN1.0
Buffer Format: Dialect (2)
Name: LANMAN1.0
Dialect: Windows for Workgroups 3.1a
Buffer Format: Dialect (2)
Name: Windows for Workgroups 3.1a
Dialect: LM1.2X002
Buffer Format: Dialect (2)
Name: LM1.2X002
Dialect: LANMAN2.1
Buffer Format: Dialect (2)
Name: LANMAN2.1
Dialect: NT LM 0.12
Buffer Format: Dialect (2)
Name: NT LM 0.12
Dialect: SMB 2.002
Buffer Format: Dialect (2)
Name: SMB 2.002
Dialect: SMB 2.???
Buffer Format: Dialect (2)
Name: SMB 2.???
Here is E (time+200 msec: server sends an ACK)
[Time delta from previous captured frame: 0.201044000 seconds]
Flags: 0x010 (ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Here is F (time+59~sec: server sends a RST)
[Time delta from previous captured frame: 59.765376000 seconds]
Flags: 0x014 (RST, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .1.. = Reset: Set
[Expert Info (Chat/Sequence): Connection reset (RST)]
[Message: Connection reset (RST)]
[Severity level: Chat]
[Group: Sequence]
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
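The Negotiate request in D, rebuilt from the field values in the dissection above and parsed back out, as an added example (my code, not the poster's capture tooling). It reproduces the 155-byte NetBIOS length and 120-byte BCC shown, and the final check confirms the client is advertising SMB 2.x dialects, which is why the server's reply would come from its SMB2 code rather than SMBv1; the same parser can be pointed at the raw bytes of frame D exported from Wireshark to verify a capture of your own.

```python
import struct

# Field values copied from the poster's dissection of frame D (the SMB1
# Negotiate Protocol Request a client sends before the server picks SMB2).
SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
FLAGS, FLAGS2 = 0x18, 0xC853
DIALECTS = [
    "PC NETWORK PROGRAM 1.0", "LANMAN1.0", "Windows for Workgroups 3.1a",
    "LM1.2X002", "LANMAN2.1", "NT LM 0.12", "SMB 2.002", "SMB 2.???",
]

def build_negotiate_request(dialects=DIALECTS, tid=65535, pid=65279):
    """Wrap an SMB1 Negotiate request in a NetBIOS Session Service message."""
    # 32-byte SMB header: magic, command, NT status, flags, flags2, PIDHigh,
    # 8-byte signature, 2 reserved bytes, TID, PID, UID, MID (little-endian)
    header = SMB1_MAGIC + struct.pack("<BIBH", SMB_COM_NEGOTIATE, 0, FLAGS, FLAGS2)
    header += struct.pack("<H8s2sHHHH", 0, b"\x00" * 8, b"\x00\x00", tid, pid, 0, 0)
    # Each dialect entry: buffer format 0x02, ASCII name, NUL terminator
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + struct.pack("<BH", 0, len(data)) + data  # WCT=0, BCC, buffer
    # NetBIOS session message: type 0x00 followed by a 24-bit big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def parse_negotiate_request(msg):
    """Parse the message back and return the fields worth checking in a capture."""
    if msg[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    nb_len = int.from_bytes(msg[1:4], "big")
    smb = msg[4:4 + nb_len]
    if len(smb) != nb_len or smb[:4] != SMB1_MAGIC:
        raise ValueError("truncated payload or not SMB1")
    if smb[4] != SMB_COM_NEGOTIATE:
        raise ValueError("not a Negotiate request")
    flags2 = struct.unpack_from("<H", smb, 10)[0]
    wct = smb[32]                                   # word count, 0 here
    bcc = struct.unpack_from("<H", smb, 33 + 2 * wct)[0]
    buf = smb[35 + 2 * wct:35 + 2 * wct + bcc]
    dialects = []
    while buf:
        if buf[0] != 0x02:
            raise ValueError("bad dialect buffer format")
        name, _, buf = buf[1:].partition(b"\x00")
        dialects.append(name.decode("ascii"))
    return {"nb_length": nb_len, "flags2": flags2, "bcc": bcc, "dialects": dialects}

def offers_smb2(dialects):
    """True when the client advertises any SMB 2.x dialect (SMB 2.002 / SMB 2.???)."""
    return any(d.startswith("SMB 2.") for d in dialects)
```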