
XP-Pro UNC network locks up several times a day, what to do?

Bo Berglund

I have an extremely annoying problem with my XP-Pro laptop.
Several times a day (say 5-10 times) the networking locks up so that
if I try anything in any application that has anything to do with
networking then that application locks up. The block is on for several
*minutes*, after which it goes away and the PC works normally again.

The strange thing is that TCP/IP networking seems to be OK all the
time, but not the accesses using UNC naming or any access to a mapped
drive, which behind the scenes is actually an UNC name mapping.

These actions will trigger an application lock-up:
- Save as and select the dropdown combobox at the top of the dialog.
- Scroll the folder list in Windows explorer down until the first
network item is to be shown. At this time Explorer locks up.
- In a command window type dir I:/ (where I: is a mapped drive)
- In MS Word the lockup may happen anytime while typing. Letters just
stop appearing on screen and Word is completely unresponsive.
- etc etc

While the lockup is active I *can* do this:
- In a command window ping any resource on the LAN. Returns OK.
- In MS Outlook 2003 read and write email, no problems here.
- Use the web browser causes no problems.

During this time I see no suspicious activity in Task Manager and my
network icon in the tray does not light up showing excess network
traffic.

I have checked my drive mappings but all of them are for shares that
are located on the network and *are* accessible both before and after
the lockup.

I have cleared everything out of "My Network Places" and adjusted the
registry to stop caching network addresses I access.

I am normally running a number of applications:
- MS Outlook 2003
- MS Word 2003
- Borland Delphi 7 development IDE
- FireFox web browser
- A number of Windows Explorer windows on different folders
- UltraEdit text editor

I have Microsoft Virtual PC 2007 installed but not running and I also
have VMWare Workstation 7 installed but not running.

What can I start looking for to solve this *extremely* annoying
behaviour?

--

Bo Berglund (Sweden)
 
John John - MVP

Bo Berglund wrote:
> I have an extremely annoying problem with my XP-Pro laptop.
> Several times a day (say 5-10 times) the networking locks up so that
> if I try anything in any application that has anything to do with
> networking then that application locks up. The block is on for several
> *minutes*, after which it goes away and the PC works normally again.
>
> The strange thing is that TCP/IP networking seems to be OK all the
> time, but not the accesses using UNC naming or any access to a mapped
> drive, which behind the scenes is actually an UNC name mapping.
>
> These actions will trigger an application lock-up:
> - Save as and select the dropdown combobox at the top of the dialog.
> - Scroll the folder list in Windows explorer down until the first
> network item is to be shown. At this time Explorer locks up.
> - In a command window type dir I:/ (where I: is a mapped drive)
> - In MS Word the lockup may happen anytime while typing. Letters just
> stop appearing on screen and Word is completely unresponsive.
> - etc etc
>
> While the lockup is active I *can* do this:
> - In a command window ping any resource on the LAN. Returns OK.
> - In MS Outlook 2003 read and write email, no problems here.
> - Use the web browser causes no problems.
>
> During this time I see no suspicious activity in Task Manager and my
> network icon in the tray does not light up showing excess network
> traffic.
>
> I have checked my drive mappings but all of them are for shares that
> are located on the network and *are* accessible both before and after
> the lockup.
>
> I have cleared everything out of "My Network Places" and adjusted the
> registry to stop caching network addresses I access.
>
> I am normally running a number of applications:
> - MS Outlook 2003
> - MS Word 2003
> - Borland Delphi 7 development IDE
> - FireFox web browser
> - A number of Windows Explorer windows on different folders
> - UltraEdit text editor
>
> I have Microsoft Virtual PC 2007 installed but not running and I also
> have VMWare Workstation 7 installed but not running.
>
> What can I start looking for to solve this *extremely* annoying
> behaviour?


See if anything is showing up in the Event Log.

John
 
John Wunderlich

Bo Berglund <boberglund@myotherhome.sec> wrote in
news:9uvap5hdvvu96driv7k83460204nbp87n1@4ax.com:

> I have an extremely annoying problem with my XP-Pro laptop.
> Several times a day (say 5-10 times) the networking locks up so
> that if I try anything in any application that has anything to do
> with networking then that application locks up. The block is on
> for several *minutes*, after which it goes away and the PC works
> normally again.
>
> The strange thing is that TCP/IP networking seems to be OK all the
> time, but not the accesses using UNC naming or any access to a
> mapped drive, which behind the scenes is actually an UNC name
> mapping.
>
> These actions will trigger an application lock-up:
> - Save as and select the dropdown combobox at the top of the
> dialog.
> - Scroll the folder list in Windows explorer down until
> the first network item is to be shown. At this time Explorer locks
> up.
> - In a command window type dir I:/ (where I: is a mapped
> drive)
> - In MS Word the lockup may happen anytime while typing.
> Letters just stop appearing on screen and Word is completely
> unresponsive.
> - etc etc
>
> While the lockup is active I *can* do this:
> - In a command window ping any resource on the LAN. Returns OK.
> - In MS Outlook 2003 read and write email, no problems here.
> - Use the web browser causes no problems.
>
> During this time I see no suspicious activity in Task Manager and
> my network icon in the tray does not light up showing excess
> network traffic.
>
> I have checked my drive mappings but all of them are for shares
> that are located on the network and *are* accessible both before
> and after the lockup.
>
> I have cleared everything out of "My Network Places" and adjusted
> the registry to stop caching network addresses I access.
>
> I am normally running a number of applications:
> - MS Outlook 2003
> - MS Word 2003
> - Borland Delphi 7 development IDE
> - FireFox web browser
> - A number of Windows Explorer windows on different folders
> - UltraEdit text editor
>
> I have Microsoft Virtual PC 2007 installed but not running and I
> also have VMWare Workstation 7 installed but not running.
>
> What can I start looking for to solve this *extremely* annoying
> behaviour?
>


What seems painfully apparent is that these hang-ups are caused by
failed attempts to access networked drives and/or UNC resources.
Knowing what these networked resources are would be helpful. For
example if your "I:" drive is mapped to an XP-Home machine, that
machine will not allow more than 5 concurrent incoming connections.
If all five connections are used up when you do something that
requires access to the I: drive, you will have a hang until the
connection times-out or the resource becomes available. If a mapped
drive is not accessed for 15 minutes (default), then that connection
is dropped. The next attempt to access the drive may fail if other
resources have acquired the 5 input connection limit.

My first step would be to eliminate all mapped network drives,
particularly ones that map to XP Home and Pro machines. Instead, use
shortcuts to a UNC path or a UNC path itself to access a network
resource. The advantage here is that accessing "My Computer" will
not attempt to connect to these networked drives and possibly
eliminate your delay. (Mapped drives are shown under "My Computer"
and accessed/statused when you open or access it using most of the
triggers you cite above) This approach can often quickly identify
which network resource is hanging the computer.

Another step would be at the server end to decrease the
Autodisconnect time for idle server connections which would increase
the availability of these connections.

Try this article:
"Inbound connections limit in Windows XP"
<http://support.microsoft.com/kb/314882>

HTH,
John
 
Bo Berglund

On Mon, 08 Mar 2010 22:28:43 -0800, John Wunderlich
<jwunderlich@lycos.com> wrote:

>Bo Berglund <boberglund@myotherhome.sec> wrote in
>news:9uvap5hdvvu96driv7k83460204nbp87n1@4ax.com:
>
>> I have an extremely annoying problem with my XP-Pro laptop.
>> Several times a day (say 5-10 times) the networking locks up so
>> that if I try anything in any application that has anything to do
>> with networking then that application locks up. The block is on
>> for several *minutes*, after which it goes away and the PC works
>> normally again.
>>
>> The strange thing is that TCP/IP networking seems to be OK all the
>> time, but not the accesses using UNC naming or any access to a
>> mapped drive, which behind the scenes is actually an UNC name
>> mapping.
>>
>> These actions will trigger an application lock-up:
>> - Save as and select the dropdown combobox at the top of the
>> dialog.
>> - Scroll the folder list in Windows explorer down until
>> the first network item is to be shown. At this time Explorer locks
>> up.
>> - In a command window type dir I:/ (where I: is a mapped
>> drive)
>> - In MS Word the lockup may happen anytime while typing.
>> Letters just stop appearing on screen and Word is completely
>> unresponsive.
>> - etc etc
>>
>> While the lockup is active I *can* do this:
>> - In a command window ping any resource on the LAN. Returns OK.
>> - In MS Outlook 2003 read and write email, no problems here.
>> - Use the web browser causes no problems.
>>
>> During this time I see no suspicious activity in Task Manager and
>> my network icon in the tray does not light up showing excess
>> network traffic.
>>
>> I have checked my drive mappings but all of them are for shares
>> that are located on the network and *are* accessible both before
>> and after the lockup.
>>
>> I have cleared everything out of "My Network Places" and adjusted
>> the registry to stop caching network addresses I access.
>>
>> I am normally running a number of applications:
>> - MS Outlook 2003
>> - MS Word 2003
>> - Borland Delphi 7 development IDE
>> - FireFox web browser
>> - A number of Windows Explorer windows on different folders
>> - UltraEdit text editor
>>
>> I have Microsoft Virtual PC 2007 installed but not running and I
>> also have VMWare Workstation 7 installed but not running.
>>
>> What can I start looking for to solve this *extremely* annoying
>> behaviour?
>>

>
>What seems painfully apparent is that these hang-ups are caused by
>failed attempts to access networked drives and/or UNC resources.
>Knowing what these networked resources are would be helpful. For
>example if your "I:" drive is mapped to an XP-Home machine, that
>machine will not allow more than 5 concurrent incoming connections.
>If all five connections are used up when you do something that
>requires access to the I: drive, you will have a hang until the
>connection times-out or the resource becomes available. If a mapped
>drive is not accessed for 15 minutes (default), then that connection
>is dropped. The next attempt to access the drive may fail if other
>resources have acquired the 5 input connection limit.
>
>My first step would be to eliminate all mapped network drives,
>particularly ones that map to XP Home and Pro machines. Instead, use


My problems happen on our corporate LAN and there are absolutely no
XP-Home machines there. All mapped drives (I have 4) are towards
Windows 2003 Servers, so these should be OK.

>shortcuts to a UNC path or a UNC path itself to access a network
>resource. The advantage here is that accessing "My Computer" will
>not attempt to connect to these networked drives and possibly
>eliminate your delay. (Mapped drives are shown under "My Computer"


I never ever use "My Computer" or "My Documents".....

>and accessed/statused when you open or access it using most of the
>triggers you cite above) This approach can often quickly identify
>which network resource is hanging the computer.
>
>Another step would be at the server end to decrease the
>Autodisconnect time for idle server connections which would increase
>the availability of these connections.
>
>Try this article:
>"Inbound connections limit in Windows XP"
><http://support.microsoft.com/kb/314882>


Looks like it is for XP <-> XP connections, but I have XP Pro <->
Server 2003 connections.....

--

Bo Berglund (Sweden)
 
John John - MVP

Bo Berglund wrote:
> On Mon, 08 Mar 2010 22:28:43 -0800, John Wunderlich
> <jwunderlich@lycos.com> wrote:
>
>> Bo Berglund <boberglund@myotherhome.sec> wrote in
>> news:9uvap5hdvvu96driv7k83460204nbp87n1@4ax.com:
>>
>>> I have an extremely annoying problem with my XP-Pro laptop.
>>> Several times a day (say 5-10 times) the networking locks up so
>>> that if I try anything in any application that has anything to do
>>> with networking then that application locks up. The block is on
>>> for several *minutes*, after which it goes away and the PC works
>>> normally again.
>>>
>>> The strange thing is that TCP/IP networking seems to be OK all the
>>> time, but not the accesses using UNC naming or any access to a
>>> mapped drive, which behind the scenes is actually an UNC name
>>> mapping.
>>>
>>> These actions will trigger an application lock-up:
>>> - Save as and select the dropdown combobox at the top of the
>>> dialog.
>>> - Scroll the folder list in Windows explorer down until
>>> the first network item is to be shown. At this time Explorer locks
>>> up.
>>> - In a command window type dir I:/ (where I: is a mapped
>>> drive)
>>> - In MS Word the lockup may happen anytime while typing.
>>> Letters just stop appearing on screen and Word is completely
>>> unresponsive.
>>> - etc etc
>>>
>>> While the lockup is active I *can* do this:
>>> - In a command window ping any resource on the LAN. Returns OK.
>>> - In MS Outlook 2003 read and write email, no problems here.
>>> - Use the web browser causes no problems.
>>>
>>> During this time I see no suspicious activity in Task Manager and
>>> my network icon in the tray does not light up showing excess
>>> network traffic.
>>>
>>> I have checked my drive mappings but all of them are for shares
>>> that are located on the network and *are* accessible both before
>>> and after the lockup.
>>>
>>> I have cleared everything out of "My Network Places" and adjusted
>>> the registry to stop caching network addresses I access.
>>>
>>> I am normally running a number of applications:
>>> - MS Outlook 2003
>>> - MS Word 2003
>>> - Borland Delphi 7 development IDE
>>> - FireFox web browser
>>> - A number of Windows Explorer windows on different folders
>>> - UltraEdit text editor
>>>
>>> I have Microsoft Virtual PC 2007 installed but not running and I
>>> also have VMWare Workstation 7 installed but not running.
>>>
>>> What can I start looking for to solve this *extremely* annoying
>>> behaviour?
>>>

>> What seems painfully apparent is that these hang-ups are caused by
>> failed attempts to access networked drives and/or UNC resources.
>> Knowing what these networked resources are would be helpful. For
>> example if your "I:" drive is mapped to an XP-Home machine, that
>> machine will not allow more than 5 concurrent incoming connections.
>> If all five connections are used up when you do something that
>> requires access to the I: drive, you will have a hang until the
>> connection times-out or the resource becomes available. If a mapped
>> drive is not accessed for 15 minutes (default), then that connection
>> is dropped. The next attempt to access the drive may fail if other
>> resources have acquired the 5 input connection limit.
>>
>> My first step would be to eliminate all mapped network drives,
>> particularly ones that map to XP Home and Pro machines. Instead, use

>
> My problems happen on our corporate LAN and there are absolutely no
> XP-Home machines there. All mapped drives (I have 4) are towards
> Windows 2003 Servers, so these should be OK.
>
>> shortcuts to a UNC path or a UNC path itself to access a network
>> resource. The advantage here is that accessing "My Computer" will
>> not attempt to connect to these networked drives and possibly
>> eliminate your delay. (Mapped drives are shown under "My Computer"

>
> I never ever use "My Computer" or "My Documents".....
>
>> and accessed/statused when you open or access it using most of the
>> triggers you cite above) This approach can often quickly identify
>> which network resource is hanging the computer.
>>
>> Another step would be at the server end to decrease the
>> Autodisconnect time for idle server connections which would increase
>> the availability of these connections.
>>
>> Try this article:
>> "Inbound connections limit in Windows XP"
>> <http://support.microsoft.com/kb/314882>

>
> Looks like it is for XP <-> XP connections, but I have XP Pro <->
> Server 2003 connections.....
>


Check the Power Management setting on the network adapter's properties
and see if it is set to 'Allow the computer to turn off the device to
save power', maybe the adapter gets turned off while you are working.

John
 
John Wunderlich

Bo Berglund <boberglund@myotherhome.sec> wrote in
news:c5ubp59ipeae4uqo524mai6divffqcscaj@4ax.com:

>> My first step would be to eliminate all mapped network drives,
>> particularly ones that map to XP Home and Pro machines. Instead,
>> use

>
> My problems happen on our corporate LAN and there are absolutely
> no XP-Home machines there. All mapped drives (I have 4) are
> towards Windows 2003 Servers, so these should be OK.


OK. This is new information. Your problem still seems to be associated
with re-attaching to a network mapping which has apparently gone idle.

>
>> shortcuts to a UNC path or a UNC path itself to access a network
>> resource. The advantage here is that accessing "My Computer"
>> will not attempt to connect to these networked drives and
>> possibly eliminate your delay. (Mapped drives are shown under "My
>> Computer"

>
> I never ever use "My Computer" or "My Documents".....


Maybe not directly but "select the dropdown combobox at top of dialog"
brings up a window that contains "My Computer" and the lettered drives
within. "Scroll the folder list in Windows Explorer until network
drive..." (same thing); "Dir I:" references network drive; MS Word
lockup may be different... are you editing a file on a network drive at
the time? It could be when "autosave" kicks in it accesses contents of
"My Computer" behind the scenes.

I still would eliminate network drive mapping in favor of UNC/shortcut
access, at least temporarily, in an attempt to discover which network
connection is having problems.

John-John's suggestion of not allowing network card to power down also
has merit.

HTH,
John
 
Bo Berglund

On Tue, 09 Mar 2010 08:29:01 -0400, John John - MVP
<audetweld@nbnot.nb.ca> wrote:

>Bo Berglund wrote:
>Check the Power Management setting on the network adapter's properties
>and see if it is set to 'Allow the computer to turn off the device to
>save power', maybe the adapter gets turned off while you are working.
>


I don't think it is a powerdown problem because whenever the lockup
happens (it lasts for 3 minutes) then I can use my web browser just
fine via the same NIC and I can open a command window and ping
successfully the server on which my mapped drive resides.

So it seems that neither my own nor the server's NIC is in fact dead,
it is just the UNC name handling that has gone haywire....

--

Bo Berglund (Sweden)
 
Bo Berglund

On Tue, 09 Mar 2010 16:32:58 GMT, John Wunderlich
<jwunderlich@lycos.com> wrote:

>Bo Berglund <boberglund@myotherhome.sec> wrote in
>news:c5ubp59ipeae4uqo524mai6divffqcscaj@4ax.com:
>
>>> My first step would be to eliminate all mapped network drives,
>>> particularly ones that map to XP Home and Pro machines. Instead,
>>> use

>>
>> My problems happen on our corporate LAN and there are absolutely
>> no XP-Home machines there. All mapped drives (I have 4) are
>> towards Windows 2003 Servers, so these should be OK.

>
>OK. This is new information. Your problem still seems to be associated
>with re-attaching to a network mapping which has apparently gone idle.


As I said above this happens at work, so today (I'm back home now) I
made an experiment:
I created a Delphi application that has a timer inside and every time
this times out I run a FileExist call on a file that I have put on the
server (\\server\share\path\filename)

The timer interval is set to 1 second and I read the current time tick
before and after the FileExist call. Then I compute the execution time
and if it is longer than 2 s I log the event.

During 5 hours of monitoring it detected 4 events of this kind, each
lasting between 174 and 186 seconds....

>
>I still would eliminate network drive mapping in favor of UNC/shortcut
>access, at least temporarily, in an attempt to discover which network
>connection is having problems.


Well, the test described above uses a unc path to the file but it does
not help....

>John-John's suggestion of not allowing network card to power down also
>has merit.
>

As I replied to him, while the UNC problem is on I can use my own NIC
for standard TCP/IP connections like web browsing and ping. And the
server I am trying to access by UNC responds immediately to ping
requests. So its NIC is also not dead.

So it is definitely something amiss with the UNC handling.

I downloaded and installed Wireshark in order to try and see what is
going on on my NIC, but unfortunately it records way too much data for
me to make anything sensible out of.....

--

Bo Berglund (Sweden)
 
John Wunderlich

Bo Berglund <boberglund@myotherhome.sec> wrote in
news:7v0dp59iftllhk1ce0h4l8ql3ntr6ibafm@4ax.com:

> So it is definitely something amiss with the UNC handling.
>
> I downloaded and installed Wireshark in order to try and see what
> is going on on my NIC, but unfortunately it records way too much
> data for me to make anything sensible out of.....
>
>


It would probably help a little with the volume of data to only
capture the data of interest. When you start Wireshark, click the
"Capture Option" and where you see "Capture Filter", enter a filter of:

host 192.168.1.123 && (port 135 || port 137 || port 138 || port 139 || port 445)

Where you substitute the IP address of your server where you see "192.168.1.123"
This still may capture a lot of data but once you hit your hangup,
you can examine the last of the capture.

HTH,
John
 
Bo Berglund

On Tue, 09 Mar 2010 22:22:12 GMT, John Wunderlich
<jwunderlich@lycos.com> wrote:

>Bo Berglund <boberglund@myotherhome.sec> wrote in
>news:7v0dp59iftllhk1ce0h4l8ql3ntr6ibafm@4ax.com:
>
>> So it is definitely something amiss with the UNC handling.
>>
>> I downloaded and installed Wireshark in order to try and see what
>> is going on on my NIC, but unfortunately it records way too much
>> data for me to make anything sensible out of.....
>>
>>

>
>It would probably help a little with the volume of data to only
>capture the data of interest. When you start Wireshark, click the
>"Capture Option" and where you see "Capture Filter", enter a filter of:
>
>host 192.168.1.123 && (port 135 || port 137 || port 138 || port 139 || port 445)
>
>Where you substitute the IP address of your server where you see "192.168.1.123"
>This still may capture a lot of data but once you hit your hangup,
>you can examine the last of the capture.
>


Thanks for this! It really cut back on the info being recorded.

I have kept my test application running all day while at the same time
letting Wireshark record with your filter in place. I have had more
than 10 blackouts during this time each lasting 3 minutes. :-(

With the log from my test application I can see the timestamp of the
problem and locate the right spot in the Wireshark capture file.

The result is really strange. Here are events from one of the lockups:

2612 13:02:03.660702 172.30.176.35 172.30.177.70 SMB Tree Disconnect Request
2613 13:02:03.660967 172.30.177.70 172.30.176.35 SMB Tree Disconnect Response
2614 13:02:03.661084 172.30.176.35 172.30.177.70 SMB Logoff AndX Request
2615 13:02:03.661523 172.30.177.70 172.30.176.35 SMB Logoff AndX Response
2616 13:02:03.661616 172.30.176.35 172.30.177.70 SMB Tree Disconnect Request
2617 13:02:03.661846 172.30.177.70 172.30.176.35 SMB Tree Disconnect Response

The above is where the blackout starts.
After 2 minutes there is a bit of activity from KeepAlive packets:

2623 13:04:03.100948 172.30.177.14 172.30.176.35 TCP [TCP Keep-Alive] microsoft-ds > fg-fps [ACK] Seq=158703 Ack=117676 Win=63014 Len=1
2624 13:04:03.100999 172.30.176.35 172.30.177.14 TCP [TCP Keep-Alive ACK] fg-fps > microsoft-ds [ACK] Seq=117676 Ack=158704 Win=36451 Len=0 TSV=4957644 TSER=16429060
2625 13:04:03.802338 172.30.177.70 172.30.176.35 TCP [TCP Keep-Alive] microsoft-ds > abcvoice-port [ACK] Seq=2848 Ack=6057 Win=65536 Len=1
2626 13:04:03.802389 172.30.176.35 172.30.177.70 TCP [TCP Keep-Alive ACK] abcvoice-port > microsoft-ds [ACK] Seq=6057 Ack=2849 Win=145688 Len=0 TSV=4957650 TSER=163213097

Then this happens 2.5 minutes into the blackout:
2627 13:04:29.636063 172.30.177.70 172.30.176.35 TCP microsoft-ds > abcvoice-port [RST, ACK] Seq=2849 Ack=6057 Win=0 Len=0

And finally the end of blackout is signalled by these packets:
2628 13:04:58.511867 172.30.176.35 172.30.177.14 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \Bosse
2629 13:04:58.512593 172.30.177.14 172.30.176.35 SMB Trans2 Response, QUERY_PATH_INFO
2630 13:04:58.513369 172.30.176.35 172.30.177.14 SMB Trans2 Request, FIND_FIRST2, Pattern: \Bosse\CheckFile.txt
2631 13:04:58.514038 172.30.177.14 172.30.176.35 SMB Trans2 Response, FIND_FIRST2, Files: CheckFile.txt

From now on the network is OK until the next blackout, which can
happen anytime....
All blackouts last 3 minutes within about 5 seconds and they have the
same basic structure as shown above. Sometimes there are a few TCP
packets inside the blackout (the .... section above) but most often
there is nothing the first 2 minutes until the KeepAlive starts.

What can I do to find out why there are disconnect and logoff requests
posted to the domain controller (172.30.177.70)???
And most importantly to stop it from happening....

--

Bo Berglund (Sweden)
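
The manual correlation described in this post can be scripted. The following is an added example, not code from the thread: it parses a Wireshark packet-list text export in the column layout quoted above, finds long silences in SMB traffic, and summarises the teardown requests before each silence and the TCP keep-alives and resets inside it. The function names and the 30-second threshold are assumptions; the sample input is the set of packet lines quoted in the post.

```python
import re
from dataclasses import dataclass

# Packet lines quoted in the post above (Wireshark columns: No., Time,
# Source, Destination, Protocol, Info), re-joined to one packet per line.
CAPTURE = r"""
2612 13:02:03.660702 172.30.176.35 172.30.177.70 SMB Tree Disconnect Request
2613 13:02:03.660967 172.30.177.70 172.30.176.35 SMB Tree Disconnect Response
2614 13:02:03.661084 172.30.176.35 172.30.177.70 SMB Logoff AndX Request
2615 13:02:03.661523 172.30.177.70 172.30.176.35 SMB Logoff AndX Response
2616 13:02:03.661616 172.30.176.35 172.30.177.70 SMB Tree Disconnect Request
2617 13:02:03.661846 172.30.177.70 172.30.176.35 SMB Tree Disconnect Response
2623 13:04:03.100948 172.30.177.14 172.30.176.35 TCP [TCP Keep-Alive] microsoft-ds > fg-fps [ACK] Seq=158703 Ack=117676 Win=63014 Len=1
2624 13:04:03.100999 172.30.176.35 172.30.177.14 TCP [TCP Keep-Alive ACK] fg-fps > microsoft-ds [ACK] Seq=117676 Ack=158704 Win=36451 Len=0 TSV=4957644 TSER=16429060
2625 13:04:03.802338 172.30.177.70 172.30.176.35 TCP [TCP Keep-Alive] microsoft-ds > abcvoice-port [ACK] Seq=2848 Ack=6057 Win=65536 Len=1
2626 13:04:03.802389 172.30.176.35 172.30.177.70 TCP [TCP Keep-Alive ACK] abcvoice-port > microsoft-ds [ACK] Seq=6057 Ack=2849 Win=145688 Len=0 TSV=4957650 TSER=163213097
2627 13:04:29.636063 172.30.177.70 172.30.176.35 TCP microsoft-ds > abcvoice-port [RST, ACK] Seq=2849 Ack=6057 Win=0 Len=0
2628 13:04:58.511867 172.30.176.35 172.30.177.14 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \Bosse
2629 13:04:58.512593 172.30.177.14 172.30.176.35 SMB Trans2 Response, QUERY_PATH_INFO
2630 13:04:58.513369 172.30.176.35 172.30.177.14 SMB Trans2 Request, FIND_FIRST2, Pattern: \Bosse\CheckFile.txt
2631 13:04:58.514038 172.30.177.14 172.30.176.35 SMB Trans2 Response, FIND_FIRST2, Files: CheckFile.txt
"""

LINE = re.compile(
    r"^(\d+)\s+(\d+):(\d+):(\d+)\.(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
TEARDOWN = ("Tree Disconnect", "Logoff AndX")  # SMB session-teardown commands


@dataclass
class Packet:
    no: int
    t_us: int      # time of day in integer microseconds (no float rounding)
    src: str
    dst: str
    proto: str
    info: str


@dataclass
class Blackout:
    start_us: int        # last SMB packet before the silence
    end_us: int          # first SMB packet after the silence
    teardown: list       # teardown requests in the SMB burst just before it
    keepalives: int      # TCP keep-alive probes and ACKs during the silence
    rst_from: list       # hosts that reset a connection during the silence
    resumed_by: Packet   # packet that ended the silence


def parse_packets(text):
    """Parse a packet-list text export; lines that do not match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        no, hh, mm, ss, frac, src, dst, proto, info = m.groups()
        t_us = ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * 1_000_000
        t_us += int(frac[:6].ljust(6, "0"))
        packets.append(Packet(int(no), t_us, src, dst, proto, info))
    return packets


def find_blackouts(packets, min_gap_s=30):
    """Return one Blackout per silence of at least min_gap_s in SMB traffic.

    Assumes packets are in capture order and do not cross midnight.
    """
    smb = [p for p in packets if p.proto == "SMB"]
    found = []
    for prev, nxt in zip(smb, smb[1:]):
        if nxt.t_us - prev.t_us < min_gap_s * 1_000_000:
            continue
        # SMB packets in the final second before the silence began
        burst = [p for p in smb if 0 <= prev.t_us - p.t_us <= 1_000_000]
        teardown = [p for p in burst if p.info.startswith(TEARDOWN)
                    and p.info.endswith("Request")]
        # Everything (non-SMB by construction) seen while SMB was silent
        inside = [p for p in packets if prev.t_us < p.t_us < nxt.t_us]
        found.append(Blackout(
            start_us=prev.t_us, end_us=nxt.t_us, teardown=teardown,
            keepalives=sum("[TCP Keep-Alive" in p.info for p in inside),
            rst_from=sorted({p.src for p in inside if "[RST" in p.info}),
            resumed_by=nxt))
    return found


def describe(b):
    """Render one Blackout as a short text summary."""
    lines = [f"SMB silent for {(b.end_us - b.start_us) / 1e6:.1f} s"]
    for p in b.teardown:
        lines.append(f"  before: #{p.no} {p.src} -> {p.dst} {p.info}")
    lines.append(f"  during: {b.keepalives} keep-alive packets, "
                 f"RST from {', '.join(b.rst_from) or 'nobody'}")
    r = b.resumed_by
    lines.append(f"  after:  #{r.no} {r.src} -> {r.dst} {r.info}")
    return "\n".join(lines)


if __name__ == "__main__":
    for blackout in find_blackouts(parse_packets(CAPTURE)):
        print(describe(blackout))
```
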
 
John Wunderlich

Bo Berglund <boberglund@myotherhome.sec> wrote in
news:dsufp51jsh142rscpqnb8eq36m6hq5gimt@4ax.com:

> What can I do to find out why there are disconnect and logoff
> requests posted to the domain controller (172.30.177.70)???
> And most importantly to stop it from happening....
>


I'm assuming that .35 is the server you're connected to, .70 is the
domain controller, and .14 is yourself. It seems strange to me that
you can record a packet between your server and the domain controller
unless you are using hubs instead of switches... and it does seem
strange to see the disconnect/logoff.

You've reached the limit of my knowledge.
All I could come up with on the KB articles is the following. You
can check it out and see if it applies:

"Your system stops responding, you experience slow file server
performance, or delays occur when you work with files that are
located on a file server"
<http://support.microsoft.com/kb/822219>

Good Luck,
John
 
Bo Berglund

On Wed, 10 Mar 2010 22:10:20 -0800, John Wunderlich
<jwunderlich@lycos.com> wrote:

>Bo Berglund <boberglund@myotherhome.sec> wrote in
>news:dsufp51jsh142rscpqnb8eq36m6hq5gimt@4ax.com:
>
>> What can I do to find out why there are disconnect and logoff
>> requests posted to the domain controller (172.30.177.70)???
>> And most importantly to stop it from happening....
>>

>
>I'm assuming that .35 is the server you're connected to, .70 is the
>domain controller, and .14 is yourself. It seems strange to me that
>you can record a packet between your server and the domain controller
>unless you are using hubs instead of switches... and it does seem
>strange to see the disconnect/logoff.
>
>You've reached the limit of my knowledge.
>All I could come up with on the KB articles is the following. You
>can check it out and see if it applies:
>
>"Your system stops responding, you experience slow file server
>performance, or delays occur when you work with files that are
>located on a file server"
> <http://support.microsoft.com/kb/822219>
>


Well, the IP:s are:
Server .70 (this is the primary DC, there is a second one at .78)
Laptop .35 (The SMB traffic is originating from my laptop)
Filesrv .14 ( this is the file server on which I have my mapped
drives. I don't know why this comes up for the
keepalive stuff..)

I will have a look at the KB, but all of these blackouts happen when I
am working with *local* files. Basically while I am editing and
testing programs I develop using the Delphi 7 IDE.
For example, if I need to save a new file in the IDE there will be a
save as dialog coming up and this will be completely locked up if it
hits a blackout period. After the 3 minutes it wakes up..

I do have a few mapped drives to our file server, but I have no open
files on either of them.
Also, of course I have a couple of registered printers on the network
and Windows is for some reason checking on these periodically even
though I am not at all printing anything...

--

Bo Berglund (Sweden)
 
Bo Berglund

On Tue, 09 Mar 2010 00:09:53 +0100, Bo Berglund
<boberglund@myotherhome.sec> wrote:

I have now made an experiment:
- Connected from home via Cisco VPN to the corporate LAN.
- Started my test application and Wireshark to see how the blackouts
would look in this scenario.

Result: After some 15 hours of logging I have not yet encountered any
SMB/UNC blackout! :)

With the direct connection to the LAN at work I get something like one
blackout of 3 minutes every half hour or so.

Strange.....
--

Bo Berglund (Sweden)
 
John Wunderlich

Bo Berglund <boberglund@myotherhome.sec> wrote in
news:14hlp5180aoa31nrrdffuealqbqcrbef6q@4ax.com:

> On Tue, 09 Mar 2010 00:09:53 +0100, Bo Berglund
> <boberglund@myotherhome.sec> wrote:
>
> I have now made an experiment:
> - Connected from home via Cisco VPN to the corporate LAN.
> - Started my test application and Wireshark to see how the
> blackouts would look in this scenario.
>
> Result: After some 15 hours of logging I have not yet encountered
> any SMB/UNC blackout! :)
>
> With the direct connection to the LAN at work I get something like
> one blackout of 3 minutes every half hour or so.
>
> Strange.....


Hmmm... Maybe not so strange.

I know that the Cisco VPN client contains a Stateful Firewall. This
firewall is enabled even when the VPN client isn't active and can
interfere with Microsoft Networking even (particularly?) when not
active.

Test: Startup the Cisco VPN Client. Before connecting, click on
"Options" Menu and make sure there is *not* a checkmark in front of
"Stateful firewall (Always on)". Close the client afterward. See if
this clears up your problem.

Microsoft has a KB article that [kind of] addresses this:
"Internet firewalls can prevent browsing and file sharing"
<http://support.microsoft.com/kb/298804>

HTH,
John
 
Bo Berglund

On Fri, 12 Mar 2010 21:48:32 -0800, John Wunderlich
<jwunderlich@lycos.com> wrote:

>Bo Berglund <boberglund@myotherhome.sec> wrote in
>news:14hlp5180aoa31nrrdffuealqbqcrbef6q@4ax.com:
>
>> On Tue, 09 Mar 2010 00:09:53 +0100, Bo Berglund
>> <boberglund@myotherhome.sec> wrote:
>>
>> I have now made an experiment:
>> - Connected from home via Cisco VPN to the corporate LAN.
>> - Started my test application and Wireshark to see how the
>> blackouts would look in this scenario.
>>
>> Result: After some 15 hours of logging I have not yet encountered
>> any SMB/UNC blackout! :)
>>
>> With the direct connection to the LAN at work I get something like
>> one blackout of 3 minutes every half hour or so.
>>
>> Strange.....

>
>Hmmm... Maybe not so strange.
>
>I know that the Cisco VPN client contains a Stateful Firewall. This
>firewall is enabled even when the VPN client isn't active and can
>interfere with Microsoft Networking even (particularly?) when not
>active.
>
>Test: Startup the Cisco VPN Client. Before connecting, click on
>"Options" Menu and make sure there is *not* a checkmark in front of
>"Stateful firewall (Always on)". Close the client afterward. See if
>this clears up your problem.
>
>Microsoft has a KB article that [kind of] addresses this:
>"Internet firewalls can prevent browsing and file sharing"
> <http://support.microsoft.com/kb/298804>
>
>HTH,
> John

Thanks for the tip, but that setting was already OFF....
I have contacted the IT department and we will change out my HP
docking station and move my network patch to another switch on Monday
to see if there is a difference.

--

Bo Berglund (Sweden)
 
Bo Berglund
On Sat, 13 Mar 2010 08:01:44 +0100, Bo Berglund
<boberglund@myotherhome.sec> wrote:

>Thanks for the tip, but that setting was already OFF....
>I have contacted the IT department and we will change out my HP
>docking station and move my network patch to another switch on Monday
>to see if there is a difference.


Didn't change the docking station yet, but I changed from using the
wired network in the office to using the WiFi instead.
This turned out to work just fine, no blackouts for almost a full day.
So then the IT department tried to patch my network connection into a
different switch to see if that would help, but it did not. In less
than a half hour after I returned to using the Broadcom Gigabit NIC
via the re-patched network cable I had the blackouts again...

So the situation now is like this:
+ No blackout if I use the office WiFi network.
+ No blackout if I use the Cisco VPN from home.
+ Blackouts if I use the Broadcom NIC via the docking station.

Next to test:
+ Change out the docking station, then use the Broadcom NIC.
+ Use the Broadcom NIC without the docking station entirely.

The latter is harder because I will lose my office wide screen display
(no DVI on my laptop) and other gadgets hooked to the docking
station....

--

Bo Berglund (Sweden)
 
John Wunderlich
Bo Berglund <boberglund@myotherhome.sec> wrote in
news:beaup517v4ssgoag52c7690bsoaij94his@4ax.com:

> Didn't change the docking station yet, but I changed from using
> the wired network in the office to using the WiFi instead. This
> turned out to work just fine, no blackouts for almost a full day.
> So then the IT department tried to patch my network connection
> into a different switch to see if that would help, but it did not.
> In less than a half hour after I returned to using the Broadcom
> Gigabit NIC via the re-patched network cable I had the blackouts
> again...
>
> So the situation now is like this:
> + No blackout if I use the office WiFi network.
> + No blackout if I use the Cisco VPN from home.
> + Blackouts if I use the Broadcom NIC via the docking station.
>
> Next to test:
> + Change out the docking station, then use the Broadcom NIC.
> + Use the Broadcom NIC without the docking station entirely.
>
> The latter is harder because I will lose my office wide screen
> display (no DVI on my laptop) and other gadgets hooked to the
> docking station....
>


You're really going after this with a vengeance. In that event, let
me offer another suggestion. It might be a Master Browser issue on
your subnet. When you use WiFi or VPN, you tend to be about the
only machine on the subnet so things work better. On a wired LAN,
if only one other machine on your subnet has a firewall going (e.g.
Cisco), it can kill the master browser for the entire subnet. I
have gotten pretty good at finding these machines using Microsoft's
"Browstat.exe" program. The procedure goes something like this...

Step 1 is to determine the master browser on your subnet. From a
command Window (start->run->"cmd") issue the following command:

browstat status

It should reply quickly. If it takes a while or if the second line
starts: "Master name cannot be determined..." this is an indication
of a problem. If you get this, then issue the command:

browstat el 1 domain

where "1" is your network number as determined from the reply from a
"browstat dn" command and "domain" is replaced with your domain.
Then wait 25-30 seconds and repeat the "browstat status" command.
If all is well, the second line should read:

"Master browser name is: Comp01"

where "Comp01" is the name of the master browser on your subnet.

Next, ask the master browser for a list of machines on your subnet:

browstat vw 1 \\Comp01 0x40000000

where "1" and "Comp01" are replaced appropriately as above.

Look at the list that was just printed. There should be *exactly
one* line that contains the Master Browser designation "MBR". If
you see more than one, then chances are that the ones other than the
<Comp01> one have firewalls up and are disrupting Master Browsing on
the subnet. Hint: A quick way to show these is to type the
following:

browstat vw 1 \\Comp01 0x40000000 | find "MBR"

Once you discover the offending computers, you can correct the
problem by either turning off their firewall so that they behave
appropriately or you can stop/disable their "Computer Browser"
service either via "services.msc" or by command line:

reg add HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters /v MaintainServerList /t REG_MULTI_SZ /d false /f

Good Luck,
John
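
An added example, not part of the post above and not a Microsoft tool: the "exactly one MBR" check from the procedure, written as a Python parser over a saved `browstat vw` listing. The sample listing and the host names COMP01 to COMP03 are constructed, and the line layout is assumed from the single `browstat vw` entry quoted elsewhere in this thread.

```python
import re

# Constructed sample in the layout of a `browstat vw` listing; COMP01..COMP03
# and the all-zero GUID are placeholders, not machines from the thread.
SAMPLE_VW = r"""
Remoting NetServerEnum to \\COMP01 on transport
\Device\NetBT_Tcpip_{00000000-0000-0000-0000-000000000000} with flags
40000000
3 entries returned. 3 total. 16 milliseconds

\\COMP01 NT 05.01 (W,S,NT,PBR,MBR)
\\COMP02 NT 05.01 (W,S,NT,PBR,MBR)
\\COMP03 NT 05.01 (W,S,NT)
"""

# A server line starts with \\NAME and carries its role flags in parentheses.
ENTRY = re.compile(r"^\\\\(?P<host>\S+)\s+.*?\((?P<flags>[^)]*)\)")


def parse_vw(text):
    """Return {HOST: set_of_flags} for every server line in the listing."""
    servers = {}
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            flags = {f.strip() for f in m.group("flags").split(",") if f.strip()}
            servers[m.group("host").upper()] = flags
    return servers


def check_masters(text, expected_master):
    """Compare hosts flagged MBR with the master named by `browstat status`."""
    expected = expected_master.lstrip("\\").upper()
    masters = sorted(h for h, f in parse_vw(text).items() if "MBR" in f)
    return {
        "masters": masters,
        # Hosts claiming MBR besides the expected one are the ones to inspect.
        "unexpected": [h for h in masters if h != expected],
        "single_master": masters == [expected],
    }


if __name__ == "__main__":
    print(check_masters(SAMPLE_VW, "Comp01"))
```
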
 
Bo Berglund
On Tue, 16 Mar 2010 20:02:01 GMT, John Wunderlich
<jwunderlich@lycos.com> wrote:

>> So the situation now is like this:
>>+ No blackout if I use the office WiFi network.
>>+ No blackout if I use the Cisco VPN from home.
>>+ Blackouts if I use the Broadcom NIC via the docking station.
>>
>> Next to test:
>>+ Change out the docking station, then use the Broadcom NIC.
>>+ Use the Broadcom NIC without the docking station entirely.
>>
>> The latter is harder because I will lose my office wide screen
>> display (no DVI on my laptop) and other gadgets hooked to the
>> docking station....


Today I went through the whole exercise:
- Changed docking station - no difference
- Used a different network outlet - no difference
- Connected the network directly to the laptop (no docking station at
all) - No difference

The only working solution so far at the office is WiFi.

The IT department is stumped as well....

I will use all of the hints below to see if anything works out.
But tomorrow is the last day at the office for almost 3 weeks so I
might not get it all done.

Thanks for your valued help!
>
>You're really going after this with a vengeance. In that event, let
>me offer another suggestion. It might be a Master Browser issue on
>your subnet. When you use WiFi or VPN, you tend to be about the
>only machine on the subnet so things work better. On a wired LAN,
>if only one other machine on your subnet has a firewall going (e.g.
>Cisco), it can kill the master browser for the entire subnet. I
>have gotten pretty good at finding these machines using Microsoft's
>"Browstat.exe" program. The procedure goes something like this...
>Step 1 is to determine the master browser on your subnet. From a
>command Window (start->run->"cmd") issue the following command:
>
> browstat status
>
>It should reply quickly. If it takes a while or if the second line
>starts: "Master name cannot be determined..." this is an indication
>of a problem. If you get this, then issue the command:
>
> browstat el 1 domain
>
>where "1" is your network number as determined from the reply from a
>"browstat dn" command and "domain" is replaced with your domain.
>Then wait 25-30 seconds and repeat the "browstat status" command.
>If all is well, the second line should read:
>
> "Master browser name is: Comp01"
>
>where "Comp01" is the name of the master browser on your subnet.
>
>Next, ask the master browser for a list of machines on your subnet:
>
> browstat vw 1 \\Comp01 0x40000000
>
>where "1" and "Comp01" are replaced appropriately as above.
>
>Look at the list that was just printed. There should be *exactly
>one* line that contains the Master Browser designation "MBR". If
>you see more than one, then chances are that the ones other than the
><Comp01> one have firewalls up and are disrupting Master Browsing on
>the subnet. Hint: A quick way to show these is to type the
>following:
>
> browstat vw 1 \\Comp01 0x40000000 | find "MBR"
>
>Once you discover the offending computers, you can correct the
>problem by either turning off their firewall so that they behave
>appropriately or you can stop/disable their "Computer Browser"
>service either via "services.msc" or by command line:
>
> reg add HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters /v MaintainServerList /t REG_MULTI_SZ /d false /f
>
>Good Luck,
> John


--

Bo Berglund (Sweden)
 
Bo Berglund
On Tue, 16 Mar 2010 21:31:27 +0100, Bo Berglund
<boberglund@myotherhome.sec> wrote:

>
>I will use all of the hints below to see if anything works out.
>But tomorrow is the last day at the office for almost 3 weeks so I
>might not get it all done.
>
>Thanks for your valued help!
>>
>>You're really going after this with a vengeance. In that event, let
>>me offer another suggestion. It might be a Master Browser issue on
>>your subnet. When you use WiFi or VPN, you tend to be about the
>>only machine on the subnet so things work better. On a wired LAN,
>>if only one other machine on your subnet has a firewall going (e.g.
>>Cisco), it can kill the master browser for the entire subnet. I
>>have gotten pretty good at finding these machines using Microsoft's
>>"Browstat.exe" program. The procedure goes something like this...
>>Step 1 is to determine the master browser on your subnet. From a
>>command Window (start->run->"cmd") issue the following command:
>>
>> browstat status


With WiFi network (lines may wrap). My PC is named WVBYBOBEL:

C:/Program Files\Support Tools>browstat status

Status for domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}
Browsing is active on domain.
Master browser name is: WVBYBOBEL
Master browser is running build 2600
1 backup servers retrieved from master WVBYBOBEL
\\WVBYBOBEL
There are 1 servers in domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}
There are 1 domains in domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}

Status for domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}
Browsing is active on domain.
Master browser name is: WVBYBOBEL
Master browser is running build 2600
1 backup servers retrieved from master WVBYBOBEL
\\WVBYBOBEL
There are 1 servers in domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}
There are 1 domains in domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}

Status for domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{8F9702A3-96B8-48CB-A370-595203982F57}
Browsing is active on domain.
Master browser name is: WVBYBOBEL
Master browser is running build 2600
3 backup servers retrieved from master WVBYBOBEL
\\WMONBERAXP
\\3RTS01
\\WBERALARC
Unable to retrieve server list from WVBYBOBEL: 71

Then I disconnected WiFi and connected wired network:

C:/Program Files\Support Tools>browstat status

Status for domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}
Browsing is active on domain.
Master browser name is: WVBYBOBEL
Master browser is running build 2600
1 backup servers retrieved from master WVBYBOBEL
\\WVBYBOBEL
There are 1 servers in domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}
There are 1 domains in domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}

Status for domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}
Browsing is active on domain.
Master browser name is: WVBYBOBEL
Master browser is running build 2600
1 backup servers retrieved from master WVBYBOBEL
\\WVBYBOBEL
There are 1 servers in domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}
There are 1 domains in domain SYSTEM3R on transport
\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}

>>It should reply quickly. If it takes a while or if the second line
>>starts: "Master name cannot be determined..." this is an indication
>>of a problem. If you get this, then issue the command:
>>
>> browstat el 1 domain
>>
>>where "1" is your network number as determined from the reply from a
>>"browstat dn" command and "domain" is replaced with your domain.


This produces the following output:

C:/Program Files\Support Tools>browstat dn

List of transports currently bound to the browser

1 \Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}
2 \Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}

C:/Program Files\Support Tools>browstat vw 1 \\WVBYBOBEL 0x40000000
Remoting NetServerEnum to \\WVBYBOBEL on transport
\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3} with flags
40000000
1 entries returned. 1 total. 16 milliseconds

\\WVBYBOBEL NT 05.01 (W,S,SQL,NT,PBR,MBR)

>>Then wait 25-30 seconds and repeat the "browstat status" command.
>>If all is well, the second line should read:
>>
>> "Master browser name is: Comp01"
>>
>>where "Comp01" is the name of the master browser on your subnet.
>>
>>Next, ask the master browser for a list of machines on your subnet:
>>
>> browstat vw 1 \\Comp01 0x40000000
>>
>>where "1" and "Comp01" are replaced appropriately as above.


Here I got this (tried both network numbers):

C:/Program Files\Support Tools>browstat dn

List of transports currently bound to the browser

1 \Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}
2 \Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}

C:/Program Files\Support Tools>browstat vw 1 \\WVBYBOBEL 0x40000000
Remoting NetServerEnum to \\WVBYBOBEL on transport
\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3} with flags
40000000
1 entries returned. 1 total. 16 milliseconds

\\WVBYBOBEL NT 05.01 (W,S,SQL,NT,PBR,MBR)


C:/Program Files\Support Tools>browstat vw 2 \\WVBYBOBEL 0x40000000
Remoting NetServerEnum to \\WVBYBOBEL on transport
\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61} with flags
40000000
1 entries returned. 1 total. 0 milliseconds

\\WVBYBOBEL NT 05.01 (W,S,SQL,NT,PBR,MBR)

>>Look at the list that was just printed. There should be *exactly
>>one* line that contains the Master Browser designation "MBR". If
>>you see more than one, then chances are that the ones other than the
>><Comp01> one have firewalls up and are disrupting Master Browsing on
>>the subnet. Hint: A quick way to show these is to type the
>>following:
>>
>> browstat vw 1 \\Comp01 0x40000000 | find "MBR"
>>
>>Once you discover the offending computers, you can correct the
>>problem by either turning off their firewall so that they behave
>>appropriately or you can stop/disable their "Computer Browser"
>>service either via "services.msc" or by command line:
>>
>> reg add HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters /v MaintainServerList /t REG_MULTI_SZ /d false /f
>>


Looks like it is not this issue either....
My best bet now seems to be to go wireless for good. The wired network
connection is 10% blackouts now....

--

Bo Berglund (Sweden)
 
John Wunderlich
Bo Berglund <boberglund@myotherhome.sec> wrote in
news:grk2q5haa82m2b0n109qnbru6l98iv6dop@4ax.com:

> C:/Program Files\Support Tools>browstat dn
>
> List of transports currently bound to the browser
>
> 1 \Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}
> 2 \Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}
>

[...]
>
> Looks like it is not this issue either....
> My best bet now seems to be to go wireless for good. The wired
> network connection is 10% blackouts now....


You're right. This doesn't seem to be the problem. But it does point
out another issue. It appears you have 2 transports bound to the
browser for the same domain (SYSTEM3R). It might be that only one of
these is actually connected in an operational sense (probably #1) and
if it picks the wrong binding, you may be waiting for a long timeout
before trying the other binding. When working wireless or over VPN,
you may only have one active binding -- eliminating your problem.

To test this, try un-binding one of the connections. The following
command will unbind connection #2 above, leaving only connection #1:

browstat unbind 2

Then test it with only one binding. This "unbinding" is temporary and
will hold until your next reboot. If #2 is the wrong one, try #1.

[As you might guess, "browstat" has more parameters than it advertises
in "browstat /help"]

HTH,
John
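
An added example, not part of the post above: a Python parser that splits saved `browstat status` output into one record per bound transport and reports any domain bound on more than one transport, which is the condition the unbind test above is meant to isolate. The sample output, domain, host name and GUIDs are constructed placeholders in the layout of the status output quoted in this thread, including its wrapped lines.

```python
import re
from collections import defaultdict

# Constructed sample; EXAMPLEDOM, LAPTOP01 and the GUIDs are placeholders.
SAMPLE_STATUS = r"""
Status for domain EXAMPLEDOM on transport
\Device\NetBT_Tcpip_{11111111-1111-1111-1111-111111111111}
Browsing is active on domain.
Master browser name is: LAPTOP01
1 backup servers retrieved from master LAPTOP01
\\LAPTOP01

Status for domain EXAMPLEDOM on transport
\Device\NetBT_Tcpip_{22222222-2222-2222-2222-222222222222}
Browsing is active on domain.
Master browser name is: LAPTOP01
Unable to retrieve server list from LAPTOP01: 71
"""

# \s+ lets the transport name sit on the same line or on a wrapped next line.
HEADER = re.compile(r"Status for domain (\S+) on transport\s+(\S+)")
MASTER = re.compile(r"Master browser name is:\s*(\S+)")
FAILED = re.compile(r"Unable to retrieve server list from (\S+):\s*(\d+)")


def parse_status(text):
    """Return one dict per 'Status for domain ... on transport ...' section."""
    heads = list(HEADER.finditer(text))
    records = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.end():end]
        master = MASTER.search(body)
        failed = FAILED.search(body)
        records.append({
            "domain": head.group(1),
            "transport": head.group(2),
            # None when browstat could not name a master for this transport.
            "master": master.group(1) if master else None,
            # Numeric code from an "Unable to retrieve server list" line.
            "list_error": int(failed.group(2)) if failed else None,
        })
    return records


def multi_bound_domains(records):
    """Domains that appear on more than one transport, with those transports."""
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[rec["domain"]].append(rec["transport"])
    return {d: t for d, t in by_domain.items() if len(t) > 1}


if __name__ == "__main__":
    recs = parse_status(SAMPLE_STATUS)
    print(recs)
    print(multi_bound_domains(recs))
```
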
 