mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-17 07:47:22 +00:00
add alt text for images
This commit is contained in:
Jeanie Decker
parent
225d4271a3
commit
baa9bb18f5
@ -36,17 +36,17 @@ If the initial TCP handshake is failing because of packet drops then you would s
|
|||||||
|
|
||||||
Source side connecting on port 445:
|
Source side connecting on port 445:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Destination side: applying the same filter, you do not see any packets.
|
Destination side: applying the same filter, you do not see any packets.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
For the rest of the data, TCP will retransmit the packets 5 times.
|
For the rest of the data, TCP will retransmit the packets 5 times.
|
||||||
|
|
||||||
**Source 192.168.1.62 side trace:**
|
**Source 192.168.1.62 side trace:**
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
**Destination 192.168.1.2 side trace:**
|
**Destination 192.168.1.2 side trace:**
|
||||||
|
|
||||||
@ -71,15 +71,15 @@ In the below screenshots, you see that the packets seen on the source and the de
|
|||||||
|
|
||||||
**Source Side**
|
**Source Side**
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
**On the destination-side trace**
|
**On the destination-side trace**
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet.
|
You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection.
|
The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection.
|
||||||
|
|
||||||
@ -102,8 +102,8 @@ auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /fai
|
|||||||
|
|
||||||
You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it.
|
You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection.
|
Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection.
|
||||||
|
|
||||||
|
|
||||||
@ -54,21 +54,21 @@ Specifically, about outbound connections as incoming connections will not requir
|
|||||||
|
|
||||||
Since outbound connections start to fail, you will see a lot of the below behaviors:
|
Since outbound connections start to fail, you will see a lot of the below behaviors:
|
||||||
|
|
||||||
- Unable to login to the machine with domain credentials, however login with local account works. Domain login will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain login might still work.
|
- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- Group Policy update failures:
|
- Group Policy update failures:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- File shares are inaccessible:
|
- File shares are inaccessible:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- RDP from the affected server fails:
|
- RDP from the affected server fails:
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- Any other application running on the machine will start to give out errors
|
- Any other application running on the machine will start to give out errors
|
||||||
|
|
||||||
@ -82,15 +82,15 @@ If you suspect that the machine is in a state of port exhaustion:
|
|||||||
|
|
||||||
a. **Event ID 4227**
|
a. **Event ID 4227**
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
b. **Event ID 4231**
|
b. **Event ID 4231**
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
|
3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
|
After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
|
||||||
|
|
||||||
@ -132,7 +132,7 @@ If method 1 does not help you identify the process (prior to Windows 10 and Wind
|
|||||||
1. Add a column called “handles” under details/processes.
|
1. Add a column called “handles” under details/processes.
|
||||||
2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
|
2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
|
3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
|
||||||
|
|
||||||
@ -153,7 +153,7 @@ Steps to use Process explorer:
|
|||||||
|
|
||||||
File \Device\AFD
|
File \Device\AFD
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.
|
10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.
|
||||||
|
|
||||||
|
|||||||
@ -158,15 +158,15 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md)
|
|||||||
|
|
||||||
- Look for the “EPM” Protocol Under the “Protocol” column.
|
- Look for the “EPM” Protocol Under the “Protocol” column.
|
||||||
|
|
||||||
- Now check if you are getting a response from the server or not, if you get a response note the Dynamic Port number that you have been allocated to use.
|
- Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
- Check if we are connecting successfully to this Dynamic port successfully.
|
- Check if we are connecting successfully to this Dynamic port successfully.
|
||||||
|
|
||||||
- The filter should be something like this: tcp.port==<dynamic-port-allocated> and ipv4.address==<server-ip>
|
- The filter should be something like this: tcp.port==<dynamic-port-allocated> and ipv4.address==<server-ip>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
This should help you verify the connectivity and isolate if any network issues are seen.
|
This should help you verify the connectivity and isolate if any network issues are seen.
|
||||||
|
|
||||||
@ -175,7 +175,7 @@ This should help you verify the connectivity and isolate if any network issues a
|
|||||||
|
|
||||||
The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port.
|
The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
The port cannot be reachable due to one of the following reasons:
|
The port cannot be reachable due to one of the following reasons:
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user