deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-17 07:47:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

add alt text for images

Browse Source
This commit is contained in:
Jeanie Decker 2018-12-07 10:36:38 -08:00
parent 225d4271a3
commit baa9bb18f5
3 changed files with 22 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
windows/client-management/troubleshoot-tcpip-connectivity.md
View File

@ -36,17 +36,17 @@ If the initial TCP handshake is failing because of packet drops then you would s
Source side connecting on port 445:
![](images/tcp-ts-6.png)
![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png)
Destination side: applying the same filter, you do not see any packets.
![](images/tcp-ts-7.png)
![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png)
For the rest of the data, TCP will retransmit the packets 5 times.
**Source 192.168.1.62 side trace:**
![](images/tcp-ts-8.png)
![Screenshot showing packet side trace](images/tcp-ts-8.png)
**Destination 192.168.1.2 side trace:**
@ -71,15 +71,15 @@ In the below screenshots, you see that the packets seen on the source and the de
**Source Side**
![](images/tcp-ts-9.png)
![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png)
**On the destination-side trace**
![](images/tcp-ts-10.png)
![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png)
You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet.
![](images/tcp-ts-11.png)
![Screenshot of packet flag](images/tcp-ts-11.png)
The application which is causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection.
@ -102,8 +102,8 @@ auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /fai
You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it.
![](images/tcp-ts-12.png)
![Screenshot of Event Properties](images/tcp-ts-12.png)
Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. Once you open this file and filter for the ID you find in the above event (2944008), you will be able to see a firewall rule name associated with this ID which is blocking the connection.
![](images/tcp-ts-13.png)
![Screenshot of wfpstate.xml file](images/tcp-ts-13.png)

20
windows/client-management/troubleshoot-tcpip-port-exhaust.md
View File

@ -54,21 +54,21 @@ Specifically, about outbound connections as incoming connections will not requir
Since outbound connections start to fail, you will see a lot of the below behaviors:
- Unable to login to the machine with domain credentials, however login with local account works. Domain login will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain login might still work.
- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
![](images/tcp-ts-14.png)
![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png)
- Group Policy update failures:
![](images/tcp-ts-15.png)
![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png)
- File shares are inaccessible:
![](images/tcp-ts-16.png)
![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png)
- RDP from the affected server fails:
![](images/tcp-ts-17.png)
![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png)
- Any other application running on the machine will start to give out errors
@ -82,15 +82,15 @@ If you suspect that the machine is in a state of port exhaustion:
a. **Event ID 4227**
![](images/tcp-ts-18.png)
![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png)
b. **Event ID 4231**
![](images/tcp-ts-19.png)
![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png)
3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
![](images/tcp-ts-20.png)
![Screenshot of netstate command output](images/tcp-ts-20.png)
After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
@ -132,7 +132,7 @@ If method 1 does not help you identify the process (prior to Windows 10 and Wind
1. Add a column called “handles” under details/processes.
2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
![](images/tcp-ts-21.png)
![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png)
3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
@ -153,7 +153,7 @@ Steps to use Process explorer:
File \Device\AFD
![](images/tcp-ts-22.png)
![Screenshot of Process Explorer](images/tcp-ts-22.png)
10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.

8
windows/client-management/troubleshoot-tcpip-rpc-errors.md
View File

@ -158,15 +158,15 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md)
- Look for the “EPM” Protocol Under the “Protocol” column.
- Now check if you are getting a response from the server or not, if you get a response note the Dynamic Port number that you have been allocated to use.
- Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use.
![](images/tcp-ts-23.png)
![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png)
- Check if we are connecting successfully to this Dynamic port successfully.
- The filter should be something like this: tcp.port==<dynamic-port-allocated> and ipv4.address==<server-ip>
![](images/tcp-ts-24.png)
![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png)
This should help you verify the connectivity and isolate if any network issues are seen.
@ -175,7 +175,7 @@ This should help you verify the connectivity and isolate if any network issues a
The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port.
![](images/tcp-ts-25.png)
![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png)
The port cannot be reachable due to one of the following reasons: