Re: IPSEC question



Terence:

Thank you for your response. I have been totally frustrated over this issue
since Service Pack 2 was installed back in May. ISA is not installed. I am
convinced it is something to do with policy and/or registry settings as
things changed immediately after SP2 was installed. SP2 had issues so I had
help from MS support and we spent 32 hours over 1 week, 12 of which it took
just to get SP2 installed after the initial failure. The rest was spent
investigating the slow network. A new NIC was installed (per their
suggestion), all offloading was disabled, RSS, TCPA, etc. SMB sounds like a
real possibility.

Dare I even mention the fact that one of their main programs, ACT 6.0 now
fails completely after the SP2 update? We have 2 machines that can still
run the program connecting to the database on the server. They were
upgraded from W2K to XP Pro. All other machines were initially loaded with
XP Pro and now they fail to run the program after SP2.

The important issue is to get the server working properly first without
rebuilding it if at all possible.

I will try the suggestion you made this evening and let you know how they
work.

I hit the SBS weblog and tried their stuff. Your response has been the most
reasoned so far and you seem to grasp the idea that this is not suddenly a
hardware issue.

Jim
"Terence Liu [MSFT]" <v-terliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:GpWsabHuHHA.360@xxxxxxxxxxxxxxxxxxxxxxxxx
Hello James,

Thank you for posting here.

From your description, I understand the issue is that the network is very
slow when you transfer large files to/from SBS through a shared folder. If I
am off base, please let me know.

Based on my research, I think this issue has no relationship with IPSec; if
you only enable IPSec on SBS, the client computers will be completely unable
to access SBS. I suggest we try the following steps to see if we can resolve
this issue:

1. Disable SMB signing on all clients and SBS:

1) Make sure the following policies are all ''Disabled'' (instead of ''Not
defined'') in BOTH ''Default Domain Policy'' and ''Default Domain
Controller Policy'':

A. Microsoft network client: Digitally sign communications (always):
Disabled
B. Microsoft network client: Digitally sign communications (if server
agrees): Disabled
C. Microsoft network server: Digitally sign communications (always):
Disabled
D. Microsoft network server: Digitally sign communications (if client
agrees): Disabled
E. LAN Manager Authentication Level set to Send LM and NTLM - use NTLMv2
session security if negotiated

You can find the policy as follows:

A. Open Server Management, and then expand Advanced Management | Group
Policy Management | Forest | Domains | Server name.
B. Right click Default Domain Policy and select Edit.
C. In Group Policy Object Editor, expand Computer Configuration | Windows
Settings | Security Settings | Local Policies.
D. Click Security Options.
E. Open Server Management, and then expand Advanced Management | Group
Policy Management | Forest | Domains | Server name | Domain Controllers.
F. Right click Default Domain Controllers Policy and select Edit.
G. In Group Policy Object Editor, expand Computer Configuration | Windows
Settings | Security Settings | Local Policies.
H. Click Security Options.

2) Still on the DC, issue ''gpupdate /force'' in a command console.
3) Restart the DC and client computer to take effect.

More information:

298804 Internet firewalls can prevent browsing and file sharing
http://support.microsoft.com/?id=298804

2. You can try to install the update to see if it helps.

898060 Installing security update MS05-019 or Windows Server 2003 Service
Pack 1 may cause network connectivity between clients and servers to fail
http://support.microsoft.com/default.aspx?scid=kb;EN-US;898060

899148 Some firewalls may reject network traffic that originates from
Windows Server 2003 Service Pack 1-based computers
http://support.microsoft.com/?kbid=899148

Server Message Block communication between a client-side SMB component and
a server-side SMB component is not completed if the SMB signing settings
are mismatched in Group Policy or in the registry
http://support.microsoft.com/?kbid=916846

After applying the above hotfixes, please reboot the server box and client
computer and then test to see if the issue is fixed.

3. Make sure that you have selected Enable NetBIOS over TCP/IP on all local
and remote computers and the SBS server internal NIC as follows:

1) Right click My Network Places and select Properties.
2) Right click Local Area Connection (client computer)/Network Connection
(server) and select Properties.
3) Click Internet Protocol (TCP/IP) to highlight it. Click Properties.
4) On the General tab, click Advanced. Go to WINS tab.
5) Make sure that you select Enable NetBIOS over TCP/IP.
6) Click OK twice and close all the windows.

For detailed information, please refer to the following KB article:

318030 You cannot access shared files and folders or browse computers in
the
http://support.microsoft.com/?id=318030

4. Make sure the TCP/IP NetBIOS Helper service and the Server service and
Workstation service are running on SBS and client computers. You may check
them through running Services.msc.

5. Check WINS:

1) Open WINS console in the SBS Administrative Tools.
2) Make sure that the service is started.

6. Check Computer Browser on SBS and client computers:

1) Open Services console in the SBS Administrative Tools.
2) In the right pane, make sure that the "Computer Browser" service is
started and the startup type is "Automatic".
3) Check the same settings on all client computers and make sure that the
"Computer Browser" service is stopped and the startup type is "Disabled".

If the issue persists, please kindly help me collect some information for
further investigation:

1. How about transferring large files between client and client, is it slow
too?

2. Is ISA installed on the SBS server? What is the ISA edition? How many
NICs are installed on the SBS server?

3. Use the Networking MPS report to capture the SBS for further analysis:
a. Download MPSreport_network from
http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_NETWORK.EXE

b. Run MPSRPT_NETWORK.exe on the server box.

c. The tool will automatically collect the information. This procedure will
take 10~15 minutes.

d. Open Windows Explorer, navigate to the folder:
%SystemRoot%\MPSReports\Network\Reports\Cab\

e. Send the .cab file directly to me at v-terliu@xxxxxxxxxxxxxx

Hope this information helps. If you have further questions or concerns on
this issue, please let me know. I am looking forward to hearing from you.

Have a nice day!

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "jim smith" <james.smith32@xxxxxxxxxxx>
| Subject: IPSEC question
| Date: Tue, 26 Jun 2007 09:37:31 -0500
| Newsgroups: microsoft.public.windows.server.sbs
|
| Can IPSEC, if set up incorrectly, cause connection problems with
| workstations and servers? For example, transferring large files peer-peer
| works fine and the network, but transferring them to/from the server and a
| workstation is SSLLOOWW! Other issues such as NIC drivers are all updated,
| no errors showing in any log, quality hardware throughout the network. This
| just recently started happening after installing SP2 which installs some
| IPSEC functionality.
|
| What real danger is there in turning off IPSEC services?
|
|
|
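
Added example (not part of the thread, and not Microsoft's tooling): a small Python check for the SMB signing mismatch discussed in step 1 and in KB 916846. It parses `reg query` output from the server's `LanmanServer\Parameters` key and a client's `LanmanWorkstation\Parameters` key and reports whether an SMB1 session would be signed, unsigned, or fail to negotiate. The sample registry output is constructed, and the mapping of the four policies to the `EnableSecuritySignature` / `RequireSecuritySignature` values is assumed.

```python
import re

# Constructed sample `reg query` output; not taken from the systems in this thread.
SERVER_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    enablesecuritysignature    REG_DWORD    0x1
    requiresecuritysignature    REG_DWORD    0x1
"""
CLIENT_REG = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    EnableSecuritySignature    REG_DWORD    0x0
    RequireSecuritySignature    REG_DWORD    0x0
"""

VALUE_RE = re.compile(r"^[ \t]*(\w+)[ \t]+REG_DWORD[ \t]+(0x[0-9a-fA-F]+)[ \t]*$", re.M)


def signing_level(reg_text):
    """Return 'required', 'enabled', 'disabled' or 'unknown' for one side."""
    vals = {n.lower(): int(v, 16) for n, v in VALUE_RE.findall(reg_text)}
    try:
        require = vals["requiresecuritysignature"]
        enable = vals["enablesecuritysignature"]
    except KeyError:
        # A missing value falls back to an OS default; do not guess it here.
        return "unknown"
    if require:
        return "required"
    return "enabled" if enable else "disabled"


def smb1_outcome(client, server):
    """Negotiation result for a pair of signing levels (SMB1 rules)."""
    pair = (client, server)
    if "unknown" in pair:
        return "unknown"
    if "disabled" in pair:
        # One side cannot sign: fatal if the other side insists on it,
        # otherwise the session runs without integrity protection.
        return "fails" if "required" in pair else "unsigned"
    return "signed"


if __name__ == "__main__":
    c, s = signing_level(CLIENT_REG), signing_level(SERVER_REG)
    print(f"client={c} server={s} -> {smb1_outcome(c, s)}")
```

With every policy set to Disabled, as step 1 requests, the result is `unsigned` for every client/server pair.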


