XP-Pro UNC network locks up several times a day, what to do?

Bo Berglund
I have an extremely annoying problem with my XP-Pro laptop.

Several times a day (say 5-10 times) the networking locks up so that

if I try anything in any application that has anything to do with

networking then that application locks up. The block is on for several

*minutes*, after which it goes away and the PC works normally again.



The strange thing is that TCP/IP networking seems to be OK all the

time, but not the accesses using UNC naming or any access to a mapped

drive, which behind the scenes is actually an UNC name mapping.



These actions will trigger an application lock-up:

- Save as and select the dropdown combobox at the top of the dialog.

- Scroll the folder list in Windows explorer down until the first

network item is to be shown. At this time Explorer locks up.

- In a command window type dir I:\ (where I: is a mapped drive)

- In MS Word the lockup may happen anytime while typing. Letters just

stop appearing on screen and Word is completely unresponsive.

- etc etc



While the lockup is active I *can* do this:

- In a command window ping any resource on the LAN. Returns OK.

- In MS Outlook 2003 read and write email, no problems here.

- Use the web browser causes no problems.



During this time I see no suspicious activity in Task Manager and my

network icon in the tray does not light up showing excess network

traffic.



I have checked my drive mappings but all of them are for shares that

are located on the network and *are* accessible both before and after

the lockup.



I have cleared everything out of "My Network Places" and adjusted the

registry to stop caching network addresses I access.



I am normally running a number of applications:

- MS Outlook 2003

- MS Word 2003

- Borland Delphi 7 development IDE

- FireFox web browser

- A number of Windows Explorer windows on different folders

- UltraEdit text editor



I have Microsoft Virtual PC 2007 installed but not running and I also

have VMWare Workstation 7 installed but not running.



What can I start looking for to solve this *extremely* annoying

behaviour?



--



Bo Berglund (Sweden)
 
Bo Berglund wrote:

> I have an extremely annoying problem with my XP-Pro laptop.

> Several times a day (say 5-10 times) the networking locks up so that

> if I try anything in any application that has anything to do with

> networking then that application locks up. The block is on for several

> *minutes*, after which it goes away and the PC works normally again.

>

> The strange thing is that TCP/IP networking seems to be OK all the

> time, but not the accesses using UNC naming or any access to a mapped

> drive, which behind the scenes is actually an UNC name mapping.

>

> These actions will trigger an application lock-up:

> - Save as and select the dropdown combobox at the top of the dialog.

> - Scroll the folder list in Windows explorer down until the first

> network item is to be shown. At this time Explorer locks up.

> - In a command window type dir I:\ (where I: is a mapped drive)

> - In MS Word the lockup may happen anytime while typing. Letters just

> stop appearing on screen and Word is completely unresponsive.

> - etc etc

>

> While the lockup is active I *can* do this:

> - In a command window ping any resource on the LAN. Returns OK.

> - In MS Outlook 2003 read and write email, no problems here.

> - Use the web browser causes no problems.

>

> During this time I see no suspicious activity in Task Manager and my

> network icon in the tray does not light up showing excess network

> traffic.

>

> I have checked my drive mappings but all of them are for shares that

> are located on the network and *are* accessible both before and after

> the lockup.

>

> I have cleared everything out of "My Network Places" and adjusted the

> registry to stop caching network addresses I access.

>

> I am normally running a number of applications:

> - MS Outlook 2003

> - MS Word 2003

> - Borland Delphi 7 development IDE

> - FireFox web browser

> - A number of Windows Explorer windows on different folders

> - UltraEdit text editor

>

> I have Microsoft Virtual PC 2007 installed but not running and I also

> have VMWare Workstation 7 installed but not running.

>

> What can I start looking for to solve this *extremely* annoying

> behaviour?




See if anything is showing up in the Event Log.



John
 
Bo Berglund wrote in

news:9uvap5hdvvu96driv7k83460204nbp87n1@4ax.com:



> I have an extremely annoying problem with my XP-Pro laptop.

> Several times a day (say 5-10 times) the networking locks up so

> that if I try anything in any application that has anything to do

> with networking then that application locks up. The block is on

> for several *minutes*, after which it goes away and the PC works

> normally again.

>

> The strange thing is that TCP/IP networking seems to be OK all the

> time, but not the accesses using UNC naming or any access to a

> mapped drive, which behind the scenes is actually an UNC name

> mapping.

>

> These actions will trigger an application lock-up:

> - Save as and select the dropdown combobox at the top of the

> dialog.

> - Scroll the folder list in Windows explorer down until

> the first network item is to be shown. At this time Explorer locks

> up.

> - In a command window type dir I:\ (where I: is a mapped

> drive)

> - In MS Word the lockup may happen anytime while typing.

> Letters just stop appearing on screen and Word is completely

> unresponsive.

> - etc etc

>

> While the lockup is active I *can* do this:

> - In a command window ping any resource on the LAN. Returns OK.

> - In MS Outlook 2003 read and write email, no problems here.

> - Use the web browser causes no problems.

>

> During this time I see no suspicious activity in Task Manager and

> my network icon in the tray does not light up showing excess

> network traffic.

>

> I have checked my drive mappings but all of them are for shares

> that are located on the network and *are* accessible both before

> and after the lockup.

>

> I have cleared everything out of "My Network Places" and adjusted

> the registry to stop caching network addresses I access.

>

> I am normally running a number of applications:

> - MS Outlook 2003

> - MS Word 2003

> - Borland Delphi 7 development IDE

> - FireFox web browser

> - A number of Windows Explorer windows on different folders

> - UltraEdit text editor

>

> I have Microsoft Virtual PC 2007 installed but not running and I

> also have VMWare Workstation 7 installed but not running.

>

> What can I start looking for to solve this *extremely* annoying

> behaviour?

>




What seems painfully apparent is that these hang-ups are caused by

failed attempts to access networked drives and/or UNC resources.

Knowing what these networked resources are would be helpful. For

example if your "I:" drive is mapped to an XP-Home machine, that

machine will not allow more than 5 concurrent incoming connections.

If all five connections are used up when you do something that

requires access to the I: drive, you will have a hang until the

connection times-out or the resource becomes available. If a mapped

drive is not accessed for 15 minutes (default), then that connection

is dropped. The next attempt to access the drive may fail if other

resources have acquired the 5 input connection limit.



My first step would be to eliminate all mapped network drives,

particularly ones that map to XP Home and Pro machines. Instead, use

shortcuts to a UNC path or a UNC path itself to access a network

resource. The advantage here is that accessing "My Computer" will

not attempt to connect to these networked drives and possibly

eliminate your delay. (Mapped drives are shown under "My Computer"

and accessed/statused when you open or access it using most of the

triggers you cite above) This approach can often quickly identify

which network resource is hanging the computer.



Another step would be at the server end to decrease the

Autodisconnect time for idle server connections which would increase

the availability of these connections.



Try this article:

"Inbound connections limit in Windows XP"





HTH,

John
 
On Mon, 08 Mar 2010 22:28:43 -0800, John Wunderlich

wrote:



>Bo Berglund wrote in

>news:9uvap5hdvvu96driv7k83460204nbp87n1@4ax.com:

>

>> I have an extremely annoying problem with my XP-Pro laptop.

>> Several times a day (say 5-10 times) the networking locks up so

>> that if I try anything in any application that has anything to do

>> with networking then that application locks up. The block is on

>> for several *minutes*, after which it goes away and the PC works

>> normally again.

>>

>> The strange thing is that TCP/IP networking seems to be OK all the

>> time, but not the accesses using UNC naming or any access to a

>> mapped drive, which behind the scenes is actually an UNC name

>> mapping.

>>

>> These actions will trigger an application lock-up:

>> - Save as and select the dropdown combobox at the top of the

>> dialog.

>> - Scroll the folder list in Windows explorer down until

>> the first network item is to be shown. At this time Explorer locks

>> up.

>> - In a command window type dir I:\ (where I: is a mapped

>> drive)

>> - In MS Word the lockup may happen anytime while typing.

>> Letters just stop appearing on screen and Word is completely

>> unresponsive.

>> - etc etc

>>

>> While the lockup is active I *can* do this:

>> - In a command window ping any resource on the LAN. Returns OK.

>> - In MS Outlook 2003 read and write email, no problems here.

>> - Use the web browser causes no problems.

>>

>> During this time I see no suspicious activity in Task Manager and

>> my network icon in the tray does not light up showing excess

>> network traffic.

>>

>> I have checked my drive mappings but all of them are for shares

>> that are located on the network and *are* accessible both before

>> and after the lockup.

>>

>> I have cleared everything out of "My Network Places" and adjusted

>> the registry to stop caching network addresses I access.

>>

>> I am normally running a number of applications:

>> - MS Outlook 2003

>> - MS Word 2003

>> - Borland Delphi 7 development IDE

>> - FireFox web browser

>> - A number of Windows Explorer windows on different folders

>> - UltraEdit text editor

>>

>> I have Microsoft Virtual PC 2007 installed but not running and I

>> also have VMWare Workstation 7 installed but not running.

>>

>> What can I start looking for to solve this *extremely* annoying

>> behaviour?

>>


>

>What seems painfully apparent is that these hang-ups are caused by

>failed attempts to access networked drives and/or UNC resources.

>Knowing what these networked resources are would be helpful. For

>example if your "I:" drive is mapped to an XP-Home machine, that

>machine will not allow more than 5 concurrent incoming connections.

>If all five connections are used up when you do something that

>requires access to the I: drive, you will have a hang until the

>connection times-out or the resource becomes available. If a mapped

>drive is not accessed for 15 minutes (default), then that connection

>is dropped. The next attempt to access the drive may fail if other

>resources have acquired the 5 input connection limit.

>

>My first step would be to eliminate all mapped network drives,

>particularly ones that map to XP Home and Pro machines. Instead, use




My problems happen on our corporate LAN and there are absolutely no

XP-Home machines there. All mapped drives (I have 4) are towards

Windows 2003 Servers, so these should be OK.



>shortcuts to a UNC path or a UNC path itself to access a network

>resource. The advantage here is that accessing "My Computer" will

>not attempt to connect to these networked drives and possibly

>eliminate your delay. (Mapped drives are shown under "My Computer"




I never ever use "My Computer" or "My Documents".....



>and accessed/statused when you open or access it using most of the

>triggers you cite above) This approach can often quickly identify

>which network resource is hanging the computer.

>

>Another step would be at the server end to decrease the

>Autodisconnect time for idle server connections which would increase

>the availability of these connections.

>

>Try this article:

>"Inbound connections limit in Windows XP"

>




Looks like it is for XP XP connections, but I have XP Pro

Server 2003 connections.....



--



Bo Berglund (Sweden)
 
Bo Berglund wrote:

> On Mon, 08 Mar 2010 22:28:43 -0800, John Wunderlich

> wrote:

>

>> Bo Berglund wrote in

>> news:9uvap5hdvvu96driv7k83460204nbp87n1@4ax.com:

>>

>>> I have an extremely annoying problem with my XP-Pro laptop.

>>> Several times a day (say 5-10 times) the networking locks up so

>>> that if I try anything in any application that has anything to do

>>> with networking then that application locks up. The block is on

>>> for several *minutes*, after which it goes away and the PC works

>>> normally again.

>>>

>>> The strange thing is that TCP/IP networking seems to be OK all the

>>> time, but not the accesses using UNC naming or any access to a

>>> mapped drive, which behind the scenes is actually an UNC name

>>> mapping.

>>>

>>> These actions will trigger an application lock-up:

>>> - Save as and select the dropdown combobox at the top of the

>>> dialog.

>>> - Scroll the folder list in Windows explorer down until

>>> the first network item is to be shown. At this time Explorer locks

>>> up.

>>> - In a command window type dir I:\ (where I: is a mapped

>>> drive)

>>> - In MS Word the lockup may happen anytime while typing.

>>> Letters just stop appearing on screen and Word is completely

>>> unresponsive.

>>> - etc etc

>>>

>>> While the lockup is active I *can* do this:

>>> - In a command window ping any resource on the LAN. Returns OK.

>>> - In MS Outlook 2003 read and write email, no problems here.

>>> - Use the web browser causes no problems.

>>>

>>> During this time I see no suspicious activity in Task Manager and

>>> my network icon in the tray does not light up showing excess

>>> network traffic.

>>>

>>> I have checked my drive mappings but all of them are for shares

>>> that are located on the network and *are* accessible both before

>>> and after the lockup.

>>>

>>> I have cleared everything out of "My Network Places" and adjusted

>>> the registry to stop caching network addresses I access.

>>>

>>> I am normally running a number of applications:

>>> - MS Outlook 2003

>>> - MS Word 2003

>>> - Borland Delphi 7 development IDE

>>> - FireFox web browser

>>> - A number of Windows Explorer windows on different folders

>>> - UltraEdit text editor

>>>

>>> I have Microsoft Virtual PC 2007 installed but not running and I

>>> also have VMWare Workstation 7 installed but not running.

>>>

>>> What can I start looking for to solve this *extremely* annoying

>>> behaviour?

>>>


>> What seems painfully apparent is that these hang-ups are caused by

>> failed attempts to access networked drives and/or UNC resources.

>> Knowing what these networked resources are would be helpful. For

>> example if your "I:" drive is mapped to an XP-Home machine, that

>> machine will not allow more than 5 concurrent incoming connections.

>> If all five connections are used up when you do something that

>> requires access to the I: drive, you will have a hang until the

>> connection times-out or the resource becomes available. If a mapped

>> drive is not accessed for 15 minutes (default), then that connection

>> is dropped. The next attempt to access the drive may fail if other

>> resources have acquired the 5 input connection limit.

>>

>> My first step would be to eliminate all mapped network drives,

>> particularly ones that map to XP Home and Pro machines. Instead, use


>

> My problems happen on our corporate LAN and there are absolutely no

> XP-Home machines there. All mapped drives (I have 4) are towards

> Windows 2003 Servers, so these should be OK.

>

>> shortcuts to a UNC path or a UNC path itself to access a network

>> resource. The advantage here is that accessing "My Computer" will

>> not attempt to connect to these networked drives and possibly

>> eliminate your delay. (Mapped drives are shown under "My Computer"


>

> I never ever use "My Computer" or "My Documents".....

>

>> and accessed/statused when you open or access it using most of the

>> triggers you cite above) This approach can often quickly identify

>> which network resource is hanging the computer.

>>

>> Another step would be at the server end to decrease the

>> Autodisconnect time for idle server connections which would increase

>> the availability of these connections.

>>

>> Try this article:

>> "Inbound connections limit in Windows XP"

>>


>

> Looks like it is for XP XP connections, but I have XP Pro

> Server 2003 connections.....

>




Check the Power Management setting on the network adapter's properties

and see if it is set to 'Allow the computer to turn off the device to

save power', maybe the adapter gets turned off while you are working.



John
 
Bo Berglund wrote in

news:c5ubp59ipeae4uqo524mai6divffqcscaj@4ax.com:



>> My first step would be to eliminate all mapped network drives,

>> particularly ones that map to XP Home and Pro machines. Instead,

>> use


>

> My problems happen on our corporate LAN and there are absolutely

> no XP-Home machines there. All mapped drives (I have 4) are

> towards Windows 2003 Servers, so these should be OK.




OK. This is new information. Your problem still seems to be associated

with re-attaching to a network mapping which has apparently gone idle.



>

>> shortcuts to a UNC path or a UNC path itself to access a network

>> resource. The advantage here is that accessing "My Computer"

>> will not attempt to connect to these networked drives and

>> possibly eliminate your delay. (Mapped drives are shown under "My

>> Computer"


>

> I never ever use "My Computer" or "My Documents".....




Maybe not directly but "select the dropdown combobox at top of dialog"

brings up a window that contains "My Computer" and the lettered drives

within. "Scroll the folder list in Windows Explorer until network

drive..." (same thing); "Dir I:" references network drive; MS Word

lockup may be different... are you editing a file on a network drive at

the time? It could be when "autosave" kicks in it accesses contents of

"My Computer" behind the scenes.



I still would eliminate network drive mapping in favor of UNC/shortcut

access, at least temporarily, in an attempt to discover which network

connection is having problems.



John-John's suggestion of not allowing network card to power down also

has merit.



HTH,

John
 
On Tue, 09 Mar 2010 08:29:01 -0400, John John - MVP

wrote:



>Bo Berglund wrote:

>Check the Power Management setting on the network adapter's properties

>and see if it is set to 'Allow the computer to turn off the device to

>save power', maybe the adapter gets turned off while you are working.

>




I don't think it is a powerdown problem because whenever the lockup

happens (it lasts for 3 minutes) then I can use my web browser just

fine via the same NIC and I can open a command window and ping

successfully the server on which my mapped drive resides.



So it seems that neither my own nor the server's NIC is in fact dead,

it is just the UNC name handling that has gone haywire....



--



Bo Berglund (Sweden)
 
On Tue, 09 Mar 2010 16:32:58 GMT, John Wunderlich

wrote:



>Bo Berglund wrote in

>news:c5ubp59ipeae4uqo524mai6divffqcscaj@4ax.com:

>

>>> My first step would be to eliminate all mapped network drives,

>>> particularly ones that map to XP Home and Pro machines. Instead,

>>> use


>>

>> My problems happen on our corporate LAN and there are absolutely

>> no XP-Home machines there. All mapped drives (I have 4) are

>> towards Windows 2003 Servers, so these should be OK.


>

>OK. This is new information. Your problem still seems to be associated

>with re-attaching to a network mapping which has apparently gone idle.




As I said above this happens at work, so today (I'm back home now) I

made an experiment:

I created a Delphi application that has a timer inside and every time

this times out I run a FileExist call on a file that I have put on the

server (\\server\share\path\filename)



The timer interval is set to 1 second and I read the current time tick

before and after the FileExist call. Then I compute the execution time

and if it is longer than 2 s I log the event.



During 5 hours of monitoring it detected 4 events of this kind, each

lasting between 174 and 186 seconds....



>

>I still would eliminate network drive mapping in favor of UNC/shortcut

>access, at least temporarily, in an attempt to discover which network

>connection is having problems.




Well, the test described above uses a unc path to the file but it does

not help....



>John-John's suggestion of not allowing network card to power down also

>has merit.

>


As I replied to him, while the UNC problem is on I can use my own NIC

for standard TCP/IP connections like web browsing and ping. And the

server I am trying to access by UNC responds immediately to ping

requests. So its NIC is also not dead.



So it is definitely something amiss with the UNC handling.



I downloaded and installed Wireshark in order to try and see what is

going on on my NIC, but unfortunately it records way too much data for

me to make anything sensible out of.....



--



Bo Berglund (Sweden)
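
The timing probe described in the post above, as an added Python example (not the poster's Delphi program): it checks a UNC file once per second and logs any check that takes longer than 2 s, with a wall-clock timestamp that can be matched against a packet capture. The path is the placeholder from the post; the `check`, `clock`, `sleep`, `now` and `log` parameters are hypothetical hooks added so the loop can be exercised offline.

```python
import os
import time
from datetime import datetime

# Placeholder UNC path as written in the post; substitute a real file on the share.
UNC_PATH = r"\\server\share\path\filename"


def probe_unc(path, interval=1.0, threshold=2.0, iterations=None,
              check=os.path.exists, clock=time.monotonic,
              sleep=time.sleep, now=datetime.now, log=print):
    """Poll `path` every `interval` seconds and record slow existence checks.

    A check that blocks for more than `threshold` seconds is recorded with the
    wall-clock time at which it started, so the stall can be located in a
    capture taken on the same machine. Returns the list of recorded stalls.
    `iterations=None` means run until interrupted.
    """
    stalls = []
    done = 0
    while iterations is None or done < iterations:
        started = now()          # wall clock, for correlation with the capture
        t0 = clock()             # monotonic clock, for the duration itself
        try:
            found = check(path)  # blocks inside the redirector during a stall
        except OSError:
            found = False
        elapsed = clock() - t0
        if elapsed > threshold:
            event = {"start": started, "seconds": round(elapsed, 3), "found": found}
            stalls.append(event)
            log(f"{started:%Y-%m-%d %H:%M:%S.%f} stall {event['seconds']:.3f}s "
                f"found={found} path={path}")
        done += 1
        sleep(interval)
    return stalls


if __name__ == "__main__":
    # Runs until Ctrl+C; each logged line marks the start of one stall.
    probe_unc(UNC_PATH)
```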
 
Bo Berglund wrote in

news:7v0dp59iftllhk1ce0h4l8ql3ntr6ibafm@4ax.com:



> So it is definitely something amiss with the UNC handling.

>

> I downloaded and installed Wireshark in order to try and see what

> is going on on my NIC, but unfortunately it records way too much

> data for me to make anything sensible out of.....

>

>




It would probably help a little with the volume of data to only

capture the data of interest. When you start Wireshark, click the

"Capture Option" and where you see "Capture Filter", enter a filter of:



host 192.168.1.123 && (port 135 || port 137 || port 138 || port 139 || port 445)



Where you substitute the IP address of your server where you see "192.168.1.123"

This still may capture a lot of data but once you hit your hangup,

you can examine the last of the capture.



HTH,

John
 
On Tue, 09 Mar 2010 22:22:12 GMT, John Wunderlich

wrote:



>Bo Berglund wrote in

>news:7v0dp59iftllhk1ce0h4l8ql3ntr6ibafm@4ax.com:

>

>> So it is definitely something amiss with the UNC handling.

>>

>> I downloaded and installed Wireshark in order to try and see what

>> is going on on my NIC, but unfortunately it records way too much

>> data for me to make anything sensible out of.....

>>

>>


>

>It would probably help a little with the volume of data to only

>capture the data of interest. When you start Wireshark, click the

>"Capture Option" and where you see "Capture Filter", enter a filter of:

>

>host 192.168.1.123 && (port 135 || port 137 || port 138 || port 139 || port 445)

>

>Where you substitute the IP address of your server where you see "192.168.1.123"

>This still may capture a lot of data but once you hit your hangup,

>you can examine the last of the capture.

>




Thanks for this! It really cut back on the info being recorded.



I have kept my test application running all day while at the same time

letting Wireshark record with your filter in place. I have had more

than 10 blackouts during this time each lasting 3 minutes. :-(



With the log from my test application I can see the timestamp of the

problem and locate the right spot in the Wireshark capture file.



The result is really strange. Here are events from one of the lockups:



2612 13:02:03.660702 172.30.176.35 172.30.177.70 SMB Tree Disconnect Request
2613 13:02:03.660967 172.30.177.70 172.30.176.35 SMB Tree Disconnect Response
2614 13:02:03.661084 172.30.176.35 172.30.177.70 SMB Logoff AndX Request
2615 13:02:03.661523 172.30.177.70 172.30.176.35 SMB Logoff AndX Response
2616 13:02:03.661616 172.30.176.35 172.30.177.70 SMB Tree Disconnect Request
2617 13:02:03.661846 172.30.177.70 172.30.176.35 SMB Tree Disconnect Response



The above is where the blackout starts.

After 2 minutes there is a bit of activity from KeepAlive packets:



2623 13:04:03.100948 172.30.177.14 172.30.176.35 TCP [TCP Keep-Alive] microsoft-ds > fg-fps [ACK] Seq=158703 Ack=117676 Win=63014 Len=1
2624 13:04:03.100999 172.30.176.35 172.30.177.14 TCP [TCP Keep-Alive ACK] fg-fps > microsoft-ds [ACK] Seq=117676 Ack=158704 Win=36451 Len=0 TSV=4957644 TSER=16429060
2625 13:04:03.802338 172.30.177.70 172.30.176.35 TCP [TCP Keep-Alive] microsoft-ds > abcvoice-port [ACK] Seq=2848 Ack=6057 Win=65536 Len=1
2626 13:04:03.802389 172.30.176.35 172.30.177.70 TCP [TCP Keep-Alive ACK] abcvoice-port > microsoft-ds [ACK] Seq=6057 Ack=2849 Win=145688 Len=0 TSV=4957650 TSER=163213097



Then this happens 2.5 minutes into the blackout:

2627 13:04:29.636063 172.30.177.70 172.30.176.35 TCP microsoft-ds > abcvoice-port [RST, ACK] Seq=2849 Ack=6057 Win=0 Len=0



And finally the end of blackout is signalled by these packets:

2628 13:04:58.511867 172.30.176.35 172.30.177.14 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \Bosse
2629 13:04:58.512593 172.30.177.14 172.30.176.35 SMB Trans2 Response, QUERY_PATH_INFO
2630 13:04:58.513369 172.30.176.35 172.30.177.14 SMB Trans2 Request, FIND_FIRST2, Pattern: \Bosse\CheckFile.txt
2631 13:04:58.514038 172.30.177.14 172.30.176.35 SMB Trans2 Response, FIND_FIRST2, Files: CheckFile.txt



From now on the network is OK until the next blackout, which can

happen anytime....

All blackouts last 3 minutes within about 5 seconds and they have the

same basic structure as shown above. Sometimes there are a few TCP

packets inside the blackout (the .... section above) but most often

there is nothing the first 2 minutes until the KeepAlive starts.



What can I do to find out why there are disconnect and logoff requests

posted to the domain controller (172.30.177.70)???

And most importantly to stop it from happening....



--



Bo Berglund (Sweden)
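
One way to pull the blackout window out of a packet-list export automatically, as an added Python example (not code from the thread): it parses rows in the format shown in the post above, finds the longest silence between SMB packets, and reports the session-teardown requests just before it and any TCP resets inside it. The embedded rows are copied from the post; the function names and the 60 s / 1 s thresholds are assumptions.

```python
import re
from dataclasses import dataclass

# Rows copied from the capture excerpt in the post above
# (columns: No., Time, Source, Destination, Protocol, Info).
CAPTURE = r"""
2612 13:02:03.660702 172.30.176.35 172.30.177.70 SMB Tree Disconnect Request
2613 13:02:03.660967 172.30.177.70 172.30.176.35 SMB Tree Disconnect Response
2614 13:02:03.661084 172.30.176.35 172.30.177.70 SMB Logoff AndX Request
2615 13:02:03.661523 172.30.177.70 172.30.176.35 SMB Logoff AndX Response
2616 13:02:03.661616 172.30.176.35 172.30.177.70 SMB Tree Disconnect Request
2617 13:02:03.661846 172.30.177.70 172.30.176.35 SMB Tree Disconnect Response
2623 13:04:03.100948 172.30.177.14 172.30.176.35 TCP [TCP Keep-Alive] microsoft-ds > fg-fps [ACK] Seq=158703 Ack=117676 Win=63014 Len=1
2625 13:04:03.802338 172.30.177.70 172.30.176.35 TCP [TCP Keep-Alive] microsoft-ds > abcvoice-port [ACK] Seq=2848 Ack=6057 Win=65536 Len=1
2627 13:04:29.636063 172.30.177.70 172.30.176.35 TCP microsoft-ds > abcvoice-port [RST, ACK] Seq=2849 Ack=6057 Win=0 Len=0
2628 13:04:58.511867 172.30.176.35 172.30.177.14 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \Bosse
2629 13:04:58.512593 172.30.177.14 172.30.176.35 SMB Trans2 Response, QUERY_PATH_INFO
"""

ROW = re.compile(r"^(\d+)\s+(\d{2}):(\d{2}):(\d{2})\.(\d{6})\s+"
                 r"(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
TEARDOWN = ("Tree Disconnect Request", "Logoff AndX Request")
US = 1_000_000  # microseconds per second


@dataclass
class Packet:
    no: int
    t_us: int     # time of day in microseconds (capture assumed within one day)
    src: str
    dst: str
    proto: str
    info: str


def parse_packet_list(text):
    """Parse packet-list rows; lines that do not match the row format are skipped."""
    packets = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        no, hh, mm, ss, us, src, dst, proto, info = m.groups()
        t_us = ((int(hh) * 60 + int(mm)) * 60 + int(ss)) * US + int(us)
        packets.append(Packet(int(no), t_us, src, dst, proto, info))
    return packets


def find_blackout(packets, min_gap_s=60, burst_s=1):
    """Return the longest SMB-silent window of at least `min_gap_s`, or None.

    TCP keep-alives and resets do not count as SMB activity, so they can fall
    inside the window. Teardown requests are looked for in the `burst_s`
    seconds leading up to the last SMB packet before the silence.
    """
    smb = [p for p in packets if p.proto == "SMB"]
    best = None
    for prev, nxt in zip(smb, smb[1:]):
        gap = nxt.t_us - prev.t_us
        if gap >= min_gap_s * US and (best is None or gap > best[2]):
            best = (prev, nxt, gap)
    if best is None:
        return None
    prev, nxt, gap = best
    teardowns = [p for p in packets
                 if prev.t_us - burst_s * US <= p.t_us <= prev.t_us
                 and p.info.startswith(TEARDOWN)]
    resets = [p for p in packets
              if prev.t_us < p.t_us < nxt.t_us
              and p.proto == "TCP" and "[RST" in p.info]
    return {"last_smb": prev, "first_smb": nxt, "gap_us": gap,
            "teardowns": teardowns, "resets": resets}


if __name__ == "__main__":
    result = find_blackout(parse_packet_list(CAPTURE))
    print(f"SMB silent for {result['gap_us'] / US:.3f} s "
          f"(packet {result['last_smb'].no} to {result['first_smb'].no})")
    for p in result["teardowns"]:
        print(f"  teardown #{p.no}: {p.src} -> {p.dst}: {p.info}")
    for p in result["resets"]:
        print(f"  reset    #{p.no}: {p.src} -> {p.dst}")
```

The source address on the teardown rows shows which host asked for the session to be closed, which is the first thing to establish before looking at the server side.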
 
Bo Berglund wrote in

news:dsufp51jsh142rscpqnb8eq36m6hq5gimt@4ax.com:



> What can I do to find out why there are disconnect and logoff

> requests posted to the domain controller (172.30.177.70)???

> And most importantly to stop it from happening....

>




I'm assuming that .35 is the server you're connected to, .70 is the

domain controller, and .14 is yourself. It seems strange to me that

you can record a packet between your server and the domain controller

unless you are using hubs instead of switches... and it does seem

strange to see the disconnect/logoff.



You've reached the limit of my knowledge.

All I could come up with on the KB articles is the following. You

can check it out and see if it applies:



"Your system stops responding, you experience slow file server

performance, or delays occur when you work with files that are

located on a file server"





Good Luck,

John
 
On Wed, 10 Mar 2010 22:10:20 -0800, John Wunderlich

wrote:



>Bo Berglund wrote in

>news:dsufp51jsh142rscpqnb8eq36m6hq5gimt@4ax.com:

>

>> What can I do to find out why there are disconnect and logoff

>> requests posted to the domain controller (172.30.177.70)???

>> And most importantly to stop it from happening....

>>


>

>I'm assuming that .35 is the server you're connected to, .70 is the

>domain controller, and .14 is yourself. It seems strange to me that

>you can record a packet between your server and the domain controller

>unless you are using hubs instead of switches... and it does seem

>strange to see the disconnect/logoff.

>

>You've reached the limit of my knowledge.

>All I could come up with on the KB articles is the following. You

>can check it out and see if it applies:

>

>"Your system stops responding, you experience slow file server

>performance, or delays occur when you work with files that are

>located on a file server"

>

>




Well, the IP:s are:
Server  .70 (this is the primary DC, there is a second one at .78)
Laptop  .35 (The SMB traffic is originating from my laptop)
Filesrv .14 (this is the file server on which I have my mapped drives. I don't know why this comes up for the keepalive stuff..)



I will have a look at the KB, but all of these blackouts happen when I

am working with *local* files. Basically while I am editing and

testing programs I develop using the Delphi 7 IDE.

For example, if I need to save a new file in the IDE there will be a

save as dialog coming up and this will be completely locked up if it

hits a blackout period. After the 3 minutes it wakes up..



I do have a few mapped drives to our file server, but I have no open

files on either of them.

Also, of course I have a couple of registered printers on the network

and Windows is for some reason checking on these periodically even

though I am not at all printing anything...



--



Bo Berglund (Sweden)
 
On Tue, 09 Mar 2010 00:09:53 +0100, Bo Berglund

wrote:



I have now made an experiment:

- Connected from home via Cisco VPN to the corporate LAN.

- Started my test application and Wireshark to see how the blackouts

would look in this scenario.



Result: After some 15 hours of logging I have not yet encountered any

SMB/UNC blackout! :-)



With the direct connection to the LAN at work I get something like one

blackout of 3 minutes every half hour or so.



Strange.....

--



Bo Berglund (Sweden)
 
Bo Berglund wrote in

news:14hlp5180aoa31nrrdffuealqbqcrbef6q@4ax.com:



> On Tue, 09 Mar 2010 00:09:53 +0100, Bo Berglund

> wrote:

>

> I have now made an experiment:

> - Connected from home via Cisco VPN to the corporate LAN.

> - Started my test application and Wireshark to see how the

> blackouts would look in this scenario.

>

> Result: After some 15 hours of logging I have not yet encountered

> any SMB/UNC blackout! :-)

>

> With the direct connection to the LAN at work I get something like

> one blackout of 3 minutes every half hour or so.

>

> Strange.....




Hmmm... Maybe not so strange.



I know that the Cisco VPN client contains a Stateful Firewall. This

firewall is enabled even when the VPN client isn't active and can

interfere with Microsoft Networking even (particularly?) when not

active.



Test: Startup the Cisco VPN Client. Before connecting, click on

"Options" Menu and make sure there is *not* a checkmark in front of

"Stateful firewall (Always on)". Close the client afterward. See if

this clears up your problem.



Microsoft has a KB article that [kind of] addresses this:

"Internet firewalls can prevent browsing and file sharing"





HTH,

John
 
On Fri, 12 Mar 2010 21:48:32 -0800, John Wunderlich

wrote:



>Bo Berglund wrote in

>news:14hlp5180aoa31nrrdffuealqbqcrbef6q@4ax.com:

>

>> On Tue, 09 Mar 2010 00:09:53 +0100, Bo Berglund

>> wrote:

>>

>> I have now made an experiment:

>> - Connected from home via Cisco VPN to the corporate LAN.

>> - Started my test application and Wireshark to see how the

>> blackouts would look in this scenario.

>>

>> Result: After some 15 hours of logging I have not yet encountered

>> any SMB/UNC blackout! :-)

>>

>> With the direct connection to the LAN at work I get something like

>> one blackout of 3 minutes every half hour or so.

>>

>> Strange.....


>

>Hmmm... Maybe not so strange.

>

>I know that the Cisco VPN client contains a Stateful Firewall. This

>firewall is enabled even when the VPN client isn't active and can

>interfere with Microsoft Networking even (particularly?) when not

>active.

>

>Test: Start up the Cisco VPN Client. Before connecting, click on

>"Options" Menu and make sure there is *not* a checkmark in front of

>"Stateful firewall (Always on)". Close the client afterward. See if

>this clears up your problem.

>

>Microsoft has a KB article that [kind of] addresses this:

>"Internet firewalls can prevent browsing and file sharing"

>

>

>HTH,

> John


Thanks for the tip, but that setting was already OFF....

I have contacted the IT department and we will change out my HP

docking station and move my network patch to another switch on Monday

to see if there is a difference.



--



Bo Berglund (Sweden)
 
On Sat, 13 Mar 2010 08:01:44 +0100, Bo Berglund

wrote:



>Thanks for the tip, but that setting was already OFF....

>I have contacted the IT department and we will change out my HP

>docking station and move my network patch to another switch on Monday

>to see if there is a difference.




Didn't change the docking station yet, but I changed from using the

wired network in the office to using the WiFi instead.

This turned out to work just fine, no blackouts for almost a full day.

So then the IT department tried to patch my network connection into a

different switch to see if that would help, but it did not. In less

than a half hour after I returned to using the Broadcom Gigabit NIC

via the re-patched network cable I had the blackouts again...



So the situation now is like this:

+ No blackout if I use the office WiFi network.

+ No blackout if I use the Cisco VPN from home.

+ Blackouts if I use the Broadcom NIC via the docking station.



Next to test:

+ Change out the docking station, then use the Broadcom NIC.

+ Use the Broadcom NIC without the docking station entirely.



The latter is harder because I will lose my office wide screen display

(no DVI on my laptop) and other gadgets hooked to the docking

station....



--



Bo Berglund (Sweden)
 
Bo Berglund wrote in

news:beaup517v4ssgoag52c7690bsoaij94his@4ax.com:



> Didn't change the docking station yet, but I changed from using

> the wired network in the office to using the WiFi instead. This

> turned out to work just fine, no blackouts for almost a full day.

> So then the IT department tried to patch my network connection

> into a different switch to see if that would help, but it did not.

> In less than a half hour after I returned to using the Broadcom

> Gigabit NIC via the re-patched network cable I had the blackouts

> again...

>

> So the situation now is like this:

> + No blackout if I use the office WiFi network.

> + No blackout if I use the Cisco VPN from home.

> + Blackouts if I use the Broadcom NIC via the docking station.

>

> Next to test:

> + Change out the docking station, then use the Broadcom NIC.

> + Use the Broadcom NIC without the docking station entirely.

>

> The latter is harder because I will lose my office wide screen

> display (no DVI on my laptop) and other gadgets hooked to the

> docking station....

>




You're really going after this with a vengeance. In that event, let

me offer another suggestion. It might be a Master Browser issue on

your subnet. When you use WiFi or VPN, you tend to be about the

only machine on the subnet so things work better. On a wired LAN,

if only one other machine on your subnet has a firewall going (e.g.

Cisco), it can kill the master browser for the entire subnet. I

have gotten pretty good at finding these machines using Microsoft's

"Browstat.exe" program. The procedure goes something like this...

Step 1 is to determine the master browser on your subnet. From a

command Window (start->run->"cmd") issue the following command:



browstat status



It should reply quickly. If it takes a while or if the second line

starts: "Master name cannot be determined..." this is an indication

of a problem. If you get this, then issue the command:



browstat el 1 domain



where "1" is your network number as determined from the reply from a

"browstat dn" command and "domain" is replaced with your domain.

Then wait 25-30 seconds and repeat the "browstat status" command.

If all is well, the second line should read:



"Master browser name is: Comp01"



where "Comp01" is the name of the master browser on your subnet.



Next, ask the master browser for a list of machines on your subnet:



browstat vw 1 \\Comp01 0x40000000



where "1" and "Comp01" are replaced appropriately as above.



Look at the list that was just printed. There should be *exactly

one* line that contains the Master Browser designation "MBR". If

you see more than one, then chances are that the ones other than the

one have firewalls up and are disrupting Master Browsing on

the subnet. Hint: A quick way to show these is to type the

following:



browstat vw 1 \\Comp01 0x40000000 | find "MBR"



Once you discover the offending computers, you can correct the

problem by either turning off their firewall so that they behave

appropriately or you can stop/disable their "Computer Browser"

service either via "services.msc" or by command line:



reg add HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters /v MaintainServerList /t REG_MULTI_SZ /d false /f



Good Luck,

John
 
On Tue, 16 Mar 2010 20:02:01 GMT, John Wunderlich

wrote:



>> So the situation now is like this:

>>+ No blackout if I use the office WiFi network.

>>+ No blackout if I use the Cisco VPN from home.

>>+ Blackouts if I use the Broadcom NIC via the docking station.

>>

>> Next to test:

>>+ Change out the docking station, then use the Broadcom NIC.

>>+ Use the Broadcom NIC without the docking station entirely.

>>

>> The latter is harder because I will lose my office wide screen

>> display (no DVI on my laptop) and other gadgets hooked to the

>> docking station....




Today I went through the whole exercise:

- Changed docking station - no difference

- Used a different network outlet - no difference

- Connected the network directly to the laptop (no docking station at

all) - No difference



The only working solution so far at the office is WiFi.



The IT department is stumped as well....



I will use all of the hints below to see if anything works out.

But tomorrow is the last day at the office for almost 3 weeks so I

might not get it all done.



Thanks for your valued help!

>

>You're really going after this with a vengeance. In that event, let

>me offer another suggestion. It might be a Master Browser issue on

>your subnet. When you use WiFi or VPN, you tend to be about the

>only machine on the subnet so things work better. On a wired LAN,

>if only one other machine on your subnet has a firewall going (e.g.

>Cisco), it can kill the master browser for the entire subnet. I

>have gotten pretty good at finding these machines using Microsoft's

>"Browstat.exe" program. The procedure goes something like this...

>Step 1 is to determine the master browser on your subnet. From a

>command Window (start->run->"cmd") issue the following command:

>

> browstat status

>

>It should reply quickly. If it takes a while or if the second line

>starts: "Master name cannot be determined..." this is an indication

>of a problem. If you get this, then issue the command:

>

> browstat el 1 domain

>

>where "1" is your network number as determined from the reply from a

>"browstat dn" command and "domain" is replaced with your domain.

>Then wait 25-30 seconds and repeat the "browstat status" command.

>If all is well, the second line should read:

>

> "Master browser name is: Comp01"

>

>where "Comp01" is the name of the master browser on your subnet.

>

>Next, ask the master browser for a list of machines on your subnet:

>

> browstat vw 1 \\Comp01 0x40000000

>

>where "1" and "Comp01" are replaced appropriately as above.

>

>Look at the list that was just printed. There should be *exactly

>one* line that contains the Master Browser designation "MBR". If

>you see more than one, then chances are that the ones other than the

> one have firewalls up and are disrupting Master Browsing on

>the subnet. Hint: A quick way to show these is to type the

>following:

>

> browstat vw 1 \\Comp01 0x40000000 | find "MBR"

>

>Once you discover the offending computers, you can correct the

>problem by either turning off their firewall so that they behave

>appropriately or you can stop/disable their "Computer Browser"

>service either via "services.msc" or by command line:

>

> reg add HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters /v MaintainServerList /t REG_MULTI_SZ /d false /f

>

>Good Luck,

> John




--



Bo Berglund (Sweden)
 
On Tue, 16 Mar 2010 21:31:27 +0100, Bo Berglund

wrote:



>

>I will use all of the hints below to see if anything works out.

>But tomorrow is the last day at the office for almost 3 weeks so I

>might not get it all done.

>

>Thanks for your valued help!

>>

>>You're really going after this with a vengeance. In that event, let

>>me offer another suggestion. It might be a Master Browser issue on

>>your subnet. When you use WiFi or VPN, you tend to be about the

>>only machine on the subnet so things work better. On a wired LAN,

>>if only one other machine on your subnet has a firewall going (e.g.

>>Cisco), it can kill the master browser for the entire subnet. I

>>have gotten pretty good at finding these machines using Microsoft's

>>"Browstat.exe" program. The procedure goes something like this...

>>Step 1 is to determine the master browser on your subnet. From a

>>command Window (start->run->"cmd") issue the following command:

>>

>> browstat status




With WiFi network (lines may wrap). My PC is named WVBYBOBEL:



C:\Program Files\Support Tools>browstat status



Status for domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}

Browsing is active on domain.

Master browser name is: WVBYBOBEL

Master browser is running build 2600

1 backup servers retrieved from master WVBYBOBEL

\\WVBYBOBEL

There are 1 servers in domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}

There are 1 domains in domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}



Status for domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}

Browsing is active on domain.

Master browser name is: WVBYBOBEL

Master browser is running build 2600

1 backup servers retrieved from master WVBYBOBEL

\\WVBYBOBEL

There are 1 servers in domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}

There are 1 domains in domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}



Status for domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{8F9702A3-96B8-48CB-A370-595203982F57}

Browsing is active on domain.

Master browser name is: WVBYBOBEL

Master browser is running build 2600

3 backup servers retrieved from master WVBYBOBEL

\\WMONBERAXP

\\3RTS01

\\WBERALARC

Unable to retrieve server list from WVBYBOBEL: 71



Then I disconnected WiFi and connected wired network:



C:\Program Files\Support Tools>browstat status



Status for domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}

Browsing is active on domain.

Master browser name is: WVBYBOBEL

Master browser is running build 2600

1 backup servers retrieved from master WVBYBOBEL

\\WVBYBOBEL

There are 1 servers in domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}

There are 1 domains in domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}



Status for domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}

Browsing is active on domain.

Master browser name is: WVBYBOBEL

Master browser is running build 2600

1 backup servers retrieved from master WVBYBOBEL

\\WVBYBOBEL

There are 1 servers in domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}

There are 1 domains in domain SYSTEM3R on transport

\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}



>>It should reply quickly. If it takes a while or if the second line

>>starts: "Master name cannot be determined..." this is an indication

>>of a problem. If you get this, then issue the command:

>>

>> browstat el 1 domain

>>

>>where "1" is your network number as determined from the reply from a

>>"browstat dn" command and "domain" is replaced with your domain.




This produces the following output:



C:\Program Files\Support Tools>browstat dn



List of transports currently bound to the browser



1 \Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}

2 \Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}



C:\Program Files\Support Tools>browstat vw 1 \\WVBYBOBEL 0x40000000

Remoting NetServerEnum to \\WVBYBOBEL on transport

\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3} with flags

40000000

1 entries returned. 1 total. 16 milliseconds



\\WVBYBOBEL NT 05.01 (W,S,SQL,NT,PBR,MBR)



>>Then wait 25-30 seconds and repeat the "browstat status" command.

>>If all is well, the second line should read:

>>

>> "Master browser name is: Comp01"

>>

>>where "Comp01" is the name of the master browser on your subnet.

>>

>>Next, ask the master browser for a list of machines on your subnet:

>>

>> browstat vw 1 \\Comp01 0x40000000

>>

>>where "1" and "Comp01" are replaced appropriately as above.




Here I got this (tried both network numbers):



C:\Program Files\Support Tools>browstat dn



List of transports currently bound to the browser



1 \Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}

2 \Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}



C:\Program Files\Support Tools>browstat vw 1 \\WVBYBOBEL 0x40000000

Remoting NetServerEnum to \\WVBYBOBEL on transport

\Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3} with flags

40000000

1 entries returned. 1 total. 16 milliseconds



\\WVBYBOBEL NT 05.01 (W,S,SQL,NT,PBR,MBR)





C:\Program Files\Support Tools>browstat vw 2 \\WVBYBOBEL 0x40000000

Remoting NetServerEnum to \\WVBYBOBEL on transport

\Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61} with flags

40000000

1 entries returned. 1 total. 0 milliseconds



\\WVBYBOBEL NT 05.01 (W,S,SQL,NT,PBR,MBR)



>>Look at the list that was just printed. There should be *exactly

>>one* line that contains the Master Browser designation "MBR". If

>>you see more than one, then chances are that the ones other than the

>> one have firewalls up and are disrupting Master Browsing on

>>the subnet. Hint: A quick way to show these is to type the

>>following:

>>

>> browstat vw 1 \\Comp01 0x40000000 | find "MBR"

>>

>>Once you discover the offending computers, you can correct the

>>problem by either turning off their firewall so that they behave

>>appropriately or you can stop/disable their "Computer Browser"

>>service either via "services.msc" or by command line:

>>

>> reg add HKLM\SYSTEM\CurrentControlSet\Services\Browser\Parameters /v MaintainServerList /t REG_MULTI_SZ /d false /f

>>




Looks like it is not this issue either....

My best bet now seems to be to go wireless for good. The wired network

connection is 10% blackouts now....



--



Bo Berglund (Sweden)
 
Bo Berglund wrote in

news:grk2q5haa82m2b0n109qnbru6l98iv6dop@4ax.com:



> C:\Program Files\Support Tools>browstat dn

>

> List of transports currently bound to the browser

>

> 1 \Device\NetBT_Tcpip_{741442F2-B450-42F7-967E-00AD8658A7F3}

> 2 \Device\NetBT_Tcpip_{3DD7AF76-C9DB-47AB-AC09-5FD763FDFD61}

>


[...]

>

> Looks like it is not this issue either....

> My best bet now seems to be to go wireless for good. The wired

> network connection is 10% blackouts now....




You're right. This doesn't seem to be the problem. But it does point

out another issue. It appears you have 2 transports bound to the

browser for the same domain (SYSTEM3R). It might be that only one of

these is actually connected in an operational sense (probably #1) and

if it picks the wrong binding, you may be waiting for a long timeout

before trying the other binding. When working wireless or over VPN,

you may only have one active binding -- eliminating your problem.



To test this, try un-binding one of the connections. The following

command will unbind connection #2 above, leaving only connection #1:



browstat unbind 2



Then test it with only one binding. This "unbinding" is temporary and

will hold until your next reboot. If #2 is the wrong one, try #1.



[As you might guess, "browstat" has more parameters than it advertises

in "browstat /help"]



HTH,

John
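
The checks from John's two posts (a master browser name in `browstat status`, exactly one "MBR" host in the `browstat vw` list, and one transport bound per domain) can be run over saved output. This is an added example, not part of the thread; the patterns follow the output layout quoted above, and the domain, host names and GUIDs in the sample are constructed.

```python
import re
from collections import defaultdict
# Patterns follow the layout of the browstat output quoted in the thread.
STATUS_HDR = re.compile(r"Status for domain (\S+) on transport\s+(\\Device\\\S+)")
MASTER = re.compile(r"Master browser name is:\s*(\S+)")
LIST_ERR = re.compile(r"Unable to retrieve server list from (\S+):\s*(\d+)")
VW_ROW = re.compile(r"^(\\\\\S+)[ \t]+.*\(([^)]*)\)[ \t]*$", re.M)

# Constructed sample output: hypothetical domain, hosts and GUIDs.
SAMPLE_STATUS = r"""
Status for domain EXAMPLEDOM on transport
\Device\NetBT_Tcpip_{11111111-1111-1111-1111-111111111111}
    Master browser name is: PC01
Status for domain EXAMPLEDOM on transport
\Device\NetBT_Tcpip_{22222222-2222-2222-2222-222222222222}
    Master browser name is: PC01
    Unable to retrieve server list from PC01: 71
"""
SAMPLE_VIEW = r"""
\\PC01   NT   05.01 (W,S,NT,PBR,MBR)
\\PC02   NT   05.01 (W,S,NT,PBR,MBR)
\\PC03   NT   05.01 (W,S,NT)
"""

def parse_status(text):
    """Return one record per 'Status for domain ... on transport ...' section."""
    parts = STATUS_HDR.split(text)  # [pre, domain, transport, body, domain, ...]
    records = []
    for domain, transport, body in zip(parts[1::3], parts[2::3], parts[3::3]):
        master, err = MASTER.search(body), LIST_ERR.search(body)
        records.append({"domain": domain, "transport": transport,
                        "master": master.group(1) if master else None,
                        "list_error": int(err.group(2)) if err else None})
    return records

def master_flagged(view_text):
    """Return hosts whose 'browstat vw' flag list contains MBR."""
    return [host for host, flags in VW_ROW.findall(view_text)
            if "MBR" in [f.strip() for f in flags.split(",")]]

def findings(status_text, view_text):  # conditions the posts treat as suspicious
    out, by_domain = [], defaultdict(list)
    for r in parse_status(status_text):
        by_domain[r["domain"]].append(r["transport"])
        if r["master"] is None:
            out.append(f"no master browser reported on {r['transport']}")
        if r["list_error"] is not None:
            out.append(f"server list error {r['list_error']} on {r['transport']}")
    out += [f"{len(t)} transports bound for domain {d}"
            for d, t in by_domain.items() if len(t) > 1]
    mbr = master_flagged(view_text)
    if len(mbr) != 1:
        out.append(f"expected exactly one MBR host, found {len(mbr)}: {mbr}")
    return out
```

Calling `findings(SAMPLE_STATUS, SAMPLE_VIEW)` returns three findings for the constructed sample; redirected output of the real commands can be passed in the same way.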
 