Solved

network freezes with windows server standard 2008

Posted on 2009-04-06
Last Modified: 2012-05-06
We have Windows 2008 Standard installed last July (2008). Ever since it was set up, the network would freeze intermittently. The symptoms are: one PC uses one file on the shared network, then the PC would stop working (in the way that task manager, mouse, keyboard all stopped working; the PC screen freezes). At the same time, other PCs, if they do not touch any of the shared information (which resides on the Windows 2008 server), are fine. But as soon as they touch the shared network, they freeze too. I tried everything. We hired consultants and they tried everything. The only solution is: if we restart the server, it would come back fine.

We tried Wireshark, changed cables, did all sorts of tests that people on related subjects suggested, upgraded Symantec from Antivirus to Endpoint 11, and then upgraded with every version they released. Now we are running Endpoint 11, MR4, MP1, the newest. Still the same problem happens.

Any insight would be highly appreciated.  

Lucy

Question by:charliesheen
 
LVL 57

Expert Comment

by:giltjr
ID: 24077405
O.K. to make sure I understand.

When a desktop PC accesses a file share on the server, that desktop PC locks up. Correct?

If you re-boot the server, the desktop returns to normal?

What is the status of the server when the desktop locks up?  Is it usable, or is it locked up also?

Are there any events in the event logs, on either the server or the desktops, at the time the hang occurs?

Do you have managed or un-managed switches?



0
 

Author Comment

by:charliesheen
ID: 24077657
Thanks.  

1) When a desktop PC accesses a file share on the server, that desktop PC locks up - correct.
2) If another desktop tries to access a file shared on the server, any file, it locks up too.
3) The server looks fine at this time. It can ping all the PCs.
4) The event log doesn't have any suspicious activities.
5) I do have some Wireshark shots. I do not really know how to interpret them. I will put them in the attachment.
6) We use HP ProCurve 26xx. I do not think that they are managed.

Thanks.  

p.s. it seems even zipped wireshark files are too big to upload.   please let me know whether there is any file that you could upload to be more informative.    
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24078002
So, the server can ping the PC that is hung?

You can try and save the Wireshark trace as K12 text file (one of the options in the "Save as Type").  Then zip that and try and upload.

The 2600 and 2610 series switches are both supposed to be managed. The reason I am asking is that instead of tracing from the server (which I am assuming you are doing) you can set up a port on the switch to mirror the port that one of the desktops is on; then you only capture the data to/from the desktop instead of the server, which should generate less traffic.
0
 

Author Comment

by:charliesheen
ID: 24078474
yes.   the server can ping the PC that is hung.  
Wireshark files in the attachment.   one is a general capture when the problem happens.  one is the capture of connection between server and the PC that first reported the problem.    Thanks.  

P.S. Well, the txt files are bigger than the pcap files. I still could not upload them.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24078767
Even after you zipped them?  If they are still too big to upload after the zip, you can try uploading them to ee-stuff:

     http://www.ee-stuff.com/login.php

You can use your ee user-id/password to logon and then just post the link.


Where were you running the wireshark trace, the server or the desktop?  Is there data transfer going on between the server and the "hung" desktop after the desktop gets hung up?  If so, what type of data transfer is going on?
0
 

Author Comment

by:charliesheen
ID: 24079286
Thanks.  for some reason, the zipped txt file is still bigger than 20 mb, the limit on ee-stuff.   sorry about this.  
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24079317
O.K., so:

Where were you running wireshark?  The server or the desktop?

Does it show data transfer between the server and the desktop that got hung after the hang?  

If so, what is the data?

If possible can you just snip out a piece of the trace from after the hang?
0
 

Author Comment

by:charliesheen
ID: 24079934
These are some captures of problems on april 1st.   I can get most recent ones if requested.   right at this moment, the system is working fine.    thanks.
04-01-qc-freeze-general.jpg
freeze-again.jpg
freeze-again-1.jpg
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24080014
--> right at this moment, the system is working fine.  

So you are saying that right now you can access the server and the desktop does not hang?

I am assuming that 192.168.1.6 is the server and 192.168.1.235 is the client.

How big was the file you were opening?

Does (did) the same thing happen if you open a small file?



0
 

Author Comment

by:charliesheen
ID: 24080039
it does happen if i open a small file.  file size/type doesn't matter.   Ip 235 is just one of the PCS.     it happens with any pc on the network.  
0
 

Author Comment

by:charliesheen
ID: 24080046
I ran it on the server.  

I do not really know how i could interpret the wireshark data, but i captured the stream when the problem happens, everything that is running and transactions between the server and one pc.  

0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24082809
SEP MR4 still causes 2008 servers to hang. I would call Symantec to get the cleanwipe tool to fully remove SEP from the server. If you call MS they will ask you to call Symantec to get the cleanwipe tool before they will start to troubleshoot, because of the issues SEP causes. If you search this site you will see multiple posts like yours. Also, go to the properties of your NIC, then Configure, select the Advanced tab, and disable IP Checksum, TCP Offload, IP Offload, and TCP Checksum.
0
 

Expert Comment

by:rmcan
ID: 24093219
I had a similar problem but less severe.
There are 2 things I did to fix it:
1. I disabled SMB 2.0 on Server 2008.
Here is a link with all the info you need:
http://www.petri.co.il/how-to-disable-smb-2-on-windows-vista-or-server-2008.htm

2. I disabled recent history on each XP Pro workstation.
Go to Start - Run
Type regedit
Go to
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Add a DWORD value named NoRecentDocsHistory
Set the value to 1

Then go to
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Add a DWORD value named NoRecentDocsHistory
Set the value to 1

I also cleared out the recent docs folder by going to
C:\Documents and Settings\"user_name"\Application Data\Microsoft\Office\Recent

Hope this helps
0
 

Author Comment

by:charliesheen
ID: 24100181
Thanks a lot. I will try 1) out. We have about 100 PCs on site. It will be quite a lot to change history on every PC. Thanks a lot. I will update you.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24100447
I doubt that will do anything. All that setting the NoRecentDocsHistory entry to 1 does is prevent Windows from adding to the list of recently opened documents.

Disabling SMB 2.0 may or may not help.  If both the server and client support SMB 2.0, you should use it as it is much better and faster than SMB 1.0.

You may want to try and do a wireshark trace from a client, however, just open a small file.
0
 

Author Comment

by:charliesheen
ID: 24100972
O.K. I will try that. Interestingly, the network has not had any problem this week. But when it happens again (freezes), I will use Wireshark to capture traces from both the server and a PC. Thanks.
0

 
LVL 57

Expert Comment

by:giltjr
ID: 24103340
In that case you may want to do a trace right now with a small file.  Then use the same small file when you have problems.  That way you have a trace of what should happen to compare it to.
0
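Added example (not part of the thread and not any poster's code): one way to compare a known-good trace with one taken during a freeze, as suggested in the comment above. It assumes each capture has been exported to six tab-separated columns per SMB message; that layout, the sample lines and the client 192.168.1.240 are constructed for illustration.

```python
from collections import Counter

SERVER = "192.168.1.6"  # server address as assumed in the thread
NT_STATUS = {
    0x00000000: "STATUS_SUCCESS",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
}

# Constructed samples, one SMB message per line, tab-separated:
# time, source, destination, is_response, multiplex ID, NT status
BASELINE = (
    "0.010\t192.168.1.235\t192.168.1.6\t0\t101\t\n"
    "0.012\t192.168.1.6\t192.168.1.235\t1\t101\t0x00000000\n"
)
FREEZE = (
    "0.010\t192.168.1.235\t192.168.1.6\t0\t201\t\n"
    "0.013\t192.168.1.6\t192.168.1.235\t1\t201\t0xC0000034\n"
    "0.030\t192.168.1.235\t192.168.1.6\t0\t202\t\n"
    "0.034\t192.168.1.6\t192.168.1.235\t1\t202\t0xC0000022\n"
    "0.050\t192.168.1.235\t192.168.1.6\t0\t203\t\n"
    "0.900\t192.168.1.240\t192.168.1.6\t0\t17\t\n"  # second client, constructed
)

def summarize(text, server=SERVER):
    """Count response statuses and list requests the server never answered."""
    pending, statuses = {}, Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, is_resp, mid, status = line.split("\t")
        if is_resp == "1" and src == server:
            pending.pop((dst, mid), None)      # request answered
            code = int(status, 16)
            statuses[NT_STATUS.get(code, hex(code))] += 1
        elif is_resp == "0" and dst == server:
            pending[(src, mid)] = float(t)     # request awaiting a reply
    unanswered = sorted((t, c, m) for (c, m), t in pending.items())
    return statuses, unanswered

def compare(baseline, problem):
    """Statuses seen more often in the problem trace, plus its unanswered requests."""
    base, _ = summarize(baseline)
    prob, unanswered = summarize(problem)
    extra = {s: n - base[s] for s, n in prob.items() if n > base[s]}
    return extra, unanswered

if __name__ == "__main__":
    print(compare(BASELINE, FREEZE))
```

Requests left in the unanswered list are the ones to look at first: they show which clients were still waiting on the server when the capture ended.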
 

Expert Comment

by:rmcan
ID: 24108044
I was assuming that the workstations were XP and I believe XP only uses SMB 1.0.
I do agree with giltjr about removing SEP and changing the NIC settings and continuing to use Wireshark to monitor traffic.
As for NoRecentDocsHistory changes, I only had 6 PCs to deal with but it did improve the performance. Maybe only test 1 or 2 PCs.

0
 

Expert Comment

by:rmcan
ID: 24108132
Sorry I agree with dariusq about removing sep and nic setting and giltjr to use wireshark to monitor traffic
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24109335
Remove SEP; that is the issue.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24109383
Only Vista and Windows Server 2008 use SMB 2.0.  I don't think MS has added SMB 2.0 to anything else (XP, 2000, 2003), so they still use SMB 1.0.

So if you have Vista or Server 2008 talking to other computers running XP, 2000, 2003 or Linux (SAMBA) you need to leave SMB 1.0 enabled.
0
 

Author Comment

by:charliesheen
ID: 24147813
Update:  the network froze this morning.  I was able to capture some wireshark information.    I wonder whether anybody could help me interpret this.    Symptom: one PC will hang when accessing shared files.   before, all other PCs accessing any shared info would hang too.  But this time, other pcs are still on.    thanks.  

Only restart of the server will help the hanging PCs.  
04-15-morning-freeze.txt
04-15-morning-freeze-with-partic.txt
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 24180041
Have you removed SEP yet?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24180047
0
 

Author Comment

by:charliesheen
ID: 24205787
Now this problem is getting worse.     i do not feel comfortable removing SEP.    what do you use after it is removed?   I had to restart the server 4 times yesterday.       We only have one processor.    

Please help.  
4-21-slow-response-to-open-word.txt
4-21-slow-response-to-open-word-.txt
4-21-total-freeze.txt
4-21-total-freeze-with-ip.txt
4-21-total-freeze-more.txt
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24205881
What was the file name you were attempting to get?  I see a few "file not found" messages.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24205886
I also see a few "access denied" messages.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24205993
We removed SEP then installed McAfee Total Protection which worked great. I can be almost 100% sure that once you remove SEP with the cleanwipe tool you won't have any problems. MS won't even work on your system until you remove SEP.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24206034
I took a look at a couple of the last files.  The only unusual thing that  4-21-slow-response-to-open-word-.txt  seems to show is that you appear to be looking for various files and paths that are not on the file server, such as:

     hpkeys32.dll
     \2008 Audit
     \Desktop.ini

There also seems to have been a request to look for something that was canceled.  It is a bit weird as it appears that the directory "\2008 Audit" existed and then disappeared.

Should that directory exist?  Should it exist directly on 192.168.1.6?
0
 

Author Comment

by:charliesheen
ID: 24255093
yes \2008 Audit should be on the server.  when it works, it is.  

anyway, we still experience the same problems.  I have more captures.   this afternoon, i uninstalled SEP from the server.  The Endpoint manager is still on.    Now the server is not protected by any anti-virus.  I might install AVG tomorrow.    but let's just see what will happen now.  
0
 
LVL 57

Expert Comment

by:giltjr
ID: 24256785
Is that directory on a hard drive that is physically in the box, or it is a mount point on a SAN?
0
 

Author Comment

by:charliesheen
ID: 24314587
After many many months of struggles with this issue, i finally took off Symantec Endpoint client copy on the server last week, following one of the suggestions on this site.     The problem has not resurfaced for a week.  So i guess i will have to look for a different form of protection for the server.    

For now, the case can be closed.  
0
