dropped connection -- med/large external downloads - unable to read the source file. domain pc's only

Hello -- we recently discovered a problem with downloading large external files on our network.  

Brief overview: prior network setup had users logging into MS terminal server for outlook mail/applications/files/etc.  GPO was setup on these users for rights/permissions on the TS server.  Since users were mobile their laptops were part of their local workgroup.  If they needed something locally from the file server they could pull it down locally via VPN.

New setup:  we are adding all laptops to the domain so that Local outlook can be setup in cached mode, applications installed locally, files accessed locally, etc.  Mainly this is so that we improve productivity and have more control on what users are able to install on their laptops.  We created and setup seperate GPOs for domain computers (very few restrictions, just folder redirection, things like that) -- loopback enabled, mode: replace.  

Problem: when downloading external files (300mb+ xp sp3 from microsoft for example) after 10-30mins of download the connection drops with an error 'unable to read the source file' or connection with server was reset.  We have been able to isolate this to pc's/laptops which are part of the domain.  We can download the same files to laptops which are not part of the domain using the same cables.  In this scenario on 1 domain laptop the download crashed, i then connected the same patch cable to another laptop which is not part of the domain and the download worked several times (the full 300+mb file downloaded).  I repeated the test on the original laptop - failed everytime, although the time always varies (10-30 mins). same event on domain servers and other domain pc's/laptops.

i don't know if we have always had problems downloading on domain computers since before we only had the servers on the domain and nobody had any need to download large external files to the servers (other than service packs but those seem to download ok from windows update). We can however move GB's worth of data between laptops/servers on the local network without any problems - no crashes.  Local network is not affected -- if that makes any sense.

additional info:

sonicwall 2040 pro -- latest firmware
network is on 100 full duplex (auto), 1500 MTU.  
switches are unmanaged SMC EZ Switch SMCGS24 10/100/1000Mbps
4 VPN site to site connections
nothing in local event log which would suggest a problem
nothing in limited sonicwall log which would indicate a problem

we can replicate the problem everytime on domain connected pc/laptops irregardless of usertype (domain admin/domain user).  GPOs do not inherit.  

things we have tried:

1.  disable group specific GPOs (gpupdate/force) -- didn't help
2.  disable all GPOs (gpupdate/force) -- didnt help
3.  remove pc's from GPO controlled AD group -- didn't help
4.  disabled Windows firewall on client pc's -- didn't help
5.  made sure GPOs do not inherit -- didn't help
6.  checked to ensure MTU on clients is same as on sonicwall -- it is
7.  checked for collision packets -- very limited tests, but didn't see anything
8.  checked to ensure router/network/clients all on same network speed -- auto negotiate 100 full/duplex
9.  Ran wireshark 1.07 on a laptop and found some info below, not sure if it's relevant.  

any help appreciated.
exceprt from wireshark where we think it shows the download crashing.  external ip is microsoft, internal 100.47 is the test domain laptop. please look for "136311 568.099415 192.168.100.47 87.248.217.253 TCP 4963 > http [ACK] Seq=1 Ack=131303146 Win=65535 Len=0" -- this :
 
packet#  time            source               destination         prot  info
136302 568.074468 192.168.100.47 87.248.217.253 TCP 4963 > http [ACK] Seq=1 Ack=131297306 Win=65535 Len=0
136303 568.080646 87.248.217.253 192.168.100.47 HTTP Continuation or non-HTTP traffic
136304 568.086876 87.248.217.253 192.168.100.47 HTTP Continuation or non-HTTP traffic
136305 568.086950 Usi_cd:54:ee Broadcast ARP Who has 192.168.100.101?  Tell 192.168.100.47
136306 568.087131 Sonicwal_38:41:14 Usi_cd:54:ee ARP 192.168.100.101 is at 00:06:b1:38:41:14
136307 568.087138 192.168.100.47 87.248.217.253 TCP 4963 > http [ACK] Seq=1 Ack=131300226 Win=65535 Len=0
136308 568.087158 Sonicwal_2a:02:54 Usi_cd:54:ee ARP 192.168.100.101 is at 00:06:b1:2a:02:54
136309 568.093061 87.248.217.253 192.168.100.47 HTTP Continuation or non-HTTP traffic
136310 568.099383 87.248.217.253 192.168.100.47 HTTP Continuation or non-HTTP traffic
136311 568.099415 192.168.100.47 87.248.217.253 TCP 4963 > http [ACK] Seq=1 Ack=131303146 Win=65535 Len=0
136312 568.099972 87.248.217.253 192.168.100.47 TCP http > 4963 [RST] Seq=131303146 Win=65535 Len=4
136314 568.105609 192.168.100.47 87.248.217.253 TCP 4963 > http [RST] Seq=1 Win=0 Len=0
136315 568.111729 87.248.217.253 192.168.100.47 HTTP Continuation or non-HTTP traffic
136316 568.111744 192.168.100.47 87.248.217.253 TCP 4963 > http [RST] Seq=1 Win=0 Len=0
136317 568.117943 87.248.217.253 192.168.100.47 HTTP Continuation or non-HTTP traffic
136318 568.117964 192.168.100.47 87.248.217.253 TCP 4963 > http [RST] Seq=1 Win=0 Len=0
136319 568.124125 87.248.217.253 192.168.100.47 HTTP Continuation or non-HTTP traffic
136320 568.124139 192.168.100.47 87.248.217.253 TCP 4963 > http [RST] Seq=1 Win=0 Len=0
136321 568.130341 87.248.217.253 192.168.100.47 HTTP Continuation or non-HTTP traffic
136322 568.130366 192.168.100.47 87.248.217.253 TCP 4963 > http [RST] Seq=1 Win=0 Len=0
136324 568.136886 87.248.217.253 192.168.100.47 HTTP Continuation or non-HTTP traffic
136325 568.136905 192.168.100.47 87.248.217.253 TCP 4963 > http [RST] Seq=1 Win=0 Len=0
136326 568.244589 192.168.100.47 192.168.100.212 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \AgnieszkaB\Application Data\Mozilla\Firefox\Profiles\32rgx5pb.default\downloads.sqlite-journal
136327 568.245059 192.168.100.212 192.168.100.47 SMB Trans2 Response, QUERY_PATH_INFO, Error: STATUS_OBJECT_NAME_NOT_FOUND
136328 568.268723 192.168.100.47 192.168.100.212 SMB NT Create AndX Request, Path: \AgnieszkaB\Application Data\Mozilla\Firefox\Profiles\32rgx5pb.default\downloads.sqlite-journal
136329 568.269137 192.168.100.212 192.168.100.47 SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_OBJECT_NAME_NOT_FOUND
136330 568.269273 192.168.100.47 192.168.100.212 SMB NT Create AndX Request, Path: \AgnieszkaB\Application Data\Mozilla\Firefox\Profiles\32rgx5pb.default\downloads.sqlite-journal
136331 568.269585 192.168.100.212 192.168.100.47 SMB NT Create AndX Response, FID: 0x0000, Error: STATUS_OBJECT_NAME_NOT_FOUND
136332 568.269727 192.168.100.47 192.168.100.212 SMB Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \AgnieszkaB\Application Data\Mozilla\Firefox\Profiles\32rgx5pb.default\downloads.sqlite-journal
136333 568.270080 192.168.100.212 192.168.100.47 SMB Trans2 Response, QUERY_PATH_INFO, Error: STATUS_OBJECT_NAME_NOT_FOUND
136334 568.270300 192.168.100.47 192.168.100.212 SMB NT Create AndX Request, Path: \AgnieszkaB\Application Data\Mozilla\Firefox\Profiles\32rgx5pb.default\downloads.sqlite-journal
136335 568.270936 192.168.100.212 192.168.100.47 SMB NT Create AndX Response, FID: 0x800a
136336 568.270987 192.168.100.47 192.168.100.212 SMB Trans2 Request, QUERY_FILE_INFO, FID: 0x800a, Query File Internal Info
136337 568.271303 192.168.100.212 192.168.100.47 SMB Trans2 Response, FID: 0x800a, QUERY_FILE_INFO
136338 568.271403 192.168.100.47 192.168.100.212 SMB Write Request, FID: 0x800a, 0 bytes at offset 512

Open in new window

Whereismys4Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Did you check space quotas on domain controller?
0
Whereismys4Author Commented:
no GPO policies defined for disk quotas
i did have 1GB disk quota on the DC -- 1 user hit the limit, removed disk quota to see if it makes a difference
0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Quotas need not to be defined on GPO level, they can apply on disk / folder level, too. Mabye temp download files are stored on the DC when logged in as domain user, and there is a quota.
0
Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

Whereismys4Author Commented:
after removing the disk quota on the DC i reran the download tests with the same result
just a note we are running these tests with various users -- only one of these users hit a quota on the DC
0
Whereismys4Author Commented:
by way i realized i forgot to add that in the code i posted on line 16 or there about is where the download fails.  The external ip is to Microsoft download site, the internal is the Laptop we were testing.  Not sure if anyone can determine if any of the info is helpful in determining what is causing the dropped connection.

also, ARP timeout is 10mins (set on sonicwall by default) -- i flushed it just to see if that makes a difference
0
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
Well.
In line 13, client sends ACK for bytes up to 131 303 146.
In line 14, 500 µs later, the server sends a Reset (RST) message for exact this byte (sequence number).
As reaction, the client sends RST, too, with Window size=0, which means "stop immediately, no bandwith or buffers available". The server doesn't believe the client, and sends some more packets, till line 25, when the "engines come to stop" at last.

What's that telling me? Not much. But: It is not domain related in any way. Only the server or router devices can send RST. And only if they want to stop ongoing data exchange, or initiate it (first packet always come with a RST). A normal close would end with a FIN flag, so this kind of emergency brake here. I cannot see any reason for it, everything went fine up to the packet in line 13.
0
Whereismys4Author Commented:
ARP flush did not make a difference, nor did increasing the lease time from 10 mins to 60 mins.
Rebooting the server did nothing.  Sonicwall 2040 pro is on the latest firmware.  

The only remaining piece of equipment is a DSL frame-relay switch which is connected to a modem (converts frame-relay to rj45), which in turn is connected to the sonicwall.

ISP --> frame replay switch (cannot configure) --> translation modem (is configured as transparent) --> sonicwall pro (is configured with NAT) --> SMC 10/100/1000 switch

I've contacted the vendor of the modem and they are going through my config file to determine if there is a misconfiguration.  
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
papaschlumpfCommented:
regarding the error Error: STATUS_OBJECT_NAME_NOT_FOUND, that looks like a microsoft issue. see also http://support.microsoft.com/kb/2628582 ! ( "STATUS_OBJECT_NAME_NOT_FOUND" error message when you open a newly-created file in a shared folder in Windows 7 or in Windows Server 2008 R2 )

workaround: To work around this issue, disable the directory cache.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.