NetApp Filer using ONTAP 7.3.2 is dropping connection to the Windows 2008 configured SDI collector node

Article:TECH144314  |  Created: 2010-11-16  |  Updated: 2011-08-15  |  Article URL http://www.symantec.com/docs/TECH144314
Article Type
Technical Solution


Issue



The network connection between the Symantec Data Insight (SDI) collector node and the Network Appliance (NetApp) Filer is lost intermittently, which results in errors when a scan is due.


Error



Server: fpolicy.fscreen.server.connectError:error]: FPOLICY: An attempt to connect to fpolicy server \\SHARE for policy matpol failed [0xc000005e].

 Server: fpolicy.fscreen.server.droppedConn:warning]: FPOLICY: File policy server 99.99.99.99 for fscreen policy matpol has disconnected from the filer.

 [cifs.server.infoMsg:info]: CIFS: Warning for server \\SHARE: Connection terminated.

[Server: cifs.server.errorMsg:error]: CIFS: Error for server \\SHARE: Error while negotiating protocol with server No Trusted Logon Servers Available - STATUS_NO_LOGON_SERVERS.

[cifs.pipe.errorMsg:error]: CIFS: Error on named pipe with \\SHARE: Response incorrectly signed

[cifs.trace.smbSignMismatch3:error]: CIFS: Request from client 99.99.99.99 for operation 117 (tconX) was rejected because the client requested enforcement of security signatures (SMB signing) and the signature provided by the client did not match the value calculated by the filer.


Environment



Windows server with SMB signing enabled

Windows 2003 or 2008

ONTAP client 7.3.2

FPolicy configuration from the Windows server to the NetApp filer


Cause



When SMB (Server Message Block) signing is enabled, clients that support SMB signing can connect, and clients that do not support SMB signing can also connect. When SMB signing is required, both computers in the SMB connection must support SMB signing. The SMB connection is not successful if one computer does not support SMB signing. By default, SMB signing is enabled for outgoing SMB sessions on the following operating systems:
• Windows Server 2003

If there is a mismatch between the SMB signing setting on the client and the setting on the NetApp filer, these errors may result and the SDI product will not be able to successfully create and maintain a connection.

Once configured, the setting should remain the same wherever SDI is expected to run.

When SMB signing is enabled on the storage system, it is the equivalent of the Microsoft Network server policy "Digitally sign communications (if client agrees)." It is not possible to configure the storage system to require SMB signing communications from clients, which is the equivalent of the Microsoft Network server policy "Digitally sign communications (always)." For performance reasons, SMB signing is disabled by default on the storage system.

Note: When SMB signing is enabled, all CIFS communications to and from Windows clients experience a significant impact on performance, which affects both the clients and the server (that is, the storage system running Data ONTAP).
The performance degradation shows as increased CPU usage on both the clients and the server, although the amount of network traffic does not change.


Solution



The recommendation is to disable the group policy that is set by default on the Microsoft operating system.

Reference: support.microsoft.com/kb/887429

If SMB signing is not required as a security precaution on the network, the recommendation is to disable the SMB signing settings for better performance and to avoid mismatches.

The Windows SMB setting is located in the registry (Regedit) at:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters

Default:
EnableSecuritySignature = 1 (recommend setting to 0)
RequireSecuritySignature = 0

The NetApp SMB setting is:
options cifs.signing.enable off

Note: The ONTAP 7.3.3 upgrade from NetApp handles the mismatched settings more gracefully than the 7.3.2 version
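
To confirm that intermittent FPolicy drops line up with SMB signing failures before changing any setting, the filer messages from the Error section can be triaged with a short script. This is an added example, not Symantec or NetApp code; the function names and result fields are assumptions, and the sample input is the six messages quoted in the Error section.

```python
import re

# Filer messages copied from the Error section of this article (sample input).
SAMPLE = [
    r"Server: fpolicy.fscreen.server.connectError:error]: FPOLICY: An attempt to connect to fpolicy server \\SHARE for policy matpol failed [0xc000005e].",
    r"Server: fpolicy.fscreen.server.droppedConn:warning]: FPOLICY: File policy server 99.99.99.99 for fscreen policy matpol has disconnected from the filer.",
    r"[cifs.server.infoMsg:info]: CIFS: Warning for server \\SHARE: Connection terminated.",
    r"[Server: cifs.server.errorMsg:error]: CIFS: Error for server \\SHARE: Error while negotiating protocol with server No Trusted Logon Servers Available - STATUS_NO_LOGON_SERVERS.",
    r"[cifs.pipe.errorMsg:error]: CIFS: Error on named pipe with \\SHARE: Response incorrectly signed",
    r"[cifs.trace.smbSignMismatch3:error]: CIFS: Request from client 99.99.99.99 for operation 117 (tconX) was rejected because the client requested enforcement of security signatures (SMB signing) and the signature provided by the client did not match the value calculated by the filer.",
]

SIGNING_EVENTS = {"cifs.trace.smbSignMismatch3"}
SIGNING_TEXT = "Response incorrectly signed"
DROP_EVENTS = {"fpolicy.fscreen.server.connectError",
               "fpolicy.fscreen.server.droppedConn"}
# NT status code as it appears in the messages above.
NT_STATUS = {"0xc000005e": "STATUS_NO_LOGON_SERVERS"}

EVENT_RE = re.compile(r"([a-z]+(?:\.[A-Za-z0-9]+)+):(error|warning|info)\]")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
STATUS_RE = re.compile(r"\[(0x[0-9a-fA-F]{8})\]")

def parse_line(line):
    """Extract event name, severity, peer IP and NT status from one message."""
    m = EVENT_RE.search(line)
    if not m:
        return None  # not a filer event line
    ip = IP_RE.search(line)
    status = STATUS_RE.search(line)
    code = status.group(1).lower() if status else None
    return {"event": m.group(1), "severity": m.group(2),
            "peer": ip.group(0) if ip else None,
            "status": NT_STATUS.get(code, code),
            "signing": m.group(1) in SIGNING_EVENTS or SIGNING_TEXT in line}

def triage(lines):
    """Report whether FPolicy drops coincide with SMB signing failures."""
    records = [r for r in map(parse_line, lines) if r]
    signing = [r for r in records if r["signing"]]
    drops = [r for r in records if r["event"] in DROP_EVENTS]
    return {"signing_failures": len(signing), "fpolicy_drops": len(drops),
            "peers": sorted({r["peer"] for r in signing + drops if r["peer"]}),
            "statuses": sorted({r["status"] for r in records if r["status"]}),
            "likely_signing_mismatch": bool(signing and drops)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A result with `likely_signing_mismatch` set for the collector node's address points to the signing settings on the two sides as the place to look.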



