
Network disconnects during large file transfers - SEP 12.1.2

Created: 28 Nov 2012 • Updated: 28 Nov 2012 | 17 comments

Hi all, I'm having the same issue as in the article linked below. Any PC in my organization with SEP installed gets blown off the network during high bandwidth utilization (usually when copying large files across the network).

http://www.symantec.com/connect/forums/symantec-endpoint-protection-121-disconnects-network

We've confirmed that it is SEP that's causing the problem, since we can duplicate the issue repeatedly when SEP is installed; however, once we uninstall it, there is no longer an issue. We started seeing this once we upgraded to MP1, and just tested with 12.1 RU2 and the problem is still occurring. Has anyone found a solution to this yet? It's frustrating to a large number of my user base, and removing Antivirus isn't an option, unless I have another AV to install in its place.

Any help would be GREATLY appreciated on this issue.

Thank you,

Travis


.Brian

What components are installed?

Disable NTP and check again.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

trav531

Yep, gonna try that next on my test box.  But after a MP and a new RU, the answer "half our product doesn't work, don't use it" really isn't what I want to pass along to senior management.

.Brian

Agreed, but if you can at least narrow it down to a component, it will make it that much easier and quicker for support.


trav531

We've narrowed it down to strictly the Firewall component. If you uninstall that module from the client, the problem goes away. What appears to happen is that the client-side ARP table stops updating. The machine then starts calling out to the switch, asking for information, and the switch returns it; however, since the workstation doesn't add that info to its ARP table, it just keeps calling out for the same information over and over again, not allowing ANY other network traffic.

.Brian

Was a support ticket opened?


kingdaveontour

We are having the same issue. We have upgraded 900 users to 12.1 RU1 MP1. About 25 users so far get random network drop outs throughout the day.

We have rolled back some client versions and the problem goes away. We have also removed the NTP client component and the problem goes away.

Therefore, we know that the network disconnections are Symantec related but do not know how to go about fixing it other than rolling back or disabling features.

Client PCs are running XP x86.

Any ideas?

.Brian

Was a support ticket opened?


trav531

Are you using any Checkpoint Endpoint products, by any chance?

cus000

Have you tried to escalate this to the Advance Team?

Since you have already pinpointed the possible issue, they should be able to help or advise you.

Also, are there any particular logs found from SEP's NTP or IPS component?

Vippe

I have seen this issue on certain laptops with SEP 12.1 or above on them, and I tracked the issue down to being a configuration issue on the network card.

The laptops we had with the problem were Lenovo T410, X201 and T510 and they all have the same "Intel 82577LM" network card.

The root cause was found to be that the default "Receive buffers" setting for the network card was 80, compared to all other Intel chipsets, which are set to 256. So by setting the Receive buffers to 256 and also "Transmit buffers" to 256 the problem was solved.

We also discovered that uninstalling NTP seemed to solve the issue, but it seems like NTP is not the cause of the problem but having it installed compounds the problem so it appears more frequent.

The problem was reproducible on our systems when you tried to launch a Java applet from an internal website where it had to download the Java application; then it would just die in the download process and the network stopped working.

So check the setting of the "Send Buffers" & "Transmit Buffers" in the advanced settings for your network card.

kingdaveontour

Hi Vippe

Thanks for your reply.

I have checked several of the problem PCs and they all show 256 / 640.

None are below this number...

Back to the drawing board.

I am in the process of removing NTP from all 900 users!!

:-(

Ashish-Sharma

Hi,

Are you removing NTP from all systems?

Why have you not raised a support ticket for the same?

Thanks In Advance

Ashish Sharma

kingdaveontour

We have raised 3 now - they either do not get back to us, close the ticket or try to contact us at 11PM local time.....

Looking at a different product now..

Wayne1

Funny, we have exactly the same symptoms with SEP 12.1 RU2 but without NTP installed!

In our local network all the Server 2008 R2 SP1 fileservers have SEP 12.1 without NTP installed. They all provide shares with mapped drives to all our client computers; WinXP and Win7. During the client login, the login script maps all the drives to these servers, but after a while the mapped drives have a red X in the Windows Explorer on the Win7 clients; WinXP clients never have any disconnected drives. SEP 12.1 is installed on all computers without Firewall, just basic AV components.

First we checked all the Windows settings and changed a lot serverside...

disabled autodisconnect on the servers kb297684
set keepconn to 65535 on each Win7
disabled Chimney Offload State
completely disabled IPv6 on both sides
updated all NIC drivers
disabled power saving on all NIC
played with the Spanning-tree and portfast settings on Cisco switches
set the keep alive interval on 120 seconds
disabled NetBIOS over TCP/IP on some test computers

We haven't any DNS problems, we can't see any disconnects or dropped packets on our Cisco switches and we have the same behaviour not just with one Windows 2008 R2 server.

After a Wireshark trace on both sides, we could see that after the login script mapped the drives, the Server 2008 sends the keep alive packets on TCP445 to the client and the client responds with ACK each 120 seconds. But after a while the server doesn't send any keep alive packet anymore, instead it sends out a TCP445 RST, ACK packet and resets the connection. Immediately the clients have a red X in the Explorer. Sometimes it takes longer when the client is keeping the Explorer open instead of closing the Explorer, but it happens as well. But it happens after different time periods, sometimes twice a day, sometimes more often.

So we changed the 2008 server to only use SMB1 and disabled SMB2 and the problem did not occur anymore. So fact 1, it happened just with the SMB2 protocol, SMB1 isn't affected, that's why we have seen the problem only with Win7 and never with XP clients.
Then we activated again SMB2 and uninstalled SEP 12.1 on the Server 2008 R2 and boom, the problem was solved! No disconnects anymore after we uninstalled SEP 12.1.

So fact 2, SEP is responsible for the disconnects.

What we realized as well is that when SEP was installed and running on the server, the nonpaged memory pool usage was very high. 2.7GB of the total 8GB memory was nonpaged memory. After we uninstalled SEP the value went down to 60MB. So maybe SEP just has a memory leak and that's how it affects the OS with sending keepalive packets.

We opened a ticket now at Symantec.
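
The pattern Wayne1 describes from the trace (the server on TCP 445 goes quiet past the 120-second keep-alive interval, then sends RST, ACK) can be checked across a whole capture rather than by eye. This is an added example, not part of the thread; it assumes the capture was exported to CSV rows of time, source, source port, destination, destination port and hex TCP flags, and the sample rows, addresses and function name are constructed for illustration.

```python
import csv
import io

SMB_PORT = 445
RST, ACK = 0x04, 0x10  # TCP flag bits

# Constructed sample rows (not from the thread):
# time_s, src, sport, dst, dport, tcp_flags (hex)
SAMPLE = """\
0.0,10.0.0.5,445,10.0.0.50,49201,0x018
5.0,10.0.0.5,445,10.0.0.51,49310,0x018
120.0,10.0.0.5,445,10.0.0.50,49201,0x010
120.1,10.0.0.50,49201,10.0.0.5,445,0x010
125.0,10.0.0.5,445,10.0.0.51,49310,0x010
240.0,10.0.0.5,445,10.0.0.50,49201,0x010
240.1,10.0.0.50,49201,10.0.0.5,445,0x010
300.0,10.0.0.52,49400,10.0.0.5,445,0x004
610.0,10.0.0.5,445,10.0.0.50,49201,0x014
"""

def server_resets(capture_csv, keepalive_s=120.0):
    """Find resets sent by the SMB server and how long it was silent before each."""
    last_server_seen = {}  # (server, client, client_port) -> time of last server segment
    findings = []
    for row in csv.reader(io.StringIO(capture_csv)):
        if not row:
            continue
        t, src, sport, dst, dport, flags = row
        t, sport, dport, flags = float(t), int(sport), int(dport), int(flags, 16)
        if sport != SMB_PORT:
            continue  # only the server-to-client direction matters here
        key = (src, dst, dport)
        if flags & RST:
            prev = last_server_seen.get(key)
            gap = None if prev is None else t - prev
            findings.append({
                "server": src, "client": dst, "client_port": dport,
                "reset_at": t, "rst_ack": bool(flags & ACK),
                "silent_for": gap,
                # True when the server skipped at least one keep-alive before resetting
                "keepalive_missed": gap is not None and gap > keepalive_s,
            })
        else:
            last_server_seen[key] = t
    return findings

if __name__ == "__main__":
    for f in server_resets(SAMPLE):
        print(f)
```

Correlating the `reset_at` times with nonpaged pool usage on the server at those moments would show whether the resets track the memory growth described above.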