"user access disconnected" messages logged when a utility, or monitor tool scans tcp port 1680
|Article:TECH22081|||||Created: 2006-10-04|||||Updated: 2009-06-05|||||Article URL http://www.symantec.com/docs/TECH22081|
|NOTE: If you are experiencing this particular known issue, we recommend that you Subscribe to receive email notification each time this article is updated. Subscribers will be the first to learn about any releases, status changes, workarounds or decisions made.|
Erroneous " user access disconnected" messages when a utility, or some other action, polls or monitors
Erroneous "User X has disconnected" messages on the Carbon Copy agent systems will occur if the "notify on disconnect" option is enabled. These messages are again a result of the Carbon copy agent perceiving the port scan function as a connection attempt. When a timeout subsequently occurs, the erroneous notify and disconnect message appears.
When the Carbon copy agent service properly loads, it continually is monitoring TCP port 1680 in its process to wait for incoming calls and connection requests. Certain antivirus and other third-party utilities will monitor or scan TCP ports. When these utilities access TCP port 1680, Carbon copy perceives this as a connection attempt. The Carbon copy agent engages in a continuous loop of attempting to process what it perceives as an incoming connection requests. The Carbon Copy kernel (shellker.exe) which is engaged in this process, will utilize up to 100 percent CPU utilization.
They carbon copy 6.2 solution release resolves issues that are specific to the Carbon Copy Client when a utility or some other action polls or monitors TCP port 1680. The following represents specific problem symptoms resolved in this release:
1) When the cc client has the "notify on disconnect" option enabled, an erroneous "USERx has disconnected" will be generated.
2) When the above message is generated, a corresponding NSE (Notification Server Event) will be sent to Notification Server for processing, creating unneeded traffic on the network.
3) Shellker.exe will exhibit a temporary CPU utilization spike lasting 30-60 seconds and spiking between 75%-100%.
Article URL http://www.symantec.com/docs/TECH22081