Tracking Down Severity 20 Error
Posted Wednesday, August 31, 2011 4:51 AM


I just received a Severity 20 Error Alert:


DATE/TIME: 8/31/2011 6:32:30 AM

DESCRIPTION: Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: XXX.XXX.XXX.XXX]

COMMENT: (None)

JOB RUN: (None)


I'm trying to track down the process that caused this statement error. The SQL Error Log just reiterates this same message. Of interesting note, while the Event Viewer Application Log reiterates the error, the next message is a warning that says:


Event Type: Warning
Event Source: McLogEvent
Event Category: None
Event ID: 258
Date: 8/31/2011
Time: 6:33:02 AM
User: NT AUTHORITY\SYSTEM
Computer: <MyServerName>
Description:
Would be blocked by port blocking rule (rule is in warn-only mode) (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).


But so far as I can tell, the job that ran right before this stopped a good minute and a half before the severity 20 error got generated, and there was not another job running until 5 minutes after the error generated. So I can't see the email warning being connected.

Any thoughts of other things I can check?


Brandie Tarvin, MCITP Database Administrator

Webpage: http://www.BrandieTarvin.net
LiveJournal Blog: http://brandietarvin.livejournal.com/
On LinkedIn!, Google+, and Twitter.

Freelance Writer: Shadowrun
Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.
Post #1167995
Posted Wednesday, August 31, 2011 5:08 AM


Check any network modification parameters (firewall, network card settings, switch configuration, ...).

We had mysterious errors about packets when:
- a firewall had extra ora_net filtering on (Oracle)
- TCP offloading was enabled on a network card, causing the FTP server to drop connections
Post #1168003
Posted Wednesday, August 31, 2011 5:23 AM


FWIW, this is where Google leads me:
http://blogs.msdn.com/b/sql_protocols/archive/2006/09/30/sql-server-2005-remote-connectivity-issue-troubleshooting.aspx

or http://www.sqlservercentral.com/Forums/Topic464100-146-1.aspx


Johan


Don't drive faster than your guardian angel can fly ...
but keeping both feet on the ground won't get you anywhere

Post #1168015
Posted Wednesday, August 31, 2011 6:26 AM


Looks more like a port scanner running on your DB box. Or a service trying to identify all the servers in the network.


-Roy
Post #1168043
Posted Wednesday, August 31, 2011 7:23 AM
The first error message actually looks a lot like the dynamic packet sizing (autotuning) in Windows 7 and what it did to places like Pandora.com (i.e. disconnect every few seconds).

link to speedguide.net to check/modify:
http://www.speedguide.net/articles/windows-7-vista-2008-tweaks-2574



edit: added link
Post #1168084
Posted Wednesday, August 31, 2011 7:43 AM
I get this message when we do vulnerability scans doing port scans, as Roy mentioned.
I've also received this message when trying to telnet to the SQL box.

IMHO, it's a serious message that usually means an intrusion attempt.


Post #1168106
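
One way to follow the `[CLIENT: ...]` address in the alert back to a source when no job is named, as an added example that is not from any poster in this thread: it groups the message by client address in an error log excerpt and flags addresses that produce it in tight bursts. The log line layout, addresses, 60-second window and burst threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

NEEDLE = "Length specified in network packet payload did not match"
# Assumed ERRORLOG layout: "<timestamp> <source>  <message> [CLIENT: <address>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+\S+\s+"
    r"(?P<msg>.*?)\s*\[CLIENT: (?P<client>[^\]]+)\]")

def _line(ts, client):
    """Build one constructed log line carrying the alert text."""
    return (f"{ts} Logon       {NEEDLE} number of bytes read; the connection "
            f"has been closed. Please contact the vendor of the client "
            f"library. [CLIENT: {client}]")

# Constructed sample; addresses come from the documentation ranges.
SAMPLE_LOG = "\n".join([
    _line("2011-08-31 02:10:05.00", "198.51.100.7"),
    _line("2011-08-31 06:32:30.15", "192.0.2.10"),
    _line("2011-08-31 06:32:30.90", "192.0.2.10"),
    "2011-08-31 06:32:31.00 spid52      Starting up database 'tempdb'.",
    _line("2011-08-31 06:32:31.40", "192.0.2.10"),
    _line("2011-08-31 06:45:12.00", "198.51.100.7"),
])

def summarize(log_text, window=timedelta(seconds=60), burst=3):
    """Group the alert by client address; flag tight bursts (heuristic)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and NEEDLE in m.group("msg"):
            seen[m.group("client")].append(
                datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"))
    report = {}
    for client, times in seen.items():
        times.sort()
        # Largest number of alerts that start within one window of each other.
        peak = max(sum(1 for t in times[i:] if t - times[i] <= window)
                   for i in range(len(times)))
        report[client] = {
            "count": len(times), "first": times[0], "last": times[-1],
            "peak_in_window": peak,
            "pattern": "burst" if peak >= burst else "sporadic"}
    return report

if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG).items():
        print(client, info["count"], info["pattern"], info["first"], info["last"])
```

The first and last timestamps per address give a window to compare against scan schedules, monitoring tools and job history.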
Posted Wednesday, August 31, 2011 8:37 AM
Brandie Tarvin (8/31/2011)
I just received a Severity 20 Error Alert:

next message is a warning that says:

Event Type: Warning
Event Source: McLogEvent
Event Category: None
Event ID: 258
Date: 8/31/2011
Time: 6:33:02 AM
User: NT AUTHORITY\SYSTEM
Computer: <MyServerName>
Description:
Would be blocked by port blocking rule (rule is in warn-only mode) (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).


This Event Log is obviously from McAfee.
That email warning and what you are describing would make me check for anything McAfee might be doing on that server since the last Virus/Spam/BlackHole lists update.
Since that log message is from McAfee, check all your McAfee settings for that server.
Also, McAfee is telling you that something tried to do a mass email.
Is that something this server usually does? If it does, this is what McAfee has to say about it.

McLogEvent - Event 258

This warning is informational only and can be safely ignored.

To disable these type of messages, do the following.

Run the McAfee Virus Scan Console
Select Tools -- Alerts
Click the 'Additional Alerting Options' Tab
Change the severity folder to severity < 4
Click OK
Post #1168154
Posted Wednesday, August 31, 2011 8:46 AM




I'll double-check the information on these links, but this isn't a new server.

What's frustrating is I can't figure out what the source of the error was since there's no job name. I have no idea what process caused this mess.


Brandie Tarvin, MCITP Database Administrator

Post #1168164
Posted Wednesday, August 31, 2011 8:47 AM


Roy Ernest (8/31/2011)
Looks more like a port scanner running on your DB box. Or a service trying to identify all the servers in the network.


Oh, hey. Corporate put a new monitoring trace on all our servers recently. I wonder if that's the culprit.


Brandie Tarvin, MCITP Database Administrator

Post #1168166
Posted Wednesday, August 31, 2011 8:48 AM


Thanks for the input, all. I will check all of the above to see if I can track this down. Everything you've mentioned is a possibility, but at least I know where to start now.


Brandie Tarvin, MCITP Database Administrator

Post #1168167