Tracking Down Severity 20 Error


Brandie Tarvin
I just received a Severity 20 Error Alert:


DATE/TIME:   8/31/2011 6:32:30 AM

DESCRIPTION:   Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: XXX.XXX.XXX.XXX]

COMMENT:   (None)

JOB RUN:   (None)


I'm trying to track down the process that caused this statement error. The SQL Error Log just reiterates this same message. Of interesting note, while the Event Viewer Application Log reiterates the error, the next message is a warning that says:


Event Type:   Warning
Event Source:   McLogEvent
Event Category:   None
Event ID:   258
Date:      8/31/2011
Time:      6:33:02 AM
User:      NT AUTHORITY\SYSTEM
Computer:   <MyServerName>
Description:
Would be blocked by port blocking rule (rule is in warn-only mode) (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).


But so far as I can tell, the job that ran right before this, stopped a good minute & 1/2 before the severity 20 error got generated and there was not another job running until 5 minutes after the error generated. So I can't see the email warning being connected.

Any thoughts of other things I can check?

Brandie Tarvin, MCITP Database Administrator
LiveJournal Blog: http://brandietarvin.livejournal.com/
On LinkedIn!, Google+, and Twitter.
Freelance Writer: Shadowrun
Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

Jo Pattyn
Check any network modification parameters (firewall, network card settings, switch configuration...).

We had mysterious errors about packets when:
- a firewall had extra ora_net filtering on (Oracle)
- TCP offloading was enabled on a network card, causing the FTP server to drop connections

ALZDBA
fwiw this is where google leads me to
http://blogs.msdn.com/b/sql_protocols/archive/2006/09/30/sql-server-2005-remote-connectivity-issue-troubleshooting.aspx

or http://www.sqlservercentral.com/Forums/Topic464100-146-1.aspx

Johan


Roy Ernest
Looks more like a port scanner running on your DB box. Or a service trying to identify all the servers in the network.

-Roy
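
Added example, not part of the thread: one way to follow up on the port-scanner suggestion is to group the packet-length errors in the SQL Server error log by their `[CLIENT: ...]` address and note which clients never completed a login. The log lines below are constructed, the addresses are documentation-range placeholders, and the `never_logged_in` check assumes successful logins are being audited to the error log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input in SQL Server error-log layout (timestamp, source, text).
# Addresses come from the documentation range 192.0.2.0/24, not from the thread.
MSG = ("Length specified in network packet payload did not match number of "
       "bytes read; the connection has been closed. Please contact the vendor "
       "of the client library.")
SAMPLE_LOG = "\n".join([
    "2011-08-31 06:30:58.41 Logon       Login succeeded for user 'app_svc'. "
    "Connection made using SQL Server authentication. [CLIENT: 192.0.2.10]",
    f"2011-08-31 06:32:30.07 Logon       {MSG} [CLIENT: 192.0.2.77]",
    f"2011-08-31 06:37:30.11 Logon       {MSG} [CLIENT: 192.0.2.77]",
    f"2011-08-31 06:40:02.90 Logon       {MSG} [CLIENT: 192.0.2.10]",
    "2011-08-31 06:41:00.00 spid52      Some entry without a client tag",
])

# timestamp, source column, message text, client address
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+(\S+)\s+"
                  r"(.*?)\s*\[CLIENT: ([^\]]+)\]\s*$")

def triage(log_text):
    """Group packet-length errors by client and flag clients that never logged in."""
    errors, logged_in = defaultdict(list), set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # continuation lines and entries without [CLIENT: ...]
        ts, _source, text, client = m.groups()
        if text.startswith("Length specified in network packet payload"):
            errors[client].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
        elif text.startswith("Login succeeded"):
            logged_in.add(client)
    report = []
    for client, times in sorted(errors.items()):
        report.append({
            "client": client,
            "count": len(times),
            "first": min(times),
            "last": max(times),
            # Heuristic: a host that only ever sends malformed packets is more
            # likely a scanner or probe than a misbehaving application client.
            "never_logged_in": client not in logged_in,
        })
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

A client that appears only with this error and repeats at a steady interval fits a scheduled scan or monitoring probe; a client that also logs in normally points back toward its driver or the network path.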
venoym
The first error message actually looks a lot like the dynamic packet sizing (autotuning) in Windows 7 and what it did to places like Pandora.com (i.e. disconnect every few seconds).

link to speedguide.net to check/modify:
http://www.speedguide.net/articles/windows-7-vista-2008-tweaks-2574



edit: added link
calvo
I get this message when we do vulnerability scans doing port scans, as Roy mentioned.
I've also received this message when trying to telnet to the SQL box.

IMHO, it's a serious message that usually means an intrusion attempt.

SanDroid
Brandie Tarvin (8/31/2011)
I just received a Severity 20 Error Alert:

next message is a warning that says:

Event Type:   Warning
Event Source:   McLogEvent
Event Category:   None
Event ID:   258
Date:      8/31/2011
Time:      6:33:02 AM
User:      NT AUTHORITY\SYSTEM
Computer:   <MyServerName>
Description:
Would be blocked by port blocking rule (rule is in warn-only mode) (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).


This Event Log is obviously from McAfee.
That email warning and what you are describing would make me check for anything McAfee might be doing on that server since the last Virus/Spam/BlackHole lists update.
Since that log message is from McAfee, check all your McAfee settings for that server.
Also, McAfee is telling you that something tried to do a mass email.
Is that something this server usually does? If it does, this is what McAfee has to say about it.

McLogEvent - Event 258

This warning is informational only and can be safely ignored.

To disable these type of messages, do the following.

Run the McAfee Virus Scan Console
Select Tools -- Alerts
Click the 'Additional Alerting Options' Tab
Change the severity folder to severity < 4
Click OK

Brandie Tarvin
I'll double-check the information on these links, but this isn't a new server.

What's frustrating is I can't figure out what the source of the error was since there's no job name. I have no idea what process caused this mess.

Brandie Tarvin
Roy Ernest (8/31/2011)
Looks more like a port scanner running on your DB box. Or a service trying to identify all the servers in the network.


Oh, hey. Corporate put a new monitoring trace on all our servers recently. I wonder if that's the culprit.

Brandie Tarvin
Thanks for the input, all. I will check all of the above to see if I can track this down. Everything you've mentioned is a possibility, but at least I know where to start now.
