Tracking Down Severity 20 Error

  • I just received a Severity 20 Error Alert:

    DATE/TIME:8/31/2011 6:32:30 AM

    DESCRIPTION:Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: XXX.XXX.XXX.XXX]

    COMMENT:(None)

    JOB RUN:(None)

    I'm trying to track down the process that caused this statement error. The SQL Error Log just reiterates this same message. Of interesting note, while the Event Viewer Application Log reiterates the error, the next message is a warning that says:

    Event Type:Warning

    Event Source:McLogEvent

    Event Category:None

    Event ID:258

    Date:8/31/2011

    Time:6:33:02 AM

    User:NT AUTHORITY\SYSTEM

    Computer:<MyServerName>

    Description:

    Would be blocked by port blocking rule (rule is in warn-only mode) (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).

    But so far as I can tell, the job that ran right before this stopped a good minute and a half before the severity 20 error was generated, and there was not another job running until 5 minutes after the error was generated. So I can't see the email warning being connected.

    Any thoughts of other things I can check?

    Brandie Tarvin, MCITP Database Administrator
    LiveJournal Blog: http://brandietarvin.livejournal.com/
    On LinkedIn!, Google+, and Twitter.
    Freelance Writer: Shadowrun
    Latchkeys: Nevermore, Latchkeys: The Bootleg War, and Latchkeys: Roscoes in the Night are now available on Nook and Kindle.

  • Check any network modification parameters (firewall, network card settings, switch configuration...).

    We had mysterious errors about packets when:

    - a firewall had extra ora_net filtering on (Oracle)

    - TCP offloading was enabled on a network card, causing the FTP server to drop connections

  • FWIW, this is where Google leads me to:

    http://blogs.msdn.com/b/sql_protocols/archive/2006/09/30/sql-server-2005-remote-connectivity-issue-troubleshooting.aspx

    or http://www.sqlservercentral.com/Forums/Topic464100-146-1.aspx

    Johan


  • Looks more like a port scanner running on your DB box. Or a service trying to identify all the servers in the network.

    -Roy

  • The first error message actually looks a lot like the dynamic packet sizing (autotuning) in Windows 7 and what it did to places like Pandora.com (i.e. disconnect every few seconds).

    link to speedguide.net to check/modify:

    http://www.speedguide.net/articles/windows-7-vista-2008-tweaks-2574

    edit: added link

  • I get this message when we do vulnerability scans doing port scans, as Roy mentioned.

    I've also received this message when trying to telnet to the SQL box.

    IMHO, it's a serious message that usually means an intrusion attempt.


  • Brandie Tarvin (8/31/2011)


    I just received a Severity 20 Error Alert:

    next message is a warning that says:

    Event Type:Warning

    Event Source:McLogEvent

    Event Category:None

    Event ID:258

    Date:8/31/2011

    Time:6:33:02 AM

    User:NT AUTHORITY\SYSTEM

    Computer:<MyServerName>

    Description:

    Would be blocked by port blocking rule (rule is in warn-only mode) (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).

    This Event Log is obviously from McAfee.

    That email warning and what you are describing would make me check for anything McAfee might be doing on that server since the last Virus/Spam/BlackHole lists update.

    Since that log message is from McAfee, check all your McAfee settings for that server.

    Also McAfee is telling you that something tried to do a mass email.

    Is that something this server usually does? If it does, this is what McAfee has to say about it.

    McLogEvent - Event 258

    This warning is informational only and can be safely ignored.

    To disable these type of messages, do the following.

    Run the McAfee Virus Scan Console

    Select Tools -- Alerts

    Click the 'Additional Alerting Options' Tab

    Change the severity folder to severity < 4

    Click OK

  • I'll double-check the information on these links, but this isn't a new server.

    What's frustrating is I can't figure out what the source of the error was since there's no job name. I have no idea what process caused this mess.


  • Roy Ernest (8/31/2011)


    Looks more like a port scanner running on your DB box. Or a service trying to identify all the servers in the network.

    Oh, hey. Corporate put a new monitoring trace on all our servers recently. I wonder if that's the culprit.


  • Thanks for the input, all. I will check all of the above to see if I can track this down. Everything you've mentioned is a possibility, but at least I know where to start now.

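The alert carries no job name, but every occurrence records a `[CLIENT: ...]` address, so the error log itself can show which host keeps sending malformed packets and whether it behaves like the scanners mentioned in the thread. The following is an added example, not code from any poster: the log line layout, the sample lines, the addresses, and the `SANCTIONED` range are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MSG = ("Length specified in network packet payload did not match number of "
       "bytes read; the connection has been closed. Please contact the vendor "
       "of the client library.")
# Constructed sample lines (assumed layout: timestamp, source, message text).
SAMPLE_LOG = "\n".join([
    f"2011-08-31 06:32:30.41 Logon       {MSG} [CLIENT: 192.0.2.10]",
    f"2011-08-31 06:32:30.87 Logon       {MSG} [CLIENT: 192.0.2.10]",
    "2011-08-31 06:32:31.02 Logon       Login succeeded for user 'app'. [CLIENT: 198.51.100.7]",
    f"2011-08-31 06:32:31.10 Logon       {MSG} [CLIENT: 192.0.2.10]",
    f"2011-08-31 09:15:02.33 Logon       {MSG} [CLIENT: 198.51.100.7]",
    f"2011-08-31 11:40:19.58 Logon       {MSG} [CLIENT: <local machine>]",
])
# Assumption: ranges confirmed with the security team as sanctioned scanners/monitors.
SANCTIONED = [ip_network("192.0.2.0/28")]

LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+"
                  r"Length specified in network packet payload did not match.*"
                  r"\[CLIENT: (?P<client>[^\]]+)\]")

def parse(log_text):
    """Yield (timestamp, client) for each malformed-packet disconnect."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["client"].strip()

def summarize(log_text, burst=3, window=timedelta(seconds=60)):
    """Per client: event count, first/last time, burst flag, sanctioned flag."""
    by_client = defaultdict(list)
    for ts, client in parse(log_text):
        by_client[client].append(ts)
    report = {}
    for client, times in by_client.items():
        times.sort()
        # Burst: any `burst` consecutive events that fall inside `window`.
        is_burst = any(times[i + burst - 1] - times[i] <= window
                       for i in range(len(times) - burst + 1))
        try:
            known = any(ip_address(client) in net for net in SANCTIONED)
        except ValueError:  # non-IP client tags such as "<local machine>"
            known = False
        report[client] = {"count": len(times), "first": times[0], "last": times[-1],
                          "burst": is_burst, "sanctioned": known}
    return report
```

Clients that are not sanctioned are the ones to chase first, whether they show a burst or a single event; a burst from a sanctioned range matches the scan and monitoring explanations given above.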
