August 31, 2011 at 4:51 am
I just received a Severity 20 Error Alert:
DATE/TIME:8/31/2011 6:32:30 AM
DESCRIPTION:Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: XXX.XXX.XXX.XXX]
COMMENT:(None)
JOB RUN:(None)
I'm trying to track down the process that caused this statement error. The SQL Error Log just reiterates this same message. Of interesting note, while the Event Viewer Application Log reiterates the error, the next message is a warning that says:
Event Type:Warning
Event Source:McLogEvent
Event Category:None
Event ID:258
Date:8/31/2011
Time:6:33:02 AM
User:NT AUTHORITY\SYSTEM
Computer:<MyServerName>
Description:
Would be blocked by port blocking rule (rule is in warn-only mode) (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).
But so far as I can tell, the job that ran right before this stopped a good minute and a half before the severity 20 error was generated, and there was not another job running until 5 minutes after the error was generated. So I can't see the email warning being connected.
Any thoughts of other things I can check?
August 31, 2011 at 5:08 am
Check any network modification parameters (firewall, network card setting, switch configuration...).
We had mysterious errors about packets when:
- a firewall had extra ora_net filtering on (Oracle)
- TCP offloading was enabled on a network card, causing the FTP server to drop connections
August 31, 2011 at 5:23 am
fwiw this is where google leads me to:
or http://www.sqlservercentral.com/Forums/Topic464100-146-1.aspx
Johan
Learn to play, play to learn!
Don't drive faster than your guardian angel can fly ...
but keeping both feet on the ground won't get you anywhere
August 31, 2011 at 6:26 am
Looks more like a port scanner running on your DB box. Or a service trying to identify all the servers in the network.
-Roy
August 31, 2011 at 7:23 am
The first error message actually looks a lot like the dynamic packet sizing (autotuning) in Windows 7 and what it did to places like Pandora.com (i.e. disconnect every few seconds).
link to speedguide.net to check/modify:
http://www.speedguide.net/articles/windows-7-vista-2008-tweaks-2574
edit: added link
August 31, 2011 at 7:43 am
I get this message when we do vulnerability scans doing port scans, as Roy mentioned.
I've also received this message when trying to telnet to the SQL box.
IMHO, it's a serious message that usually means an intrusion attempt.
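An added example, not part of the original thread: the only source identifier in the alert is the `[CLIENT: ...]` address, so one way to trace it is to group these errors by client and check for short bursts, the pattern the port-scan replies describe. The log line layout, the sample lines, the `summarize` helper and its thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MSG = ("Length specified in network packet payload did not match number of "
       "bytes read; the connection has been closed. Please contact the vendor "
       "of the client library.")

# Constructed sample: the "timestamp source message" layout is an assumption,
# and the client addresses are documentation-range placeholders.
SAMPLE_LOG = "\n".join([
    f"2011-08-31 06:32:30.12 Logon       {MSG} [CLIENT: 192.0.2.10]",
    f"2011-08-31 06:32:30.95 Logon       {MSG} [CLIENT: 192.0.2.10]",
    f"2011-08-31 06:32:31.40 Logon       {MSG} [CLIENT: 192.0.2.10]",
    "2011-08-31 06:40:02.00 spid52      Starting up database 'tempdb'.",
    f"2011-08-31 09:15:44.31 Logon       {MSG} [CLIENT: 198.51.100.7]",
])

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+\S+\s+"
    r"Length specified in network packet payload.*\[CLIENT: ([^\]]+)\]")

def summarize(log_text, window=timedelta(seconds=10), burst=3):
    """Group the payload-length errors by client and flag scan-like bursts."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            hits[m.group(2).strip()].append(when)
    report = {}
    for client, times in hits.items():
        times.sort()
        peak, start = 0, 0
        # Sliding window: the most errors this client produced within `window`.
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        report[client] = {"count": len(times), "first": times[0],
                          "last": times[-1], "scan_like": peak >= burst}
    return report

if __name__ == "__main__":
    for client, info in summarize(SAMPLE_LOG).items():
        print(client, info["count"], info["first"], info["last"],
              "burst" if info["scan_like"] else "isolated")
```

A client flagged as a burst can then be checked against the schedule of known scanners or monitoring tools; an isolated hit is more consistent with a single stray connection such as the telnet test mentioned above.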
August 31, 2011 at 8:37 am
Brandie Tarvin (8/31/2011)
next message is a warning that says:
Event Type:Warning
Event Source:McLogEvent
Event Category:None
Event ID:258
Date:8/31/2011
Time:6:33:02 AM
User:NT AUTHORITY\SYSTEM
Computer:<MyServerName>
Description:
Would be blocked by port blocking rule (rule is in warn-only mode) (Anti-virus Standard Protection:Prevent mass mailing worms from sending mail).
This Event Log is obviously from McAfee.
That email warning and what you are describing would make me check for anything McAfee might be doing on that server since the last Virus/Spam/BlackHole lists update.
Since that log message is from McAfee, check all your McAfee settings for that server.
Also, McAfee is telling you that something tried to do a mass email.
Is that something this server usually does? If it does, this is what McAfee has to say about it.
McLogEvent - Event 258
This warning is informational only and can be safely ignored.
To disable these types of messages, do the following:
Run the McAfee Virus Scan Console
Select Tools -- Alerts
Click the 'Additional Alerting Options' Tab
Change the severity folder to severity < 4
Click OK
August 31, 2011 at 8:46 am
ALZDBA (8/31/2011)
fwiw this is where google leads me to: or http://www.sqlservercentral.com/Forums/Topic464100-146-1.aspx
I'll double-check the information on these links, but this isn't a new server.
What's frustrating is I can't figure out what the source of the error was since there's no job name. I have no idea what process caused this mess.
August 31, 2011 at 8:47 am
Roy Ernest (8/31/2011)
Looks more like a port scanner running on your DB box. Or a service trying to identify all the servers in the network.
Oh, hey. Corporate put a new monitoring trace on all our servers recently. I wonder if that's the culprit.
August 31, 2011 at 8:48 am
Thanks for the input, all. I will check all of the above to see if I can track this down. Everything you've mentioned is a possibility, but at least I know where to start now.