Microsoft KB Archive/898060

= Installing security update MS05-019 or Windows Server 2003 Service Pack 1 may cause network connectivity between clients and servers to fail =

Article ID: 898060

Article Last Modified on 10/11/2007


APPLIES TO

 * Microsoft Windows Server 2003 SP1, when used with:
   * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
   * Microsoft Windows Server 2003, Enterprise Edition
   * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
   * Microsoft Windows Server 2003, Web Edition
   * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
   * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Web Edition
 * Microsoft Windows XP Home Edition
 * Microsoft Windows XP Professional
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Service Pack 3
 * Microsoft Windows 2000 Datacenter Server
 * Microsoft Windows 2000 Professional Edition
 * Microsoft Windows 2000 Service Pack 4
 * Microsoft Windows XP Professional x64 Edition



SYMPTOMS
Network connectivity between clients and servers may fail. This failure occurs after the installation of either security update MS05-019 or Microsoft Windows Server 2003 Service Pack 1 (SP1). Any one or more of the following symptoms may occur:
 * Inability to connect to terminal servers or to file share access.
 * Failure of domain controller replication across WAN links.
 * Inability of Microsoft Exchange servers to connect to domain controllers.
 * Requests to a server that is running Microsoft Internet Information Services (IIS) may either time out or may become very slow.

These symptoms are more likely to occur in WAN and LAN scenarios. These scenarios typically exist where routers and data-link level protocols that have different Maximum Transmission Units (MTUs) are used over the network. In this scenario, the sending host can receive several Internet Control Message Protocol (ICMP) destination unreachable messages that have MTU updates for a destination. These symptoms are most likely to occur if the following conditions are true:
 * During the PathMTUDiscovery process, several routers on the route to the destination send MTU updates to the source host. One of the possible reasons for this could be that source and destination hosts are in different WAN segments. Additionally, these segments are connected through a tunnel with a small MTU.
 * Network load balancing, dynamic routing, or both are used. In this scenario, there are several possible routes to a destination that has MTUs that differ from the MTU of the sending subnet and that differ from each other. Therefore, changing the route of IP packets over time can produce several MTU updates for the destination address.

Note There may be some other similar scenarios where these symptoms occur. These scenarios can typically be diagnosed by sniffing the network traffic on either the source host side or on one of the intermediate network routers. If there are multiple ICMP destination unreachable messages sent over time for a destination, the source host that has the MS05-019 security update or Windows Server 2003 SP1 installed is likely to have this problem.


CAUSE
This problem occurs because the code incorrectly increments the number of host routes on the computer when the code modifies the MTU size of a host route. The maximum number of host routes is controlled by the MaxIcmpHostRoutes registry value. The default number of host routes is 10,000. Because of the incorrect increment, the number of host routes eventually reaches the maximum value. After the maximum value is reached, the ICMP packets are ignored.

Note The default number of host routes was incorrectly listed as 1,000 in the original version of this article. The change to 10,000 reflects a correction, not a code change.
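The accounting error described above can be reproduced with a small model. This is an added example, not Microsoft's code: the class and function names are hypothetical, and the check order (limit first, then update) is an assumption made for illustration. The MTU values 320 and 576 and the destination address are taken from elsewhere in this article.

```python
MAX_ICMP_HOST_ROUTES = 10_000  # default stated in this article


class HostRouteTable:
    """Simplified model of the host-route counter; not the Tcpip.sys logic."""

    def __init__(self, limit=MAX_ICMP_HOST_ROUTES, buggy=True):
        self.limit, self.buggy = limit, buggy
        self.routes = {}  # destination -> path MTU learned from ICMP
        self.count = 0    # counter that is compared against the limit

    def on_frag_needed(self, dest, next_hop_mtu):
        """Apply an ICMP MTU update; return False if it is ignored."""
        if self.count >= self.limit:
            return False              # limit reached: ICMP packet ignored
        if dest in self.routes:
            self.routes[dest] = next_hop_mtu
            if self.buggy:
                self.count += 1       # defect: a modification counted as a new route
        else:
            self.routes[dest] = next_hop_mtu
            self.count += 1
        return True


def updates_until_ignored(buggy, limit=MAX_ICMP_HOST_ROUTES, cap=50_000):
    """Feed MTU updates for one destination whose route keeps changing.

    Returns (number of the first ignored update or None, real route count).
    """
    table = HostRouteTable(limit, buggy)
    for n in range(1, cap + 1):
        if not table.on_frag_needed("10.102.45.12", 320 if n % 2 else 576):
            return n, len(table.routes)
    return None, len(table.routes)
```

In the buggy model a single destination exhausts the limit after 10,000 accepted updates even though only one host route exists; with the increment removed the limit is never reached.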

RESOLUTION

Security update information
To resolve this problem, install security update 913446 (security bulletin MS06-007). For more information about how to obtain and install security update 913446, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS06-007.mspx

Note Security update 913446 (security bulletin MS06-007) supersedes this hotfix (898060). For more information, click the following article number to view the article in the Microsoft Knowledge Base:

913446 MS06-007: Vulnerability in TCP/IP could allow denial of service

Security update 913446 also supersedes security update 893066 (security bulletin MS05-019). For more information about security update 893066, click the following article number to view the article in the Microsoft Knowledge Base:

893066 MS05-019: Vulnerabilities in TCP/IP could allow remote code execution and denial of service

Note Security update 893066 has been updated to correct this problem for the original release version of Windows Server 2003. If you deploy security update 913446, you do not have to deploy hotfix 898060 or security update 893066. Security update 893066 does not apply to Windows Server 2003 with Service Pack 1.

Hotfix information
Note This hotfix information is applicable only to x86-based versions, Itanium-based versions, and x64-based versions of Windows Server 2003 with Service Pack 1 and to x64-based versions of Windows XP Professional.

A supported hotfix is now available for download from the Microsoft Download Center.

Microsoft Windows Server 2003, x86-based versions with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=A0245532-0ACE-4B85-85BF-758E936173DF&displaylang=en

Microsoft Windows Server 2003, Itanium-based versions with Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=538F2EFC-215B-4907-AF17-22851A370F8C&displaylang=en

Microsoft Windows Server 2003, x64-based versions
http://www.microsoft.com/downloads/details.aspx?FamilyId=BAAFE288-9BC5-479B-88E5-EB7E06EAD443&displaylang=en

Microsoft Windows XP, x64-based versions
http://www.microsoft.com/downloads/details.aspx?FamilyId=E15C903D-8B6F-4B72-A8F3-BD58517AB156&displaylang=en

The hotfix corrects the network-connectivity problem that is described in this Microsoft Knowledge Base article. We recommend that you apply the hotfix to the systems that are experiencing this specific problem. You may also want to consider installing this hotfix to help prevent future connectivity problems similar to this one.

The updated hotfix for Windows Server 2003 Service Pack 1 (SP1) contains a change that addresses an issue that you experience only when you run Internet Security Systems (ISS) products.

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Microsoft Windows Server 2003, x86-based versions with Service Pack 1
<pre class="fixed_text">
Date         Time   Version         Size        File name  Platform  Folder
---------------------------------------------------------------------------
26-May-2005  01:06  5.2.3790.2453   333,312     Tcpip.sys  x86       SP1GDR
26-May-2005  01:10  5.2.3790.2453   333,312     Tcpip.sys  x86       SP1QFE
</pre>

Microsoft Windows Server 2003, Itanium-based versions with Service Pack 1
<pre class="fixed_text">
Date         Time   Version         Size       File name  Platform  Folder
--------------------------------------------------------------------------
26-May-2005  02:17  5.2.3790.2453   1,116,160  Tcpip.sys  IA-64     SP1GDR
26-May-2005  02:17  5.2.3790.2453   1,116,160  Tcpip.sys  IA-64     SP1QFE
</pre>

Microsoft Windows Server 2003, x64-based versions
<pre class="fixed_text">
Date         Time   Version         Size        File name  Platform  Folder
---------------------------------------------------------------------------
26-May-2005  02:32  5.2.3790.2453   702,976     Tcpip.sys  x64       SP1GDR
26-May-2005  02:32  5.2.3790.2453   702,976     Tcpip.sys  x64       SP1QFE
</pre>

Microsoft Windows XP, x64-based versions
<pre class="fixed_text">
Date         Time   Version         Size        File name  Platform  Folder
---------------------------------------------------------------------------
26-May-2005  02:32  5.2.3790.2453   702,976     Tcpip.sys  x64       SP1GDR
26-May-2005  02:32  5.2.3790.2453   702,976     Tcpip.sys  x64       SP1QFE
</pre>

Note The file information is the same for x64-based versions of Microsoft Windows Server 2003 and for x64-based versions of Microsoft Windows XP.


WORKAROUND
To work around this problem, set the default MTU size to the largest size that the routers can process. The actual MTU value that is required to work around this problem depends on the network configuration. However, an MTU value of 576 should help reduce the effect of the problem because routers on the Internet should be able to handle such packets without fragmentation. You must restart the computer for this registry change to take effect. For more information about how to change the MTU registry settings, click the following article numbers to view the articles in the Microsoft Knowledge Base:

120642 TCP/IP and NBT configuration parameters for Windows 2000 or Windows NT

314053 TCP/IP and NBT configuration parameters for Windows XP

Important Depending on the network configuration and typical networking applications used, setting a low default MTU value can cause the network performance to decrease.


MORE INFORMATION
The MTU parameter overrides the default Maximum Transmission Unit (MTU) for a network interface. The MTU is the maximum packet size in bytes that the transport transmits over the underlying network. The size includes the transport header. An IP datagram can span multiple packets. Values larger than the default value for the underlying network cause the transport to use the network default MTU. Values smaller than 68 cause the transport to use an MTU of 68.

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

Value Type: REG_DWORD Number

Valid Range: 68 to

Default: 0xFFFFFFFF

Note is the network adapter to which TCP/IP is bound. To determine the relationship between an adapter ID and a network connection, view HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\ \Connection. The Name value in these keys provides the friendly name for a network connection that is used in the Network Connections folder. Values under these keys are specific to each adapter. Parameters that have a DHCP configured value and a statically configured value may not exist. Their existence depends on whether the computer or the adapter is DHCP configured and whether static override values are specified.

The following network trace illustrates the problem.
<pre class="fixed_text">
001 CLIENT  TRMSRV  TCP  Control Bits: ....S., len:    0, seq:1962957351-1962957352, ack:         0, win:65535, src: 1083  dst: 3389
002 TRMSRV  CLIENT  TCP  Control Bits: .A..S., len:    0, seq:3814299443-3814299444, ack:1962957352, win:17520, src: 3389  dst: 1083
003 TRMSRV  CLIENT  TCP  Control Bits: .A..S., len:    0, seq:3814299443-3814299444, ack:1962957352, win:17520, src: 3389  dst: 1083
004 CLIENT  TRMSRV  TCP  Control Bits: .A...., len:    0, seq:1962957352-1962957352, ack:3814299444, win:65535, src: 1083  dst: 3389
005 CLIENT  TRMSRV  TCP  Control Bits: .AP..., len:   39, seq:1962957352-1962957391, ack:3814299444, win:65535, src: 1083  dst: 3389
006 TRMSRV  CLIENT  TCP  Control Bits: .AP..., len:   11, seq:3814299444-3814299455, ack:1962957391, win:17481, src: 3389  dst: 1083
007 CLIENT  TRMSRV  TCP  Control Bits: .A...., len:  280, seq:1962957391-1962957671, ack:3814299455, win:65524, src: 1083  dst: 3389
008 TRMSRV  CLIENT  TCP  Control Bits: .A...., len:    0, seq:3814299455-3814299455, ack:1962957671, win:17201, src: 3389  dst: 1083
009 CLIENT  TRMSRV  TCP  Control Bits: .AP..., len:  132, seq:1962957671-1962957803, ack:3814299455, win:65524, src: 1083  dst: 3389
010 TRMSRV  CLIENT  TCP  Control Bits: .AP..., len:  333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389  dst: 1083
011 ROUTER  TRMSRV  ICMP  Destination Unreachable: 10.102.45.12  (See frame 009)

Inside 011: Notice the Next Hop MTU being smaller, and router requesting the sender to fragment the packet 10.

ICMP: Destination Unreachable: 10.102.45.12 (See frame 009)
ICMP: Packet Type = Destination Unreachable
ICMP: Unreachable Code = Fragmentation Needed, DF Flag Set       <<<<
ICMP: Checksum = 0x6FAA
ICMP: Next Hop MTU = 320 (0x140)                                 <<<<
ICMP: Data: Number of data bytes remaining = 28 (0x001C)
ICMP: Description of original IP frame
ICMP: (IP) Version = 4 (0x4)
ICMP: (IP) Header Length = 20 (0x14)
ICMP: (IP) Service Type = 64 (0x40)
ICMP: (IP) Precedence = 0x40
ICMP: (IP) Type of Service = 0x40
ICMP: (IP) Total Length = 373 (0x175)
ICMP: (IP) Identification = 10838 (0x2A56)
ICMP: (IP) Flags Summary = 2 (0x2)
ICMP: .......0 = Last fragment in datagram
ICMP: ......1. = Cannot fragment datagram
ICMP: (IP) Fragment Offset = 0 (0x0) bytes
ICMP: (IP) Time to Live = 127 (0x7F)
ICMP: (IP) Protocol = TCP - Transmission Control
ICMP: (IP) Checksum = 0x8C1D
ICMP: (IP) Source Address = 10.102.1.248
ICMP: (IP) Destination Address = 10.102.45.12
ICMP: (IP) Data: Number of data bytes remaining = 8 (0x0008)

012 CLIENT  TRMSRV  TCP  Control Bits: .AP..., len:  132, seq:1962957671-1962957803, ack:3814299455, win:65524, src: 1083  dst: 3389
013 TRMSRV  CLIENT  TCP  Control Bits: .A...., len:    0, seq:3814299788-3814299788, ack:1962957803, win:17069, src: 3389  dst: 1083
014 TRMSRV  CLIENT  TCP  Control Bits: .AP..., len:  333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389  dst: 1083

TRMSRV ignores the ICMP packet 11, and resends the same packet 10 without fragmentation

015 ROUTER  TRMSRV  ICMP  Destination Unreachable: 10.102.45.12  (See frame 014)
016 TRMSRV  CLIENT  TCP  Control Bits: .AP..., len:  333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389  dst: 1083
017 ROUTER  TRMSRV  ICMP  Destination Unreachable: 10.102.45.12  (See frame 016)
018 TRMSRV  CLIENT  TCP  Control Bits: .AP..., len:  333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389  dst: 1083
019 ROUTER  TRMSRV  ICMP  Destination Unreachable: 10.102.45.12  (See frame 017)
020 CLIENT  TRMSRV  TCP  Control Bits: .AP..., len:    9, seq:1962957803-1962957812, ack:3814299455, win:65524, src: 1083  dst: 3389
021 CLIENT  TRMSRV  TCP  Control Bits: .A...F, len:    0, seq:1962957812-1962957813, ack:3814299455, win:65524, src: 1083  dst: 3389
022 TRMSRV  CLIENT  TCP  Control Bits: .A...., len:    0, seq:3814299788-3814299788, ack:1962957813, win:17060, src: 3389  dst: 1083
023 TRMSRV  CLIENT  TCP  Control Bits: .A.R.., len:    0, seq:3814299788-3814299788, ack:1962957813, win:    0, src: 3389  dst: 1083
024 CLIENT  TRMSRV  TCP  Control Bits: .A...., len:    0, seq:1962957813-1962957813, ack:3814299455, win:65524, src: 1083  dst: 3389
025 TRMSRV  CLIENT  TCP  Control Bits: ...R.., len:    0, seq:3814299455-3814299455, ack:3814299455, win:    0, src: 3389  dst: 1083

Frames 14, 16, 18, are re-sends, and the connection leading to termination in frame 25.
</pre>
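The diagnostic that the SYMPTOMS note describes can be automated over trace summary lines in the format shown above. This is an added example, not part of the original article: the function name and regular expressions are hypothetical, and because the summary line does not carry the ICMP code, the "Fragmentation Needed, DF Flag Set" code still has to be confirmed in the frame detail.

```python
import re
from collections import defaultdict

# Frames 009-019, copied from the trace in this article (summary lines only).
TRACE = """\
009 CLIENT  TRMSRV  TCP  Control Bits: .AP..., len:  132, seq:1962957671-1962957803, ack:3814299455, win:65524, src: 1083  dst: 3389
010 TRMSRV  CLIENT  TCP  Control Bits: .AP..., len:  333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389  dst: 1083
011 ROUTER  TRMSRV  ICMP  Destination Unreachable: 10.102.45.12  (See frame 009)
012 CLIENT  TRMSRV  TCP  Control Bits: .AP..., len:  132, seq:1962957671-1962957803, ack:3814299455, win:65524, src: 1083  dst: 3389
013 TRMSRV  CLIENT  TCP  Control Bits: .A...., len:    0, seq:3814299788-3814299788, ack:1962957803, win:17069, src: 3389  dst: 1083
014 TRMSRV  CLIENT  TCP  Control Bits: .AP..., len:  333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389  dst: 1083
015 ROUTER  TRMSRV  ICMP  Destination Unreachable: 10.102.45.12  (See frame 014)
016 TRMSRV  CLIENT  TCP  Control Bits: .AP..., len:  333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389  dst: 1083
017 ROUTER  TRMSRV  ICMP  Destination Unreachable: 10.102.45.12  (See frame 016)
018 TRMSRV  CLIENT  TCP  Control Bits: .AP..., len:  333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389  dst: 1083
019 ROUTER  TRMSRV  ICMP  Destination Unreachable: 10.102.45.12  (See frame 017)
"""

TCP_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+TCP\s.*?len:\s*(\d+), seq:(\d+)-(\d+)")
ICMP_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+ICMP\s+Destination Unreachable")


def find_ignored_pmtu_updates(trace, min_resends=2):
    """Return {host: [frames]} for hosts that resend an identical data segment
    (same sequence range) after an ICMP Destination Unreachable reached them."""
    seen = {}          # (src, dst, seq_start, seq_end) -> first frame number
    notified = set()   # hosts that have received an ICMP Destination Unreachable
    resends = defaultdict(list)
    for line in trace.splitlines():
        m = ICMP_RE.match(line)
        if m:
            # Third column is the host the router sent the ICMP message to.
            notified.add(m.group(3))
            continue
        m = TCP_RE.match(line)
        if not m or int(m.group(4)) == 0:
            continue   # not TCP, or a pure ACK/SYN/FIN with no payload
        frame, src, dst = int(m.group(1)), m.group(2), m.group(3)
        key = (src, dst, m.group(5), m.group(6))
        if key in seen and src in notified:
            resends[src].append(frame)   # unchanged segment size after MTU update
        seen.setdefault(key, frame)
    return {host: frames for host, frames in resends.items() if len(frames) >= min_resends}
```

A sender that honours the MTU update resends the data in smaller segments with different sequence ranges, so it is not reported; CLIENT's retransmission in frame 012 is also not reported because no ICMP message was addressed to CLIENT.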


The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
