Article ID: 898060
Article Last Modified on 10/11/2007
APPLIES TO
- Microsoft Windows Server 2003 SP1, when used with:
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
- Microsoft Windows Server 2003, Standard x64 Edition
- Microsoft Windows Server 2003, Enterprise x64 Edition
- Microsoft Windows Server 2003, Datacenter x64 Edition
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Home Edition
- Microsoft Windows XP Professional
- Microsoft Windows XP Professional
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows 2000 Professional Edition
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Professional x64 Edition
SYMPTOMS
Network connectivity between clients and servers may fail. This failure occurs after the installation of either security update MS05-019 or Microsoft Windows Server 2003 Service Pack 1 (SP1). Any one or more of the following symptoms may occur:
- Inability to connect to terminal servers or to file share access.
- Failure of domain controller replication across WAN links.
- Inability of Microsoft Exchange servers to connect to domain controllers.
- Requests to a server that is running Microsoft Internet Information Services (IIS) may either time out or may become very slow.
These symptoms are more likely to occur in WAN and LAN scenarios. These scenarios typically exist where routers and data-link level protocols that have different Maximum Transmission Units (MTUs) are used over the network. In this scenario, the sending host can receive several Internet Control Message Protocol (ICMP) destination unreachable messages that have MTU updates for a destination. These symptoms are most likely to occur if the following conditions are true:
- During the PathMTUDiscovery process, several routers on the route to the destination send MTU updates to the source host. One of the possible reasons for this could be that source and destination hosts are in different WAN segments. Additionally, these segments are connected through a tunnel with a small MTU.
- Network load balancing, dynamic routing, or both are used. In this scenario, there are several possible routes to a destination that has MTUs that differ from the MTU of the sending subnet and that differ from each other. Therefore, changing the route of IP packets over time can produce several MTU updates for the destination address.
Note There may be some other similar scenarios where these symptoms occur. These scenarios can typically be diagnosed by sniffing the network traffic on either the source host side or on one of the intermediate network routers. If there are multiple ICMP destination unreachable messages sent over time for a destination, the source host that has the MS05-019 security update or Windows Server 2003 SP1 installed is likely to have this problem.
CAUSE
This problem occurs because the code incorrectly increments the number of host routes on the computer when the code modifies the MTU size of a host route. The maximum number of host routes is controlled by the registry value in MaxIcmpHostRoutes. The default number of host routes is 10,000. Because of the incorrect increment, the number of host routes eventually reaches the maximum value. After the maximum value is reached, the ICMP packets are ignored.
Note The default number of host routes was incorrectly listed as 1,000 in the original version of this article. The change to 10,000 reflects a correction, not a code change.
RESOLUTION
Security update information
To resolve this problem, install security update 913446 (security bulletin MS06-007). For more information about how to obtain and install security update 913446, visit the following Microsoft Web site:
Note Security update 913446 (security bulletin MS06-007) supersedes this hotfix (898060). For more information, click the following article number to view the article in the Microsoft Knowledge Base:
913446 MS06-007: Vulnerability in TCP/IP could allow denial of service
Security update 913446 also supersedes security update 893066 (security bulletin MS05-019). For more information about security update 893066, click the following article number to view the article in the Microsoft Knowledge Base:
893066 MS05-019: Vulnerabilities in TCP/IP could allow remote code execution and denial of service
Note Security update 893066 has been updated to correct this problem for the original release version of Windows Server 2003. If you deploy security update 913446, you do not have to deploy hotfix 898060 or security update 893066. Security update 893066 does not apply to Windows Server 2003 with Service Pack 1.
Hotfix information
Note This hotfix information is applicable only to x86-based versions, Itanium-based versions, and x64-based versions of Windows Server 2003 with Service Pack 1 and to x64-based versions of Windows XP Professional.
A supported hotfix is now available for download from the Microsoft Download Center.
Microsoft Windows Server 2003, x86-based versions with Service Pack 1
Microsoft Windows Server 2003, Itanium-based versions with Service Pack 1
Microsoft Windows Server 2003, x64-based versions
Microsoft Windows XP, x64-based versions
http://www.microsoft.com/downloads/details.aspx?FamilyId=E15C903D-8B6F-4B72-A8F3-BD58517AB156&displaylang=en
The hotfix corrects the network-connectivity problem that is described in this Microsoft Knowledge Base article. We recommend that you apply the hotfix to the systems that are experiencing this specific problem. You may also want to consider installing this hotfix to help prevent future connectivity problems similar to this one.
The updated hotfix for Windows Server 2003 Service Pack 1 (SP1) contains a change that addresses an issue that you experience only when you run Internet Security Systems (ISS) products.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.
Microsoft Windows Server 2003, x86-based versions with Service Pack 1
Date Time Version Size File name Platform Folder -------------------------------------------------------------------------- 26-May-2005 01:06 5.2.3790.2453 333,312 Tcpip.sys x86 SP1GDR 26-May-2005 01:10 5.2.3790.2453 333,312 Tcpip.sys x86 SP1QFE
Microsoft Windows Server 2003, Itanium-based versions with Service Pack 1
Date Time Version Size File name Platform Folder -------------------------------------------------------------------------- 26-May-2005 02:17 5.2.3790.2453 1,116,160 Tcpip.sys IA-64 SP1GDR 26-May-2005 02:17 5.2.3790.2453 1,116,160 Tcpip.sys IA-64 SP1QFE
Microsoft Windows Server 2003, x64-based versions
Date Time Version Size File name Platform Folder -------------------------------------------------------------------------- 26-May-2005 02:32 5.2.3790.2453 702,976 Tcpip.sys x64 SP1GDR 26-May-2005 02:32 5.2.3790.2453 702,976 Tcpip.sys x64 SP1QFE
Microsoft Windows XP, x64-based versions
Date Time Version Size File name Platform Folder -------------------------------------------------------------------------- 26-May-2005 02:32 5.2.3790.2453 702,976 Tcpip.sys x64 SP1GDR 26-May-2005 02:32 5.2.3790.2453 702,976 Tcpip.sys x64 SP1QFE
Note The file information is the same for x64-based versions of Microsoft Windows Server 2003 and for x64-based versions of Microsoft Windows XP.
WORKAROUND
To work around this problem, set the default MTU size to the largest size that the routers can process. The actual MTU value that is required to work around this problem depends on the network configuration. However, an MTU value of 576 should help reduce the effect of the problem because routers on the Internet should be able to handle such packets without fragmentation. You must restart the computer for this registry change to take effect. For more information about how to change the MTU registry settings, click the following article numbers to view the articles in the Microsoft Knowledge Base:
120642 TCP/IP and NBT configuration parameters for Windows 2000 or Windows NT
314053 TCP/IP and NBT configuration parameters for Windows XP
Important Depending on the network configuration and typical networking applications used, setting a low default MTU value can cause the network performance to decrease.
MORE INFORMATION
The MTU parameter overrides the default Maximum Transmission Unit (MTU) for a network interface. The MTU is the maximum packet size in bytes that the transport transmits over the underlying network. The size includes the transport header. An IP datagram can span multiple packets. Values larger than the default value for the underlying network cause the transport to use the network default MTU. Values smaller than 68 cause the transport to use an MTU of 68.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\ID for Adapter
Value Type: REG_DWORD Number
Valid Range: 68 to the MTU of the underlying network
Default: 0xFFFFFFFF
Note ID for Adapter is the network adapter to which TCP/IP is bound. To determine the relationship between an adapter ID and a network connection, view HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\ID for Adapter\Connection. The Name value in these keys provides the friendly name for a network connection that is used in the Network Connections folder. Values under these keys are specific to each adapter. Parameters that have a DHCP configured value and a statically configured value may not exist. Their existence depends on whether the computer or the adapter is DHCP configured and whether static override values are specified.
The following network trace illustrates the problem.
001 CLIENT TRMSRV TCP Control Bits: ....S., len: 0, seq:1962957351-1962957352, ack: 0, win:65535, src: 1083 dst: 3389
002 TRMSRV CLIENT TCP Control Bits: .A..S., len: 0, seq:3814299443-3814299444, ack:1962957352, win:17520, src: 3389 dst: 1083
003 TRMSRV CLIENT TCP Control Bits: .A..S., len: 0, seq:3814299443-3814299444, ack:1962957352, win:17520, src: 3389 dst: 1083
004 CLIENT TRMSRV TCP Control Bits: .A...., len: 0, seq:1962957352-1962957352, ack:3814299444, win:65535, src: 1083 dst: 3389
005 CLIENT TRMSRV TCP Control Bits: .AP..., len: 39, seq:1962957352-1962957391, ack:3814299444, win:65535, src: 1083 dst: 3389
006 TRMSRV CLIENT TCP Control Bits: .AP..., len: 11, seq:3814299444-3814299455, ack:1962957391, win:17481, src: 3389 dst: 1083
007 CLIENT TRMSRV TCP Control Bits: .A...., len: 280, seq:1962957391-1962957671, ack:3814299455, win:65524, src: 1083 dst: 3389
008 TRMSRV CLIENT TCP Control Bits: .A...., len: 0, seq:3814299455-3814299455, ack:1962957671, win:17201, src: 3389 dst: 1083
009 CLIENT TRMSRV TCP Control Bits: .AP..., len: 132, seq:1962957671-1962957803, ack:3814299455, win:65524, src: 1083 dst: 3389
010 TRMSRV CLIENT TCP Control Bits: .AP..., len: 333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389 dst: 1083
011 ROUTER TRMSRV ICMP Destination Unreachable: 10.102.45.12 (See frame 009)
Inside 011: Notice the Next Hop MTU being smaller,and router requesting the sender to fragment the packet 10.ICMP: Destination Unreachable: 10.102.45.12 (See frame 009)
ICMP: Packet Type = Destination Unreachable
ICMP: Unreachable Code = Fragmentation Needed, DF Flag Set <<<<
ICMP: Checksum = 0x6FAA
ICMP: Next Hop MTU = 320 (0x140) <<<<
ICMP: Data: Number of data bytes remaining = 28 (0x001C)
ICMP: Description of original IP frame
ICMP: (IP) Version = 4 (0x4)
ICMP: (IP) Header Length = 20 (0x14)
ICMP: (IP) Service Type = 64 (0x40)
ICMP: (IP) Precedence = 0x40
ICMP: (IP) Type of Service = 0x40
ICMP: (IP) Total Length = 373 (0x175)
ICMP: (IP) Identification = 10838 (0x2A56)
ICMP: (IP) Flags Summary = 2 (0x2)
ICMP: .......0 = Last fragment in datagram
ICMP: ......1. = Cannot fragment datagram
ICMP: (IP) Fragment Offset = 0 (0x0) bytes
ICMP: (IP) Time to Live = 127 (0x7F)
ICMP: (IP) Protocol = TCP - Transmission Control
ICMP: (IP) Checksum = 0x8C1D
ICMP: (IP) Source Address = 10.102.1.248
ICMP: (IP) Destination Address = 10.102.45.12
ICMP: (IP) Data: Number of data bytes remaining = 8 (0x0008)
012 CLIENT TRMSRV TCP Control Bits: .AP..., len: 132, seq:1962957671-1962957803, ack:3814299455, win:65524, src: 1083 dst: 3389
013 TRMSRV CLIENT TCP Control Bits: .A...., len: 0, seq:3814299788-3814299788, ack:1962957803, win:17069, src: 3389 dst: 1083
014 TRMSRV CLIENT TCP Control Bits: .AP..., len: 333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389 dst: 1083
TRMSRV ignores the ICMP packet 11, and resends the same packet 10 without fragmentation
015 ROUTER TRMSRV ICMP Destination Unreachable: 10.102.45.12 (See frame 014)
016 TRMSRV CLIENT TCP Control Bits: .AP..., len: 333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389 dst: 1083
017 ROUTER TRMSRV ICMP Destination Unreachable: 10.102.45.12 (See frame 016)
018 TRMSRV CLIENT TCP Control Bits: .AP..., len: 333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389 dst: 1083
019 ROUTER TRMSRV ICMP Destination Unreachable: 10.102.45.12 (See frame 017)
020 CLIENT TRMSRV TCP Control Bits: .AP..., len: 9, seq:1962957803-1962957812, ack:3814299455, win:65524, src: 1083 dst: 3389
021 CLIENT TRMSRV TCP Control Bits: .A...F, len: 0, seq:1962957812-1962957813, ack:3814299455, win:65524, src: 1083 dst: 3389
022 TRMSRV CLIENT TCP Control Bits: .A...., len: 0, seq:3814299788-3814299788, ack:1962957813, win:17060, src: 3389 dst: 1083
023 TRMSRV CLIENT TCP Control Bits: .A.R.., len: 0, seq:3814299788-3814299788, ack:1962957813, win: 0, src: 3389 dst: 1083
024 CLIENT TRMSRV TCP Control Bits: .A...., len: 0, seq:1962957813-1962957813, ack:3814299455, win:65524, src: 1083 dst: 3389
025 TRMSRV CLIENT TCP Control Bits: ...R.., len: 0, seq:3814299455-3814299455, ack:3814299455, win: 0, src: 3389 dst: 1083
Frames 14, 16, 18, are re-sends, and the connection leading to termination in frame 25.
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
REFERENCES
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
900926 Recommended TCP/IP settings for WAN links with a MTU size of less than 576
Keywords: kbqfe kbsecurity kbprb atdownload kbwinserv2003sp2fix KB898060
