Unusual SMB Behaviour

M K 1 Reputation point
2022-08-10T11:24:24.98+00:00

Hi all

We have windows 10 computers and windows server 2012 R2 as our file storage. We are running 21h2 baseline in our environment. All of this had been in place for about 2 months.

Since last Friday we are seeing large number of SRVSVC connections from users to our file server. This is causing the machines to crash until we kill those connections. Sometimes they will instantly come back and crash the machine. We might have to do it a few times before the machine becomes unusable. If we manage to connect to the machine and then close the outlook and word or other open files this will then close all of the sessions and make the machine usable again. This is not happening to everyone and is affecting 10-12 people a day at different times of the day. When looking at the network traffic we can see a lot of traffic on port 445, which is SMB traffic but with only outlook and maybe a file or two on the end-user machine this should not be causing them such issues.

This had started to happen, as mentioned earlier, randomly Friday last week with no other changes done to any policies or otherwise on the network, so there is nothing for us to rever to try and tackle it.

Restarting the server or the machine resolves the issue for a little while. That being said we cannot reboot the file server in the middle of the day.

Today we have had a few different users with the same issue on a 2016 file server.

Equally, we are seeing some users' session file count go through the roof with one user having 1051 files open simultaneously today. That user have not called to complain about the PC crashing and the slowness like other users but it could be related.

Honestly, we have no idea what could be causing this and how to track it down and then rever engineer the resolution for us.

Any and all advice and answers will be greatly appreciated.

Regards,
Marek

Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,528 questions
Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,117 questions
Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,271 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Limitless Technology 39,351 Reputation points
    2022-08-11T15:40:31.81+00:00

    Hi there,

    Did you notice any specific Event ID in the Event viewer? You can also use the Promon to identify the exact reason for the issue. Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry, and process/thread activity. https://learn.microsoft.com/en-us/sysinternals/downloads/procmon

    In general, SMB Multichannel relies on Windows Networking to figure out routing and creating address pairs. If you see different behavior on different servers, there's probably some minor difference in the configuration. It would be interesting to see the output of Get-SmbMultichannelConnection (and also Get-SmbMultichannelConnection -IncludeNotSelected | Select *) on both systems to dig deeper.

    The below thread discusses the same issue and you can try out some troubleshooting steps from this and see if that helps you to sort the Issue. https://social.technet.microsoft.com/Forums/windowsserver/en-US/de97b95b-da28-4cdc-94c8-67b1a4d680b3/smb-multichannel-strange-behaviour?forum=winserver8gen

    ----------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–

    0 comments