Hello,
Based on your description, this behavior is commonly observed after upgrading from Windows Server 2012 R2 to Windows Server 2016 because the newer TCP/IP and security stack handles Always On Availability Group traffic differently, especially regarding dynamic ports, NIC binding order, and cluster network validation. In Windows Server 2016, return traffic from the SQL listener may originate from a different interface, IP, or ephemeral port range than what the client firewall previously learned to trust, which can cause endpoint security products or local Windows Defender Firewall policies to classify the session as unsolicited traffic.
Even if the server-side firewall is disabled, the client still validates stateful inbound responses locally, so if asymmetric routing, dynamic RPC ports, or MultiSubnetFailover behavior changed after the migration, the workstation may require explicit trust rules. I recommend first validating whether the listener is now responding through a different subnet, NIC team, or load-balancing path compared to the previous 2012 R2 environment. Additionally, please confirm whether the SQL listener is using static ports only and whether the client endpoints have any third-party endpoint protection or advanced network inspection enabled, as these frequently interfere with AG listener traffic after OS upgrades.
From the Windows networking perspective, it would also be useful to capture simultaneous network traces from both client and cluster nodes using Wireshark or netsh trace to confirm whether the return packets are being dropped due to state mismatch or profile classification changes. We have also seen cases where the Windows Server 2016 upgrade resets RSS, Chimney Offload, or VMQ behavior, indirectly affecting how clients interpret the traffic flow.
At this stage, the issue does not appear to be a SQL Always On failure itself, but rather a client-side stateful inspection or traffic classification issue triggered by changes introduced during the operating system upgrade.
If you find this explanation helpful, please consider clicking “Accept Answer”
Jason