Intermittent issues with SMB, maybe NIC, on Windows 2019 server for Tenable scanner.

AsapTesting 1 Reputation point
2020-10-17T00:37:45.147+00:00

We are having an intermittent problem when using tenable.io and cannot pinpoint the issue. We have worked with Tenable support trying to figure this issue out; their response was, and I quote, "ones you get this working the scanning should work." Seems like they have never had this problem. The account we use to scan has the right access and is part of administrators. The troubleshooting links they sent me when tested:
EDIT

https://community.tenable.com/s/article/Troubleshooting-Credential-scanning-on-Windows

net use \\x.x.x.x\ipc$ /user:username password

net use \\x.x.x.x\admin$ /user:username password

reg query \\x.x.x.x\hklm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

net use \\x.x.x.x\ipc$ "" /user:""

^ this command didn't complete; it spat out "System Error 5 has occurred. Access is denied.", but from my understanding I do not want this command to work because then the share can be accessed anonymously. (Please correct me if I am wrong.) This is running cmd in Admin mode too.
EDIT ^
Also they recommended I do a wbemtest which was successful.

Here is what we did outside of Tenable's troubleshooting recommendations. IPs .11 and .16 are both Server1.

  1. Access is denied due to User Account Control (UAC)
    Going into this direction did not resolve the problem.
  2. Next attempt, I moved Server1 from the "restricted server" OU in department to stay away from the CIS-CAT GPOs.
    Still could not get "net use \\111.111.111.11" to work.
  3. Next I thought there was something wrong between Server1 and the COMPANY domain.

a) Check Azure hybrid domain-join, no problem there.

b) Remove Server1 from COMPANY domain but "net use \\111.111.111.11" still didn't work.

THIS is what worked to get the scanning to run on one of our servers.

Go to "Control Panel-Network and Internet-Network and Sharing Center-change network adapter settings"
a) Add a new IP address to the only enabled network interface. I added 111.111.111.16 (in addition to 111.111.111.11 that was already configured.)
b) After that I checked, "net use \\111.111.111.11" still didn't work but "net use \\111.111.111.16" worked.
c) I removed "111.111.111.11" from the IPV4 setting and replaced it with "111.111.111.16" and then added "111.111.111.11" as an additional IP address. Now both "net use \\111.111.111.16" and "net use \\111.111.111.11" worked.
d) I then removed "111.111.111.16" from the IPV4 settings and replaced it with "111.111.111.11" and then added "111.111.111.16" as an additional IP address. Both "net use \\111.111.111.11" and "net use \\111.111.111.16" still worked.
e) After that I rebooted the server and when the server came back up, unfortunately both "net use \\111.111.111.11" and "net use \\111.111.111.16" did not work.
f) I removed "111.111.111.16" from the IPV4 settings and then repeated the steps a) to d) and now both "net use \\111.111.111.11" and "net use \\111.111.111.16" worked.
We are using a Microsoft Network adapter multiplexor driver 10gb LACP trunk.

Please, any ideas as to why this keeps happening? Could this be an SMB negotiation failure, and how do I go about troubleshooting that? It is only happening on one of the servers in the subnet; the rest are able to scan fine.

Windows for business | Windows Server | User experience | Other

3 answers

  1. MotoX80 36,401 Reputation points
    2020-10-17T15:05:49.84+00:00

    I have read your post several times and I am still lost as to your problem and environment.

    It is not clear what 111.111.111.11 and 111.111.111.16 are. Is that Server1? Is that the server that you cannot scan? I have no idea what you are trying to accomplish with all of your comments on those 2 IP's.

    Based on my experience, and I emphasize "my experience" because forum users like me do not have sufficient knowledge of everything you are doing and why. (Refer to your CIS-CAT comment.) I would suggest that you start by verifying that each server has only one IP address and that the name is properly registered in DNS and matches the domain name.

    So if you "nslookup 111.111.111.11" it returns Server1.MyDomain.com (for example). I would also verify that "ping server1" and "ping server1.mydomain.com" also work. You may need to add mydomain.com to the DNS search suffix list on the NIC if the server name does not resolve.

    I am going to assume that you are logged on to ScannerServer.mydomain.com with a mydomain.com userid. And that account is a member of the Administrators group on Server1. And Server1 is also a member of mydomain.com.

    On Server1, verify that the Windows Firewall is configured to log dropped packets.

    https://www.bing.com/search?q=windows+firewall+log+dropped+packets

    On ScannerServer, open a PowerShell prompt and run:

    Test-NetConnection -ComputerName Server1 -CommonTCPPort SMB
    net.exe view \\Server1
    dir \\Server1\c$
    

    If they fail, log on to Server1 and check the Security eventlog for logon or other failures. Check the firewall log for dropped packets.
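
The Server1-side checks from the answer above (bound addresses, DNS agreement, firewall drop log, failed logons), collected into one script as an added PowerShell example that is not part of the original answer. `$ScannerIp` is a placeholder, and the script assumes it is run elevated on Server1 with logging of dropped packets already enabled.

```powershell
# Added example; run elevated on Server1 (the scan target).
$ScannerIp = '192.0.2.10'   # placeholder (documentation range), not from the thread

# 1. Every IPv4 address bound to the host, so it is clear which interface
#    carries which address and with what prefix length.
$addrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' }
$addrs | Format-Table InterfaceAlias, IPAddress, PrefixLength, SkipAsSource

# 2. Forward and reverse DNS should agree with the bound addresses.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
    Format-Table Name, IPAddress
foreach ($a in $addrs) {
    # Resolve-DnsName performs a reverse (PTR) lookup when given an IP address.
    $ptr  = Resolve-DnsName -Name $a.IPAddress -ErrorAction SilentlyContinue
    $name = if ($ptr) { $ptr.NameHost -join ', ' } else { 'no PTR record' }
    "$($a.IPAddress) -> $name"
}

# 3. Is drop logging on, and did the firewall drop the scanner's SMB traffic?
#    Log fields: date time action protocol src-ip dst-ip src-port dst-port ...
$fw = Get-NetFirewallProfile
$fw | Format-Table Name, Enabled, LogBlocked, LogFileName
$pattern = 'DROP TCP {0} \S+ \d+ 445 ' -f [regex]::Escape($ScannerIp)
$fw | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.LogFileName) } |
    Sort-Object -Unique |
    Where-Object { Test-Path $_ } |
    ForEach-Object { Select-String -Path $_ -Pattern $pattern | Select-Object -Last 10 }

# 4. Failed logons (event 4625) in the last hour that mention the scanner.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$ScannerIp*" } |
    Select-Object -First 10 TimeCreated, Id, Message |
    Format-List
```

No output from steps 3 and 4 while `net use` from the scanner still fails means the connection was neither dropped by the host firewall nor rejected at logon, which points the search at the network path or adapter configuration instead.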


  2. Anonymous
    2020-10-19T05:30:57.257+00:00

    Hi,

    Thanks for posting in Q&A platform.

    ^ this command didn't complete it spat out "System Error 5 has occurred. Access is denied."

    Could you please help to confirm which command didn't complete successfully?

    Regarding your issue, I assume that 111.111.111.11 is the IP address of the SMB server. Please correct me if my understanding is wrong. May I know if the SMB client can ping the SMB server 111.111.111.11 successfully?

    What are the OS versions of the SMB client and server? Are the SMB server and client domain-joined machines?

    Best Regards,
    Sunny




  3. TimCerling(ret) 1,156 Reputation points
    2020-10-20T14:41:39.827+00:00

    " IPs .11 and .16 are both Server1."

    Windows does not allow the use of two IP addresses on the same subnet on a single host. It will use one and not the other.

    Why are you trying to put two different IP addresses from the same subnet onto a single host?

