adamt Posted September 2, 2011 Posted September 2, 2011 Dear all,I have one server environment which seems to be generating quite a lot of these events, mostly from Win2k3 SP2 machines:Event Type: WarningEvent Source: SrvEvent Category: NoneEvent ID: 2012Date: 27/08/2011Time: 07:05:25User: N/AComputer: WIN2K3WEBDescription:While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration. The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.Data:0000: 00040000 00540001 00000000 800007dc0010: 00000000 c0000184 00000000 000000000020: 00000000 00000000 0000097b I'm 99% sure this is down to some Riverbed CIFS devices, which are making it appear that a connection is still open for business when it has in fact already been closed at the remote end.Anyhow - I know that the c0000184 signified STATUS_INVALID_DEVICE_STATE, and I've worked out that 800007dc actually just means 'this is event ID 2012'.What I'm wondering about is what the 00040000 00540001, and the 0000097b mean. Sometimes, instead of 0000097b, it is 0000097a. This doesn't appear to be a Win32 error code, and it looks nothing like an HRESULT or NTSTATUS value.Any pointers on what these values mean?Thanks,Adam.
cluberti Posted September 10, 2011 Posted September 10, 2011 The eventcode for this error is c0000184 as per your output, which you've already seen. This generally means that the driver has responded to the requesting IRP that a send request has been made on a pre-existing request built that is either not ready to send, or has already passed a state that it can be in to send. Note the other codes don't actually mean anything useful in this particular instance, so you don't have to continue to bang your head against the wall for those.Generally you see 2012s due to antivirus software that contains a network filter driver, a bad network driver (or teaming software driver), or external acceleration hardware. Assuming you can reproduce this on other switch ports with other machines making the same sorts of requests for the same data, you can at least rule out the machines and software on them (hopefully you can do this - if not, you might want to consider it in troubleshooting). Next, assuming you have forced speed and duplex on the NICs in your servers or clients seeing these 2012s to match the switch ports, that generally rules out the cabling and the autosense fabric. That leaves switch backplane or WAN accelerators.
Recommended Posts
Please sign in to comment
You will be able to leave a comment after signing in
Sign In Now