Jump to content

Srv Event ID 2012 (network errors)


Recommended Posts

Dear all,

I have one server environment which seems to be generating quite a lot of these events, mostly from Win2k3 SP2 machines:

Event Type:	Warning
Event Source: Srv
Event Category: None
Event ID: 2012
Date: 27/08/2011
Time: 07:05:25
User: N/A
Computer: WIN2K3WEB
While transmitting or receiving data, the server encountered a network error. Occassional errors are expected, but large amounts of these indicate a possible error in your network configuration. The error status code is contained within the returned data (formatted as Words) and may point you towards the problem.

0000: 00040000 00540001 00000000 800007dc
0010: 00000000 c0000184 00000000 00000000
0020: 00000000 00000000 0000097b

I'm 99% sure this is down to some Riverbed CIFS devices, which are making it appear that a connection is still open for business when it has in fact already been closed at the remote end.

Anyhow - I know that the c0000184 signified STATUS_INVALID_DEVICE_STATE, and I've worked out that 800007dc actually just means 'this is event ID 2012'.

What I'm wondering about is what the 00040000 00540001, and the 0000097b mean. Sometimes, instead of 0000097b, it is 0000097a. This doesn't appear to be a Win32 error code, and it looks nothing like an HRESULT or NTSTATUS value.

Any pointers on what these values mean?



Link to comment
Share on other sites

The eventcode for this error is c0000184 as per your output, which you've already seen. This generally means that the driver has responded to the requesting IRP that a send request has been made on a pre-existing request built that is either not ready to send, or has already passed a state that it can be in to send. Note the other codes don't actually mean anything useful in this particular instance, so you don't have to continue to bang your head against the wall for those.

Generally you see 2012s due to antivirus software that contains a network filter driver, a bad network driver (or teaming software driver), or external acceleration hardware. Assuming you can reproduce this on other switch ports with other machines making the same sorts of requests for the same data, you can at least rule out the machines and software on them (hopefully you can do this - if not, you might want to consider it in troubleshooting). Next, assuming you have forced speed and duplex on the NICs in your servers or clients seeing these 2012s to match the switch ports, that generally rules out the cabling and the autosense fabric. That leaves switch backplane or WAN accelerators.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Create New...