none
microsoft-ds connections ESTABLISHED remains open on SMB client RRS feed

  • Question

  • Hello,

    We have a server with Windows Server 2008 R2 which has installed a web application developed with .Net Framework 3.5.
    This web application creates documents into UNC remote path. The process to creates this documents is follows:

     - Create Document.
     - Save document to UNC path (File Server - 192.168.80.11)
     - Fill the document with database information.
     - Save  document to UNC path (File Server - 192.168.80.11)
     - Close document.

    We have detected that this procedure generates on the client side (IIS Server - 192.168.80.16) a lot of connections to 445 socket of the File Server.

    C:\>netstat -bano -p tcp |find ":445"
      TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
      TCP    192.168.80.16:55627    192.168.80.11:445      ESTABLISHED     4
      TCP    192.168.80.16:55806    192.168.80.11:445      ESTABLISHED     4
      TCP    192.168.80.16:55903    192.168.80.11:445      ESTABLISHED     4
      TCP    192.168.80.16:55907    192.168.80.11:445      ESTABLISHED     4
      TCP    192.168.80.16:56001    192.168.80.11:445      ESTABLISHED     4
      TCP    192.168.80.16:56186    192.168.80.11:445      ESTABLISHED     4
      TCP    192.168.80.16:56256    192.168.80.11:445      ESTABLISHED     4

    This behavior will be normal if It weren't for that the web server doesn't have any open document. We have seen that the 445/TCP (microsoft-ds) connections with the File Server forever remains open associated at SYSTEM proces (PID: 4).

    In other hand, If I inspect the File Server sessions, we can check that It exists as same sessions in File Server as 445/TCP connections in Web  Server.

    Sessions in File Server **************************************

    C:\>net session
    Computer               User name            Client Type       Opens Idle time
    -------------------------------------------------------------------------------
    \\192.168.80.16        Usuario                              1 00:05:05
    \\192.168.80.16        Usuario                              1 00:04:23
    \\192.168.80.16        Usuario                              1 00:03:24
    \\192.168.80.16        Usuario                              1 00:05:36
    The command completed successfully.
    ********************************************************

    We can see that the FileServer remains handlers at root directory where IIS Server creates the documents without any open document.

    C:\>net file
    ID         Path                                    User name            # Locks
    -------------------------------------------------------------------------------
    1073741843 C:\\                                    Usuario         0
    1006633231 C:\\                                    Usuario         0
    1006633636 C:\\                                    Usuario         0
    939525090  C:\\                                    Usuario         0
    The command completed successfully.


    After a few days, this behavior causes a slower performance because there are thousands connections in both servers. On IIS Server TCP connections and on File Server Sessions an handlers to document path.

    Finally, If I kill one 445/TCP connection of the IIS Server, I can see that the session and file handler on File Server dies.

    Thank you in advance.

    XaviN

    Wednesday, March 5, 2014 8:45 AM