Installing security update MS05-019 or Windows Server 2003 Service Pack 1 may cause network connectivity between clients and servers to fail (898060)
The information in this article applies to:
- Microsoft Windows Server 2003 SP1, when used with:
  - Microsoft Windows Server 2003, Standard Edition
  - Microsoft Windows Server 2003, Enterprise Edition
  - Microsoft Windows Server 2003, Datacenter Edition
  - Microsoft Windows Server 2003, Web Edition
  - Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  - Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
  - Microsoft Windows Server 2003, Standard x64 Edition
  - Microsoft Windows Server 2003, Enterprise x64 Edition
  - Microsoft Windows Server 2003, Datacenter x64 Edition
- Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Datacenter Edition for Itanium-based Systems
- Microsoft Windows Server 2003, Standard Edition
- Microsoft Windows Server 2003, Enterprise Edition
- Microsoft Windows Server 2003, Datacenter Edition
- Microsoft Windows Server 2003, Web Edition
- Microsoft Windows XP Home Edition SP1
- Microsoft Windows XP Home Edition SP2
- Microsoft Windows XP Professional SP1
- Microsoft Windows XP Professional SP2
- Microsoft Windows 2000 Advanced Server SP3
- Microsoft Windows 2000 Advanced Server SP4
- Microsoft Windows 2000 Datacenter Server SP3
- Microsoft Windows 2000 Datacenter Server SP4
- Microsoft Windows 2000 Professional SP3
- Microsoft Windows 2000 Professional SP4
- Microsoft Windows 2000 Server SP3
- Microsoft Windows 2000 Server SP4
- Microsoft Windows XP Professional x64 Edition
SYMPTOMS
Network connectivity between clients and servers may fail. This failure occurs after the installation of either security update MS05-019 or Microsoft Windows Server 2003 Service Pack 1 (SP1). Any one or more of the following symptoms may occur:
- Inability to connect to terminal servers or to access file shares.
- Failure of domain controller replication across WAN links.
- Inability of Microsoft Exchange servers to connect to domain controllers.
- Requests to a server that is running Microsoft Internet Information Services (IIS) either time out or become very slow.
These symptoms are most likely in WAN and LAN scenarios where routers and data-link layer protocols with different Maximum Transmission Units (MTUs) are used along the path. In such a scenario the sending host can receive several Internet Control Message Protocol (ICMP) Destination Unreachable (Fragmentation Needed) messages, each carrying an MTU update for the same destination. The symptoms are most likely to occur if the following conditions are true:
- During Path MTU Discovery (PMTUD), several routers on the route to the destination send MTU updates to the source host. One possible reason is that the source and destination hosts are in different WAN segments that are connected through a tunnel with a small MTU.
- Network load balancing, dynamic routing, or both are used. In this scenario there are several possible routes to a destination whose MTUs differ from the MTU of the sending subnet and from each other. As the route taken by IP packets changes over time, the sending host receives several MTU updates for the same destination address.
Note There may be other similar scenarios in which these symptoms occur. They can typically be diagnosed by capturing the network traffic on the source host or on one of the intermediate routers. If multiple ICMP Destination Unreachable messages (type 3, code 4, "Fragmentation Needed and DF set") are sent over time for the same destination, a source host that has the MS05-019 security update or Windows Server 2003 SP1 installed is likely to have this problem.
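The diagnosis just described (look for repeated Fragmentation Needed messages for one destination in a capture) can be automated. The following is an added example, not code from the article or from Microsoft: it decodes raw ICMP type 3 / code 4 messages (RFC 792 with the RFC 1191 Next Hop MTU field), verifies their checksums, pulls the destination and DF flag out of the embedded original IP header, and reports destinations that keep receiving updates. The sample capture is constructed to match the decoded ICMP frame shown later in this article (TRMSRV 10.102.1.248 to CLIENT 10.102.45.12, 373-byte packet, Next Hop MTU 320); the TCP ports and sequence number used for the embedded first 8 bytes are taken from that trace, and the second destination is made up.

```python
"""Find destinations that keep receiving ICMP "Fragmentation Needed" (type 3, code 4)
messages in a capture; repeated identical MTU updates mean the sender is ignoring them."""
import struct
from collections import defaultdict

ICMP_DEST_UNREACHABLE = 3
ICMP_CODE_FRAG_NEEDED = 4
IP_FLAG_DF = 0x4000


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; returns 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def bytes_to_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4_header(src, dst, total_length, ident, ttl=127, proto=6, tos=0, df=True) -> bytes:
    """Constructed IPv4 header (no options) with a valid checksum; used only to build sample input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_length, ident,
                      IP_FLAG_DF if df else 0, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_checksum(hdr)) + hdr[12:]


def build_frag_needed(next_hop_mtu: int, original_ip_header: bytes, original_first8: bytes) -> bytes:
    """Constructed ICMP Destination Unreachable / Fragmentation Needed message."""
    body = struct.pack("!BBHHH", ICMP_DEST_UNREACHABLE, ICMP_CODE_FRAG_NEEDED, 0, 0, next_hop_mtu)
    body += original_ip_header + original_first8
    return body[:2] + struct.pack("!H", ones_complement_checksum(body)) + body[4:]


def parse_frag_needed(pkt: bytes):
    """Decode an ICMP message; return the PMTUD-relevant fields, or None if not type 3 / code 4."""
    if len(pkt) < 8 + 20 + 8:
        return None
    icmp_type, code, _cksum, _unused, next_hop_mtu = struct.unpack("!BBHHH", pkt[:8])
    if icmp_type != ICMP_DEST_UNREACHABLE or code != ICMP_CODE_FRAG_NEEDED:
        return None
    if ones_complement_checksum(pkt) != 0:
        raise ValueError("ICMP checksum mismatch")
    inner = pkt[8:]
    ver_ihl, _tos, total_length, ident, flags_frag, ttl, proto, ip_cksum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", inner[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "next_hop_mtu": next_hop_mtu,
        "src": bytes_to_ip(src),        # host whose packet was too large: it must honour the update
        "dst": bytes_to_ip(dst),        # destination the host route / path MTU is kept for
        "total_length": total_length,
        "ident": ident,
        "df": bool(flags_frag & IP_FLAG_DF),
        "ttl": ttl,
        "protocol": proto,
        "inner_ip_checksum": ip_cksum,
        "inner_checksum_ok": ones_complement_checksum(inner[:ihl]) == 0,
    }


def summarize_pmtu_updates(icmp_packets):
    """Group Fragmentation Needed messages by destination: how many, and which MTUs were announced."""
    per_dst = defaultdict(list)
    for pkt in icmp_packets:
        info = parse_frag_needed(pkt)
        if info is not None:
            per_dst[info["dst"]].append(info["next_hop_mtu"])
    return {dst: {"messages": len(m), "distinct_mtus": sorted(set(m))} for dst, m in per_dst.items()}


def suspicious_destinations(summary, min_messages=2):
    """Destinations with repeated updates. Repeats of one MTU (distinct_mtus of length 1) mean the
    sender is not applying the update: the signature of the ignored-ICMP condition in this article."""
    return {dst: s for dst, s in summary.items() if s["messages"] >= min_messages}


# Constructed sample capture mirroring the decoded ICMP frame in the More Information section:
# three identical Fragmentation Needed messages for 10.102.45.12 (frames 011, 015, 017) plus one
# unrelated update for a made-up second destination.
TRMSRV_HEADER = build_ipv4_header("10.102.1.248", "10.102.45.12", total_length=373, ident=10838, ttl=127, tos=0x40)
TRMSRV_TCP8 = struct.pack("!HHI", 3389, 1083, 3814299455)   # src port, dst port, sequence number
SAMPLE_CAPTURE = [build_frag_needed(320, TRMSRV_HEADER, TRMSRV_TCP8)] * 3 + [
    build_frag_needed(1400, build_ipv4_header("10.102.1.248", "10.102.7.9", 1500, 1), struct.pack("!HHI", 445, 1025, 1)),
]

if __name__ == "__main__":
    for dst, s in suspicious_destinations(summarize_pmtu_updates(SAMPLE_CAPTURE)).items():
        print(f"{dst}: {s['messages']} Fragmentation Needed messages, MTUs announced {s['distinct_mtus']}")
```

Feed it the ICMP payloads from a capture on the sending host (for an affected host, the ones it receives); one destination showing several messages that all announce the same Next Hop MTU is the pattern the article's trace shows. The embedded IP header checksum of the constructed sample works out to 0x8C1D, the value in the trace, which is a useful check that the sample really matches the captured packet.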
CAUSE
This problem occurs because the TCP/IP code incorrectly increments the count of host routes on the computer when it only modifies the MTU size of an existing host route. The maximum number of host routes is controlled by the MaxIcmpHostRoutes registry value, whose default is 10,000. This limit exists to bound the number of host routes that ICMP messages, which are unauthenticated and easily spoofed, can create on a host; the defect is in how the counter is maintained, not in the limit itself. Because of the incorrect increment, the counter eventually reaches the maximum even though far fewer host routes actually exist. After the maximum is reached, further ICMP Fragmentation Needed messages are ignored, so the host keeps sending packets that are too large for the path with the DF flag set, the routers keep dropping them, and the connection eventually fails.
Note The default number of host routes was incorrectly listed as 1,000 in the original version of this article. The change to 10,000 reflects a correction, not a code change.
RESOLUTION
Security update information
To resolve this problem, install security update 913446 (security bulletin MS06-007). For more information about how to obtain and install security update 913446, click the following article number to view the article in the Microsoft Knowledge Base:
913446 MS06-007: Vulnerability in TCP/IP could allow denial of service
Note Security update 913446 (security bulletin MS06-007) supersedes this hotfix (898060). It also supersedes security update 893066 (security bulletin MS05-019). For more information about security update 893066, click the following article number to view the article in the Microsoft Knowledge Base:
893066 MS05-019: Vulnerabilities in TCP/IP could allow remote code execution and denial of service
Note Security update 893066 has been updated to correct this problem for the original release version of Windows Server 2003.
If you deploy security update 913446, you do not have to deploy hotfix 898060 or security update 893066. Security update 893066 does not apply to Windows Server 2003 with Service Pack 1.
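The accounting defect described in the Cause section is easiest to see in a small model. The following is an added example and a deliberate simplification, not Microsoft's TCP/IP code: a host-route table that keeps one entry per destination and a counter that is compared against MaxIcmpHostRoutes. With correct accounting the counter only grows when a new destination is added; with the defect it also grows on every MTU modification, so a single destination whose path keeps flapping between two routes (the dynamic-routing scenario above) exhausts the default 10,000 on its own. Exactly which ICMP messages the real stack rejects once the limit is reached is an assumption of the model; the article only states that they are ignored.

```python
"""Model of the host-route accounting defect in the Cause section. Constructed illustration of the
behaviour the article describes, not Microsoft's TCP/IP code."""

DEFAULT_MAX_ICMP_HOST_ROUTES = 10_000   # default of the MaxIcmpHostRoutes registry value


class HostRouteTable:
    """Per-destination path-MTU host routes, plus the counter MaxIcmpHostRoutes is checked against."""

    def __init__(self, max_routes=DEFAULT_MAX_ICMP_HOST_ROUTES, buggy=False):
        self.max_routes = max_routes
        self.buggy = buggy            # True: count an MTU modification as if a route had been added
        self.path_mtu = {}            # destination -> MTU most recently learned from ICMP
        self.counted_routes = 0       # what the stack believes the number of host routes is

    def on_fragmentation_needed(self, dst, next_hop_mtu):
        """Apply one ICMP Fragmentation Needed message. Returns True if honoured, False if ignored."""
        if self.counted_routes >= self.max_routes:
            return False                                   # limit reached: the message is ignored
        if dst not in self.path_mtu:
            self.path_mtu[dst] = next_hop_mtu
            self.counted_routes += 1                       # a host route really was created
            return True
        self.path_mtu[dst] = next_hop_mtu                  # existing route: only its MTU changes
        if self.buggy:
            self.counted_routes += 1                       # the defect: counted as another route
        return True


def simulate(updates, max_routes=DEFAULT_MAX_ICMP_HOST_ROUTES, buggy=False):
    """Feed (destination, next_hop_mtu) updates in order; return the honoured/ignored flag for each."""
    table = HostRouteTable(max_routes, buggy)
    return [table.on_fragmentation_needed(dst, mtu) for dst, mtu in updates]


def first_ignored(updates, max_routes=DEFAULT_MAX_ICMP_HOST_ROUTES, buggy=False):
    """Index of the first ICMP message that is ignored, or None if every message is honoured."""
    results = simulate(updates, max_routes, buggy)
    return results.index(False) if False in results else None


def flapping_route(dst, mtus, messages):
    """Constructed scenario from the article: one destination whose path alternates between routes
    with different MTUs (dynamic routing / load balancing), so each ICMP modifies the same route."""
    return [(dst, mtus[i % len(mtus)]) for i in range(messages)]


if __name__ == "__main__":
    scenario = flapping_route("10.102.45.12", [1400, 320], DEFAULT_MAX_ICMP_HOST_ROUTES + 1)
    print("correct accounting, first ignored message:", first_ignored(scenario))
    print("defective accounting, first ignored message:", first_ignored(scenario, buggy=True))
```

The point the model makes is the one a defender needs when sizing the limit: raising MaxIcmpHostRoutes only delays the failure on an affected host, because the counter is driven by the number of MTU updates rather than by the number of destinations.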
Hotfix information
Note This hotfix information is applicable only to x86-based, Itanium-based, and x64-based versions of Windows Server 2003 with Service Pack 1 and to x64-based versions of Windows XP Professional.
A supported hotfix is now available for download from the Microsoft Download Center:
- Microsoft Windows Server 2003, x86-based versions with Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=A0245532-0ACE-4B85-85BF-758E936173DF&displaylang=en
- Microsoft Windows Server 2003, Itanium-based versions with Service Pack 1: http://www.microsoft.com/downloads/details.aspx?FamilyId=538F2EFC-215B-4907-AF17-22851A370F8C&displaylang=en
- Microsoft Windows Server 2003, x64-based versions: http://www.microsoft.com/downloads/details.aspx?FamilyId=BAAFE288-9BC5-479B-88E5-EB7E06EAD443&displaylang=en
- Microsoft Windows XP, x64-based versions: http://www.microsoft.com/downloads/details.aspx?FamilyId=E15C903D-8B6F-4B72-A8F3-BD58517AB156&displaylang=en
The hotfix corrects the network-connectivity problem that is described in this Microsoft Knowledge Base article. We recommend that you apply the hotfix to the systems that are experiencing this specific problem. You may also want to consider installing this hotfix to help prevent future connectivity problems similar to this one. The updated hotfix for Windows Server 2003 Service Pack 1 (SP1) contains a change that addresses an issue that you experience only when you run Internet Security Systems (ISS) products.
File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Microsoft Windows Server 2003, x86-based versions with Service Pack 1
   Date         Time   Version        Size       File name  Platform  Folder
   --------------------------------------------------------------------------
   26-May-2005  01:06  5.2.3790.2453    333,312  Tcpip.sys  x86       SP1GDR
   26-May-2005  01:10  5.2.3790.2453    333,312  Tcpip.sys  x86       SP1QFE
Microsoft Windows Server 2003, Itanium-based versions with Service Pack 1
   Date         Time   Version        Size       File name  Platform  Folder
   --------------------------------------------------------------------------
   26-May-2005  02:17  5.2.3790.2453  1,116,160  Tcpip.sys  IA-64     SP1GDR
   26-May-2005  02:17  5.2.3790.2453  1,116,160  Tcpip.sys  IA-64     SP1QFE
Microsoft Windows Server 2003, x64-based versions
   Date         Time   Version        Size       File name  Platform  Folder
   --------------------------------------------------------------------------
   26-May-2005  02:32  5.2.3790.2453    702,976  Tcpip.sys  x64       SP1GDR
   26-May-2005  02:32  5.2.3790.2453    702,976  Tcpip.sys  x64       SP1QFE
Microsoft Windows XP, x64-based versions
   Date         Time   Version        Size       File name  Platform  Folder
   --------------------------------------------------------------------------
   26-May-2005  02:32  5.2.3790.2453    702,976  Tcpip.sys  x64       SP1GDR
   26-May-2005  02:32  5.2.3790.2453    702,976  Tcpip.sys  x64       SP1QFE
Note The file information is the same for x64-based versions of Microsoft Windows Server 2003 and for x64-based versions of Microsoft Windows XP.
WORKAROUND
To work around this problem, set the default MTU size to the largest size that every router on the path can forward without fragmentation. The actual MTU value that is required depends on the network configuration. However, an MTU value of 576 should help reduce the effect of the problem: 576 bytes is the datagram size that every IPv4 host must be prepared to accept (RFC 791), so routers on the Internet should be able to forward such packets without fragmentation. Note that the trace in the More Information section shows a next-hop MTU of 320, so on a path like that an even smaller value is needed. You must restart the computer for this registry change to take effect.
For more information about how to change the MTU registry settings, click the following article numbers to view the articles in the Microsoft Knowledge Base:
120642 TCP/IP and NBT configuration parameters for Windows 2000 or Windows NT
314053 TCP/IP and NBT configuration parameters for Windows XP
Important Depending on the network configuration and the networking applications that are typically used, setting a low default MTU value can reduce network performance.
MORE INFORMATION
The MTU parameter overrides the default Maximum Transmission Unit (MTU) for a network interface. The MTU is the maximum packet size in bytes that the transport transmits over the underlying network. The size includes the transport header. An IP datagram can span multiple packets. Values larger than the default value for the underlying network cause the transport to use the network default MTU. Values smaller than 68 cause the transport to use an MTU of 68.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<ID for Adapter>
Value: MTU
Value Type: REG_DWORD (Number)
Valid Range: 68 to the MTU of the underlying network
Default: 0xFFFFFFFF
Note <ID for Adapter> is the network adapter to which TCP/IP is bound. To determine the relationship between an adapter ID and a network connection, view HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\<ID for Adapter>\Connection. The Name value in these keys provides the friendly name for a network connection that is used in the Network Connections folder. Values under these keys are specific to each adapter. Parameters that have a DHCP-configured value and a statically configured value may not exist. Their existence depends on whether the computer or the adapter is DHCP-configured and whether static override values are specified.
The following network trace illustrates the problem. CLIENT (10.102.45.12, port 1083) opens a Terminal Services connection to TRMSRV (10.102.1.248, port 3389); the addresses are those in the original IP header embedded in the ICMP message in frame 011.
001 CLIENT TRMSRV TCP Control Bits: ....S., len: 0, seq:1962957351-1962957352, ack: 0, win:65535, src: 1083 dst: 3389
002 TRMSRV CLIENT TCP Control Bits: .A..S., len: 0, seq:3814299443-3814299444, ack:1962957352, win:17520, src: 3389 dst: 1083
003 TRMSRV CLIENT TCP Control Bits: .A..S., len: 0, seq:3814299443-3814299444, ack:1962957352, win:17520, src: 3389 dst: 1083
004 CLIENT TRMSRV TCP Control Bits: .A...., len: 0, seq:1962957352-1962957352, ack:3814299444, win:65535, src: 1083 dst: 3389
005 CLIENT TRMSRV TCP Control Bits: .AP..., len: 39, seq:1962957352-1962957391, ack:3814299444, win:65535, src: 1083 dst: 3389
006 TRMSRV CLIENT TCP Control Bits: .AP..., len: 11, seq:3814299444-3814299455, ack:1962957391, win:17481, src: 3389 dst: 1083
007 CLIENT TRMSRV TCP Control Bits: .A...., len: 280, seq:1962957391-1962957671, ack:3814299455, win:65524, src: 1083 dst: 3389
008 TRMSRV CLIENT TCP Control Bits: .A...., len: 0, seq:3814299455-3814299455, ack:1962957671, win:17201, src: 3389 dst: 1083
009 CLIENT TRMSRV TCP Control Bits: .AP..., len: 132, seq:1962957671-1962957803, ack:3814299455, win:65524, src: 1083 dst: 3389
010 TRMSRV CLIENT TCP Control Bits: .AP..., len: 333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389 dst: 1083
011 ROUTER TRMSRV ICMP Destination Unreachable: 10.102.45.12 (See frame 009)
Inside frame 011, notice that the Next Hop MTU (320) is smaller than the 373-byte packet that the terminal server sent in frame 010, and that the router is asking the sender to fragment:
ICMP: Destination Unreachable: 10.102.45.12 (See frame 009)
ICMP: Packet Type = Destination Unreachable
ICMP: Unreachable Code = Fragmentation Needed, DF Flag Set <<<<
ICMP: Checksum = 0x6FAA
ICMP: Next Hop MTU = 320 (0x140) <<<<
ICMP: Data: Number of data bytes remaining = 28 (0x001C)
ICMP: Description of original IP frame
ICMP: (IP) Version = 4 (0x4)
ICMP: (IP) Header Length = 20 (0x14)
ICMP: (IP) Service Type = 64 (0x40)
ICMP: (IP) Precedence = 0x40
ICMP: (IP) Type of Service = 0x40
ICMP: (IP) Total Length = 373 (0x175)
ICMP: (IP) Identification = 10838 (0x2A56)
ICMP: (IP) Flags Summary = 2 (0x2)
ICMP: .......0 = Last fragment in datagram
ICMP: ......1. = Cannot fragment datagram
ICMP: (IP) Fragment Offset = 0 (0x0) bytes
ICMP: (IP) Time to Live = 127 (0x7F)
ICMP: (IP) Protocol = TCP - Transmission Control
ICMP: (IP) Checksum = 0x8C1D
ICMP: (IP) Source Address = 10.102.1.248
ICMP: (IP) Destination Address = 10.102.45.12
ICMP: (IP) Data: Number of data bytes remaining = 8 (0x0008)
012 CLIENT TRMSRV TCP Control Bits: .AP..., len: 132, seq:1962957671-1962957803, ack:3814299455, win:65524, src: 1083 dst: 3389
013 TRMSRV CLIENT TCP Control Bits: .A...., len: 0, seq:3814299788-3814299788, ack:1962957803, win:17069, src: 3389 dst: 1083
014 TRMSRV CLIENT TCP Control Bits: .AP..., len: 333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389 dst: 1083
TRMSRV ignores ICMP frame 011 and, in frame 014, resends the same 333-byte segment as frame 010 without fragmentation, which draws another ICMP message:
015 ROUTER TRMSRV ICMP Destination Unreachable: 10.102.45.12 (See frame 014)
016 TRMSRV CLIENT TCP Control Bits: .AP..., len: 333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389 dst: 1083
017 ROUTER TRMSRV ICMP Destination Unreachable: 10.102.45.12 (See frame 016)
018 TRMSRV CLIENT TCP Control Bits: .AP..., len: 333, seq:3814299455-3814299788, ack:1962957803, win:17069, src: 3389 dst: 1083
019 ROUTER TRMSRV ICMP Destination Unreachable: 10.102.45.12 (See frame 017)
020 CLIENT TRMSRV TCP Control Bits: .AP..., len: 9, seq:1962957803-1962957812, ack:3814299455, win:65524, src: 1083 dst: 3389
021 CLIENT TRMSRV TCP Control Bits: .A...F, len: 0, seq:1962957812-1962957813, ack:3814299455, win:65524, src: 1083 dst: 3389
022 TRMSRV CLIENT TCP Control Bits: .A...., len: 0, seq:3814299788-3814299788, ack:1962957813, win:17060, src: 3389 dst: 1083
023 TRMSRV CLIENT TCP Control Bits: .A.R.., len: 0, seq:3814299788-3814299788, ack:1962957813, win: 0, src: 3389 dst: 1083
024 CLIENT TRMSRV TCP Control Bits: .A...., len: 0, seq:1962957813-1962957813, ack:3814299455, win:65524, src: 1083 dst: 3389
025 TRMSRV CLIENT TCP Control Bits: ...R.., len: 0, seq:3814299455-3814299455, ack:3814299455, win: 0, src: 3389 dst: 1083
Frames 014, 016 and 018 are retransmissions of the same oversized segment, each answered by another ICMP Destination Unreachable message (frames 015, 017 and 019). The server never reduces the segment size, and the connection is torn down with the resets in frames 023 and 025.
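Applying the registry workaround from the WORKAROUND section by hand means locating the right <ID for Adapter> under the Network\{4D36E972-E325-11CE-BFC1-08002BE10318} key and writing the MTU value under Tcpip\Parameters\Interfaces. The following is an added example, not Microsoft tooling: it maps a connection's friendly name to its adapter ID, applies the clamping rules given above (values below 68 become 68, values above the link MTU or the 0xFFFFFFFF default mean the network default), and emits a .reg file that can be imported with regedit before the required restart. The adapter IDs and connection names in SAMPLE_CONNECTIONS are made up; on a Windows host live_connections() reads the real mapping with the standard winreg module.

```python
"""Build the per-interface MTU override from the workaround as a .reg file.
Added example, not Microsoft tooling."""
import re

INTERFACES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
NETWORK_CLASS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}"
MTU_MIN = 68                       # smaller configured values are treated as 68
MTU_NETWORK_DEFAULT = 0xFFFFFFFF   # registry default: use the underlying network's MTU
ADAPTER_ID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)


def effective_mtu(configured: int, link_mtu: int) -> int:
    """MTU the transport actually uses for a configured value (the clamping rules the article gives)."""
    if configured == MTU_NETWORK_DEFAULT or configured > link_mtu:
        return link_mtu
    return max(configured, MTU_MIN)


def adapter_id_for(connections: dict, friendly_name: str) -> str:
    """Map a Network Connections folder name to its adapter ID.
    `connections` mirrors Network\\{4D36E972-...}\\<ID>\\Connection\\Name as {adapter_id: name}."""
    matches = [aid for aid, name in connections.items() if name == friendly_name]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} adapters named {friendly_name!r}")
    return matches[0]


def mtu_reg_file(adapter_id: str, mtu: int) -> str:
    """Text of a .reg file that sets MTU for one interface; import it with regedit, then restart."""
    if not ADAPTER_ID_RE.match(adapter_id):
        raise ValueError(f"not an adapter ID: {adapter_id}")
    if not MTU_MIN <= mtu <= MTU_NETWORK_DEFAULT:
        raise ValueError(f"MTU {mtu} outside {MTU_MIN}..0x{MTU_NETWORK_DEFAULT:X}")
    return ("Windows Registry Editor Version 5.00\r\n\r\n"
            f"[{INTERFACES_KEY}\\{adapter_id}]\r\n"
            f"\"MTU\"=dword:{mtu:08x}\r\n")


def live_connections():
    """On Windows, read the real adapter ID -> friendly name map from the registry; None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    subkey = NETWORK_CLASS_KEY.split("\\", 1)[1]      # strip the HKEY_LOCAL_MACHINE prefix
    connections = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as root:
        index = 0
        while True:
            try:
                adapter_id = winreg.EnumKey(root, index)
            except OSError:
                break                                  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, adapter_id + r"\Connection") as conn:
                    connections[adapter_id] = winreg.QueryValueEx(conn, "Name")[0]
            except OSError:
                continue                               # e.g. the Descriptions subkey has no Connection
    return connections


# Constructed sample mapping (made-up adapter IDs) standing in for the live registry.
SAMPLE_CONNECTIONS = {
    "{11111111-2222-3333-4444-555555555555}": "Local Area Connection",
    "{66666666-7777-8888-9999-AAAAAAAAAAAA}": "WAN Link to Branch",
}

if __name__ == "__main__":
    adapter = adapter_id_for(SAMPLE_CONNECTIONS, "WAN Link to Branch")
    print(mtu_reg_file(adapter, effective_mtu(576, link_mtu=1500)))
```

Keep the override to the interface that faces the small-MTU path rather than every adapter, since the Important note above applies: a low MTU on a LAN interface costs throughput for traffic that never crosses the tunnel.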
The third-party products that this article discusses are manufactured by
companies that are independent of Microsoft. Microsoft makes no warranty,
implied or otherwise, regarding the performance or reliability of these
products.
Modification Type: Major
Last Reviewed: 10/10/2006
Keywords: kbQFE KBHotfixServer kbSecurity kbprb KB898060 kbAudITPRO