VPN, SecureNat/Nat and Outlook clients not working after installing Windows Service Pack 2 in SBS 2003 Premium

[Today’s post comes to us courtesy of David Copeland, Justin Crosby, Mike Lieser and Damian Leibaschoff]

[EDIT] For an updated version of this post, please see http://blogs.technet.com/sbs/archive/2007/04/24/common-networking-issues-after-applying-windows-server-2003-sp2-on-sbs.aspx.

 

After installing Windows 2003 Service Pack 2 on SBS 2003 with ISA 2004 installed, you may experience the following problems:

- You can no longer successfully connect inbound using VPN (clients get “Error 800: Unable to establish connection”).

- You cannot reliably connect to the Internet using SecureNat.

- Some Outlook clients will fail to connect to the Exchange server (even with ISA 2004 SP2 and KB930414 installed).

(We are still discussing and testing other symptoms that could be related, but if you are having networking issues after the service pack, consider the solution provided in this post. We will update this list as we find more factual information.)

There are several potential causes for these problems, but in this case we will focus on a feature called Receive Side Scaling (RSS) that is enabled by Windows Server 2003 SP2 (and also by the Microsoft Windows Server 2003 Scalable Networking Pack). Note that not all network cards provide this feature. Also keep in mind that this might affect SBS machines using RRAS for their NAT solution.

When Receive Side Scaling is enabled on a server running Microsoft Windows Server 2003 with Service Pack 2 (SP2) that uses Network Address Translation (NAT), the server cannot host Transmission Control Protocol (TCP) connections. The TCP connections will be reset.

Update: The following KB explaining the behavior is now public:

KB 927695 “You cannot host TCP connections when Receive Side Scaling is enabled in Windows Server 2003 with Service Pack 2”  

You can disable this feature from the advanced properties of the network card under the network interface properties or you can perform the registry changes provided below.

You can disable the RSS support from the TCP/IP stack by doing the following:

Warning: Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To work around this problem, disable Receive Side Scaling when the computer is configured as an Internet Connection Sharing gateway. To do this, follow these steps:

1. Click Start, click Run, type regedit, and then click OK.

2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

3. On the Edit menu, point to New, click DWORD Value, and then type EnableRSS.

4. Double-click EnableRSS, type 0, and then click OK.

5. Exit Registry Editor.

If you are still experiencing problems (like slow file copying), you should also disable Offloading support:

1. Click Start, click Run, type regedit, and then click OK.

2. Locate and then click the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

3. In the right pane, make sure that the DisableTaskOffload registry entry exists. If this entry does not exist, follow these steps to add the entry:

a. On the Edit menu, point to New, click DWORD Value, and then type DisableTaskOffload.

4. Double-click DisableTaskOffload, type 1, and then click OK.

5. Exit Registry Editor.

(Reboot to make both changes effective)
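
The two registry procedures above combined into one script, added here as an example and not part of the original post or the KB article. It assumes PowerShell is installed on the server (it is not part of a default Windows Server 2003 installation) and that it runs in an administrative session; the `-Apply` and `-DisableOffload` switches are names made up for this example.

```powershell
# Added example (not from the original post): audit, and optionally set,
# the Tcpip\Parameters values described in the steps above.
# -Apply and -DisableOffload are switch names made up for this example.
param(
    [switch]$Apply,          # without this the script only reports
    [switch]$DisableOffload  # also enforce DisableTaskOffload = 1
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

# Desired state from the post: RSS off; task offload off only if requested.
$desired = @{ EnableRSS = 0 }
if ($DisableOffload) { $desired['DisableTaskOffload'] = 1 }

$changed = $false
foreach ($name in $desired.Keys) {
    $want = $desired[$name]

    # A missing value yields $null here, which is different from a stored 0.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $current = $null
    if ($item -ne $null) { $current = $item.$name }

    if ($current -ne $null -and $current -eq $want) {
        Write-Output "$name = $current (already set)"
        continue
    }

    if ($current -eq $null) { $shown = 'not present' } else { $shown = $current }
    Write-Output "$name is $shown, wanted $want"

    if ($Apply) {
        # -Force creates the value or overwrites an existing one as a DWORD.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value $want -Force | Out-Null
        Write-Output "$name set to $want"
        $changed = $true
    }
}

if ($changed) { Write-Output 'Reboot the server to make the changes effective.' }
```

Run it once without switches to see the current state, then again with `-Apply` (adding `-DisableOffload` only if problems such as slow file copying persist).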

Update 2:

We have seen several situations where, even after completing the steps above, VPN would still not work. In those cases, updating the NIC drivers to the latest version resolved the problem. So make sure you have the latest version of your network card drivers. Most manufacturers have released updated drivers very recently.

Regards,

The SBS Bloggers team