There are several factors and approaches to this issue. Below are the options to ensure the connectivity of the NetApp Filer to the scan server.
- On the Scan Server, make sure that the NetApp filer's name/FQDN can be resolved. This depends on what was entered in the ServerProtect for NetApp management console. If you entered the name/FQDN, make sure that it can be resolved. You can use either "ping" or "nslookup" to test this.
If you used the IP address of the NetApp filer instead, then you may choose to ignore this test. Make sure that the name resolution servers in your environment (DNS/WINS) are properly configured via the TCP/IP configuration of your Windows Operating System.
- On the NetApp Filer, make sure that the Scan Server name/FQDN can be resolved. This can be done through the NetApp console via "ping". Make sure that the name resolution servers in your environment (DNS/WINS) are properly configured via the NetApp Filer. Consult the necessary documentation for specific steps on how to do this.
In all cases, you can work around name resolution problems by editing the HOSTS file of both the Scan Server and the NetApp Filer. This ensures name resolution at all times. The entry can consist of both the name and FQDN of the servers.
For example:
10.20.1.30 my-scan-server.mydomain.net my-scan-server
10.20.1.40 my-filer.mydomain.net my-filer
Many of the connectivity issues are usually resolved by ensuring name resolution.
The NetApp Antivirus Solution uses an authenticated CIFS connection and RPCs to communicate with the Scan Server.
The following pointers can be checked to ensure that there are no authentication issues between the NetApp Filer and the Scan Server:
- The NetApp Filer and the Scan Server are joined to the same domain.
- Ensure that the user name/password combination that is being configured in the ServerProtect for NetApp management console can successfully connect to the NetApp Filer.
Under normal situations, this step is automatically done during your scan server installation. However, it would be worthwhile to check. The named pipe NTAPVSRQ should be under the list of allowed NullSessionPipes.
- On the Scan Server, click Start > Administrative Tools > Local Security Policy.
- Expand Local Policies, click Security Options, and then scroll down.
- Open Network access: Named Pipes that can be accessed anonymously and check if NTAPVSRQ exists. Otherwise, add it.
- After adding the entry, restart the computer.
If your Scan Server is running Windows 2008 R2 or later, changes in Windows R2 may cause connectivity issues and may require you to change certain settings under Local Security Policy > Security Options:
- Network access: Do not allow anonymous enumeration of SAM accounts - change it to Disabled
- Network access: Let Everyone permissions apply to Anonymous users - change it to Enabled
- Network access: Restrict anonymous access to Named Pipes and Shares - change it to Disabled
Always ensure that a reboot is done if there are any changes in the Security Options.
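The settings above can be confirmed without opening Local Security Policy. The following is an added example, not part of the original article or of ServerProtect; it assumes the standard Windows registry values that back these policies (RestrictAnonymousSAM, EveryoneIncludesAnonymous, RestrictNullSessAccess and NullSessionPipes), which the article itself does not name. It only reads the values and reports whether each matches the state described above:

```powershell
# Added example: read-only audit of the Scan Server settings described above.
# Run on the Scan Server.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null when the value is absent instead of raising an error.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# Each policy, its backing registry value (assumed standard mapping), and the
# state the article asks for (1 = Enabled, 0 = Disabled).
$checks = @(
    @{ Policy = 'Do not allow anonymous enumeration of SAM accounts'
       Path = $lsa;    Name = 'RestrictAnonymousSAM';      Want = 0 },
    @{ Policy = 'Let Everyone permissions apply to Anonymous users'
       Path = $lsa;    Name = 'EveryoneIncludesAnonymous'; Want = 1 },
    @{ Policy = 'Restrict anonymous access to Named Pipes and Shares'
       Path = $lanman; Name = 'RestrictNullSessAccess';    Want = 0 }
)

$report = foreach ($c in $checks) {
    $actual = Get-RegValue $c.Path $c.Name
    New-Object PSObject -Property @{
        Setting  = $c.Policy
        Expected = $c.Want
        Actual   = $actual
        Matches  = ($actual -eq $c.Want)
    }
}
$report | Select-Object Setting, Expected, Actual, Matches | Format-Table -AutoSize

# NullSessionPipes is a multi-string value; -contains is case-insensitive.
$pipes = @(Get-RegValue $lanman 'NullSessionPipes')
if ($pipes -contains 'NTAPVSRQ') {
    Write-Output 'NTAPVSRQ is listed in NullSessionPipes.'
} else {
    Write-Output 'NTAPVSRQ is missing from NullSessionPipes.'
}
```

If a value reverts after the reboot, a domain Group Policy is likely reapplying it, and the change has to be made in that policy instead.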
The first two sections can generally solve most of the connectivity issues regarding the NetApp Filer and the Scan Server. This section is solely for the error "NBT: Cannot connect to server ip.address.of.scan-server over NBSS socket for port 139. Error 0x23: Resource temporarily unavailable."
There is an option in the NetApp Filer (cifs.netbios_over_tcp) that enables or disables the use of NetBIOS over TCP (port 139), which is the standard protocol used for CIFS prior to Windows 2000. This particular option corresponds to the "Enable NetBIOS over TCP" setting in the TCP/IP settings tab of the Windows host.
By default, it is enabled to ensure that earlier operating systems can connect to the NetApp Filer. Disabling this parameter enables direct-hosted SMB traffic, which uses port 445 (TCP/UDP) on the NetApp Filer to directly communicate with the Scan Server without requiring NetBIOS over TCP (NBT) protocol to work on a TCP/IP transport.
Also, this parameter change requires that you have a pure Microsoft Windows 2000 (or above) network. If you are not sure about this configuration, then make sure to consult the necessary documentation about how to enable/disable this feature and the effects on your environment.