630 AM all network connections drop

March 3, 2009 at 05:56:18
Specs: Windows Server 2003 R2 64-bit
I have the server set to automatically restart at 330am every day to help keep the memory open. Starting yesterday, Monday, the internet connection both internally and externally (two seperate D-Link DFE-530TX+ network cards) stops. A restart fixes the problem, but what is happening?

I was told that it could be a service failing. Which service controls the network connections? I restarted the 'server' service which had 5 it restarted on its own and I restarted the 'rpc' service - nothing.

I also checked to see if the drivers we're out of date, but they haven't been updated since 2004 so I know I have the right ones.

Somebody told me of a new virus going around that shuts down networks? I haven't heard of this before - anybody else? I also have Panda Admin Secure running on the server and it hasn't detected anything.

Thanks for your time everyone!

See More: 630 AM all network connections drop

Report •

March 3, 2009 at 07:56:39
" the internet connection both internally and externally (two seperate D-Link DFE-530TX+ network cards) stops"

please explain this statement. are you routing thru your server for internet?

when did you start the daily reboots?
what other things do you have scheduled?

Report •

March 3, 2009 at 08:03:22
hey there

yes. i use rras and I route the internet through the server. i've been doing the daily reboots for almost a year now and i've never had any problems before.

At 1215AM synctoy runs and backs up everybodies files to the server.
at 213AM psshutdown.exe restarts the computer.

both of these have been running a very long time with no flaws :/

i believe I said RPC service up top, I meant RRAS service. thanks!

Report •

March 3, 2009 at 08:13:37
I also want to point this out. i was going through the system event log and noticed an error I haven't seen before. IPSec was the problem and it stated this error at 236AM:

The IPSec driver has entered Block mode. IPSec will discard all inbound and outbound TCP/IP network traffic that is not permitted by boot-time IPSec Policy exemptions. User Action: To restore full unsecured TCP/IP connectivity, disable the IPSec services, and then restart the computer. For detailed troubleshooting information, review the events in the Security event log.

Sure sounds like the cause?

it looks like this same event happened yesterday at the same time - and hasn't occurred since 1/11/09 which would make sense. that appears to be the first time it has happened. I will look into disabling it unless you note otherwise. Thanks again!

Report •

Related Solutions

March 3, 2009 at 08:49:42
its occurs becauseofthe following check whether the status of the following services..

which willget stooped by some virus.
services which willbe stooped are..


So Check the status o fthe services if u face this issue/..

since i have faced this Earlier inmy network @ every evening..

sometimes if u logged in to the administrator account of that PC u will get and DEP erro message on
W32 host services

if its the issue..

just put restart services on failures tab under correspong services @ services .msc

Report •

March 3, 2009 at 09:14:16
Could it be something to do with a DHCP lease maybe it is expiring and not being automatically renewed?

Report •

March 3, 2009 at 09:15:32
Are you doing a vpn from the internet to the rras server?

Not sure why you would be using ipsec if just using rras for routing.

You may want to review this;


Might want to run chkdsk /r to make sure you are not dealing with disk corruption. When was the last time you defragged the server?

Report •

March 3, 2009 at 10:14:39
Wow thanks for all your awesome replies.

@wanderer: I am doing a check disk but it'll have to wait until the server restarts since its NTFS. :/

We do not use a vpn but it it acts as a domain controller. I've never heard of IPSec so I don't believe it is in use - is there somewhere I can go to edit its policies or configure it to find out further info?

@andynet: I'm unsure about the DHCP leasing. I may be a server administrator, but I'm still trying to catch onto how the whole things works exactly. Where would I go to find out how long it is before the lease expires? Like I said before - we haven't had this kind of issue in months, in fact, we have never had this particular issue with the complete disabling of tcp/ip traffic.

@ramdas_MR: there doesn't seem to be a failures tab in server 2003 - atleast not on my service pack. Also, you said 'etc' after naming those three services - are there any others that would need to be restarted for an event like this? I have these three on my list already to restart in the mornings so we don't have to shut down the server (which takes about 45 minutes because it runs exchange :/ ). Also, we do run Panda Admin Secure and it hasn't found any viruses on the server so maybe it is missing something? Does anybody recommend a certain antivirus for a windows server?

Thanks again everybody!

Report •

March 3, 2009 at 12:28:54
Your server should be a dhcp server not a dhcp client. You can check this by looking at the tcp/ip properties of both nics. They should not be set to "obtain ip automatically"

ipsec is ip security which is an encryption of tcp/ip packets so they can't be read by anyone as they pass thru the internet/network.

You wouldn't have that error if you didn't have in enabled for some reason. Being a DC does not enable it

Panda is fine. Just keep it updated.

Report •

March 6, 2009 at 06:25:20
Your server should be a dhcp server not a dhcp client. You can check this by looking at the tcp/ip properties of both nics. They should not be set to "obtain ip automatically"

@wanderer - sorry I haven't replied sooner! This is what I have so far. After doing the reg fix from microsoft's website everything seemed to work for a few days until this morning. I was restarting services and got to IPSEC which was stopped (event viewer reported it stopping at 222AM.) When I pressed start I got this error message: "Only One Socket Allowed or Permitted." It wouldn't start, so I restarted the server. Actually, neither one of my network connections obtains automatically. The connection that pulls from the internet has a dedicated IP so it and the DNS settings are given. The connection that forwards internet to the other computers also has a given IP address of the local machine ( + it's DNS servers which are the same ( Does this mean that I'm required to use IPSec? Apparently we now know if IPSec is 'terminated' or 'disabled' then internet doesn't continue it's path to anybody? Thanks again!

Report •

Ask Question