Forum Discussion
Azure ATP connection closed errors
- Engineering has researched the sampled capture ans managed to reproduce the issue.Sadly, this is not an easy fix, it's a specific traffic/rare traffic on top of SMB1 we were not aware of before and currently cannot parse.We have opened a bug for it.It is planned but in low priority for now as telemetry shows it happens rarely.We will update once we get it resolved so the fix can be verified.
Microsoftarchedmeerkat Can you verify TSO offload is disabled?
from elevated powershell, run:
Get-NetAdapterAdvancedProperty | Where-Object DisplayName -Match "^Large*"
Check it the feature is enabled, if it is, run:
Disable-NetAdapterLso -Name {name of adapter} \\ this will disable LSO for both IPv4 and IPv6.
Then verify the previous command again to make sure it was disabled.
Eli
EliOfek- Is there a way to enable Debug logging or extra logging on the ATP sensor? It appears to only be happening on one of the four sensors we have.
- EliOfek
archedmeerkat Hi, I am on-boarding internally the engineer who wrote most of the code for parsing this protocol...
For now I don't think raising the trace log will produce meaningful results.
But something that might help is if you are able to use netmon 3.4 to capture a cap file trace of this specific traffic (recording while we have at least one incident like this in the log)
in which case we can use it to repro the problem in our lab which will speed up the research considerably...
EliOfek- Can I use built in netsh commands to run the trace or will it have to be with netmon 3.4.
Do you want both ends or just from the AATP Sensor?
EliOfek- Commands returned that TSO offload is disabled on both on ipv4 and ipv6
