Client drops network connection repeatedly

I have a PC client on our WS2003 network that often drops its connection
and crashes. (The PC itself doesn't actually crash but all the
applications accessing the network do) The DHCP log for the DHCP server
that it leases the address from shows a pattern of repeated renewals of
the lease before it should have expired.

I have started to capture network traffic to try to identify what the
problem is, however the one week's worth of logs that the DHCP server
records shows these entries recorded:

---------- Find in All Open Documents ----------
"H:\My
Documents\DhcpSrvLog-Wed.log"(106,41):11,08/29/07,12:23:39,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
"H:\My
Documents\DhcpSrvLog-Fri.log"(76,41):11,08/31/07,09:35:14,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
"H:\My
Documents\DhcpSrvLog-Fri.log"(77,41):11,08/31/07,09:35:17,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
"H:\My
Documents\DhcpSrvLog-Fri.log"(115,41):11,08/31/07,17:55:55,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
"H:\My
Documents\DhcpSrvLog-Fri.log"(116,41):11,08/31/07,17:55:58,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
"H:\My
Documents\DhcpSrvLog-Mon.log"(76,41):11,09/03/07,08:58:40,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
"H:\My
Documents\DhcpSrvLog-Mon.log"(77,41):11,09/03/07,08:58:42,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
"H:\My
Documents\DhcpSrvLog-Mon.log"(96,41):11,09/03/07,09:38:46,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
"H:\My
Documents\DhcpSrvLog-Mon.log"(97,41):11,09/03/07,09:38:49,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
"H:\My
Documents\DhcpSrvLog-Thu.log"(122,41):11,08/30/07,12:59:35,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
"H:\My
Documents\DhcpSrvLog-Thu.log"(123,41):11,08/30/07,12:59:38,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
"H:\My
Documents\DhcpSrvLog-Tue.log"(61,41):11,08/28/07,08:19:34,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
"H:\My
Documents\DhcpSrvLog-Tue.log"(62,41):11,08/28/07,08:19:36,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,

As the lease period is three days I would have expected to only see a
couple of renewals in that period rather than the 13 entries recorded.
As you can see the renewals are often recorded multiple times in the
same day and there are no recorded instances of a lease being expired by
the DHCP server.

When the connection is dropped numerous errors are recorded and in the
system event log a typical entry reads:

Event Type: Warning
Event Source: MRxSmb
Event Category: None
Event ID: 50
Date: 3/09/2007
Time: 9:38:07
User: N/A
Computer: SYSTEMTECH1
Description:
{Delayed Write Failed} Windows was unable to save all the data for the
file \Device\LanmanRedirector. The data has been lost. This error may be
caused by a failure of your computer hardware or network connection.
Please try to save this file elsewhere.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 04 00 04 00 02 00 56 00 ......V.
0008: 00 00 00 00 32 00 04 80 ....2..?
0010: 00 00 00 00 0c 02 00 c0 .......À
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........
0028: 0c 02 00 c0 ...À

In the last week the events of this type logged occurred at the
following times:

12 times on the 3rd September between 09:35 and 09:38.
10 times on the 31st August between 16:45 and 16:46
80 times on the 29th August between 20:12 and 21:18
Then previous days logged:
22 August (large number of times)
10 August
A large number of times occur if the computer is not restarted the first
time. If the computer is restarted then the event logs cease and as we
can see a new DHCP lease is issued at that time.

The question I suppose is what would cause the DHCP lease to be renewed
multiple times, unless it is normal for the lease to be renewed at each
startup.

I am looking in the logs to see if there are any other patterns for
other systems with multiple renewals.

The PC has been tried with three different network adapters all from
different manufacturers. I have only just started capturing traffic so
it will be some days before I can get enough. On the first try this
morning the packet sniffer crashed at 09:30 so no logs are held for the
connection loss that occurred at approximately 09:37.

Replacing the NIC is good. Now how about the network patch cable from the PC
to the wall jack? Does that fix anything? If not, try replacing the cable
from the patch panel to the switch? Work now? If not, check the logs on your
switch to see if that port is transmitting or receiving errors. Or perhaps
try another switch port or a different port on a different switch.

From what you are describing - it probably has something to do with the path
from the switch to the PC - assuming the PC OS and drivers are not causing
problems. Look at the switch port first, then start replacing cables.


"NZSchoolTech" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
>I have a PC client on our WS2003 network that often drops its connection
>and crashes. (The PC itself doesn't actually crash but all the applications
>accessing the network do) The DHCP log for the DHCP server that it leases
>the address from shows a pattern of repeated renewals of the lease before
>it should have expired.
>
> I have started to capture network traffic to try to identify what the
> problem is, however the one week's worth of logs that the DHCP server
> records shows these entries recorded:
>
> ---------- Find in All Open Documents ----------
> "H:\My
> Documents\DhcpSrvLog-Wed.log"(106,41):11,08/29/07,12:23:39,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
> "H:\My
> Documents\DhcpSrvLog-Fri.log"(76,41):11,08/31/07,09:35:14,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
> "H:\My
> Documents\DhcpSrvLog-Fri.log"(77,41):11,08/31/07,09:35:17,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
> "H:\My
> Documents\DhcpSrvLog-Fri.log"(115,41):11,08/31/07,17:55:55,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
> "H:\My
> Documents\DhcpSrvLog-Fri.log"(116,41):11,08/31/07,17:55:58,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
> "H:\My
> Documents\DhcpSrvLog-Mon.log"(76,41):11,09/03/07,08:58:40,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
> "H:\My
> Documents\DhcpSrvLog-Mon.log"(77,41):11,09/03/07,08:58:42,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
> "H:\My
> Documents\DhcpSrvLog-Mon.log"(96,41):11,09/03/07,09:38:46,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
> "H:\My
> Documents\DhcpSrvLog-Mon.log"(97,41):11,09/03/07,09:38:49,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
> "H:\My
> Documents\DhcpSrvLog-Thu.log"(122,41):11,08/30/07,12:59:35,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
> "H:\My
> Documents\DhcpSrvLog-Thu.log"(123,41):11,08/30/07,12:59:38,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
> "H:\My
> Documents\DhcpSrvLog-Tue.log"(61,41):11,08/28/07,08:19:34,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
> "H:\My
> Documents\DhcpSrvLog-Tue.log"(62,41):11,08/28/07,08:19:36,Renew,192.168.1.29,systemtech1.hcs.loc al,00179A05F94A,
>
> As the lease period is three days I would have expected to only see a
> couple of renewals in that period rather than the 13 entries recorded. As
> you can see the renewals are often recorded multiple times in the same day
> and there are no recorded instances of a lease being expired by the DHCP
> server.
>
> When the connection is dropped numerous errors are recorded and in the
> system event log a typical entry reads:
>
> Event Type: Warning
> Event Source: MRxSmb
> Event Category: None
> Event ID: 50
> Date: 3/09/2007
> Time: 9:38:07
> User: N/A
> Computer: SYSTEMTECH1
> Description:
> {Delayed Write Failed} Windows was unable to save all the data for the
> file \Device\LanmanRedirector. The data has been lost. This error may be
> caused by a failure of your computer hardware or network connection.
> Please try to save this file elsewhere.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> Data:
> 0000: 04 00 04 00 02 00 56 00 ......V.
> 0008: 00 00 00 00 32 00 04 80 ....2..?
> 0010: 00 00 00 00 0c 02 00 c0 .......À
> 0018: 00 00 00 00 00 00 00 00 ........
> 0020: 00 00 00 00 00 00 00 00 ........
> 0028: 0c 02 00 c0 ...À
>
> In the last week the events of this type logged occurred at the following
> times:
>
> 12 times on the 3rd September between 09:35 and 09:38.
> 10 times on the 31st August between 16:45 and 16:46
> 80 times on the 29th August between 20:12 and 21:18
> Then previous days logged:
> 22 August (large number of times)
> 10 August
> A large number of times occur if the computer is not restarted the first
> time. If the computer is restarted then the event logs cease and as we can
> see a new DHCP lease is issued at that time.
>
> The question I suppose is what would cause the DHCP lease to be renewed
> multiple times, unless it is normal for the lease to be renewed at each
> startup.
>
> I am looking in the logs to see if there are any other patterns for other
> systems with multiple renewals.
>
> The PC has been tried with three different network adapters all from
> different manufacturers. I have only just started capturing traffic so it
> will be some days before I can get enough. On the first try this morning
> the packet sniffer crashed at 09:30 so no logs are held for the connection
> loss that occurred at approximately 09:37.
>