Windows Server 2016 disconnecting every hour

Tags: amazon-ec2, networking, windows-server-2016

I have a Windows Server 2016 running a SQL Server and every hour I get several errors about connection problems.

I found out that the network adapter has Lease Obtained = 2:44 PM and Lease Expires = 3:44 PM, for example, which means that I had network issues at 2:44, 1:44, 12:44, … and I will have another one at 3:44 PM, the next time it renews. The IP is fixed in AWS, though, so while the server is set to DHCP, the IP should not change.

To be clear, the server disconnects for a second (or a few) only, then everything goes back to normal. Also, if I set the IP to a static IP, the problem doesn't happen anymore.

ipconfig /all:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : SQL02
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : us-east-1.ec2-utilities.amazonaws.com
                                       ec2.internal

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix  . : ec2.internal
   Description . . . . . . . . . . . : Amazon Elastic Network Adapter
   Physical Address. . . . . . . . . : 0A-4D-28-5B-73-E8
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4878:2803:afe:7ac0%16(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.30.1.11(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Tuesday, July 16, 2019 2:44:48 PM
   Lease Expires . . . . . . . . . . : Tuesday, July 16, 2019 3:44:48 PM
   Default Gateway . . . . . . . . . : 172.30.1.1
   DHCP Server . . . . . . . . . . . : 172.30.1.1
   DHCPv6 IAID . . . . . . . . . . . : 252333352
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-A9-10-5C-0A-4D-28-5B-73-E8
   DNS Servers . . . . . . . . . . . : 172.30.0.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 3:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:34f1:8072:1c8d:304a:53e1:fef4(Preferred)
   Link-local IPv6 Address . . . . . : fe80::1c8d:304a:53e1:fef4%14(Preferred)
   Default Gateway . . . . . . . . . : ::
   DHCPv6 IAID . . . . . . . . . . . : 134217728
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-A9-10-5C-0A-4D-28-5B-73-E8
   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.ec2.internal:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : ec2.internal
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No

I would appreciate it if anyone could point me in the right direction as to why this is happening and whether it's a Windows or an AWS issue.

UPDATE:

When the DHCP update happens, I get these events in the Event Viewer, in this order (all within 10 seconds):

  1. Iphlpsvc: Isatap interface isatap.ec2.internal is no longer active.
  2. Time-Service: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x8'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
  3. Service Control Manager: The Network Setup Service service entered the running state.
  4. Iphlpsvc: Isatap interface isatap.ec2.internal with address fe80::5efe:172.30.1.11 has been brought up.
  5. Time-Service: The time provider NtpClient is currently receiving valid time data from time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->13.70.22.122:123).
  6. Time-Service: The time service is now synchronizing the system time with the time source time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->13.70.22.122:123).
  7. Time-Service: The time provider NtpClient is currently receiving valid time data from time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->13.70.22.122:123).

Best Answer

I think I finally figured it out after 2 years!

I'm using IPsec to encrypt all the connections in the same subnet, and because the DHCP server is in the same network, the UDP connections the server (i.e., the Windows Server / DHCP client) needs to make are encrypted while they shouldn't be.

The new rule added to IPSec looks like this:

Mirrored: Yes
Source DNS Name: <My IP Address>
Source Address: <My IP Address>
Destination DNS Name: <A specific IP Subnet>
Destination Address: 172.30.1.0/24
Source Port: Any
Destination Port: Any
Protocol: UDP
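An added diagnostic for both halves of this thread (not code from the question or the answer): it correlates each DHCP lease renewal with the System-log events listed in the question, then checks whether DHCP traffic is exempt from IPsec. It assumes it runs elevated on the affected host, and that the provider names below are the System-log providers for IP Helper, the DHCP client and the time service.

```powershell
# Added example, not the poster's own script. Assumes an elevated session on the
# affected host; the provider names are assumed System-log providers.
$providers = 'Microsoft-Windows-Iphlpsvc', 'Microsoft-Windows-Dhcp-Client', 'Microsoft-Windows-Time-Service'

# 1. Lease window of every DHCP-enabled adapter (the same data ipconfig /all prints).
$leases = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'DHCPEnabled=True AND IPEnabled=True' |
    Select-Object Description, IPAddress, DHCPServer, DHCPLeaseObtained, DHCPLeaseExpires
$leases | Format-Table -AutoSize

foreach ($lease in $leases) {
    $obtained = $lease.DHCPLeaseObtained
    # 2. Events within two minutes either side of the renewal. A cluster here ties the
    #    short outage to the renewal itself rather than to SQL Server or the network.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = $providers
        StartTime    = $obtained.AddMinutes(-2)
        EndTime      = $obtained.AddMinutes(2)
    } -ErrorAction SilentlyContinue
    '{0}: {1} event(s) around the lease renewal at {2}' -f $lease.Description, @($events).Count, $obtained
    $events | Select-Object TimeCreated, ProviderName, Id,
        @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } | Format-Table -AutoSize
}

# 3. DHCP (UDP 67/68) must never be required to negotiate IPsec: the DHCP server will
#    not, so the renewal stalls until the lease lapses and the interface resets.
#    Windows Firewall with Advanced Security has a global exemption for this; legacy
#    IP Security Policies (what the answer edited) need a permit rule for UDP instead.
$exempt = (Get-NetFirewallSetting).Exemptions
if ("$exempt" -match 'Dhcp') { 'IPsec global DHCP exemption: present' }
else { 'IPsec global DHCP exemption: absent (Set-NetFirewallSetting -Exemptions Dhcp adds it)' }

# Any enabled connection-security rule whose address filter covers the DHCP server and
# whose port filter does not carve out UDP 67/68 will catch the renewal exchange.
foreach ($rule in Get-NetIPsecRule -Enabled True -ErrorAction SilentlyContinue) {
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    '{0}: {1} -> {2}, proto {3}, ports {4} -> {5}' -f $rule.DisplayName,
        ($addr.LocalAddress -join ','), ($addr.RemoteAddress -join ','),
        $port.Protocol, ($port.LocalPort -join ','), ($port.RemotePort -join ',')
}

# Policies assigned through the legacy IP Security Policies snap-in do not appear
# above; list them separately.
netsh ipsec static show all
```

If the event cluster lines up with DHCPLeaseObtained on every run and the legacy policy shows a UDP filter matching the subnet without a permit action, the renewal is being forced through IPsec, which is exactly the condition the accepted answer fixes.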