I have a Windows Server 2016 running a SQL Server and every hour I get several errors about connection problems.
I found out that the network adapter has Lease Obtained = 2:44 PM and Lease Expires = 3:44 PM, for example, which means that I had network issues at 2:44, 1:44, 12:44, … and I will have another one at 3:44 PM, the next time it renews. The IP is fixed though in AWS. So while the server is set to DHCP, the IP should not change.
To be clear, the server disconnects for a second (or a few) only, then everything goes back to normal. Also, if I set the IP to a static IP, the problem doesn't happen anymore.
ipconfig /all:
Windows IP Configuration
Host Name . . . . . . . . . . . . : SQL02
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : us-east-1.ec2-utilities.amazonaws.com
ec2.internal
Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix . : ec2.internal
Description . . . . . . . . . . . : Amazon Elastic Network Adapter
Physical Address. . . . . . . . . : 0A-4D-28-5B-73-E8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4878:2803:afe:7ac0%16(Preferred)
IPv4 Address. . . . . . . . . . . : 172.30.1.11(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, July 16, 2019 2:44:48 PM
Lease Expires . . . . . . . . . . : Tuesday, July 16, 2019 3:44:48 PM
Default Gateway . . . . . . . . . : 172.30.1.1
DHCP Server . . . . . . . . . . . : 172.30.1.1
DHCPv6 IAID . . . . . . . . . . . : 252333352
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-A9-10-5C-0A-4D-28-5B-73-E8
DNS Servers . . . . . . . . . . . : 172.30.0.2
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter Local Area Connection* 3:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:34f1:8072:1c8d:304a:53e1:fef4(Preferred)
Link-local IPv6 Address . . . . . : fe80::1c8d:304a:53e1:fef4%14(Preferred)
Default Gateway . . . . . . . . . : ::
DHCPv6 IAID . . . . . . . . . . . : 134217728
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-A9-10-5C-0A-4D-28-5B-73-E8
NetBIOS over Tcpip. . . . . . . . : Disabled
Tunnel adapter isatap.ec2.internal:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . : ec2.internal
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
I would appreciate it if anyone could point me in the right direction as to why this is happening and whether it's a Windows or an AWS issue.
UPDATE:
When the DHCP update happens, I get these events in the Event Viewer, in this order (all within 10 seconds):
- Iphlpsvc: Isatap interface isatap.ec2.internal is no longer active.
- Time-Service: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x8'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
- Service Control Manager: The Network Setup Service service entered the running state.
- Iphlpsvc: Isatap interface isatap.ec2.internal with address fe80::5efe:172.30.1.11 has been brought up.
- Time-Service: The time provider NtpClient is currently receiving valid time data from time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->13.70.22.122:123).
- Time-Service: The time service is now synchronizing the system time with the time source time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->13.70.22.122:123).
- Time-Service: The time provider NtpClient is currently receiving valid time data from time.windows.com,0x8 (ntp.m|0x8|0.0.0.0:123->13.70.22.122:123).
Best Answer
I think I finally figured it out after 2 years!
I'm using IPSec to encrypt all the connections in the same subnet, and because the DHCP server is in the same network, the UDP connections the server (i.e., the Windows Server / DHCP client) needs to make are encrypted when they shouldn't be.
The new rule added to IPSec looks like this:
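The answer's own rule is not reproduced on this page; the following is an added PowerShell example (not the answer author's rule) of how such a DHCP exemption can be expressed with the Windows Firewall IPsec cmdlets and then verified against the events listed in the question. It assumes the addresses from the ipconfig output above (DHCP server 172.30.1.1, adapter "Ethernet 2"), an elevated PowerShell on the Windows Server 2016 client, and the event provider names noted in the comments.

```powershell
# Added example (not the answer author's actual rule): exempt DHCP client traffic
# from an IPsec policy that otherwise requires security on the local subnet.
# Assumptions: DHCP server 172.30.1.1 and adapter "Ethernet 2" as in the ipconfig
# output in the question; run in an elevated PowerShell on the DHCP client.

$DhcpServer = '172.30.1.1'
$RuleName   = 'Exempt DHCP client from IPsec'   # hypothetical display name

# 1. Create an IPsec rule that deliberately applies no security ("Do not authenticate")
#    to the DHCP client <-> server exchange (UDP 68 -> 67). Lease renewals are unicast
#    to the server that issued the lease, so a same-subnet "require security" policy
#    would otherwise try to negotiate IPsec for them and the renewal stalls briefly;
#    the rebind/broadcast case (255.255.255.255) is covered as well.
New-NetIPsecRule -DisplayName $RuleName `
    -Description 'DHCP cannot be protected by IPsec; let lease traffic through in the clear' `
    -Protocol UDP -LocalPort 68 -RemotePort 67 `
    -RemoteAddress $DhcpServer, '255.255.255.255' `
    -InboundSecurity None -OutboundSecurity None `
    -Mode Transport -Profile Any -Enabled True

# 2. Verify the rule landed, is enabled and really is an exemption (None/None).
Get-NetIPsecRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, InboundSecurity, OutboundSecurity |
    Format-Table -AutoSize

# 3. Force a renewal and confirm the adapter does not drop: keep the address, and
#    check the System log for the interface-flap / time-service events from the question.
$Adapter = 'Ethernet 2'
$Before  = Get-Date
ipconfig /renew "$Adapter" | Out-Null
Get-NetIPConfiguration -InterfaceAlias $Adapter |
    Select-Object IPv4Address, IPv4DefaultGateway
$Events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Iphlpsvc', 'Microsoft-Windows-Time-Service'   # provider names assumed
    StartTime    = $Before
} -ErrorAction SilentlyContinue
if ($Events) { $Events | Select-Object TimeCreated, ProviderName, Message | Format-List }
else         { 'No interface-flap or time-service events since the renewal: looks fixed.' }
```

The exemption is scoped to the DHCP ports and the DHCP server, so the rest of the subnet keeps its IPsec requirement; check the Lease Obtained / Lease Expires timestamps over the next hour to confirm the periodic drop is gone.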