This article provides resolutions for the issue where UDP communication is blocked by the Windows Firewall rule in WSFC when the network connection is interrupted and then restored.
Applies to: Windows Server 2012 R2 Original KB number: 2701206
Symptoms
In Windows Server 2008 R2 environment, inbound UDP communication may be blocked when the connection to the network is interrupted and then restored. Inbound TCP and ICMP communications may also be blocked in this situation.
This problem occurs if the inbound UDP communication is enabled by Windows Firewall. One of the services that may be affected by this issue is Windows Server Failover Clustering (WSFC). Although Heartbeat Communication (UDP 3343) may be enabled by default, the communication may be blocked. When this issue occurs, the status of the communication in the Failover Cluster Manager is displayed as "Unreachable."
Note
You can refer the inbound UDP communication settings of Windows Firewall from the following rule: [Windows Firewall with Advanced Security] - [Inbound Rules]
Cause
This problem occurs because of an issue in Windows Firewall. The connection to the network is interrupted and then restored when Windows Firewall reloads the profile. In this case, an unintended rule may block the communications port that's required in the cluster.
Run the following netsh commands at an elevated command prompt:
netsh advfirewall firewall show rule "Failover Clusters (UDP-In)"
netsh advfirewall firewall set rule "Failover Clusters (UDP-In)" new enable=no
netsh advfirewall firewall show rule "Failover Clusters (UDP-In)"
Note
When you use this method, the Cluster service may stop. Therefore, if it's possible, you should stop the Cluster service before you start this method, and then restart the Cluster service after you complete the other steps.
When you use this method, the "Failover Clusters (UDP-in)" rule is also disabled.
The Cluster service enables node communication by setting the firewall port of UDP at startup.
Resolution 2: Use the Windows Firewall with Advanced Security add-in
Run the "Windows Firewall with Advanced Security" Microsoft Management Console add-in. To do this, follow these steps:
Click Start, type wf.msc in the Search programs and files box, and then click wf.msc under Programs.
Click Inbound Rules.
Locate and then select the Failover Clusters (UDP-In) rule.
Disable or delete the Failover Clusters (UDP-In) rule.
Note
When you use this method, the Cluster service may stop. Therefore, if it's possible, you should stop the Cluster service before you start this method, and then restart the Cluster service after you complete the other steps.
When you use this method, the "Failover Clusters (UDP-in)" rule is also disabled.
The Cluster service enables node communication by setting the firewall port of UDP at startup.
Resolution 3: Disable Network List Service
To disable the Network List Service service, follow these steps:
Click Start, type services in the Search programs and files box, and then press Enter.
In the Name column under Services (Local), right-click Network List Service, and then click Properties.
On the General tab, set the Startup type box to Disabled.
Click Apply > OK.
Restart the computer.
Note
Before you disable Network List Service, you should consider that this action makes the following changes:
By default, Windows Firewall will now select the Public profile. Therefore, rules that are set for the Domain or Private profiles must be added to the Public profile.
The Networking Sharing Center doesn't display profile types or the network connection status.
The network connection icon no longer appears on the Windows Taskbar.
The changes that occur after you disconnect Network List Service are limited to the display of network information. They don't affect system behavior.
Status
Microsoft has confirmed that this is a known issue in Windows Firewall.
There's a distinction between a Network firewall, and an endpoint (Windows, Linux,…) firewall. UDP can be blocked, by default, on many types of firewall, because it's (essentially) unsolicited network traffic.
(Although UDP is connectionless, the firewall tracks UDP datagrams in IP packets on a session basis; therefore if the UDP packet doesn't match an existing session, it is considered a new session and it counts as a connection toward the thresholds.)
The easiest way to fix this vulnerability is to restrict the access on this port to the local DNS server IP addresses. You can restrict access either using the vSphere Web Client or VMware PowerCLI.
Once the connection is established, the zone data will be sent by the server using the TCP 53 port. However, when the query has to be transferred from the client computer, it will be sent using the port 53 on UDP protocol.
All you have to do is type “netstat -a” on Command Prompt and hit the Enter button. This will populate a list of your active TCP connections. The port numbers will be shown after the IP address and the two are separated by a colon.
To monitor TCP and UDP traffic, you need to use tools that can capture and analyze the packets that are sent and received over the network. Some of the common tools are Wireshark, tcpdump, nmap, netstat, and iperf.
The main difference between TCP (transmission control protocol) and UDP (user datagram protocol) is that TCP is a connection-based protocol and UDP is connectionless. While TCP is more reliable, it transfers data more slowly. UDP is less reliable but works more quickly.
Step 1: Open the Control Panel Step 2: Click on Windows Firewall/ Windows Defender firewall Step 3: Navigate to advanced settings. Step 4:Right click on inbound rules and click on new rule. Step 6:Select port and press next Step 7:Specify the port 137 under specific local ports, select UDP and press next.
To monitor TCP and UDP traffic, you need to use tools that can capture and analyze the packets that are sent and received over the network. Some of the common tools are Wireshark, tcpdump, nmap, netstat, and iperf.
Click on Custom rule -> Next. You will reach Program Step -> Next. You will reach Protocol and Ports Step -> Next. When you get to the Scope stage, you must input the IP address of the website you want to block.
Windows Firewall can mandate secure connections by enforcing the SSL (Secure Sockets Layer) protocol. SSL is a cryptographic protocol that provides secure communication over a network, ensuring the confidentiality and integrity of data exchanged between a client and a server.
Address: 2865 Kasha Unions, West Corrinne, AK 05708-1071
Phone: +3512198379449
Job: Design Planner
Hobby: Graffiti, Foreign language learning, Gambling, Metalworking, Rowing, Sculling, Sewing
Introduction: My name is Dong Thiel, I am a brainy, happy, tasty, lively, splendid, talented, cooperative person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.