I had been receiving this DFSR error in the event logs for some time, and couldn’t find any real resolution on it. The exact text of the error is:
Error: 1726 (The remote procedure call failed.)
Connection ID: 3880BBEC-6FC1-45B9-8750-196A7C32C9D8
Replication Group ID: B8242CE2-F5EB-47DA-BA5B-1DD2F7EE3AB9
This would cause a break in replication which wasn’t desirable during production hours. The strange thing was, it occurred every 5 minutes like clockwork, for all our servers separated by VPN.
I eventually discovered it was a problem with our Sonicwall devices providing the VPN connection. There was a 5 minute timeout value for TCP connections, which was being enforced on the DFSR connections for some reason.
While not an ideal solution, we have worked around this error by setting the value to a sufficiently high number.
UPDATE Sept 2011: I realized that the majority of this post was describing the problem and not the solution, so I’ve updated with clear instructions on what I’ve done to resolve this.
To start I only created these rules on my hub firewall at our head office. Doing them on each branch office wasn’t necessary.
I created address objects for each of my DFS servers, and placed them into two groups – one for local (from the firewall’s perspective) and one for servers across a VPN link.
Then using the firewall rules matrix, I create two rules, one in each of the indicated sections:
The two rules I created look like this:
On the properties for each rule, on the Advanced tab, increase the TCP connection timeout to some large value:
This was necessary for my Sonicwall Pro 4060 running SonicOS Enhanced 4.0.0.2-51e. In a couple of days we are replacing this with an NSA 2400 on SonicOS 5.8.x, so I’ll disable these rules to see if the issue still occurs on new hardware.
Excellent!… This fixed my issue between a Sonicwall NSA240 and a TW210 (Remote Office) running DFS to replicate Data to our branh office!
Great post!
Wow! 3 or 4 months of endless and unsuccessful troubleshooting with ITservice companies and finally with microsoft, and now, you’re presenting the simple solutution!
Imagine a man smiling!
THANKS…
Excellent… This work great for us as well!
Just a clarification, this setting is located in the firewall access rules applied from LAN to VPN and VPN to LAN access lists for the specific site to site VPN policy(ies) involved – not the Default TCP time out found in the Firewall -> TCP Settings for the whole firewall.
Many thanks!
Thanks John for the comment. Your clarification prompted me to recognize I hadn’t done a good job of explaining the solution; something that bothers me a lot when searching for resolution to a problem.
I’ve gone and updated the post to more accurately reflect what I’ve done to solve the problem.
Tank you. This article helps me with my dfsr problem and sonicwall.
I just initiated the same fix to my own NSA2600 running SonicOS Enhanced 6.2.7.1-23n – glad to see some problems never go away.
I’m also running a PING on a Scheduled Task from one DC to another… Hopefully between these two fixes it’ll be interesting enough traffic to keep my S2Ses from deciding they’re done talking to each other.
Thank you!
Im using FortiGate firewall and cannot find where this setting is located. anyone can help on this?
many thanks!
This is un-tested and I’m not intimately familiar with FortiGates, but you could try the following:
– Configure DFSR to use a static RPC port for replication.
– Configure FortiGate to increase TCP timeout for that particular static port.
Do you happen to have updated instructions on how to do this ?
Sonicwall provides a KB article on increasing the tcp timeout that is relevant for current releases of SonicOS.
After I initially commented I appear to have clicked the -Notify me
when new comments are added- checkbox and from now on each time a comment is added I receive four emails with the same
comment. There has to be an easy method you can remove me from that service?
Thanks!
Sorry, I’ve tried to look for your subscription based on the email address that is recorded with the comment, but it doesn’t appear in the list of subscribed posts. Perhaps you have already found a way to remove this?