|
|
|
Desktop Heap Issue and Reflection for Secure IT
Technical Note 2279
Last Reviewed 21-Mar-2008
Applies To
Reflection for Secure IT Windows Server version 6.1 or higher
Summary
Technical Note 2279
Last Reviewed 21-Mar-2008
Applies To
Reflection for Secure IT Windows Server version 6.1 or higher
Summary
This technical note identifies the symptoms you may see when the number of connections that can be made to a Windows server reaches its limit. Relevant error messages and event ids are also listed.
Background
There are a limited number of connections that can be made to a Windows server, and this limit may be less than you would expect. The limit is due to desktop heap allocation on Windows operating systems.
Managing System Resources
On servers with multiple simultaneous ssh sessions, the memory available for Windows desktop heaps can become exhausted, and processes that require these resources will not be able to start. These include non-interactive processes such as services, scheduled tasks, and scripts.
The server starts a child process for every sftp session, scp transfer, terminal session, and exec request. Every session with one or more active child process uses desktop heap, the non-interactive Windows resource.
Resolving Desktop Heap Issues
To avoid exhausting the memory available for desktop heaps, you can use the "Maximum number of connections" setting (on the General pane) to limit the number of possible connections. It is also possible to increase your system's capacity for non-interactive desktop heaps by decreasing the size of each heap. For details, refer to the Microsoft Knowledge Base.
Note: Beginning in Reflection for Secure IT Windows Server 7.0, Attachmate has set the default value for the server setting “Maximum number of connections” to 60. The optimum value for this setting will vary from server to server depending on the use of individual servers. The number of sessions attained on 64-bit Windows servers may reach 100.
Symptoms from the Client Side
Your users may experience different symptoms as a result of exhausted desktop heap resources.
Immediate Disconnect
Users will connect, authenticate, and immediately be disconnected. Often users will report that they cannot connect to the server. The problem occurs after authentication; a client debug log will show the connection, successful authentication, successful pty request, successful shell request, and then a disconnect.
Cannot Make Additional Connections
Some users will report they cannot make additional connections. For example, they may have three working sessions and not be able to establish a fourth session. Or, they may report that after disconnecting an existing connection they can reconnect. However, once reconnected they can no longer make additional connections.
Sample Error Messages
There are a variety of messages that may be generated when desktop heap resource limits are encountered, depending on the client application being used to connect to the server. However, "disconnect" or "unable to connect" messages are not specific to desktop heap issues only. Looking at the server event viewer, server debug logs, and client debug logs may be necessary to identify the exact problem. It is best practice to use all three information sources for troubleshooting.
For the Reflection for Secure IT Windows Client, sample error messages vary by version:
Version 7.0:
Reflection Secure Shell Error
Connection Failed. (10054) An existing connection was forcibly closed by the remote host.
Version 6.1:
Reflection - Unable to connect to host.
For the Reflection for Secure IT FTP / SFTP Windows Client, sample error messages vary by version:
Version 7.0: Reflection FTP Client:
A Secure Shell error occurred while trying to make a connection. (10054) An existing connection was forcibly closed by the remote host.
Version 6.1: Reflection SFTP Client:
A Secure Shell error occurred while trying to make a connection.
In the SSH command line utility, you may see the following:
Version 7.0:
C:\Documents and Settings\Administrator>ssh administrator@hostfatal: ssh_exchange_identification error: read: An existing connection was forcibly closed by the remote host.Connection Failure.C:\Documents and Settings\Administrator>Version 6.1.3:
C:\Documents and Settings\Administrator>ssh administrator@hostfatal: ssh_exchange_identification error: read: Invalid argumentConnection Failure.C:\Documents and Settings\Administrator>For the Reflection for Secure IT UNIX Client and some Windows command line utilities, users may see "authentication successful" or "connection closed" and no Windows prompt displayed.
Connections to the Reflection for Secure IT 7.0 Windows Server running on Windows 2000 servers may not result in any error messages; the client connection may just hang after entering a password.
In addition to the error messages above, client and server debug logs are likely to include exit status 128 or exit code 128. See the example in Review Server and Client Debug Logs.
Troubleshooting Desktop Heap Issues
It is important to gather a detailed description of the user's experience and the product behavior when troubleshooting desktop heap issues. To assist you with troubleshooting, you may be asked to provide a detailed problem description, debug logs, event ids, and screen shots.
If your users experience the symptoms described above and see one of the error messages displayed, use the following tools to help troubleshoot the problem.
Use the Event Viewer
Depending on the Reflection for Secure IT Windows Server version, the following EventID may display in the Event Viewer:
Version 7.0 on a Windows 2003 server:
EventID: 244 - Failed to create a desktop due to desktop heap exhaustion
Version 6.1.3:
EventID 243 – Failed to allocate desktop heap
Note that the absence of these events is not conclusive since the servers might not be configured correctly to record these events. Or in the case of Windows 2000 servers, the events are sometimes not recorded.
Try having several users disconnect. The same several users should be able to reconnect, but an additional user should not be able to connect.
Review Server and Client Debug Logs
The following server log sample suggests a desktop heap issue. Notice the user's profile is loaded and cmd.exe is being executed and at that point, the process is terminated.
.\SessionContext.cpp:SessionContext::Revert(510) Starts....000000013989 2008-01-03 17:12:36.019 4852 SK-RSSW7\ADMINISTRATOR:[Trace] .\SessionContext.cpp:SessionContext::LoadProfileIfNotYetLoaded(1732) User's profile successfully loaded000000013990 2008-01-03 17:12:36.019 4852 SK-RSSW7\ADMINISTRATOR:[Trace] .\SessionContext.cpp:SessionContext::Impersonate(471) Starts....000000013991 2008-01-03 17:12:36.050 4852 SK-RSSW7\ADMINISTRATOR:[Info] .\sshd.cpp:WindowsSessionServer::HandleRequest(4363) Session server 84: Executing command 'toterm cmd:"C:\WINDOWS\System32\cmd.exe"' in working directory 'C:\Documents and Settings\Administrator'.000000013992 2008-01-03 17:12:36.128 3880 SK-RSSW7\ADMINISTRATOR:[Trace] .\sshd.cpp:WindowsServerManager::OnKeepAlive(7412) Sending keep-alive packet to client000000013993 2008-01-03 17:12:36.144 4852 SK-RSSW7\ADMINISTRATOR:[Trace] .\SessionContext.cpp:SessionContext::SetPassword(385) Starts....000000013994 2008-01-03 17:12:36.144 4852 Administrator:[Trace] .\sshd.cpp:WindowsSessionServer::HandleRequest(4443) End.000000013995 2008-01-03 17:12:36.175 4852 SK-RSSW7\ADMINISTRATOR:[Trace] .\sshd.cpp:WindowsSessionServer::HandleProcessExit(4671) Session server 84: Process terminated with exit code 128, reporting exit code to remoteUse Microsoft's Desktop Heap Monitor
You can also use Microsoft’s Desktop Heap Monitor to help troubleshoot desktop heap issues. Download version 8.1 of the utility from Microsoft:
