When Symantec Scan Engine 5.2.x or Protection Engine or 7.x is installed on Windows 2008 or 2012, the NetApp Filer continuously reports that Scan Engine has disconnected from the filer.  Typically this warning/error is logged once every 6 minutes in the Filer's syslog, or any time the Filer attempts to scan a file.  Soon after the disconnect warning, the Filer will log that Scan Engine has successfully registered with the Filer again.

Wed Oct 27 15:31:54 CDT [XXXXX: vscan.dropped.connection:warning]: CIFS: Virus scan server \\NTAPPXXXXX (xx.xx.xx.xx) has disconnected from the filer.
Wed Oct 27 15:37:25 CDT [XXXXXX: cifs.server.errorMsg:error]: CIFS: Error for server \\NTAPPXXXXX: SMB2 Session Setup Error No Trusted Logon Servers Available - STATUS_NO_LOGON_SERVERS.
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Wed Feb  9 23:05:23 EST [xxxxx: vscan.server.connecting.disconnect:info]: CIFS: Vscan server \\XXXXXXXX deregistered and will be removed from the list of available vscan servers.
Wed Feb  9 23:05:23 EST [xxxxx: cifs.server.infoMsg:info]: CIFS: Warning for server \\XXXXXXXXX: Connection terminated.
Wed Feb  9 23:05:23 EST [xxxxx: vscan.dropped.connection:warning]: CIFS: Virus scan server \\XXXXXXXX (10.10.10.10) has disconnected from the filer.
Wed Feb  9 23:05:34 EST [xxxxx: vscan.virus.created:ALERT]: CIFS: Possible Virus Detected - File ONTAP_ADMIN$\<file-path> may be infected. The filer received status message Internal server error and error code [0x5] from vscan (anti-virus) server 10.1.150.11.
Wed Feb  9 23:05:40 EST [xxxxx: vscan.server.connecting.successful:info]: CIFS: Vscan server \\XXXXXXXX registered with the filer successfully.
Wed Feb  9 23:05:59 EST [xxxxx: vscan.server.connecting.disconnect:info]: CIFS: Vscan

It is likely that this will be accompanied with Generic 6 Errors reported by Symantec AntiVirus for Network Attached Storage 5.2.  Check the Scan Engine log files to confirm. 

There is more than one known cause of this issue.

1 - The issue is caused by a feature in SMB 2.0.  Microsoft introduced an Authentication Expiration period in SMB2.  If scan requests occur after this ticket has expired, but before the scanner and Filer reconnect the request will fail.  The NetApp AV connector has not accounted for this Authentication Expiration period in SMB2 yet. Please note that newer version of the NetApp firmware work well with SMB 2.0 and Netapp version 8 cluster requires SMB 2.0.

2 - This issue has also been known to occur when the Windows firewall is not correctly configured to allow RPC communications from the Scan engine to the Netapp filer.

This issue is typically caused by the Scan Engine Server using SMB 2.0, or the SSE Server not allowing anonymous access for Named Pipes.

To allow anonymous access for Named Pipes on the Scan Engine Server,
1. Go to Local Security Policy > Local Policies > Security Options.
2. Under Policy, look for “Network access: Named Pipes that can be accessed anonymously”.
3. Under the Security Setting for this Policy make sure NTAPVSRQ is there, if not go ahead and add it.
4. Under the same policy list, look for “Network access: Let Everyone permissions apply to anonymous users”.
5. Change this policy from disabled to enabled.
6. Restart the Server.
Note, this is needed because the NetApp Filer uses the "anonymous" user through the NTAPVSRQ pipe.

The next part is only pertinent for Netapp in 7 mode.  If the netapp is not in 7 mode do not disable SMB 2.0.

To disable SMB 2.0 on the Scan Engine Server. Currently NetApp is working on a fix for their AV connector so that it does not run into this SMB2 Authentication Expiration timer.
1. Open command prompt on Windows Server
2. Type the following commands and hit enter after each:

sc config lanmanworkstation depend= bowser/mrxsmb10/nsi
sc config mrxsmb20 start= disabled

Note, this is needed because the NetApp Filers running OnTap versions prior to 7 do not support SMB 2.0.  If this is the specific issue you are running into you should see error in the NetApp Log file,

Additionally, if disabling SMB2 is not an option, we would suggest contacting NetApp for updates regarding support for SMB2 and their AV connector (Bug ID 470972). support.netapp.com/NOW/cgi-bin/bol

For information on how to configure RPC with the Windows Firewall, visit www.symantec.com/docs/TECH146058

Applies To

Windows 2008 and Windows 2012

Scan Engine 5.2.x

Protection Engine 7.x

SMB 2.0 enabled on the Scan Engine and Filer