Getting error: SMB2 parser not being created: connection blacklisted for SMB2 || No specific in-path rules configured for port 445 (SMB traffic)

Solution Number: S38627
Last Modified: 2025-01-22
Description
The server-side SteelHead is not joined to a domain. No specific in-path rules are configured for port 445 (SMB traffic) either.
 
Issue
The SteelHead attempts to optimize the SMB traffic, but this SFE (1) is not joined to any domain and (2) has no SMB 2/3 signing enabled. As a result, the traffic cannot be optimized and the connections are blacklisted on this SFE. You must enable SMB2 and join the domain before enabling SMB2 signing.

###LOGS from SFE###

Dec 29 14:26:28 NA-HCM-RB2AiN sport[5104]: [smbmux_sfe.NOTICE] 34163284 {207.130.22.118:60039 207.130.142.48:445} SMB2 parser not being created: connection blacklisted for SMB2.
Dec 29 14:26:34 NA-HCM-RB2AiN sport[5104]: [smbmux_cfe.NOTICE] 34163425 {207.130.142.178:63957 207.130.40.10:445} SMB2 parser not being created: connection blacklisted for SMB2.
Dec 29 14:26:35 NA-HCM-RB2AiN sport[5104]: [smbmux_sfe.NOTICE] 34163467 {170.108.65.50:61412 207.130.142.49:445} SMB2 parser not being created: connection blacklisted for SMB2.
Dec 29 14:26:41 NA-HCM-RB2AiN sport[5104]: [smbmux_sfe.NOTICE] 34163639 {207.130.22.118:60059 207.130.142.49:445} SMB2 parser not being created: connection blacklisted for SMB2.
Dec 29 14:27:13 NA-HCM-RB2AiN sport[5104]: [smb2cfe.ERR] 34164370 {207.130.142.118:63690 207.130.40.10:445} SteelHead signing needs to be active to optimize SMB 3.1.1+ connections. Signature verification might fail on the client
Dec 29 14:27:13 NA-HCM-RB2AiN sport[5104]: [smb2cfe.WARN] 34164370 {207.130.142.118:63690 207.130.40.10:445} Adding blacklist entry for pair Client ip: 207.130.142.118 Server ip: 207.130.40.10. Reason: SteelHead signing is not configured or is down, Signature verification might fail on the client
Dec 29 14:27:37 NA-HCM-RB2AiN sport[5104]: [smbmux_sfe.NOTICE] 34164914 {207.130.50.2:57256 207.130.142.49:445} SMB2 parser not being created: connection blacklisted for SMB2.
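
To see which client/server pairs are affected, the following added example (not part of the original article or any Riverbed tooling) parses sport log lines in the format shown above and separates new blacklist entries, with their reason, from connections refused because a pair was already blacklisted. The sample lines, host name and IP addresses are constructed, and treating `*sfe`/`*cfe` module names as the server-side/client-side role is an assumption.

```python
import re
from collections import Counter

# Layout seen in the excerpt:
# <date> <host> sport[pid]: [module.LEVEL] <conn-id> {client:port server:port} <message>
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\ssport\[\d+\]:\s\[(?P<module>\w+)\.\w+\]\s"
    r"\d+\s\{(?P<client>[\d.]+):\d+\s(?P<server>[\d.]+):\d+\}\s(?P<msg>.*)$"
)
REFUSED = "SMB2 parser not being created: connection blacklisted for SMB2"
ADDED_RE = re.compile(
    r"Adding blacklist entry for pair Client ip: (?P<c>[\d.]+) "
    r"Server ip: (?P<s>[\d.]+)\. Reason: (?P<reason>.*)$"
)

def summarize(lines):
    """Return ({(client, server): reason} for new blacklist entries,
    Counter of refused connections keyed by (client, server, role))."""
    added, refused = {}, Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a sport connection line
        # Assumption: *sfe modules log the server-side role, *cfe the client-side role.
        role = "server-side" if m["module"].endswith("sfe") else "client-side"
        entry = ADDED_RE.search(m["msg"])
        if entry:
            added[(entry["c"], entry["s"])] = entry["reason"]
        elif REFUSED in m["msg"]:
            refused[(m["client"], m["server"], role)] += 1
    return added, refused

# Constructed sample lines in the same format (documentation IP ranges, made-up host/ids).
P = "Dec 29 14:26:28 sh-example sport[5104]: "
SAMPLE = [
    P + "[smbmux_sfe.NOTICE] 1001 {192.0.2.20:60039 198.51.100.48:445} " + REFUSED + ".",
    P + "[smbmux_cfe.NOTICE] 1002 {192.0.2.118:63957 198.51.100.10:445} " + REFUSED + ".",
    P + "[smbmux_sfe.NOTICE] 1003 {192.0.2.20:60059 198.51.100.48:445} " + REFUSED + ".",
    P + "[smb2cfe.WARN] 1004 {192.0.2.118:63690 198.51.100.10:445} Adding blacklist entry "
        "for pair Client ip: 192.0.2.118 Server ip: 198.51.100.10. Reason: SteelHead "
        "signing is not configured or is down, Signature verification might fail on the client",
    "Dec 29 14:27:40 sh-example mgmtd[900]: unrelated line that must be skipped",
]

if __name__ == "__main__":
    added, refused = summarize(SAMPLE)
    for (c, s), reason in added.items():
        print(f"blacklisted {c} -> {s}: {reason}")
    for (c, s, role), n in refused.most_common():
        print(f"{n} refused {c} -> {s} ({role})")
```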

/mnt/support/data/sysdump$ show -d

*****************************************************
Hostname : NA-HCM-RB2AiN - running on: Physical Box
Sysdump@ :2024-12-29 18:13:53 Etc/UTC
*****************************************************
************************************************
RiOS Version: rbt_sh 9.9.3a
status: 0 (1=in domain 0=Not in domain)
Replication user: Not configured
DNS Server List:
DNS Domain List:
Defined DCs:
DCs currently being used:
************************************************

Current configuration from sysdump:

no protocol smb2 signing ntlm-bypass enable
no protocol mapi encrypted ntlm-bypass enable
protocol smb2 signing native-krb downgrade enable
Solution
If the customer does not plan to configure a domain join in order to optimize port 445 (SMB) traffic, make the following changes on this SFE:

* If NTLM-based traffic exists on the network, configure the commands below on the SteelHead to bypass it. These commands are recommended on the server-side SteelHead and require a service restart.

protocol smb2 signing ntlm-bypass enable
    Enables the pass-through of NTLM connections during SMB2 signing.
protocol mapi encrypted ntlm-bypass enable
    Enables the bypass of NTLM-authenticated encrypted MAPI traffic.
no protocol smb2 signing native-krb downgrade enable
    You must enable SMB2 and join the domain before enabling SMB2 signing. This command disables an SMB2 signing downgrade after an end-to-end Kerberos failure.

* Any connection using NTLM authentication will go into bypass mode at the application layer and will be marked with a red triangle in the Current Connections report, indicating that latency optimization was not performed (S35726).
Environment
SteelHead Appliance