UDP communication is blocked by the Windows Firewall rule in WSFC when the network connection is interrupted and then restored

Symptoms
In a Windows Server 2008 R2 environment, inbound UDP communication may be blocked when the connection to the network is interrupted and then restored. Inbound TCP and ICMP communications may also be blocked in this situation.

This problem occurs if the inbound UDP communication is enabled by Windows Firewall. One of the services that may be affected by this issue is Windows Server Failover Clustering (WSFC). Although Heartbeat Communication (UDP 3343) may be enabled by default, the communication may be blocked. When this issue occurs, the status of the communication in the Failover Cluster Manager is displayed as "Unreachable."

Note You can review the inbound UDP communication settings of Windows Firewall in the following location:

[Windows Firewall with Advanced Security] - [Inbound Rules]
Cause
This problem occurs because of an issue in Windows Firewall. The connection to the network is interrupted and then restored when Windows Firewall reloads the profile. In this case, an unintended rule may block the communications port that is required in the cluster.
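
To see which inbound rules currently cover the cluster heartbeat port (UDP 3343) and whether an enabled Block rule applies to the active firewall profile, the following PowerShell script can be run on the node. It is an added example, not part of the original article or Microsoft's own code; it assumes an elevated session and the HNetCfg.FwPolicy2 COM interface, and the names Test-PortInSpec and BlocksNow are illustrative.

```powershell
# Added diagnostic example (not from the original article).
# Lists inbound firewall rules that cover UDP 3343 and flags enabled Block
# rules that apply to an active profile. Uses the HNetCfg.FwPolicy2 COM API,
# which is available on Windows Server 2008 R2. Run from an elevated prompt.

$HeartbeatPort = 3343   # WSFC heartbeat port named in the article
$UdpProtocol   = 17     # IANA protocol number for UDP
$AnyProtocol   = 256    # NET_FW_IP_PROTOCOL_ANY
$DirInbound    = 1      # NET_FW_RULE_DIR_IN
$ActionBlock   = 0      # NET_FW_ACTION_BLOCK
$ProfileNames  = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }

function Test-PortInSpec([string]$Spec, [int]$Port) {
    # LocalPorts is empty, '*', or a comma list of ports, ranges and keywords.
    if ([string]::IsNullOrEmpty($Spec) -or $Spec -eq '*') { return $true }
    foreach ($item in $Spec.Split(',')) {
        $item = $item.Trim()
        if ($item -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($item -eq "$Port") { return $true }
    }
    return $false   # keywords such as 'RPC' never match a numeric port
}

$policy = New-Object -ComObject HNetCfg.FwPolicy2
$active = $policy.CurrentProfileTypes   # bitmask of the active profile(s)

$activeNames = $ProfileNames.Keys | Where-Object { $active -band $_ } |
    ForEach-Object { $ProfileNames[$_] }
"Active profile(s): " + ($activeNames -join ', ')

$policy.Rules |
    Where-Object {
        $_.Direction -eq $DirInbound -and
        ($_.Protocol -eq $UdpProtocol -or $_.Protocol -eq $AnyProtocol) -and
        (Test-PortInSpec $_.LocalPorts $HeartbeatPort)
    } |
    Select-Object Name, Enabled,
        @{ n = 'Action';    e = { if ($_.Action -eq $ActionBlock) { 'Block' } else { 'Allow' } } },
        @{ n = 'Profiles';  e = { $_.Profiles } },
        @{ n = 'BlocksNow'; e = { $_.Enabled -and $_.Action -eq $ActionBlock -and
                                  [bool]($_.Profiles -band $active) } } |
    Sort-Object BlocksNow -Descending |
    Format-Table -AutoSize
```

The script only reads the firewall policy. It does not evaluate program, interface, or remote-address conditions on a rule, so a rule flagged in the BlocksNow column still needs to be reviewed in wf.msc.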
Resolution
To resolve this issue, use one of the following methods.

Method 1: Use the netsh command

Run the following netsh commands at an elevated command prompt:

netsh advfirewall firewall show rule name="Failover Clusters (UDP-In)"
netsh advfirewall firewall set rule name="Failover Clusters (UDP-In)" new enable=no
netsh advfirewall firewall show rule name="Failover Clusters (UDP-In)"
Notes

  • When you use this method, the Cluster service may stop. Therefore, if it is possible, you should stop the Cluster service before you start this method, and then restart the Cluster service after you complete the other steps.
  • When you use this method, the “Failover Clusters (UDP-In)” rule is also disabled.
  • The Cluster service enables node communication by setting the firewall port of UDP at startup.

Method 2: Use the "Windows Firewall with Advanced Security" add-in

Run the "Windows Firewall with Advanced Security" Microsoft Management Console add-in. To do this, follow these steps:

  1. Click Start, type wf.msc in the Search programs and files box, and then click wf.msc under Programs.
  2. Click Inbound Rules.
  3. Locate and then select the Failover Clusters (UDP-In) rule.
  4. Disable or delete the Failover Clusters (UDP-In) rule.
Notes

  • When you use this method, the Cluster service may stop. Therefore, if it is possible, you should stop the Cluster service before you start this method, and then restart the Cluster service after you complete the other steps.
  • When you use this method, the “Failover Clusters (UDP-In)” rule is also disabled.
  • The Cluster service enables node communication by setting the firewall port of UDP at startup.

Method 3: Disable Network List Service

To disable the Network List Service, follow these steps:

  1. Click Start, type services in the Search programs and files box, and then press Enter.
  2. In the Name column under Services (Local), right-click Network List Service, and then click Properties.
  3. On the General tab, set the Startup type box to Disabled.
  4. Click Apply, and then click OK.
  5. Restart the computer.

Note Before you disable Network List Service, you should consider that this action makes the following changes:

  • By default, Windows Firewall will now select the Public profile. Therefore, rules that are set for the Domain or Private profiles must be added to the Public profile.
  • The Network and Sharing Center does not display profile types or the network connection status.
  • The network connection icon no longer appears on the Windows Taskbar.
The changes that occur after you disable Network List Service are limited to the display of network information. They do not affect system behavior.
Status
Microsoft has confirmed that this is a known issue in Windows Firewall.
Properties

Article ID: 2701206 - Last Review: 09/09/2015 17:02:00 - Revision: 16.0

Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Datacenter without Hyper-V, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Enterprise without Hyper-V, Windows Server 2008 R2 for Itanium-Based Systems, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Standard without Hyper-V
