VPN, SecureNat/Nat and Outlook clients not working after installing Windows Service Pack 2 in SBS 2003 Premium

VPN, SecureNat/Nat and Outlook clients not working after installing Windows Service Pack 2 in SBS 2003 Premium

  • Comments 17
  • Likes

[Today's post comes to us courtesy of David Copeland, Justin Crosby, Mike Lieser and Damian Leibaschoff]

[EDIT] For an updated version of this post, please see http://blogs.technet.com/sbs/archive/2007/04/24/common-networking-issues-after-applying-windows-server-2003-sp2-on-sbs.aspx.


After installing Windows 2003 Service Pack 2 on SBS 2003 with ISA 2004 installed, you may experience the following problems:

-You can no longer successfully connect inbound using VPN (Clients get "Error 800: Unable to establish connection").

-You cannot reliably connect to the Internet using SecureNat.

-Some Outlook clients will fail to connect to the Exchange server (even with ISA 2004 SP2 and KB930414 installed).

(We are still discussing and testing other symptoms that could be related, but if you are having networking issues after the service pack, consider the solution provided on this post. We will update this list as we find more factual information.)

There are several potential causes for these problems, but on this case, we will focus on a feature called Receive Side Scaling that is enabled by Windows Server 2003 SP2 (also enabled in the Microsoft Windows Server 2003 Scalable Networking Pack). Note that not all Network Cards will provide this feature, also keep in mind that this might affect SBS machines using RRAS for their NAT solution.

You cannot host Transmission Control Protocol (TCP) connections when Receive Side Scaling is enabled, you have Microsoft Windows Server 2003 with Service Pack 2 (SP2) and you use Network Address Translation (NAT) on the server. The TCP connections will be reset.

Update: The following KB explaining the behavior is now public:

KB 927695 "You cannot host TCP connections when Receive Side Scaling is enabled in Windows Server 2003 with Service Pack 2"  

You can disable this feature from the advanced properties of the network card under the network interface properties or you can perform the registry changes provided below.

You can disable the RSS support from the TCP/IP stack by doing the following:

Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.
To work around this problem, disable Receive Side Scaling when the computer is configured as an Internet Connection Sharing gateway. To do this, follow these steps:

1. Click Start, click Run, type regedit , and then click OK.

2. Locate and then click the following registry subkey:


3. On the Edit menu, point to New, click DWORD Value, and then type EnableRSS .

4. Double-click EnableRSS, type 0 , and then click OK.

5. Exit Registry Editor.

If you are still experiencing problems (like slow file copying), you should also disable Offloading support:

1. Click Start, click Run, type regedit, and then click OK.

2. Locate and then click the following registry subkey:


3. In the right pane, make sure that the DisableTaskOffload registry entry exists. If this entry does not exist, follow these steps to add the entry:

a. On the Edit menu, point to New, and then click DWORD Value, and then type DisableTaskOffload .

4. Double-Click DisableTaskOffload, type 1, and then click OK. 

5. Exit Registry Editor.

(Reboot to make both changes effective)

Update 2:

We have seen several situations where even after completing the steps above, VPN would still not work. On those cases, updating the NIC drivers to the latest version resolved the problem. So, make sure you have the latest version for your Network Card drivers. Most manufacturers have released updated drivers very recently.


The SBS Bloggers team

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Man you better be following the SBS blog today... Key posts out today with SP2 coverage (and yes SP2

  • Paul Scholda von eHouse hat ir dankenswerterweise folgende Informationen zum Thema SBS2003 und Windows

  • [updated 21th March 14:15] This is just a quick note to say that the release notes are WRONG (and will

  • The rpc filter blocks the data from the stations to be tranfered.

    If you do not need rpc publishing (I need...) you can just disable the filter under the configuration - add inns in the isa2004.

    Hayim Caspy



  • Hit this one at home - http://blogs.technet.com/sbs/archive/2007/03/20/help-and-support-service-missing-after-installing-windows-2003-service-pack-2.aspx

  • Das Windows Server 2003 SP2 ist ja nun schon ein paar Tage verfügbar. Inzwischen wurden auch einige Probleme

  • For what it's worth, I now have an official stance on Windows Serve 2003 SP2: Don't install it. At least

  • http://blogs.technet.com/cdnitmanagers/archive/2007/04/03/who-s-the-fairest-of-them-all.aspx You can

  • Det finns många saker kring SP2, eller effekter av SP2 på en SBS. Jag tror jag har tagit upp allt som...

  • I forgot to post this, but I had the issue again today so I was reminded! I posted on this thread back

  • 1 års jubileum! I april 2006 gikk smallbizserver.no på lufta. Etter mange år med ”jeg lurer på om jeg skal”. Når jeg tenker tilbake kan jeg fortsatt huske min første SBS Server 2000. Store forberedel ...

  • I tried to contact my office using VPN today, but it failed every time! I googled a bit and found solution for my VPN problem. After installing SP2 to SBS, VPN doesn't work anymore because SP2 installs some new network features that are not compatible

  • If the readme for SP2 was written like it should be it would be like this: Before you install Before

  • SBS Premium with ISA Server 2004 on Quad Core CPUs I hope Darren doesn't mind me stealing his entire