SChannel Errors on Windows Systems

SOLVED
jsphrcross
Here to help

SChannel Errors on Windows Systems

Hello

 

Trying to determine if anyone else is having issues with SChannel (event ID 36876) errors in Event Viewer -> Windows Logs -> System after upgrading MX router firmware to MX 17.10.4?  The errors occurs ~ every 10 seconds and randomly prevents some websites from opening.  Not all websites and a website that won't load will load later and then stop loading again.  Cannot find any errors within the Meraki logs.  It seems the issues are more predominant on MX84 routers.  It also seems to be preventing the Carbon Black clients from reporting back to the system servers.

 

I just rolled two MX84 routers back to firmware MX 17.10.2.  Over the past hour all websites are accessible and the SChannel errors have stopped.  Carbon Black has also started reporting again.  I do want to give it more time (overnight) to make sure it is resolved.  However I wanted to see if anyone else has experienced anything like this after upgrading to MX 17.10.4.

 

Thanks!!!

1 ACCEPTED SOLUTION
jsphrcross
Here to help

After ~ 3 hours on the phone with Meraki I have a "bandage" to resolve this until an update to fix it is released.  I was informed that Meraki is aware of the issue and is working on a solution.  No ETA as to when the actual fix will be known.  Meraki also stated that this is only affecting MX84's.  I suspect it may affect other models as well that the setting listed below is available on.

 

Solution:  Disable Web Cache and reboot router.

Security & SD-WAN -> SD-WAN & Traffic Shaping

 

Unfortunately a reboot is required for the change to take effect.

 

jsphrcross_0-1678471943202.png

I hope this helps anyone currently having the issue.

 

 

View solution in original post

6 REPLIES 6
PhilipDAth
Kind of a big deal
Kind of a big deal

I don't recall any issues when I was running on 17.10.4.

JGill
Building a reputation

We have 242 networks with duel MX84's at each site running 17.10.2, but none running 17.10.4. I just did a 30 day look back in Splunk to confirm no windows events Ids of 36876. 

 

We've started testing 18.106 in the lab and some guest controllers. Thanks for the heads up on 17.10.4, keep us posted.  I'll update if we see similar issues on 18.106. 

 

FYI, I am now seeing the issue on MX84's running 18.106.  It seems to take a few hours for it to rear its ugly head after an upgrade so my advice is to allow systems to run overnight to 24 hours on the upgraded firmware and then check your Windows systems for the SChannel issue.  The Schannel issue seems to show 100% of the time as the websites are sporadic.  Therefore that is what I would look for during your testing.

 

I have opened a ticket with Meraki and they have asked me to call in to do some tracing.  Planning on doing that shortly.

 

Here is another discussion we found today that talks about the websites.

 

https://community.meraki.com/t5/Security-SD-WAN/New-MX-18-106-Stable-Release-Candidate-multiple-reli...

 

More to come.

jsphrcross
Here to help

After ~ 3 hours on the phone with Meraki I have a "bandage" to resolve this until an update to fix it is released.  I was informed that Meraki is aware of the issue and is working on a solution.  No ETA as to when the actual fix will be known.  Meraki also stated that this is only affecting MX84's.  I suspect it may affect other models as well that the setting listed below is available on.

 

Solution:  Disable Web Cache and reboot router.

Security & SD-WAN -> SD-WAN & Traffic Shaping

 

Unfortunately a reboot is required for the change to take effect.

 

jsphrcross_0-1678471943202.png

I hope this helps anyone currently having the issue.

 

 

Ahh - that is pretty much deprecated.  Unless you have a really slow or high-latency Internet circuit - you'll probably find it faster with it turned off.

 

Meraki only recommends you consider using it with connections 20Mb/s or below.

https://documentation.meraki.com/MX/Firewall_and_Traffic_Shaping/SD-WAN_and_Traffic_Shaping#Web_cach... 

Agreed.  I am in the process of disabling it on all of our MX's that have it/have it enabled.  Bad thing is that in order for it to take affect, the router must be rebooted.  We don't want downtime during business hours and Meraki doesn't allow you to schedule a reboot.  😕

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels