One of my clients reported that they are seeing below error in SQL Server ERRORLOG. He noticed a strange error of the network packet.
2018-08-06 07:09:41.363 Logon Error: 17836, Severity: 20, State: 17.
2018-08-06 07:09:41.363 Logon Length specified in network packet payload did not match number of bytes read; the connection has been closed. Please contact the vendor of the client library. [CLIENT: xx.xx.xx.xx]
Based on my understanding the error message means that there is some process trying to connect at SQL port but it’s not a valid SQL related activity.
WORKAROUND/SOLUTION
You can easily reproduce this error by doing Telnet on SQL Server IP and Port locally on the SQL Server machine. This also means that if SQL receives an invalid packet/data on the port where SQL is listening and then SQL would say –
Hey! This is not a login request or a query request and I don’t know how to process it. Let me report it to ERRORLOG.
Here are few more causes based on my search on the internet:
- Network team doing Port Scanning
- Sometimes Antivirus programs do check the port.
- MSSQL server is under a DDoS
You may want to look at the error message and check the IP of the machine and see what that is.
Have you encountered such messages in ERRORLOG? What was the cause which you found? If its very frequent error, then you may want to restrict that IP.
Reference: Pinal Dave (https://blog.SQLAuthority.com)
5 Comments. Leave new
Hey Pinal,
I have encountered the same problem today when I do my usual checklist in the morning.
The root cause was vulnerability scans performed by Team security.
Just found your blog looking up what might be causing this which pointed me to figuring out it was security and their scanner setting it off, so thank you for saving me time!
This error annoys my to no end. It sends an email alert out, which happens when they do network scans with NESSUS. It’s a pointless scam trying to run an exploit for SQL 2000. Garbage. They won’t stop running it either. Just clogs up emails.
Hi Pinal,
Yes I see these error messages a lot with our security scans. How can I filter them (specific to the security scans)? any possibility?
Type “nslookup %ipaddress%” in the black box that appears on the screen, substituting %ipaddress% with the IP address for which you want to find the hostname. Find the line labeled “Name” underneath the line with the IP address you entered and record the value next to “Name” as the hostname of the computer.