Re: Inability to reach Microsoft sites from behind NAT firewall (updated)

From: Ken Wickes [MSFT] (kenwic_at_online.microsoft.com)
Date: 10/19/04


Date: Tue, 19 Oct 2004 14:29:33 -0700

Sounds like an MTU problem. Are you using PPPoE?

http://support.microsoft.com/?kbid=319661

-- 
Ken Wickes [MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Christopher Neufeld" <neufeld@londo.cneufeld.ca> wrote in message 
news:MbadnY6Cyb5tj-3cRVn-sg@magma.ca...
> Hello,
>
> I've been trying to get my girlfriend's Windows XP Home laptop working
> from behind my firewall computer, a Linux box which performs NATting
> for all computers behind it.  I've never operated a Windows computer,
> and have no idea what has to be done, plus this version of Windows is
> in Chinese only, and it takes me an impractically long time to walk
> through menus labelled in Chinese.
>
> It appears that she can reach all websites except those belonging to
> Microsoft, and one Yahoo! site.  Everything else works fine.  Here are
> my observations:
>
> - she cannot reach hotmail, a message appears asking her to check her
>  Internet connection
> - she could, for a while, see her hotmail messages through MSN
>  explorer, a program which seems to be included in the OS, but that
>  has stopped working also
> - she cannot reach a "Windows update" server, it again claims that the
>  Internet connection is down
> - she cannot reach the yahoo Taiwan site tw.yahoo.com, but can reach other
>  yahoo sites such as yahoo Japan.
> - she can, from Windows, reach every other site attempted, painlessly
> - she can reach hotmail, yahoo, etc. from the Linux desktops behind
>  the firewall, it is only the Windows machine which has trouble
> - the problem is not with IE, she has the same difficulties using Mozilla
>  for Win32.
>
> The troubles with hotmail are not occasional, they happen without
> fail, every time an attempt is made to access from Windows XP.  If she
> directs an Internet Explorer window at the yahoo Taiwan site, then goes
> off to work on something else, she sometimes receives an incomplete
> page after 7 or 8 hours.
>
> These problems did not manifest when the laptop was in Taiwan, sharing
> an Internet connection with another desktop machine there.
>
> Since arriving in Canada and being configured (incorrectly?) for the
> local network here, the laptop has never successfully connected to
> those websites it cannot reach, so this isn't some progressive bitrot.
>
> The Linux box is NATting a static IP number, cneufeld.ca.  Surely it
> is not an unusual setup to have a Windows machine hiding behind a
> stateful NAT firewall.
>
> I've done TCP dumps of good connections from Linux and broken
> connections from Windows XP, both to login.passport.net, to try to see
> what's going wrong.
>
> Here's a sequence from the failed connection to http://login.passport.net
> from the Windows XP laptop.  Along the way, it picked up a redirection
> in the URL, which appears to have been trying to set her specific
> login details.
>
>
> laptop opens a connection (#1) to login.passport.net, SYN, SYN-ACK, ACK
> laptop pushes seq 425
> login.passport.net pushes seq 424, ACKs the 425
> login.passport.net pushes seq 438
> login.passport.net sends FIN
> laptop ACKs the 438
> laptop ACKs the 439 (the FIN)
> laptop sends FIN
> laptop looks up login.passport.com
> laptop opens a connection (#2) to login.passport.com, SYN, SYN-ACK, ACK
> login.passport.net (connection #1) ACKs the laptop's FIN
> laptop pushes seq 489    (INCLUDES get for /login.srf?lc=...")
> login.passport.com pushes seq 366, ACKs the 489
> login.passport.com pushes seq 1278
> login.passport.com sends FIN
> laptop ACKs the 1278
> laptop ACKs the 1279 (the FIN)
> laptop sends FIN
> laptop opens a connection (#3) to login.passport.net, SYN, SYN-ACK, ACK
> login.passport.com (connection #2) ACKs the laptop's FIN
> laptop pushes seq 788   (INCLUDES redirector /uilogin.srf?id=...")
> login.passport.net pushes seq 284, ACKs the 788
> laptop ACKs the 284
> --- Pause of 11 seconds
> laptop sends a 77 byte UDP packet to port 3544 of 
> baym-td1.msgr.hotmail.com
> A 109 byte response from baum-td1.msgr.hotmail.com is delivered
> --- Pause of 33 seconds
> laptop sends a 77 byte UDP packet to port 3544 of 
> baym-td1.msgr.hotmail.com
> A 109 byte response from baum-td1.msgr.hotmail.com is delivered
> --- Pause of 3 seconds
> login.passport.net sends a RST to connection #3, sequence number 4664,
> with ACK on 788
>
> Total end-to-end time, 48 seconds.  The firewall logged no blocked packets
> during this interval.
>
> The UDP packets appear to be periodic on the network, I don't think
> they're part of the passport login sequence.
>
>
> So, the sequence number on that RST packet shows that we lost almost 4
> kilobytes of TCP data somewhere out in the world.  It didn't bounce
> off the firewall, that data never arrived back at the NAT box.
>
> The successful authentication from Linux involves no UDP packets
> (naturally), and no mysteriously vanished data.
>
>
> I thought it might be some bad proxying setup, that some packets are
> trying to go through the Taiwanese ISP, but the proxying settings
> appear all to be blank, and proxying should hurt all sites equally,
> not just those controlled by Microsoft.
>
> It doesn't appear to be a fragmentation issue, I have seen an
> oversized packet go through the network, saw the NAT box send back the
> ICMP must-fragment error, and saw the laptop then reissue the data in
> smaller packets.
>
>
> My best theory right now, based on the never-delivered packets, is
> that something in the TCP data exchanged is telling the passport
> server on the third connection to route packets back to the NAT-ted IP
> number through a specific Taiwanese ISP gateway machine, and the ISP
> is discarding those packets because they don't live on its network.
> No data is being sent from the laptop to any other Internet hosts
> during this interval, so it is not establishing any sort of tunnelling
> proxy with a remote ISP.
>
>
> If somebody can offer me some suggestions, I would really appreciate
> it, I've searched through a pile of microsoft.com help pages without
> seeing anything which appears to explain or fix this problem.  If you
> can suggest menus to view in the configuration, please mention the
> alphabetic shortcut key which invokes the button (the letter between
> parentheses), since all of the buttons are labelled in Chinese
> characters and the translation might not be exact, but I assume the
> shortcut keys are consistent across locales.
>
> -- 
> Christopher Neufeld                 neufeld@linuxcare.com
> Home page:  http://www.cneufeld.ca/neufeld
> "Don't edit reality for the sake of simplicity" 
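As an added illustration (not part of either post, and not Microsoft's or the KB article's code), here is a small Python analyser for the kind of tcpdump sequence Christopher listed, together with the PPPoE MSS arithmetic behind the MTU theory in Ken's reply. The trace is constructed to match connection #3 in the post, with sequence numbers relative to each side's ISN as tcpdump prints them; the "laptop"/"server" labels, the 1500-byte Ethernet MTU and the black-hole heuristic are assumptions of this example, not facts taken from the thread.

```python
# Added example: detect a TCP sequence gap (bytes the server counted as sent
# that the NAT box never saw) and check whether the pattern fits an MTU black
# hole on a PPPoE link. Not code from the original post or from Microsoft.
from dataclasses import dataclass


@dataclass
class Segment:
    src: str     # "laptop" or "server" (labels assumed for this example)
    seq: int     # relative sequence number of the first payload byte
    length: int  # payload bytes carried by this segment
    flags: str   # tcpdump-style flag letters: S, A, P, F, R


# Constructed trace modelled on connection #3 in the post: the laptop's
# 787-byte request is answered by one 283-byte segment, then silence, then
# a RST whose sequence number is far beyond anything the observer saw.
CONNECTION_3 = [
    Segment("laptop", 1, 787, "PA"),   # GET /uilogin.srf?id=...  (next seq 788)
    Segment("server", 1, 283, "PA"),   # first, small response     (next seq 284)
    Segment("laptop", 788, 0, "A"),    # laptop ACKs 284
    Segment("server", 4664, 0, "RA"),  # RST, seq 4664, ack 788
]


def sequence_gap(trace, sender):
    """Compare the next sequence number the observer expects from `sender`
    with the sequence number carried by `sender`'s RST.

    Returns (expected_next, rst_seq, missing_bytes). missing_bytes is 0 when
    no RST was seen or when the RST is in sequence with the observed data.
    """
    expected_next = None
    for seg in trace:
        if seg.src != sender:
            continue
        if "R" in seg.flags:
            if expected_next is None:
                return None, seg.seq, 0
            return expected_next, seg.seq, max(0, seg.seq - expected_next)
        end = seg.seq + seg.length
        if expected_next is None or end > expected_next:
            expected_next = end
    return expected_next, None, 0


def max_payload(trace, sender):
    """Largest payload the observer actually received from `sender`."""
    return max((s.length for s in trace if s.src == sender), default=0)


PPPOE_OVERHEAD = 8          # 6-byte PPPoE header + 2-byte PPP protocol field
IPV4_TCP_HEADERS = 20 + 20  # minimal IPv4 and TCP headers, no options


def pppoe_mss(ethernet_mtu=1500):
    """Largest TCP payload that fits one frame on a PPPoE link unfragmented."""
    return ethernet_mtu - PPPOE_OVERHEAD - IPV4_TCP_HEADERS  # 1452 for 1500


def looks_like_mtu_blackhole(trace, sender, ethernet_mtu=1500):
    """Heuristic (assumption of this example): the sender counted bytes as
    sent that never reached the observer, while every segment that did
    arrive was smaller than a full PPPoE-sized segment. That is what a path
    silently dropping large packets looks like from the receiving side."""
    _, rst_seq, missing = sequence_gap(trace, sender)
    if rst_seq is None or missing == 0:
        return False
    return max_payload(trace, sender) < pppoe_mss(ethernet_mtu)


if __name__ == "__main__":
    expected, rst, missing = sequence_gap(CONNECTION_3, "server")
    print(f"expected next seq {expected}, RST seq {rst}, {missing} bytes never seen")
    print("MTU black hole plausible:", looks_like_mtu_blackhole(CONNECTION_3, "server"))
```

Run against the constructed trace, the gap comes out as 4380 bytes (4664 minus 284), which is the "almost 4 kilobytes" in the post; the only server segment that arrived was well under the 1452-byte PPPoE MSS, so the heuristic agrees with Ken's MTU suggestion. The same function can be fed a trace of a working Linux connection, where the RST (if any) should be in sequence and the gap zero.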
