On Sun, Nov 26, 2006 at 09:19:25PM -0600, Reverend Deuce wrote:
> (This is a very long email because it's a very complicated problem...
> I've included some tcpdump logs below to assist...)
>
<SNIP>
> Here are some tcpdumps from the master FW during connection attempts
> with a browser:
>
>
>
> Opera 9:
>
> 20:40:45.824144 my.workstation.ip.49370 > remote.server.ip.80: S 1215871830:1215871830(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK> (DF)
> 20:40:45.824646 207.218.64.33.80 > my.workstation.ip.49370: S 2582857930:2582857930(0) ack 1215871831 win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
> 20:40:45.878361 my.workstation.ip.49370 > 207.218.64.33.80: . ack 1 win 260 (DF)
> 20:40:45.904597 my.workstation.ip.49370 > 207.218.64.33.80: P 1:384(383) ack 1 win 260 (DF)
> 20:40:46.058234 207.218.64.33.80 > my.workstation.ip.49370: . ack 384 win 63857 (DF)
> 20:40:46.061253 my.workstation.ip.49370 > 207.218.64.33.80: P 1:384(383) ack 1 win 260 (DF)
> 20:40:46.061726 207.218.64.33.80 > my.workstation.ip.49370: . ack 384 win 63857 (DF)
> (at this point, the connection is hung -- the Vista workstation
> receives no further communications -- it's like it just drops the
> replies)
>
>
>
> Firefox:
>
> 20:38:25.197691 my.workstation.ip.49357 > remote.server.ip.80: S 643900711:643900711(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK> (DF)
> 20:38:25.198320 remote.server.ip.80 > my.workstation.ip.49357: S 852828096:852828096(0) ack 643900712 win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
> 20:38:25.244540 my.workstation.ip.49357 > remote.server.ip.80: . ack 1 win 260 (DF)
> 20:38:25.251037 my.workstation.ip.49357 > remote.server.ip.80: P 1:403(402) ack 1 win 260 (DF)
> 20:38:25.567602 my.workstation.ip.49357 > remote.server.ip.80: P 1:403(402) ack 1 win 260 (DF)
> 20:38:25.568042 remote.server.ip.80 > my.workstation.ip.49357: . ack 403 win 63838 (DF)
> (same deal -- it just seems to die right here)
>
>
>
> IE 7:
>
> 20:39:08.834465 my.workstation.ip.49358 > remote.server.ip.80: S 4155969795:4155969795(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK> (DF)
> 20:39:08.835095 remote.server.ip.80 > my.workstation.ip.49358: S 3294485308:3294485308(0) ack 4155969796 win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
> 20:39:08.892057 my.workstation.ip.49358 > remote.server.ip.80: . ack 1 win 16685 (DF)
> 20:39:08.904548 my.workstation.ip.49358 > remote.server.ip.80: P 1:472(471) ack 1 win 16685 (DF)
> 20:39:08.907010 remote.server.ip.80 > my.workstation.ip.49358: . 1:1381(1380) ack 472 win 63769 (DF)
> 20:39:08.907135 remote.server.ip.80 > my.workstation.ip.49358: . 1381:2761(1380) ack 472 win 63769 (DF)
> 20:39:08.959016 my.workstation.ip.49358 > remote.server.ip.80: . ack 2761 win 16685 (DF)
> 20:39:08.959740 remote.server.ip.80 > my.workstation.ip.49358: . 2761:4141(1380) ack 472 win 63769 (DF)
> 20:39:08.959750 remote.server.ip.80 > my.workstation.ip.49358: . 4141:5521(1380) ack 472 win 63769 (DF)
> 20:39:08.959911 remote.server.ip.80 > my.workstation.ip.49358: . 5521:6901(1380) ack 472 win 63769 (DF)
> 20:39:09.010614 my.workstation.ip.49358 > remote.server.ip.80: . ack 6901 win 16685 (DF)
> 20:39:09.011323 remote.server.ip.80 > my.workstation.ip.49358: . 6901:8281(1380) ack 472 win 63769 (DF)
> 20:39:09.011333 remote.server.ip.80 > my.workstation.ip.49358: . 8281:9661(1380) ack 472 win 63769 (DF)
> 20:39:09.011447 remote.server.ip.80 > my.workstation.ip.49358: . 9661:11041(1380) ack 472 win 63769 (DF)
> 20:39:09.011571 remote.server.ip.80 > my.workstation.ip.49358: . 11041:12421(1380) ack 472 win 63769 (DF)
> 20:39:09.058459 my.workstation.ip.49358 > remote.server.ip.80: . ack 9661 win 16685 (DF)
> 20:39:09.059165 remote.server.ip.80 > my.workstation.ip.49358: . 12421:13801(1380) ack 472 win 63769 (DF)
> 20:39:09.059289 remote.server.ip.80 > my.workstation.ip.49358: P 13801:15131(1330) ack 472 win 63769 (DF)
> 20:39:09.064831 my.workstation.ip.49358 > remote.server.ip.80: . ack 12421 win 16685 (DF)
> 20:39:09.097561 my.workstation.ip.49359 > remote.server.ip.80: S 3924198291:3924198291(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK> (DF)
> 20:39:09.098564 remote.server.ip.80 > my.workstation.ip.49359: S 4022470982:4022470982(0) ack 3924198292 win 64240 <mss 1460,nop,wscale 0,nop,nop,sackOK>
> (But IE 7 is just dandy! It loads the whole page and just keeps on
> tickin, goddamnit!)
>
>
> I should note that the only connections that seem to have trouble are
> TCP connections. It seems that OpenVPN clients can traverse the
> firewall without issue (our OpenVPN server sits behind the firewall).
> Inbound DNS queries have no issues either. ICMP is good also, for the
> hosts that have permission to ping.
>
> Again, I need to stress this -- I've NOT overlooked the obvious here.
> Remember, the problem **only** happens in Vista. It has happened on
> several desktops/workstations, both off-site from our office, inside a
> VM, directly on hardware, etc. I've tried about a dozen configs so
> far. This is not a "try swapping the RAM" situation.
>
> There are no strange VPNs, static routes, oddball topologies, etc.
> It's very straightforward and a very predictable problem. It's driving
> me up the wall!
>
> Can anybody help out?

Both Firefox and Opera use a wscale of 8 whereas IE uses a wscale of 2.
In my opinion this sounds like the typical problem where states are not
created on the initial SYN packet.

--
:wq Claudio
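
Added example, not part of the original thread: a short Python script that reads client packets copied from the Opera and IE 7 captures above and compares the receive window the endpoints negotiated with the window a state tracker would assume if it never saw the SYN. The "segment must fit the unscaled window" test in `fits_unscaled` is a simplified, hypothetical model of window tracking, not any firewall's actual code.

```python
import re

# Client-side packets copied from the Opera 9 and IE 7 captures quoted above.
CAPTURE = """\
20:40:45.824144 my.workstation.ip.49370 > remote.server.ip.80: S 1215871830:1215871830(0) win 8192 <mss 1380,nop,wscale 8,nop,nop,sackOK> (DF)
20:40:45.878361 my.workstation.ip.49370 > 207.218.64.33.80: . ack 1 win 260 (DF)
20:39:08.834465 my.workstation.ip.49358 > remote.server.ip.80: S 4155969795:4155969795(0) win 8192 <mss 1380,nop,wscale 2,nop,nop,sackOK> (DF)
20:39:08.892057 my.workstation.ip.49358 > remote.server.ip.80: . ack 1 win 16685 (DF)
"""

# timestamp, source endpoint, destination, flags, ..., "win N", optional <options>
PKT = re.compile(r"^\S+ (\S+) > \S+: (\S+) .*?win (\d+)(?: <([^>]*)>)?")


def window_views(capture):
    """Map each client endpoint to its wscale and its first post-SYN window."""
    wscale, views = {}, {}
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, flags, win, opts = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if "S" in flags:
            # The shift count is only ever carried in SYN segments.
            ws = re.search(r"wscale (\d+)", opts or "")
            wscale[src] = int(ws.group(1)) if ws else 0
        elif src in wscale and src not in views:
            views[src] = {
                "wscale": wscale[src],
                "real": win << wscale[src],  # window the two endpoints agree on
                "unscaled": win,             # window assumed without the SYN
            }
    return views


def fits_unscaled(view, segment_len):
    """Hypothetical tracker check: does one segment fit the assumed window?"""
    return segment_len <= view["unscaled"]


if __name__ == "__main__":
    for ep, v in window_views(CAPTURE).items():
        verdict = "passes" if fits_unscaled(v, 1380) else "out of window"
        print(f"{ep}: wscale={v['wscale']} real={v['real']} "
              f"assumed={v['unscaled']} 1380-byte segment {verdict}")
```

Both clients advertise roughly 65 KB once the shift is applied, but without the SYN the wscale 8 connection appears to offer only 260 bytes, less than a single 1380-byte segment, while the wscale 2 connection still appears to offer 16685.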