VirtualBox

Ticket #6959 (closed defect: fixed)

Opened 4 years ago

Last modified 3 years ago

NAT regression from 3.1.8

Reported by: cprofitt Owned by:
Priority: major Component: network/NAT
Version: VirtualBox 3.2.4 Keywords:
Cc: Guest type: Windows
Host type: Linux

Description (last modified by frank) (diff)

After upgrading from 3.1.8 to 3.2.0 or 3.2.4 I encounter a regression in NAT. Details below:

Running 3.2.4: Computer is using NAT for networking

  1. I can authenticate to Active Directory if I do so immediately. If I allow the machine to sit at the login prompt for more than 60 seconds I get a message 'internal error'
  2. If I use the Microsoft DNS Management tool I can not access the DNS server and manage it
  3. If I launch Microsoft DHCP Management tool I can not access the DHCP server

Running 3.2.4: Computer is using Bridged for networking

  1. I can authenticate to Active Directory
  2. If I use the Microsoft DNS Management tool I can access the DNS server and manage it
  3. If I launch Microsoft DHCP Management tool I can access the DHCP server

Running 3.1.8 Computer is using NAT for networking

  1. I can authenticate to Active Directory
  2. If I use the Microsoft DNS Management tool I can access the DNS server and manage it
  3. If I launch Microsoft DHCP Management tool I can access the DHCP server

Attachments

VBox.log Download (70.3 KB) - added by cprofitt 4 years ago.
VBox.log file with NAT issues
file.pcap Download (29.4 KB) - added by cprofitt 4 years ago.
DNS Management Tool access denied
loginfail.pcap Download (30.3 KB) - added by cprofitt 4 years ago.

Change History

Changed 4 years ago by cprofitt

VBox.log file with NAT issues

comment:1 follow-up: ↓ 2 Changed 4 years ago by frank

  • Description modified (diff)

comment:2 in reply to: ↑ 1 ; follow-up: ↓ 3 Changed 4 years ago by cprofitt

Replying to frank: Frank: Is there any other data I can gather to pinpoint this issue?

comment:3 in reply to: ↑ 2 Changed 4 years ago by cprofitt

I did an ipconfig on the guest.

3.1.8 Windows IP Configuration

Host Name . . . . . . . . . . . . : Firefly-VM Primary Dns Suffix . . . . . . . : pcsd.monroe.edu Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : pcsd.monroe.edu

monroe.edu

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : pcsd.monroe.edu Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter Physical Address. . . . . . . . . : 08-00-27-43-A9-F5 Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 10.0.2.15 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.0.2.2 DHCP Server . . . . . . . . . . . : 10.0.2.2 DNS Servers . . . . . . . . . . . : 10.120.255.5

10.120.255.5

Lease Obtained. . . . . . . . . . : Friday, June 11, 2010 1:16:57 PM Lease Expires . . . . . . . . . . : Saturday, June 12, 2010 1:16:57 PM

3.2.4 Windows IP Configuration

Host Name . . . . . . . . . . . . : Firefly-VM Primary Dns Suffix . . . . . . . : pcsd.monroe.edu Node Type . . . . . . . . . . . . : Hybrid IP Routing Enabled. . . . . . . . : No WINS Proxy Enabled. . . . . . . . : No DNS Suffix Search List. . . . . . : pcsd.monroe.edu

monroe.edu

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : pcsd.monroe.edu Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Desktop Adapter Physical Address. . . . . . . . . : 08-00-27-43-A9-F5 Dhcp Enabled. . . . . . . . . . . : Yes Autoconfiguration Enabled . . . . : Yes IP Address. . . . . . . . . . . . : 10.0.2.15 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : 10.0.2.2 DHCP Server . . . . . . . . . . . : 10.0.2.2 DNS Servers . . . . . . . . . . . : 10.120.255.5

10.120.255.5

Lease Obtained. . . . . . . . . . : Friday, June 11, 2010 2:45:55 PM Lease Expires . . . . . . . . . . : Saturday, June 12, 2010 2:45:55 PM

comment:4 Changed 4 years ago by Hachiman

Could you please collect  pcap file of fail attempts? And other question. Are these tools distributed with Ms servers OSes or they are downloadable from somewhere?

comment:5 Changed 4 years ago by cprofitt

I will get the pcap file later today. The programs are part of the server management tools. You can download the versions I have  here.

comment:6 Changed 4 years ago by cprofitt

The pcap file was too large to capture all the login process and running the application. The file attached is just running the app.

Changed 4 years ago by cprofitt

DNS Management Tool access denied

comment:7 Changed 4 years ago by cprofitt

When I tried saving the machine state at the login and then starting it to capture just the login -- the login failed. The login apparently only works on initial boot.

Changed 4 years ago by cprofitt

comment:8 Changed 4 years ago by cprofitt

The initial bootup and login are too large - 508.1 KB - to attach. Not sure how I can get you that information.

comment:9 follow-up: ↓ 10 Changed 4 years ago by cprofitt

I just tried the login by itself and it is 450.2 KB -- So I can not even get that to you.

comment:10 in reply to: ↑ 9 Changed 4 years ago by Hachiman

Replying to cprofitt:

I just tried the login by itself and it is 450.2 KB -- So I can not even get that to you.

delivery instructions has been delivered.

comment:11 Changed 4 years ago by Hachiman

And could you please provide some map, which ip filter out?

comment:12 follow-up: ↓ 13 Changed 4 years ago by cprofitt

Hachiman -- you want the IP of the guest?

comment:13 in reply to: ↑ 12 Changed 4 years ago by Hachiman

Replying to cprofitt:

Hachiman -- you want the IP of the guest?

No I'd like to know the server's IP to know which traffic I should investigate. There're several destinations in pcap files, that why i'm asking.

comment:14 follow-up: ↓ 15 Changed 4 years ago by cprofitt

10.120.255.5

comment:15 in reply to: ↑ 14 ; follow-up: ↓ 16 Changed 4 years ago by Hachiman

Replying to cprofitt:

10.120.255.5

Could you please try  build?

comment:16 in reply to: ↑ 15 Changed 4 years ago by Hachiman

Replying to Hachiman:

Replying to cprofitt:

10.120.255.5

Could you please try  build?

or even better with 3.2.6 b2?

comment:17 Changed 4 years ago by cprofitt

Do you have the link to the beta 2

comment:18 follow-up: ↓ 19 Changed 4 years ago by cprofitt

I found the link thanks to help on IRC. The 3.2.6 b2 version still had the same regression.

comment:19 in reply to: ↑ 18 Changed 4 years ago by Hachiman

Replying to cprofitt:

I found the link thanks to help on IRC. The 3.2.6 b2 version still had the same regression.

Regarding loginfail.pcap: There're authentication sequences between guest and pointed server: Kerberos and DCERPC. First one looks suspicious, but not invalid or broken: there're sequence of AS and TGS, every first AS-REQ and TGS-REQ are rejected with KRB5KRB_AP_ERR_SKEW (Clock skew too great), but every second is accepted by server. DCERPC looks fine at least no errors are pointed in protocol's headers/bodies. As soon as repeated requests contains the same information, and they're accepted by server and thus it shouldn't lead to login fail.

BTW: what the link which solves your problem? Could you please post it on ticket, probably it will give some hint to me?

comment:20 follow-up: ↓ 21 Changed 4 years ago by cprofitt

link:  http://forums.virtualbox.org/viewtopic.php?f=15&t=32277

I actually thought about issues with time skew and the client machine has the same time (measured in minutes). The link did not solve the problems, merely told me where to download 3.2.6b.

comment:21 in reply to: ↑ 20 Changed 4 years ago by Hachiman

Replying to cprofitt:

link:  http://forums.virtualbox.org/viewtopic.php?f=15&t=32277

I actually thought about issues with time skew and the client machine has the same time (measured in minutes). The link did not solve the problems, merely told me where to download 3.2.6b.

Probably Kerberos isn't a reason, because finally all requests are satisfied by kerberos server (on second attempt). Could you please try the same login operation with bridged networking and attach guest trace for it (just login).

comment:22 Changed 4 years ago by cprofitt

I am bogged down today -- and off tomorrow -- will try to do this Wednesday.

comment:23 follow-up: ↓ 24 Changed 4 years ago by cprofitt

I tried again to get the file small enough -- but no dice -- is there another way to get it to you?

comment:24 in reply to: ↑ 23 Changed 4 years ago by Hachiman

Replying to cprofitt:

I tried again to get the file small enough -- but no dice -- is there another way to get it to you?

you can send it to me via mail [vasily _dot_ levchenko _at_ Sun _dot_ COM].

comment:25 follow-up: ↓ 26 Changed 4 years ago by cprofitt

Sent an email with two captures -- 3.2.6 both with NAT and Bridged -- the startup process up to the login.

comment:26 in reply to: ↑ 25 Changed 4 years ago by Hachiman

Replying to cprofitt:

Sent an email with two captures -- 3.2.6 both with NAT and Bridged -- the startup process up to the login.

Thank you, will take a look later today.

comment:27 Changed 3 years ago by frank

Still relevant with VBox 4.0.4?

comment:28 Changed 3 years ago by cprofitt

No, the problem has been resolved.

comment:29 Changed 3 years ago by frank

  • Status changed from new to closed
  • Resolution set to fixed
Note: See TracTickets for help on using tickets.

www.oracle.com
ContactPrivacy policyTerms of Use