- This topic has 6 replies, 2 voices, and was last updated 12 years, 2 months ago by
.
-
Posts
-
Hi
I install WinpkFilter 3.0 on Windows 2008 r2 64bit. Windows HyperV successfully but when I install WinpkFilter 3.0 on Windows 2008 64bit (32bit & 64bit) bases on Xen VPS i lost my RDP connection to server even after restart. i still can ping the server. server have 1GB ram.I can give you root access to server but i need to reimage server after it stop responding to remote desktop.
The step that reproduce the issue
1) reimage Xen VPS server (Windows 2008 64 and 32 available)
2) download and run WinpkFilter 3.0 from http://www.ntkernel.com/downloads/winpkflt_rtl.zip
3 ) RDP stop working forever
Can it be fixed?Hmm, looks strange, however I had not tested WinpkFilter in XEN VM before. SO several questions:
1) Do you have VLAN enabled interfaces in Windows 2008?
2) Can you check is RDP connection established but dropped or not even established (you can check this using network snifer)? If ping works but another protocol fails it can be MTU (packet size issue), as ICMP packets are very small by default.
3) Can be the system be accessed by any other protocol/port besides RDP?
4) Do you use any WinpkFilter application on the system or just the default driver installation stops the RDP?1) Do you have VLAN enabled interfaces in Windows 2008?
I don’t know about VLAN. Virtual LAN? perhaps virtual machine have Virtual LAN.2) Can you check is RDP connection established but dropped or not even established (you can check this using network snifer)? If ping works but another protocol fails it can be MTU (packet size issue), as ICMP packets are very small by default.
Unfortunately When RDP fail i does have any access to server3) Can be the system be accessed by any other protocol/port besides RDP?
Actually I didn’t test it. as soon as I install WinPKFilter i loose my server. I just check PING.4) Do you use any WinpkFilter application on the system or just the default driver installation stops the RDP?
I just install the driver nothing else.Additional info:
I test WinPKFilter in HYPER-V, it work. so I create an application with WinPKFilter, the issue raised when I found my server does not response after some time (maybe 1 to 48 hour). First I thought it was my application fault. so I add some filter to WinPKFilter with SetPacketFilterTable and ENSURE that it does not redirect RDP. but still that happen same. my hyper-V server just have 500 MB ram, so I thought it may because of memory usage, so I order another VPS based on XEN with 1GB ram and I lost VPS each time after I just Install your driver. the rest i report you before.I have a dedicated server (not virtual) with 2GB ram, I have not such issue over it just maybe 1 time thats happen but I don’t sure.
I think WinPKFilter have a error in driver and very hard to find it. I trying to remove the WinPKFilter from my project (still didn’t find any working solution). the project that I told you before about it.
Now I have VPS and control panel in vpsland.com. it is useless for me. I can give you its panel and VPS root access to you so you can do ANYTHING on it. atleast it always stop RDP immediately after you install WinPKFitler.
Also this forum never notify your reply. I should test it time to time myself. I check “Notify me when a reply is posted” too.
RegardsI couldn’t find any other way, so I really need a filter driver. I wait a news from you.
* Did you find the issue in Xen?
* Do you have plan to solve it?
* Do you have any implementation of WinPKFilter with WFP Callout Drivers? I think it would be more simpler and less bug such as this sample:
http://msdn.microsoft.com/en-us/library/windows/hardware/ff571070(v=vs.85).aspx
* Do you have a tool to removed the need of Microsoft signing for Windows 2008 64 bit drivers ?
RegardsPlease note that internally WinpkFilter driver uses a limited buffer pool used for all packet related operations. So, an example, if you set a network interface into the tunnel mode and won’t read filtered packets from the driver then the number of queued packets grows up to the buffer limit and as soon as the limit is reached the network operations are blocked for all network interfaces (network freeze). So if you expirience the network freeze it is more likely to be a bug in your application. There are many WinpkFilter based applications on the market, and if it would be a kind of hidden bug then you won’t be the only one who expirience this.
By the way, what kind of driver you have installed on your server? NDIS IM or NDIS LWF? Both drivers can be used on WIndows 7, but they are different by architecture. So if you try another one there could be a difference in behaviour. However, if this is application bug then most probably the behaviour would be just the same.
Hi
1) Sorry but I didn’t understand your reply about Xen. I didn’t run any application on server, server just immediately stop responding after I install WinPKFilter. The network driver info is- Name: Xen Net Device Driver
- Provider: Xen GPL PV Driver Developers
- Driver Date: 3/12/2010
- Driver Version: 0.11.0213
- Service Provider: vpsland.com
2) About application failure:
- Why you don’t provide option to bypass packets when the buffer is full?
- Why you don’t provide WinPKFilter to close application capture event handle when it detect application does not response or does not process packets it specific time?
- Is WinPKFilter report it to a log file when such issue happen? How we can find the original reason of such issue?
Regards
I’ll take a look at Xen as soon as I have time for this. Xen does not seem to be an easy thing to setup and configure. The behavoiur you have reported looks very strange. What WinpkFilter version have you installed on that system? Has the instalaltion went smooth? Network blocking may happen if driver is installed but not loaded (because of signature problems) in x64 Windows. Have you lost the connection immediatly after driver installation? Was you able to reconnect before rebooting? After the reboot? There is a chance that during the installation process the network was already blocked (driver started installing) but Windows still needed some sort of interactive confirmations from you, so the installation has not completed succesfully causing the network getting down.
Why you don’t provide option to bypass packets when the buffer is full?
This is done to prevent packets to bypass filtering. Most of WinpkFilter applications can’t afford passing unfiltered packets. However, this can be done in custom driver build.
Why you don’t provide WinPKFilter to close application capture event handle when it detect application does not response or does not process packets it specific time?
Same reasons as above. Application can be not getting CPU time for some period, but it does not mean that security has to be broken and filtering should be dropped. Filtering is turned off if and driver is reset to default state only if all user mode WinpkFilter clients are terminated.
Is WinPKFilter report it to a log file when such issue happen? How we can find the original reason of such issue?
I don’t see much sense in logging such an event as it does not really provide an information what has happened. Check your code for reading packets from the driver. This is the only way.
- You must be logged in to reply to this topic.