timeout when connection should be immediately refused

Discussions related to using VirtualBox on Mac OS X hosts.
reidpr
Posts: 13
Joined: 16. Dec 2010, 22:00
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux

Post by reidpr »

Hi,

I'm having some odd behavior in my Debian Wheezy guest, Mac OS X host, VB 4.1.10.

Network connections that are immediately refused in the host instead time out in the guest. For example, in the host, "links http://google.com:9999" fails immediately with "connection refused", but in the guest, it becomes stuck in SYN_SENT (according to netstat) until it times out.

This is over a NAT network adapter, both the paravirtualized adapter type as well as one of the Intel ones.

It might have started when I upgraded to 4.1.10 a few days ago, but I'm not quite sure. I haven't tried downgrading to 4.1.8 yet.

Any ideas? Suggestions for diagnosing?

This problem makes web browsing a little annoying at times, since my institution uses DNS to redirect ad servers and such to a server that refuses HTTP. This confuses some web pages and makes them load slowly.

Thanks,

Reid

Re: timeout when connection should be immediately refused

Post by reidpr »

Hi,

I tried the following (not in this order):

- Rebooting the host.
- Downgrading to 4.1.8 and reinstalling the guest additions.
- The AMD FAST/III virtual adapter.
- Refreshing the MAC address.
- Turning off the 2nd network (a host-only network).
- --nataliasmode1 proxyonly
- --nataliasmode1 sameports

None of these fixed the problem.

Any help would be very much appreciated! Let me know what additional information would be helpful.

Thanks,

Reid
mpack
Site Moderator
Posts: 39156
Joined: 4. Sep 2008, 17:09
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Mostly XP

Re: timeout when connection should be immediately refused

Post by mpack »

Why do you think this is a VirtualBox problem? It sounds like a networking configuration issue to me - or just crappy guest software. It sounds like the virtual NIC is sending and receiving data just fine.

Re: timeout when connection should be immediately refused

Post by reidpr »

Hi mpack,

I suspect VirtualBox because I trust the guest OS (Debian), because the guest network config is bog-standard, and because it's a very odd behavior. It seems more likely to me that something in the NAT or other parts of the VB networking is losing the RESET packet from the refused connection than that the guest OS is doing so.

Why do you believe the virtual NIC is working fine? If we can rule out VB problems, that would be great. I don't see evidence so far that VB is working correctly, but you know more than me about it, so perhaps you could explain your reasoning.

Thanks,

Reid

Re: timeout when connection should be immediately refused

Post by mpack »

reidpr wrote: Why do you believe the virtual NIC is working fine? If we can rule out VB problems, that would be great.

I say that because the virtual NIC seems to be sending and receiving Ethernet packets OK, and an Ethernet device doesn't know anything about internet protocols or connections. However with NAT networking there is a kind of TCP routing going on, so maybe I've got it wrong. I'll bow out and let someone with more network experience comment.

Re: timeout when connection should be immediately refused

Post by reidpr »

No worries. Thanks for your hard work on VB! It makes my daily work far, far easier.

Re: timeout when connection should be immediately refused

Post by mpack »

Well, uh, thanks - but I don't work on VB. This is a user forum, replies will mainly come from other users. There are sometimes devteam members on here (they'll have the "Oracle" caption beneath their name), but mainly it's just us enthusiasts.

Re: timeout when connection should be immediately refused

Post by reidpr »

OK, I learned more. Apparently NAT often has trouble with ICMP packets. My hypothesis is that the ICMP packet which carries the "connection refused" message is not being copied from the host to the guest.

There is a workaround, and that's to reject packets destined for the server in question before they leave the guest. For me, the following works:

    $ route add -host x.y.z.w reject

The resulting error is slightly different (network unreachable), but it works well enough for me.

In my particular case the connection isn't refused because the server itself is rejecting the connections (i.e., the host is reachable but the port is closed); rather, it's "destination unreachable". However, I think the closed-port case will work the same.
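
A small probe for comparing host and guest, added here as an example and not part of the original thread: it reports whether a TCP connect ended in a RST (refused), an unreachable error (ICMP or a local reject route like the one above), or silence (timeout). The function names and labels are this example's own.

```python
import errno
import socket
import sys

# What each outcome implies about the path between this stack and the target.
MEANING = {
    "connected": "handshake completed",
    "refused": "a TCP RST reached this stack (port closed)",
    "unreachable": "an ICMP unreachable arrived, or a local reject route matched",
    "timeout": "no RST or ICMP error arrived; the SYN or its reply was dropped",
    "other": "different failure (for example name resolution)",
}

def classify(exc):
    """Map the exception raised by connect() (or None) to an outcome label."""
    if exc is None:
        return "connected"
    if isinstance(exc, socket.timeout):
        return "timeout"          # our own timer expired while in SYN_SENT
    if isinstance(exc, OSError):
        if exc.errno == errno.ECONNREFUSED:
            return "refused"
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        if exc.errno == errno.ETIMEDOUT:
            return "timeout"      # the kernel gave up retransmitting the SYN
    return "other"

def probe(host, port, timeout=3.0):
    """Attempt one TCP connect and return the outcome label."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return classify(None)
    except OSError as exc:
        return classify(exc)
    finally:
        s.close()

if __name__ == "__main__":
    # Usage: python3 probe.py HOST PORT   (run once on the host, once in the guest)
    outcome = probe(sys.argv[1], int(sys.argv[2]))
    print(outcome + ": " + MEANING[outcome])
```

If the host prints "refused" or "unreachable" and the guest prints "timeout" for the same target, the error reply is being lost between the host's stack and the guest.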

Re: timeout when connection should be immediately refused

Post by mpack »

reidpr wrote: OK, I learned more. Apparently NAT often has trouble with ICMP packets.

Well, my knowledge of networking protocols is limited, but ICMP messages are usually sent out of band, isn't that right? Meaning that they are not sent as one-for-one replies to request messages. In that case a NAT VM would not receive these messages unless you configured port forwarding. I assume you also have the guest firewall configured correctly to accept ICMP messages - actually I'm not familiar with Debian Wheezy, but recent Windows versions have ICMP disabled by default for security reasons (DoS attacks, network address probes).

Re: timeout when connection should be immediately refused

Post by reidpr »

mpack wrote: Well, my knowledge of networking protocols is limited, but ICMP messages are usually sent out of band, isn't that right? Meaning that they are not sent as one-for-one replies to request messages. In that case a NAT VM would not receive these messages unless you configured port forwarding.

I don't quite understand the details either, but other NAT situations I have access to manage to make it work.

mpack wrote: I assume you also have the guest firewall configured correctly to accept ICMP messages - actually I'm not familiar with Debian Wheezy, but recent Windows versions have ICMP disabled by default for security reasons (DoS attacks, network address probes).

I think the filtering in this case is more subtle, e.g., reject pings but allow connection refused and such through. Outgoing connections hanging instead of failing immediately is pretty annoying, and there's no security benefit.