Why are applications not seeing SYN/ACK on the Windows guest?

Discussions about using Windows guests in VirtualBox.
merakim
Posts: 3
Joined: 17. May 2022, 20:00

Post by merakim »

I have a Windows guest, and when I try to access a website on the same subnet (using curl, telnet, or a browser), I get a timeout. Here's the interesting part: when I run Wireshark on the Windows guest, I find that a SYN/ACK is actually coming back from the server that I'm trying to reach, but my Windows guest never sends an ACK in response. It re-transmits its SYN as if no SYN/ACK were received:
Wireshark screenshot: windows guest ignores syn/ack
The guest has a single network adapter; it's a Bridged Adapter with Promiscuous Mode set to Allow All. If I curl my target server with the wrong destination port (curl 172.19.0.3:8887), I immediately get a 'Connection refused'. (And when I try to access a website outside of the subnet, I get 'curl: (7) Failed to connect to 74.6.143.26 port 80: Network unreachable'.) I'm rather out of my depth here.

I have Windows Defender Firewall turned off.

Having a look at my ip config with netsh shows:

Configuration for interface "Ethernet"
    DHCP enabled:                         Yes
    IP Address:                           172.19.235.111
    Subnet Prefix:                        172.19.0.0/16 (mask 255.255.0.0)
    InterfaceMetric:                      25
    Statically Configured DNS Servers:    8.8.8.8
    Register with which suffix:           Primary only
    WINS servers configured through DHCP: None

Configuration for interface "Loopback Pseudo-Interface 1"
    DHCP enabled:                         No
    IP Address:                           127.0.0.1
    Subnet Prefix:                        127.0.0.0/8 (mask 255.0.0.0)
    InterfaceMetric:                      75
    Statically Configured DNS Servers:    None
    Register with which suffix:           Primary only
    Statically Configured WINS Servers:   None

I am running VirtualBox 6.1.32_Ubuntur149290. My guest is Microsoft Windows 10 Enterprise Evaluation 10.0.17763 N/A Build 17763. My host is Ubuntu 20.04.

fth0
Volunteer
Posts: 5668
Joined: 14. Feb 2019, 03:06
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Linux, Windows 10, ...
Location: Germany

Post by fth0 »

The Wireshark screenshot doesn't show the MAC addresses of the Ethernet frames, and in combination with the promiscuous mode being enabled it's not clear to me if the received packets are meant for this VM. Therefore, a few questions came to mind:

Did you check the Ethernet MAC addresses of all TCP packets?

Are the MAC and IP addresses of this VM unique, or do you have a clone of the VM?

Why did you enable Promiscuous Mode?

Do you capture the same packets when Promiscuous Mode is set to Deny?

In general, I'd expect the missing TCP ACK to be automatically sent by a Windows network functionality as part of the TCP 3-Way Handshake. In consequence, the problem should be located outside of the curl program.

Post by merakim »

Thanks for the follow-up, fth0.
> Did you check the Ethernet MAC addresses of all TCP packets?

Yes. TMI: The MAC address of my toy server (at 172.19.0.3) is 02:42:ac:13:00:03. VirtualBox shows that the MAC address of my Windows guest is 080027E6E559. These two addresses are the only ones used for the TCP packets that I captured. Here's some expanded capture info from Wireshark, showing the two MAC addresses for a SYN and the following SYN/ACK:

14:51:12.063233 08:00:27:e6:e5:59 (oui Unknown) > 02:42:ac:13:00:03 (oui Unknown), ethertype IPv4 (0x0800), length 66: 172.19.235.111.49681 > 172.19.0.3.8888: Flags [S], seq 533207700, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
14:51:12.063320 02:42:ac:13:00:03 (oui Unknown) > 08:00:27:e6:e5:59 (oui Unknown), ethertype IPv4 (0x0800), length 66: 172.19.0.3.8888 > 172.19.235.111.49681: Flags [S.], seq 3717184946, ack 533207701, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 7], length 0

> Are the MAC and IP addresses of this VM unique, or do you have a clone of the VM?

In fact I do have a clone of this VM, and the clone has the same MAC address. However, the clone has not been running during any of my tests. I've never run more than one VM at a time. None of the other devices on the subnet has a matching MAC address.

> Why did you enable Promiscuous Mode?

I thought there might be relevant network activity which the VM was ignoring and that promiscuous mode might make it apparent to me. I guess that it doesn't make a difference here because I've just set it to 'Deny' and repeated the experiment with the same results.

> Do you capture the same packets when Promiscuous Mode is set to Deny?

Yes.

> In general, I'd expect the missing TCP ACK to be automatically sent by a Windows network functionality as part of the TCP 3-Way Handshake. In consequence, the problem should be located outside of the curl program.

100%. I'm flummoxed.


Post by fth0 »

Then I'd suspect the (obsolete) Windows guest OS or some so-called security software installed within it.

If you'd provide a complete Wireshark capture (not a screenshot) of a connection attempt right after a new VM start, I'd take a look at the timing.

Post by merakim »

> If you'd provide a complete Wireshark capture (not a screenshot) of a connection attempt right after a new VM start, I'd take a look at the timing.

Thanks very much, fth0! Here's my Wireshark capture file as a pcap! (The forum wouldn't let me upload a .pcap, so I've gzipped it.)

Attachment: curl.pcap.gz (332 Bytes)


Post by fth0 »

The TCP client repeats the TCP SYN packet with the "old" exponential backoff timing (after 3, 6, 12, ... seconds), whereas the TCP server repeats the TCP SYN/ACK packet with the "new" exponential backoff timing (after 1, 2, 4, ... seconds). But this shouldn't pose any problem, since the Internet is also full of obsolete TCP implementations. TCP RTTs of ~100 us exhibit that the TCP server is very close. The IP Identification field shows again that the TCP client is an obsolete implementation. There are a few more minor differences here and there, but nothing unusual or hinting to the problem.

Perhaps you should create another VM with a more current guest OS ...
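
Added example, not part of any post in this thread: a Python sketch that runs the checks discussed above over `tcpdump -e -n -S` text output. It confirms that a SYN/ACK acknowledges the client's ISN+1 and is addressed to the client's MAC, flags handshakes that never receive the final ACK, and reports the retransmission gaps on each side. The retransmit timestamps in the sample are constructed; the addresses, ports and sequence numbers are the ones quoted in the thread.

```python
import re
from datetime import datetime

# Text format of `tcpdump -e -n -S` (absolute sequence numbers assumed).
PKT = re.compile(
    r"(?P<ts>[\d:.]+) (?P<smac>[0-9a-f:]{17}) .*?> (?P<dmac>[0-9a-f:]{17}).*?: "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\],(?: seq (?P<seq>\d+),)?(?: ack (?P<ack>\d+),)?")

def gaps(times):
    """Whole-second gaps between successive (re)transmissions."""
    return [round((b - a).total_seconds()) for a, b in zip(times, times[1:])]

def analyse(lines):
    """Per client flow: was a valid SYN/ACK delivered, and was it ever ACKed?"""
    flows = {}
    for line in lines:
        m = PKT.match(line)
        if not m:
            continue
        p = m.groupdict()
        t = datetime.strptime(p["ts"], "%H:%M:%S.%f")
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        if p["flags"] == "S":                      # client SYN or its retransmit
            f = flows.setdefault(fwd, {"mac": p["smac"], "seq": int(p["seq"]),
                "syn": [], "synack": [], "srv_seq": None, "acked": False})
            f["syn"].append(t)
        elif p["flags"] == "S." and rev in flows:  # server SYN/ACK
            f = flows[rev]
            # Valid only if it acknowledges ISN+1 and targets the client's MAC.
            if int(p["ack"]) == f["seq"] + 1 and p["dmac"] == f["mac"]:
                f["synack"].append(t)
                f["srv_seq"] = int(p["seq"])
        elif p["flags"] == "." and fwd in flows:   # client's final ACK
            f = flows[fwd]
            if f["srv_seq"] is not None and int(p["ack"]) == f["srv_seq"] + 1:
                f["acked"] = True
    return {k: {"stalled": bool(f["synack"]) and not f["acked"],
                "syn_gaps": gaps(f["syn"]), "synack_gaps": gaps(f["synack"])}
            for k, f in flows.items()}

# Constructed capture: only the first two timestamps come from the thread.
C, S = "08:00:27:e6:e5:59", "02:42:ac:13:00:03"
HDR = "ethertype IPv4 (0x0800), length 66:"
SYN = f"{C} > {S}, {HDR} 172.19.235.111.49681 > 172.19.0.3.8888: Flags [S], seq 533207700, win 64240, length 0"
SYNACK = f"{S} > {C}, {HDR} 172.19.0.3.8888 > 172.19.235.111.49681: Flags [S.], seq 3717184946, ack 533207701, win 64240, length 0"
SAMPLE = [f"14:51:12.063233 {SYN}", f"14:51:12.063320 {SYNACK}", f"14:51:13.070000 {SYNACK}",
          f"14:51:15.063000 {SYN}", f"14:51:15.080000 {SYNACK}", f"14:51:19.090000 {SYNACK}",
          f"14:51:21.063000 {SYN}"]
```

A flow reported as `stalled` with correct MAC and ack values matches the symptom in this thread: the reply reached the guest's interface intact, so the drop happens above the capture point in the guest's network stack.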