Closed SteveSyfuhs closed 3 years ago
I couldn't figure out the best area label to add to this issue. If you have write-permissions please help me learn by adding exactly one area label.
Slightly more specific repro for Microsoft folk. Code effectively calls the repro above client.ConnectAsync(...)
.
dotnet tool install bruce -g
bruce.exe
bruce> kinit
TCP Connect failed
)You should see your username show up, otherwise try kinit user@your.corp.domain.com
replacing domain as appropriate.
Might be relevant for reproduction to know whether you are using WinPcap or Npcap.
Capture driver is npcap.
Tagging subscribers to this area: @dotnet/ncl See info in area-owners.md if you want to be subscribed.
Tagging subscribers to this area: @dotnet/ncl See info in area-owners.md if you want to be subscribed.
@SteveSyfuhs any chance you can try this with 5.0 RC1?
.NET really just relay on OS functions so this is interesting. with "Doesn't appear to be a regression" I assume this fails also with 3.1? We have seen some odd behavior with VPN in the past - but not quite like this.
Can you please try same scenario when VPN is not involved @SteveSyfuhs? Also I assume other applications do work? (like browser or "openssl s_client -connect IP:port)
Also any log entries for Windows firewall - if it is enabled?
Tried .NET 5 RC1. Same behavior.
Also tried without VPN. This does work.
The symptoms:
TcpClient Connect fails when
TcpClient Connect succeeds when
The failure is consistently the timeout reported above. Wireshark does indicate something is going on. It can detect the DNS queries right before and observes something on the TCP level:
I can provide a full wireshark capture offline if you'd like.
Edit: also nothing logged by Firewall.
I could look at the capture but I'm afraid we will not see much there. From the trace it looks like SYN is going out but the server does not answer. If you can, could you do packet capture on the server @SteveSyfuhs ? (or any node behind the VPN) If you do not see the same SYN, that would probably point finger to the VPN client. Depending on how the VPN is implemented, it hooks to network stack at various levels and it "steals" packets and injects new one (with VPN encapsulation) (e.g. you should see encrypted traffic on your primary interface)
From .NET prospective the interesting question is if other applications have same problem or this behavior is specific to .NET. In the former case we can possibly involve Windows networking or open ticket for VPN. In the latter, we would need to investigate further - perhaps enabling Windows network tracing. So test with nc
, Netcat
, telnet
or openssl s_client
would be interesting.
I'll see if I can capture a trace on the far side of the VPN, but that may take a while since its currently production traffic.
I did verify that the TCP socket call Windows makes when doing the equivalent command as the Bruce kinit
call does succeed. However, that happens in LSA, so running as SYSTEM, so it doesn't entirely rule out firewall permission issues.
Telnet interestingly also reproduces the behavior on both the success and failure scenarios so I'm leaning towards this looking like it's more likely a Windows networking issue and not .NET itself. Any instructions on how to capture the networking traces?
You can start with https://community.progress.com/s/article/How-to-run-a-NETSH-Trace but this is really not area of my expertize so I don't know what to look for.
As I mentioned we have seen some off behavior in the past and that may point to 3rd party application - unless you use built-in L2TP (or similar)
Closing as there is nothing actionable at this moment. Feel free to reopen if there is more info / traces for us to look at.
Description
Might be environmental, but can't figure out what is special here aside from the remote target is on the other side of VPN. I can repro this with just a single call to
ConnectAsync(addr, port)
. I can share a more specific scenario and wireshark log offline.System.Net.Internals.SocketExceptionFactory.ExtendedSocketException: 'A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. remote-ip:80'
Configuration
Regression?
Doesn't appear to be a regression.
Other information