Issue with communicating with the One Click Support server (ZeroWindow problem)

Basically this is the same as what I reported in this thread but with a better title and more specifics in an attempt to get someone's attention who can look into this.

 

 

If I try to use One Click Support it simply times out.  I traced the problem to being unable to connect to the One Click Support Symantec server, https://tificocs.symantec.com/

 

Using a packet sniffer I'm seeing all kinds of weird stuff when One Click Support tries to connect to that server.

 

First off the server doesn't respond for 19 seconds after ACKing the client's initial "application data" packet.  This results in the client issuing a RST.

 

Second, on the second try, when the client starts sending a bunch of application data to the server, the server ACKs it all and then sends one duplicate ACK.  At this point it starts sending out ZeroWindow notifications, which means that it can no longer accept packets from the client.  Shortly afterwards it sends an "ENCRYPTED ALERT" packet and then a RST to disconnect.  This process then repeats and the One Click Support client gives up.

 

It does this every single time I try to use OCS.  I have no idea why, but it would seem to indicate a server problem.

 

What's strange is that I can connect to https://tificocs.symantec.com/ using my web browser at work and receive a web page that contains the word "Forbidden", but when I try to do so from home the server immediately closes the connection without returning any data at all.  I also tried a few SSL proxy servers and some return "Forbidden" and some simply show the connection being reset.

 

I'm not sure why it works for some people and not others or why I can connect to the web site from work and through some proxies, but not at home or through others, unless it is related to MTU or RWIN or something.

I have the packet dump of the entire connection attempt if someone at Symantec wants to get in touch with me.  I also have dumps of me going to https://tificocs.symantec.com/ via a proxy server and directly.

Message Edited by Morac on 09-10-2009 10:23 PM

Hi Morac,

 

What OS are you running? I am assuming you don't have any trouble connecting to any other internet sites? Also are you behind a hardware router or firewall?

 

Have you ever been able to run One Click Support successfully?

 

As for going to the OCS site manually, it will return the "403 Forbidden" error, as it is not meant to be accessed from outside of using the OCS client.

Message Edited by OscarL on 09-10-2009 07:31 PM

 

Thanks for responding.  I mentioned most of what you asked for in the other thread I linked to, but here are the answers:

 

  • I'm running Windows XP SP3, but it's not OS related (see below).
  • I have no problem connecting to any other internet sites (except https://tificocs.symantec.com/ see below for more info)
  • I am behind a router, but I've bypassed it for testing purposes and connected directly to my cable modem. I've also rebooted my modem.
  • I have yet to run One Click Support successfully under NIS 2010.  I have run it successfully under NIS 2009 in the past, but the last time I did so was Aug 18, 2009 (it worked fine then).

 

More details:

 

I only have NIS 2010 installed on my laptop, so to test things I use a web browser to see if the "403 Forbidden" error shows up when I go to the OCS site manually in the browser.  If it shows up I know that the server responded.  If I see nothing or a "page could not be displayed" error I know something is wrong.

 

Here's what I've determined by testing to see if manually connecting to the OCS site displayed "Forbidden" or timed out:

  1. It's not my router since I've bypassed the router and connected my laptop directly to my cable modem.
  2. It's not my laptop since I don't get a response from the OCS site manually on another PC I have (without NIS on it), nor do I get a response with my PS3's web browser.
  3. Using various proxies around the country gets me different results ("403 Forbidden" versus "page could not be displayed" error) when manually connecting to the OCS site.  I don't know what the pattern is exactly, but I know I get "Forbidden" at my office, but a "page error" at home.  Unfortunately One Click Support can't be run through an SSL proxy.  The main difference here though is that in one case the server is returning an APPLICATION DATA SSL packet ("Forbidden") and in the other case it returns an ENCRYPTED ALERT SSL packet (no data). I haven't tried a public hot spot to see if that works.
  4. The server is returning some rather odd error packets, including DUP ACKs and ZeroWindow. The latter in itself is an indication of some kind of server problem.

 

The problem appears to affect some people, but not others.

 

People affected:

Me (at home)

Jimbo40

EsieB

csoyen (has screen shots of issue)

 

People not affected:

chatham

Here's the last few packets when I try to connect to the OCS server when running OCS in NIS 2010.  After the DUP ACK, the server seems to stop processing data and then simply closes the connection:


No.     Time        Source                Destination           Protocol Info
224 59.078548   192.168.1.6           204.232.134.16        TCP      [TCP segment of a reassembled PDU]
225 59.078600   192.168.1.6           204.232.134.16        TCP      [TCP segment of a reassembled PDU]
226 59.078783   204.232.134.16        192.168.1.6           TCP      https > btpp2sectrans [ACK] Seq=123 Ack=40541 Win=6768 Len=0
227 59.089992   204.232.134.16        192.168.1.6           TCP      https > btpp2sectrans [ACK] Seq=123 Ack=43301 Win=4008 Len=0
228 59.115296   204.232.134.16        192.168.1.6           TCP      https > btpp2sectrans [ACK] Seq=123 Ack=46061 Win=1248 Len=0
229 59.302378   204.232.134.16        192.168.1.6           TCP      [TCP Dup ACK 228#1] https > btpp2sectrans [ACK] Seq=123 Ack=46061 Win=1248 Len=0
230 64.039600   192.168.1.6           204.232.134.16        TCP      [TCP segment of a reassembled PDU]
231 64.303352   204.232.134.16        192.168.1.6           TCP      [TCP ZeroWindow] https > btpp2sectrans [ACK] Seq=123 Ack=47309 Win=0 Len=0
234 65.146038   192.168.1.6           204.232.134.16        TCP      [TCP ZeroWindowProbe] btpp2sectrans > https [ACK] Seq=47309 Ack=123 Win=65413 Len=1
235 65.168531   204.232.134.16        192.168.1.6           TCP      [TCP ZeroWindowProbeAck] [TCP ZeroWindow] https > btpp2sectrans [ACK] Seq=123 Ack=47309 Win=0 Len=0
236 66.956667   192.168.1.6           204.232.134.16        TCP      [TCP ZeroWindowProbe] [TCP segment of a reassembled PDU]
237 66.978946   204.232.134.16        192.168.1.6           TCP      [TCP ZeroWindowProbeAck] [TCP ZeroWindow] https > btpp2sectrans [ACK] Seq=123 Ack=47309 Win=0 Len=0
240 70.577857   192.168.1.6           204.232.134.16        TCP      [TCP ZeroWindowProbe] [TCP segment of a reassembled PDU]
241 70.600318   204.232.134.16        192.168.1.6           TCP      [TCP ZeroWindowProbeAck] [TCP ZeroWindow] https > btpp2sectrans [ACK] Seq=123 Ack=47309 Win=0 Len=0
254 77.820027   192.168.1.6           204.232.134.16        TCP      [TCP ZeroWindowProbe] [TCP segment of a reassembled PDU]
255 77.848946   204.232.134.16        192.168.1.6           TCP      [TCP ZeroWindowProbeAck] [TCP ZeroWindow] https > btpp2sectrans [ACK] Seq=123 Ack=47309 Win=0 Len=0
267 88.754329   204.232.134.16        192.168.1.6           TLSv1    Encrypted Alert
268 88.754499   192.168.1.6           204.232.134.16        TCP      btpp2sectrans > https [ACK] Seq=47309 Ack=147 Win=65390 Len=0
269 88.754620   204.232.134.16        192.168.1.6           TCP      https > btpp2sectrans [RST, ACK] Seq=147 Ack=47309 Win=0 Len=0

I just want to clarify the connection to the OCS server isn't timing out, the server is simply closing the connection without sending a response. All signs on my end point to a server problem, which is why I'm confused that it works for some.

 

 

So far I've gotten three ISPs and three geographic locations where this is occurring:

 

Me: Southern NJ (Comcast)

EsieB: Greensboro, NC (Time Warner Cable)

Someone elsewhere:  MD (MediaCom)

 

I don't think it is geographically related though because my work connection goes through a gateway in Virginia and that works.
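
The window behaviour in the trace posted above can be checked mechanically. The following Python sketch is an added example, not part of any post in this thread or of any Symantec tool: it parses Wireshark text-summary lines and reports whether the server's receive window ever reopened before the reset. The names `parse` and `receiver_stall` are hypothetical, and the `Win=` values are taken as displayed by Wireshark.

```python
import re

# Subset of the frames posted above (whitespace collapsed); embedded to run offline.
TRACE = """\
226 59.078783 204.232.134.16 192.168.1.6 TCP https > btpp2sectrans [ACK] Seq=123 Ack=40541 Win=6768 Len=0
228 59.115296 204.232.134.16 192.168.1.6 TCP https > btpp2sectrans [ACK] Seq=123 Ack=46061 Win=1248 Len=0
231 64.303352 204.232.134.16 192.168.1.6 TCP [TCP ZeroWindow] https > btpp2sectrans [ACK] Seq=123 Ack=47309 Win=0 Len=0
234 65.146038 192.168.1.6 204.232.134.16 TCP [TCP ZeroWindowProbe] btpp2sectrans > https [ACK] Seq=47309 Ack=123 Win=65413 Len=1
254 77.820027 192.168.1.6 204.232.134.16 TCP [TCP ZeroWindowProbe] [TCP segment of a reassembled PDU]
255 77.848946 204.232.134.16 192.168.1.6 TCP [TCP ZeroWindowProbeAck] [TCP ZeroWindow] https > btpp2sectrans [ACK] Seq=123 Ack=47309 Win=0 Len=0
267 88.754329 204.232.134.16 192.168.1.6 TLSv1 Encrypted Alert
269 88.754620 204.232.134.16 192.168.1.6 TCP https > btpp2sectrans [RST, ACK] Seq=147 Ack=47309 Win=0 Len=0
"""

ROW = re.compile(r"^\s*\d+\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+\S+\s+(.*)$")

def parse(trace):
    """Turn Wireshark text-summary lines into dicts; skip anything else."""
    rows = []
    for m in filter(None, map(ROW.match, trace.splitlines())):
        t, src, dst, info = m.groups()
        ack = re.search(r"\bAck=(\d+)", info)
        win = re.search(r"\bWin=(\d+)", info)
        rows.append({"time": float(t), "src": src, "dst": dst, "info": info,
                     "ack": int(ack.group(1)) if ack else None,
                     "win": int(win.group(1)) if win else None})
    return rows

def receiver_stall(rows, receiver):
    """Describe how `receiver`'s advertised window behaved before its reset."""
    acks = [r for r in rows if r["src"] == receiver and "RST" not in r["info"]
            and r["ack"] is not None and r["win"] is not None]
    zero = [r["time"] for r in acks if r["win"] == 0]
    rst = [r["time"] for r in rows if r["src"] == receiver and "RST" in r["info"]]
    first_zero = zero[0] if zero else None
    return {
        # Ack + Win is the right edge of the receive window. If it never moves,
        # the receiving side freed no buffer space while data kept arriving.
        "right_edges": sorted({r["ack"] + r["win"] for r in acks}),
        "first_zero_window": first_zero,
        "probes_sent": sum(r["dst"] == receiver and
                           "[TCP ZeroWindowProbe]" in r["info"] for r in rows),
        "window_reopened": any(r["win"] > 0 for r in acks
                               if zero and r["time"] > first_zero),
        "stalled_seconds": round(rst[0] - first_zero, 3) if rst and zero else None,
    }

if __name__ == "__main__":
    print(receiver_stall(parse(TRACE), "204.232.134.16"))
```

On these frames every server ACK has the same Ack + Win value (47309), so the advertised window shrank by exactly the number of bytes acknowledged and never reopened before the reset.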

I have exactly the same issue.  My ISP is ATT in Northern California.  No other (known) NIS 2010 issues.

Just wanted to give an update on this issue. We are working on it. We might need to ask one or more of you for more information as we troubleshoot.

 

Morac, I think you have a Private Message from the One Click Support team.

I have three pc’s that all have NIS 2010, and One Click fails on all three (it asks to release/renew the IP settings, then to repair the host file, then to release/renew the IP, etc on all three.)  I have no other NIS 2010 issues that I am aware of, so I don’t need One Click support right now.   But, I want to get One Click functional so that it is ready if and when I do have an issue and need assistance.  (All three PC’s go through the same router, two wirelessly and the other wired.)  My service provider is ATT DSL in Northern California.


OscarL wrote:

Just wanted to give an update on this issue. We are working on it. We might need to ask one or more of you for more information as we troubleshoot.

 

Morac, I think you have a Private Message from the One Click Support team.


 

Yes I received a pm, thank you.  I responded with the data he requested.

Oh and for anyone who is wondering what I mean by "Forbidden" or "cannot display", here are two screen shots, one from work (left), one from home (right).  Yes they are using different versions of IE (6 vs 8), but I can only work with what I'm given. :smileyhappy:

 

As far as I'm aware, IE 8 is capable of displaying HTTP 403 errors.  Also the "cannot display the webpage" is a generic error that IE 8 puts up if it can't display the web page.  It ranges from typing in an invalid address to the web server simply not responding.  Other browsers are more specific with their errors.  For example Google Chrome gives this error "Error 324 (net::ERR_EMPTY_RESPONSE): Unknown error."

 

[Screenshots: norton_at_work.jpg, norton_home.jpg]

I stumbled across a log file which apparently is part of One Click Support.  I found it in:

 

%USERPROFILE%\Local Settings\Application Data\Tific

 

There are two files in there:

 

client.log and  Cache\tificocs.symantec.com\log.txt

 

They contain a number of "Errors".

Would this relate to the Fix Now / One Click pop up I am getting now at intervals that it says it can't fix, that it's a 3039,1 error (and nothing comes if you search) and its only offer is to help me wipe Norton off the PC with NRT and reinstall, which I've declined?

 

It comes up periodically on both my and my wife's desktops on the same XP Pro SP3 computer with NIS 2010 on it just updated on line from NIS 2009 .... .11

 

Let me know if relates to what you are working on or interested in.

It would only relate if One Click actually fails to run.

 

The basic issue here is that One Click Support isn't working for some people, but everything else works fine.  If you can run One Click Support manually and it downloads and runs, then your problem isn't related.

 

It sounds like One Click is actually working on your machine since it's giving you a suggestion.

Experience has taught me that whether or not something is related causally depends on knowing how a system is constructed and runs which I doubt either of us do – I’ve worked with Oscar_L before on a problem and he pinned it down quickly so I just feed him the data and let him decide … <s>

My One Click problem was gone this morning.  Good work Norton staff.

Thanks for the feedback – keep your fingers crossed <s>

It's working for me today as well. 

Thanks OscarL and the behind the scene guys. 

Thank you Morac for the information and your assistance.  This helped us identify an issue with a network port that prevented some users access to our server.  This issue has now been corrected, and we appreciate everyone's understanding and assistance.