Project declare up, but no reporting for me

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 118641056
RAC: 109758

Very nice troubleshooting

Very nice troubleshooting archae86. We now have a better picture on what may be happening. There are some things that are still a bit puzzling. Can you try the windows default ping again without the firewall (or a special rule for ping like for the boinc client). I would like to know if this standard ping still gets dropped somewhere on our end or if Kaspersky is tampering with this standard ping which leads to dropping.

AgentB
AgentB
Joined: 17 Mar 12
Posts: 915
Credit: 513211304
RAC: 0

RE: OK, you guys

Quote:

OK, you guys win.

No, we won. Your crunching at E@H is good news, for more reasons than credits - i learnt something quite basic that windows and linux pings are different.

Each time the security products misbehave, spooky action in the network stack follows.

I'd try adding and removing boinc or boinc servers to your exceptions list now to see if you can de-spook K.

AgentB
AgentB
Joined: 17 Mar 12
Posts: 915
Credit: 513211304
RAC: 0

RE: I would like to know

Quote:
I would like to know if this standard ping still gets dropped somewhere on our end or if Kaspersky is tampering with this standard ping which leads to dropping.

it is being dropped upstream, but only of data length = 32 or 33

This just happens to be Windows default length.

agentb@gluon:~/boinc$ ping -s 30 130.75.1.213
PING 130.75.1.213 (130.75.1.213) 30(58) bytes of data.
38 bytes from 130.75.1.213: icmp_seq=1 ttl=243 time=34.4 ms
38 bytes from 130.75.1.213: icmp_seq=2 ttl=243 time=34.4 ms
38 bytes from 130.75.1.213: icmp_seq=3 ttl=243 time=34.2 ms
^C
--- 130.75.1.213 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 34.258/34.399/34.476/0.181 ms
agentb@gluon:~/boinc$ ping -s 32 130.75.1.213
PING 130.75.1.213 (130.75.1.213) 32(60) bytes of data.
^C
--- 130.75.1.213 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6047ms

agentb@gluon:~/boinc$ ping -s 34 130.75.1.213
PING 130.75.1.213 (130.75.1.213) 34(62) bytes of data.
42 bytes from 130.75.1.213: icmp_seq=1 ttl=243 time=34.9 ms
42 bytes from 130.75.1.213: icmp_seq=2 ttl=243 time=34.1 ms
42 bytes from 130.75.1.213: icmp_seq=3 ttl=243 time=34.0 ms
^C
--- 130.75.1.213 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 34.056/34.388/34.947/0.425 ms

This result is repeated upstream at
gate-w1-0.netz.uni-hannover.de (130.75.1.213)

hth

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 118641056
RAC: 109758

Thanks. The ping issue seems

Thanks. The ping issue seems to be unrelated to the Kaspersky issue. Those particular sized ping packets seem to get dropped by the university router for security reasons.

To me it seems that Kaspersky is tampering with the outgoing traffic. The switch of the backend server on our end also included an OS upgrade which also has an updated network stack. It seems that the tampered packets are dropped because they are not RFC-compliant. Unfortunately we can't change this. So you have to exclude the boinc client in the Kaspersky firewall for now.

I think it would be helpful if you also contact Kaspersky and let them know that the "scan" they do on outgoing traffic is tampering with the packets which in this case (scheduler request) leads to a silent packet loss.

WolfK
WolfK
Joined: 25 May 08
Posts: 19
Credit: 31998740
RAC: 4658

Thank you for this workaround

Thank you for this workaround with the detailed description. I only had to translate it into german and follow step by step, yes, it works.

I hope that there will be another solution because its not always the best idea to switch off an alarm if its disturbing the work. Perhaps it might be possible to change the server url in some config - file so that there is no redirection needed, which Kaspersky might consider as a man-in-the-middle-attack or similar.

Christian Beer
Christian Beer
Joined: 9 Feb 05
Posts: 595
Credit: 118641056
RAC: 109758

RE: I hope that there will

Quote:
I hope that there will be another solution because its not always the best idea to switch off an alarm if its disturbing the work. Perhaps it might be possible to change the server url in some config - file so that there is no redirection needed, which Kaspersky might consider as a man-in-the-middle-attack or similar.


We deliberately changed the scheduler URL to this canonical form so we can use redirects. This is especially helpful when we need to change the server where the scheduler is running. A change of the URL is only recognized by the client if it can't reach it for several tries. During that time (which may be several days for some) there is no new work or reporting of computed results for the host. We want to avoid that so we have to use redirects to direct clients from the old URL to the new one.

Our servers are sending RFC-conform redirects that are used widely. If Kaspersky would block every redirect you wouldn't be able to surf the Internet. So we don't know what's so special about our redirect or scheduler request that Kaspersky blocks it. The only one to answer that is the company itself.

Richard Haselgrove
Richard Haselgrove
Joined: 10 Dec 05
Posts: 2139
Credit: 2752977342
RAC: 1380192

RE: Our servers are sending

Quote:
Our servers are sending RFC-conform redirects that are used widely. If Kaspersky would block every redirect you wouldn't be able to surf the Internet. So we don't know what's so special about our redirect or scheduler request that Kaspersky blocks it. The only one to answer that is the company itself.


And from the early part of the exploration, we determined that only "Boinc client + redirect" was blocked: "browser + redirect" got through OK. That might be worth mentioning in any issue raised with Kaspersky.

Alex Plantema
Alex Plantema
Joined: 9 Feb 05
Posts: 16
Credit: 20362656
RAC: 0

I get the same error message

I get the same error message (no start tag) as I already mentioned in Backend upgrade scheduled for Wed Nov 18, but I use the Windows firewall, not Kaspersky's. The problem started with the site upgrade. I already have an exception in the firewall for communication between my computers. I extended it to the internet, without success.

AgentB
AgentB
Joined: 17 Mar 12
Posts: 915
Credit: 513211304
RAC: 0

RE: RE: Our servers are

Quote:
Quote:
Our servers are sending RFC-conform redirects that are used widely. If Kaspersky would block every redirect you wouldn't be able to surf the Internet. So we don't know what's so special about our redirect or scheduler request that Kaspersky blocks it. The only one to answer that is the company itself.

And from the early part of the exploration, we determined that only "Boinc client + redirect" was blocked: "browser + redirect" got through OK. That might be worth mentioning in any issue raised with Kaspersky.

"I think I have another clue Holmes"

The logs show boinc is doing a HTTP POST, not the usual HTTP GET / HTTP HEAD from a browser.

This w3.org specs regarding 301 redirects suggest - the user agent [boinc in this case] must not automatically redirect the request unless it can be confirmed by the user. Kapersky (acting as a proxy) has no way of getting that confirmation (from boinc), so drops the connection.

Edit: include the correct 1.1 w3 url

AgentB
AgentB
Joined: 17 Mar 12
Posts: 915
Credit: 513211304
RAC: 0

RE: I get the same error

Quote:
I get the same error message (no start tag) as I already mentioned in Backend upgrade scheduled for Wed Nov 18, but I use the Windows firewall, not Kaspersky's. The problem started with the site upgrade. I already have an exception in the firewall for communication between my computers. I extended it to the internet, without success.

I'm not the best with Windows Firewall and i'm not running a real Windows system so i can't even test this, (others may be along soon) but if you can try adding the program

C:\Program Files\BOINC\boinc.exe

to the "Allowed programs" this should show (boinc client) and allow it to the
internet. This may or may not work.

good luck.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.