Super weird network problem, genius help needed

Discussion in 'other software & services' started by Mrkvonic, Apr 8, 2010.

Thread Status:
Not open for further replies.
  1. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    OK guys, I have my weirdest problem yet, I'd appreciate any suggestions.

    About 2 weeks ago, one of the XP SP3 machines started doing something weird ...

    Randomly, once a day or once in two days, the browsers cannot connect to the Internet for about 1-2 minutes, then the problem is gone. No other machine on the network is affected, so it's not the router.

    Both FF, IE cannot connect, so not a browser issue either. The browsers simply try to load any which webpage being accessed and time out. Other programs and protocols work - ping, traceroute, p2p, ftp, etc. Router interface is also available. Seems limited to HTTP requests in some way. Not DNS related, because IP addresses don't work either, and resolution works for other programs.

    After a minute or two, it gets back to normal.

    Nothing strange in the process table or netstat. The machine is stable and works fine. No errors or strange behavior of any kind, save for this little quirk.

    The only thing that did seem weird was the WebClient service, used for WebDAV thingie, in the stopping state, but even when stopped, the problem manifests. So not this service either. But maybe this is a clue?

    Like I mentioned:

    Other hosts work, not a router issue.
    All browsers on the same machine affected, not a browser issue.
    Tried different nics in the box, so not a bad nic.

    Nothing has changed in the machine setup prior to the problem emerging, so I'm suspecting something with the tcpip stack. Any ideas what to check or how to debug this? Maybe Wireshark?

    Most importantly, did anyone see something like this?

    Regards,
    Mrk
     
  2. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, that's what I've seen with proxy autodiscovery - proxy forced via DHCP/DNS + system policies when the proxy somehow decided it's going to take a rest :)

    If that's not your case, then a network traffic sniffer or at least some monitor that will watch what's the browser trying to do at that time seems like a good idea.
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    I'm not using a proxy, so I'll probably start sniffing ...
    Mrk
     
  4. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I'd say this is more of a local PC problem than a network problem.

    I'd download the latest NIC driver
    Uninstall current NIC
    Reboot...and install NIC using the latest driver
    Reboot, then run a TCP/Winsock repair utility
    http://www.snapfiles.com/reviews/WinSock_XP_Fix/winsockxpfix.html

    Also as mentioned above..probably be good to check that connection setup..ensure there's no proxy entered. Although that usually just causes a 10-15 second delay upon launch..not a 1-2 minute delay.
     
  5. renegade08

    renegade08 Registered Member

    Joined:
    Aug 26, 2008
    Posts:
    431
  6. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Nice utility, tnx. :cool:
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043
    I agree, I'd check the drivers.

    When I tried upgrading this machine to Win 7 x64, it was fine, except it could see the network adapter, so no network. If I shut the machine down completely, and brought it back it would work briefly.

    Weirdest part was once the adapter was down, restoring the XP image didn't bring it back. Still had to completely power down.

    Finally downloaded latest motherboard drivers from Nvidia. Reinstalled x64 Win 7. But since it couldn't see the adapter it didn't give the option to install the drivers. I powered down and came back up. In the few minutes the adapter was there, I was able to install the drivers.

    End of problem.

    Pete
     
  8. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,560
    Pete, the problem that you described is caused by the BIOS.
    If you encounter it again enter in the bios settings and check if the nic is listed or it just "disappeared".

    Last year I had the same problem and the definite way to solve it was to clear the cmos and then reconfigure the bios.

    Panagiotis
     
  9. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Anything going on in Task Manager when this is happening?

    ie. antivirus updating, etc.
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Hi all,

    Thanks for the suggestions. I will try some few innocent tricks before going with Wireshark ...

    I'll try chkdisk.
    I'll try reboot/poweroff.
    I'll see if there are any nic updates, but this happens on two unrelated cards, so I doubt this is the problem here.

    noway, I'm not running an anti-virus. And no change in the process table when this happens. netstat also shows no interesting activity. There are no half-open tcp connections, so I guess the problem is internal.

    Why do I always find these odd thingies?
    And why do I have the mental disorder to care about them :)

    Mrk
     
  11. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Flush your DNS and reset the Winsock and restart.

    To flush DNS go to start > run > cmd prompt

    ipconfig /flushdns should do the trick and you will get a message when it's complete.

    To reset Winsock use the cmd prompt again and type this:

    netsh winsock reset

    Do both and then restart.
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Before going with the idea of resetting the winsock, I used netdiag, msinfo32 and xpnetdiag; none reported any issues. Using netdiag /test:winsock /v, again all is well. Checked devices, manually went through the registered winsock entries, the problem ain't there.

    It's something wicked.

    It even might be a weird hardware issue ...

    Reminds me a little of the wireless saga on T61, if this is the case, then I'm doomed and will never solve this :)

    Mrk
     
  13. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Resetting the Winsock won't cause any harm. It will either A) fix the issue or B) not fix the issue and not make the issue any worse. If you do fix it, that's one less thing to look into later. It's a major culprit in most internet page time outs.
     
  14. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    any more clues in event viewer logs, errors or warnings?
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,043

    Hi Panagiotis

    In this case it was a driver issue. I'd restore the XP image, and once I turned the machine off after restore, no further problems. With the Win 7 x64, once I downloaded and installed the correct drivers, again the problem went away. Didn't need to touch the BIOS.

    Not really a surprise. This is a 64 bit ready machine, but was set up 2.5 years ago as a 32 bit machine.

    Pete
     
  16. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Well, resetting the winsock did not help, as I expected. Saw it again. Packet capture shows only SYNs going out from my machine and no replies, which comes as no surprise.

    The only other thing I can think of is ISP using some weird heuristic network analysis and then when identifying "malformed" packets, it honeytraps them, slowing down the traffic, but it only happens on one machine, whereas ISP sees the router address and not the internal ones, plus I doubt they have that ability and skill or need. After all, port 80.

    Mrk
     
  17. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well... here's a rather crazy idea, but I could confirm whether it's ISP or your internal stuff... so...

    - set up an internal webserver somewhere
    - set up an authoritative internal DNS server somewhere and do some Verisign-style wildcard records for TLDs there, pointing those to your webserver's IP
    - point your box to that DNS and have phun
    :D
     
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    OK, a small update. Seems I'm running out of connections :)

    Not just open and half-open, but total number of endpoints. That's what I've been able to ascertain using TCPView by Sysinternals. Having a 12MB internet has its down sides, it seems ...

    Well, I guess I'll just have to live with it. And throttle down the network utilization a little bit.

    Mrk
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    Some more info ...

    I found the Windows XP avoiding tcp/ip port exhaustion guide. It turns out the number of allowed ports and default time_wait are horrible. And to change them, the user has to make their own registry keys.

    For anyone interested:
    http://msdn.microsoft.com/en-us/library/aa560610(BTS.20).aspx

    So much more difficult than Linux sysctl ...

    Cheers,
    Mrk
     
  20. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Ah, yeah... the defaults are broken. I changed those on XP boxes such a long time ago that I've completely forgotten about this.
     
  21. iravgupta

    iravgupta Registered Member

    Joined:
    Dec 17, 2009
    Posts:
    605
    OP, I have been having the exact same issue for a few days. Can you share the security setup on the affected machine? Also, do you use uTorrent by any chance?
     
  22. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,696
    I'm using both emule and utorrent. Security setup - lua :) But this is not a security issue but one of system network optimization.

    I have increased the number of half-open tcp connections to 100, but that does not matter, because trending the behavior, it's the time_wait that takes 80-90% of endpoints, so there's quite a bit of overhead. I will reduce the timeout to 30 seconds and follow and see what gives.

    Mrk
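
Added example, not part of the original thread: a Python tally of Windows `netstat -an` output that reports how full the ephemeral port range is and what share of endpoints sit in TIME_WAIT, the measurement described in the post above. The sample output is constructed; the 1025-5000 range is the documented Windows XP default (MaxUserPort) and is assumed to be unchanged on the host.

```python
from collections import Counter

# Documented Windows XP default ephemeral range: 1025..MaxUserPort (5000).
# Assumption: the host has not overridden MaxUserPort in the registry.
EPHEMERAL_LOW, MAX_USER_PORT = 1025, 5000

# Constructed sample in the column layout of Windows `netstat -an`.
SAMPLE = "\n".join(
    ["  Proto  Local Address          Foreign Address        State",
     "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
     "  UDP    0.0.0.0:445            *:*"]
    + [f"  TCP    192.168.1.10:{p}      203.0.113.{p % 250}:6881      TIME_WAIT"
       for p in range(1025, 1033)]
    + ["  TCP    192.168.1.10:1033      203.0.113.7:80         ESTABLISHED",
       "  TCP    192.168.1.10:1034      203.0.113.9:80         SYN_SENT"])

def parse_netstat(text):
    """Yield (local_port, state) for each TCP row of `netstat -an` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # header, blank lines, UDP rows (no state column)
        local, _remote, state = parts[1:]
        yield int(local.rsplit(":", 1)[1]), state

def summarize(text, low=EPHEMERAL_LOW, high=MAX_USER_PORT):
    """Tally TCP states on ephemeral local ports and the fill level of the range."""
    states, used_ports = Counter(), set()
    for port, state in parse_netstat(text):
        if state == "LISTENING" or not (low <= port <= high):
            continue  # listeners and fixed service ports do not consume the pool
        states[state] += 1
        used_ports.add(port)
    total = sum(states.values())
    capacity = high - low + 1
    return {
        "by_state": dict(states),
        "time_wait_share": states["TIME_WAIT"] / total if total else 0.0,
        "range_used": len(used_ports) / capacity,
        # When every ephemeral port is taken, new outbound connects fail
        # until TIME_WAIT entries expire.
        "exhausted": len(used_ports) >= capacity,
    }

if __name__ == "__main__":
    # Shrink the range to 10 ports so the constructed sample fills it.
    print(summarize(SAMPLE, low=1025, high=1034))
```

Run against snapshots taken during and outside an outage, the `time_wait_share` and `range_used` figures show whether lingering TIME_WAIT endpoints are what fills the pool.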
     
  23. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,284
    Location:
    England
    tcp/ip port exhaustion... what ever will we have next to worry about :) :)
     