Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Uni-directional IP flow...very weird

  • Please log in to reply
3 replies to this topic

#1 Michael Gioia

Michael Gioia

  • Members
  • 3 posts
  • Local time:11:38 PM

Posted 19 November 2010 - 12:20 AM

So, its pretty basic.
Windows XP w/SP3.
I've noticed that I have TCP/IP connectivity to IP nodes, say I ping or try to access a CIFS share to a neighbor laptop (lets call him laptop B, i'm laptop A), works fine.
Then, if I try to do the reverse from Laptop B to Laptop A. No good.
No firewall on.
Even weirder....PCap capture actually shows no datagrams hitting the NIC. (Should they appear here even with a software firewall enabled ?. It might be a stupid question. I've never bothered to check. Just assumed it would land in a pcap capture Like an routing/switching ACL.

I might continue here....Something more devastating might be lurking here....In the process of trying to fix a different issue 'RASMAN did not start' event in Event Viewer, and the fact that my PPTP VPN's weren't working (there's a tie there with RRAS and DUN's), I re-installed all my WAN Miniports, and even went so far as doing a repair installation over the top of Windows (slip streamed with SP3).

Result is, PPTP VPN's still don't work. inbound IP connectivity still doesn't work. RASMAN event is fine now though, i.e. no hit in Event Viewer on startup.

The fact that datagrams aren't hitting the NIC (and I have to say, this also occurs with Wireless too, so its not an issue with a particular interface) at all, is really weird, based on what I can see in Wireshark.

I read a KB from Microsoft that under TCP/IP settings there is an Advanced option that talks about TCP/IP filtering. But this setting is on permit all.

I'm stumped ! And I consider myself pretty savvy around Desktop's/technology.....But there are always people smarter than me out there. :)

Edited by hamluis, 19 November 2010 - 10:31 AM.
Moved from XP forum to Networking ~ Hamluis.

BC AdBot (Login to Remove)


#2 Michael Gioia

Michael Gioia
  • Topic Starter

  • Members
  • 3 posts
  • Local time:11:38 PM

Posted 20 November 2010 - 06:41 AM

I realised I didn't finish my sentence about mentioning the routing and switching ACL.....

I.e. Inbound ACL/Outbound ACL. Inbound ACL, means it's evoked, and then the logic passes to the interface what it should see.
Outbound ACL means the router/switch processes the packet first and then on exit path, via an interface, the ACL is evoked.
I'm beating around the bush here.....
But on inbound (back to firewall and my problem now) and its effect on what a pcap capture shows, maybe it won't show up, because the firewall is processing datagrams before they land on the interface and then, via this means, obviously they won't show up in the sniff. Or..would they land in the sniff regardless, and then apps/OS won't see them, i.e. firewall blocks CIFS/network share. pcap sniff might show the relevant TCP requests, but then the firewall will prevent the network share request.

I ask this, because Windows firewall is definitely off, and I THINK I uninstalled Symantec Client Security. But I don't trust it being gone.
Hence, maybe SCS is why I'm not seeing the relevant IP in the sniff ??....??

Apart from a firewall... I have no effing idea why on earth such a particular type of symptom in broken IP flow is occurring. Plus my WAN miniports are stuffed. Though, I can leverage something like Cisco VPN (IPsec), and that connects fine.

Hence, why I'm thinking its something lurking in Microsoft/OS. Or.... a virus ?
Spybot's resident process checking engine normally pops up with registry re-write requests by bad processes that may have landed on my PC, when a virus is present, and it never did this. So, that's why I'm inclined to think its not a virus.

#3 micksim


  • Members
  • 116 posts
  • Gender:Male
  • Location:Norwich, UK
  • Local time:02:38 PM

Posted 20 November 2010 - 08:12 AM

...and I THINK I uninstalled Symantec Client Security. But I don't trust it being gone.

You are right to not trust it being gone Michael.
Symantec products are so hard to remove, they've had to come up with specialist tools and procedures to 'totally' remove their products.

This is because, like you, many people have experienced all sorts of connectivity issues even after they thought they had removed the products but still had Symantec's left-overs.

Not sure if this is what may be affecting you, but I would make sure to shut down and removed all types of security from the machine prior to any further troubleshooting. This is just so that way you'll have a clean slate to start from.
I have spent hours and days trying to figure out how to sort out problems like this, and more times than not, it was all down to something as simple as this. Hopefully so will this issue be.

THIS LINK will help you remove Symantec. Remember that for as much as you may not like the idea of killing ALL you security(spybot etc etc), this is often necessary to get the connectivity fixed. After you've achieved this, then you may start putting back your security applications one-by-one, and be able to diagnose what's what and why.

Hope to have helped :thumbup2:

Edited by micksim, 20 November 2010 - 08:15 AM.

| A+ | Net+ | MCDST | MCITP |

"...if ever I have made any valuable discoveries, it has been owing more to patient attention than any other talent..." (1642-1727, Isaac Newton)

#4 Michael Gioia

Michael Gioia
  • Topic Starter

  • Members
  • 3 posts
  • Local time:11:38 PM

Posted 24 November 2010 - 06:31 PM

Note well.

3 months later. A lot of destruction to my OS. A lot of app uninstallation/tweaking/etc.

All this was solved by simply going into my Cisco VPN Application -> Options -> Unticking 'Stateful Firewall Always On'

I KNEW this was firewall related. And I KNEW that I did properly uninstall SCS. (No core services were running in my processes list).

Thanks micksim for your help anyway.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users