Enabling ECN capability on Windows 7 destroys Comodo Firewall [Solved CISv4]

“netsh int tcp set global ecn=enabled” in a command prompt on a W7 computer. See for yourself.

Both times I had ECN-capable routers, so be aware.

* Both 32 and 64-bit CPUs (multiple machines)
* Windows 7 Retail, both RTM and fully patched
* Comodo firewall ONLY running alone
* See above for symptoms and how to replicate
* Disabling ECN resolves it
* Firewall ONLY with any mode and any rules is affected
* All accounts are affected, but I was using full administrator accounts.

What exactly does ECN do?

Used for traffic control purposes; both my home and university's routers use it. It's 2 of the bits in the TCP header, which is probably what is upsetting Comodo (when they are set).

ECN also has its own control packets.

Please verify whether you have set "Do protocol analysis" to active; if so, please disable it.
It'll probably kill the traffic because the TOS byte is set.

No, it's not checked. Remember, everything in Comodo is running at default settings. (Fragmented IP is disabled, though.)

Any luck?

Can’t replicate here and at home.

Can you tell a bit more about what fails if you set it to enabled?

Can you still ping your default gateway?
Can you resolve DNS names to IPs?

I suspect you need a router that is ECN-enabled.

DNS resolves fine; the part it's hosing is the TCP SYN, SYN/ACK, ACK sequence to the web server.

My assumption would be because the returning packets have the ECN flag set in the TCP header.
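To make the two places above concrete (the "2 bits in the TCP header" and the "TOS byte" mentioned earlier, and the SYN, SYN/ACK, ACK handshake that is said to stall), here is an added decoder, not code from the thread or from Comodo, that pulls the ECN fields out of raw IPv4/TCP packets and classifies whether a handshake negotiated ECN per RFC 3168. The packets it runs on are constructed in the script (addresses from the RFC 5737 documentation ranges, zero checksums), not captures from anyone's router.

```python
import struct

# ECN codepoints live in the low two bits of the IPv4 TOS (DS) byte, RFC 3168 s.5.
ECN_CODEPOINTS = {0b00: "Not-ECT", 0b10: "ECT(0)", 0b01: "ECT(1)", 0b11: "CE"}

# TCP flag bits; RFC 3168 added ECE and CWR in the formerly reserved bits.
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG, TCP_ECE, TCP_CWR = (1 << i for i in range(8))


def build_ipv4_tcp(src, dst, sport, dport, flags, tos=0):
    """Build a minimal IPv4 + TCP packet (no options, no payload).

    Constructed test input only: checksums are left zero because decode_ecn()
    does not verify them.
    """
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


def decode_ecn(packet):
    """Return the ECN-relevant fields of a raw IPv4/TCP packet as a dict."""
    version_ihl, tos = packet[0], packet[1]
    if version_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    if packet[9] != 6:
        raise ValueError("not TCP")
    ihl = (version_ihl & 0x0F) * 4          # IP header length in bytes
    flags = packet[ihl + 13]                # TCP flags byte
    return {
        "ip_ecn": ECN_CODEPOINTS[tos & 0b11],   # the "TOS byte" part
        "syn": bool(flags & TCP_SYN),
        "ack": bool(flags & TCP_ACK),
        "ece": bool(flags & TCP_ECE),           # the two TCP-header bits
        "cwr": bool(flags & TCP_CWR),
    }


def classify_handshake(syn_pkt, synack_pkt):
    """Classify ECN negotiation on a SYN / SYN-ACK pair (RFC 3168 s.6.1.1).

    Client offers ECN by setting ECE+CWR on the SYN; the server accepts by
    setting ECE only on the SYN/ACK.
    """
    syn, synack = decode_ecn(syn_pkt), decode_ecn(synack_pkt)
    if not (syn["syn"] and not syn["ack"] and synack["syn"] and synack["ack"]):
        raise ValueError("expected a SYN followed by a SYN/ACK")
    client_offers = syn["ece"] and syn["cwr"]
    server_accepts = synack["ece"] and not synack["cwr"]
    if client_offers and server_accepts:
        return "ECN negotiated"
    if client_offers:
        return "ECN offered, not accepted"
    return "ECN not requested"


# Constructed sample packets (not captures): an ECN-capable client talking to
# an ECN-capable server, a plain client, and a data segment a router marked CE.
CLIENT, SERVER = "192.0.2.10", "198.51.100.80"
SYN_ECN = build_ipv4_tcp(CLIENT, SERVER, 49152, 80, TCP_SYN | TCP_ECE | TCP_CWR)
SYNACK_ECN = build_ipv4_tcp(SERVER, CLIENT, 80, 49152, TCP_SYN | TCP_ACK | TCP_ECE)
SYN_PLAIN = build_ipv4_tcp(CLIENT, SERVER, 49153, 80, TCP_SYN)
SYNACK_PLAIN = build_ipv4_tcp(SERVER, CLIENT, 80, 49153, TCP_SYN | TCP_ACK)
DATA_CE = build_ipv4_tcp(SERVER, CLIENT, 80, 49152, TCP_ACK, tos=0b11)

if __name__ == "__main__":
    print(classify_handshake(SYN_ECN, SYNACK_ECN))
    print(classify_handshake(SYN_PLAIN, SYNACK_PLAIN))
    print(decode_ecn(DATA_CE))
```

If a firewall drops or delays the SYN/ACK only when it carries ECE, the second case (plain handshake) would complete normally while the first would time out and retry, which matches the "disabling ECN resolves it" observation; the decoder above is a way to confirm from a capture that the returning segments really do carry the bit.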

Got to build me a lab setup then to test this, ain’t going to change this on our production routers :wink:

I think I read that BSD-based routers have it, and Windows ICS (Internet Connection Sharing) boxes probably have it too.

I only assume that because they have the client part of it.

Edit: I think the D-Link DIR-655 has it.

Edit2: here's the ECN test. http://www.microsoft.com/windows/using/tools/igd/default.mspx
It needs to be run in IE.

Any progress?

Sorry haven’t had the time to test…

I would like to help out and test this issue, so I performed that test using Windows 7 with a Netgear WNDR3300 RangeMax Dual Band Wireless-N Router and I get a "supported" result for the Traffic Congestion Test. I did this with CIS v3.14.130099.578, firewall set to custom policy mode, high alert level, both Block Fragmented IP datagrams and Do Protocol analysis enabled, over a wireless connection using the 802.11g channel. Here is the detailed result for the Traffic Congestion Test:
Trying to load library nsi.dll
ECN is disabled
Turning on ECN for testing
Trying to connect to the test server www.microsoft.com
Successfully connected to the test server
Fetching the webpage /windows/using/tools/igd/StaticContent/igdprobedocs/ecn/test.txt from the test server
Received 28 bytes of content from the test server
Restoring the original ECN settings
Turning off ECN
Now, what was supposed to happen to the firewall upon sending and/or receiving TCP packets with the ECN bit set, and what do you mean by "destroys Comodo firewall"? Does the tray icon have a red slash through it? Do you get an error message related to Comodo?

I tried to disable ECN, but my W7 does not allow me to do that. I am logged in as an administrator, but netsh still says that I need administrator access rights. Can anybody help?

Try to run the command box with right mouse "Run as administrator" if you have UAC enabled...

I know what he means: web pages take WAY TOO LONG to load with ECN and Comodo firewall enabled. This is what I did: I enabled ECN via the command line, using the same firewall settings that I said I had in my previous post in this thread, and went to three different websites: google.com, yahoo.com, and microsoft.com. They loaded really slowly; nevertheless, they did load fine, it just took forever to finish loading. Then I disabled the firewall and went to those websites again and they loaded in a snap. I then re-enabled the firewall but with Block Fragmented IP datagrams and Do Protocol analysis disabled; same result going to those web pages, it takes longer than normal to load. I have now set ECN to the default, which is disabled, and restored my original firewall settings, and websites load fast. In conclusion, there does seem to be an issue with ECN capability enabled and Comodo firewall.

I can try to reproduce... see if I have the same issue, but I'm running CIS v4 Beta, so maybe...

For those of you asking, by "destroys" I mean connections take 30 seconds or more to establish. Imagine that when browsing.

futuretech just reproduced it.

That would be "slows to a crawl" but not "destroys"; now I was looking in the wrong direction :wink:
Okay, I will do some measurements to see how much delay it throws...