WinXP cannot log in to domain

disable the network monitor in CF

  1. On rule #3 change the Destination IP address to 10.2.194.10 and on rule #4 change the Source IP address to 10.2.194.10.

  2. Add a new rule to the very bottom of the Network Monitor rules list, as you are not protected from inbound traffic. Make sure this rule is the very last rule in the list:

     BLOCK (check the check box)
     IP
     IN/OUT
     Source IP: ANY
     Destination IP: ANY
     Source Port: ANY
     Destination Port: ANY

  3. Go to Security > Advanced > Advanced Attack Detection and Prevention > Configure > Misc. tab and uncheck “Block Fragmented IP Datagrams” and “Do protocol analysis”.

OK, try the three things I listed above, and when you post again include your log and a screenshot of the Network Monitor rules again.

I have one question: do you have any software installed that is monitoring routers or parts of the network?

Hang in there, you cleaned part of the log out.

jasper

Hi Midori and welcome to the forum,

Could you please start a new thread with your questions as it will make both sets of problems easier to keep track of and someone will be glad to help you. It also helps users to find solutions easier when they can see a thread that fits the problems they are having.

thanks,

jasper

Actually, I don’t think ‘allow all traffic’ is the same as ‘disable network monitor’.
I supposed they would do the same… but they didn’t.
I tried it myself.

Jasper, yes, this time my Win box can connect to the domain server.
Would you please provide me some details or analysis on my issue?
I’d appreciate it.

Jasper,

I noticed that you asked me to put two separate rules for the traffic from and to the IP address 10.2.194.11 (and 10.2.194.10). Can I merge them into one rule, say with the In/Out option?

As I understand it, 10.2.194.11 is the domain server. 10.2.194.10 could be a backup domain server (to balance the traffic). What does 10.2.194.25 do? You (or LM) asked me to put this in the rule list.

Instead of having special rules for those particular servers, can I set up a rule to enable all traffic within the local network? Will it do the same (allow me to connect to the domain server)? Is it safe?

Good to hear that, hamburger.

You can get rid of rules 3 and 4 and either leave rules 1 and 2 and change the IP addresses to a range that includes the network IP addresses, if you know for sure what that range is, OR make it one rule that is IN/OUT. I like the 2 separate rules so I can see it easier, but either way will work just fine.

There is something else we need to test. I had you uncheck some checkboxes at the location below in my last post:

3. Go to Security > Advanced > Advanced Attack Detection and Prevention > Configure > Misc. tab and uncheck “Block Fragmented IP Datagrams” and “Do protocol analysis”.

What I need you to do is to go back there and check the “Do protocol analysis” checkbox and see if it still works. Something is sending fragmented packets to your machine and I had you uncheck it to try and get you up and running. You really need this part working if possible as it is a big part of your protection. So if you could test that part to see what happens and post back the results that would be great. Leave the fragmented packets checked for now.

What we did was just go to each log entry that was being blocked and wrote a rule for it.

I don’t know what the 10.2.194.25 address is connected to so you might want to find out from the admin why that address is sending packets to you. It is sending you packets on port 712. It could be a network monitoring program on some machine possibly.

jasper
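The rule lists discussed above (jasper's original per-host OUT/IN rules with a BLOCK ANY rule last, and the merged IN/OUT range rule suggested in this post) only behave as intended because Network Monitor evaluates rules top to bottom and the first match wins. The following Python model is an added example, not Comodo's code or anything posted in the thread; it assumes the XP box is 10.2.194.50, that the LAN range is 10.2.194.0/24, that 10.2.194.77 is some other LAN host, that traffic with no matching rule is allowed (which is why the trailing BLOCK rule matters), and it uses made-up port numbers except for the port 712 traffic named in the thread.

```python
"""Model of an ordered, first-match firewall rule list like Comodo's Network Monitor.

Added illustration; this is not Comodo's code. The addresses 10.2.194.10, .11 and
.25 and port 712 come from the thread; the local host address 10.2.194.50, the
10.2.194.0/24 range, host .77 and the "no matching rule means allowed" default
are assumptions made for the example.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "IN" (toward this host) or "OUT" (from this host)
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str          # "ALLOW" or "BLOCK"
    direction: str       # "IN", "OUT" or "IN/OUT"
    src: str = "ANY"     # single address, CIDR range, or "ANY"
    dst: str = "ANY"
    sport: str = "ANY"   # port number as a string, or "ANY"
    dport: str = "ANY"


def ip_matches(pattern: str, address: str) -> bool:
    """A single address or a CIDR range; 'ANY' matches everything."""
    if pattern == "ANY":
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(pattern, strict=False)


def port_matches(pattern: str, port: int) -> bool:
    return pattern == "ANY" or int(pattern) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("IN/OUT", pkt.direction)
            and ip_matches(rule.src, pkt.src)
            and ip_matches(rule.dst, pkt.dst)
            and port_matches(rule.sport, pkt.sport)
            and port_matches(rule.dport, pkt.dport))


def evaluate(rules, pkt: Packet, default: str = "ALLOW"):
    """Walk the list top to bottom; the first matching rule decides.
    Returns (action, index), or (default, None) when nothing matched.
    The ALLOW default is an assumption; it models why the thread insists
    on an explicit BLOCK ANY rule at the very bottom of the list."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, index
    return default, None


HOST = "10.2.194.50"         # assumed address of the XP box
DC_PRIMARY = "10.2.194.11"   # domain server named in the thread
DC_SECOND = "10.2.194.10"    # second domain server named in the thread
UNKNOWN = "10.2.194.25"      # host sending to port 712 in the thread
OTHER_LAN = "10.2.194.77"    # assumed: some unrelated machine on the LAN

# Jasper's list: separate OUT/IN rules per domain server, BLOCK ANY last.
JASPER_RULES = [
    Rule("ALLOW", "OUT", dst=DC_PRIMARY),
    Rule("ALLOW", "IN", src=DC_PRIMARY),
    Rule("ALLOW", "OUT", dst=DC_SECOND),
    Rule("ALLOW", "IN", src=DC_SECOND),
    Rule("BLOCK", "IN/OUT"),
]

# The same rules with the BLOCK ANY rule mistakenly placed first.
MISORDERED_RULES = [JASPER_RULES[-1]] + JASPER_RULES[:-1]

# The merged alternative: one IN/OUT rule over the assumed LAN range, then BLOCK ANY.
LAN_RANGE_RULES = [
    Rule("ALLOW", "IN/OUT", src="10.2.194.0/24", dst="10.2.194.0/24"),
    Rule("BLOCK", "IN/OUT"),
]

# Constructed sample traffic (port numbers are assumptions, except 712).
SAMPLE_PACKETS = {
    "ldap_to_dc": Packet("OUT", HOST, DC_PRIMARY, 1025, 389),
    "ldap_reply": Packet("IN", DC_PRIMARY, HOST, 389, 1025),
    "port712_from_unknown": Packet("IN", UNKNOWN, HOST, 712, 712),
    "smb_from_other_lan_host": Packet("IN", OTHER_LAN, HOST, 1040, 445),
}


def audit(rules) -> dict:
    """Decision for every sample packet under one rule list."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, rules in (("jasper", JASPER_RULES),
                         ("misordered", MISORDERED_RULES),
                         ("lan_range", LAN_RANGE_RULES)):
        print(label, audit(rules))
```

Running it shows the two points the thread is making: with the BLOCK ANY rule moved to the top, even the domain-server traffic is blocked by rule 0, and with the merged range rule the unknown port 712 sender and the unrelated host 10.2.194.77 are both allowed in, whereas the per-host rules block them. The model says nothing about the fragmented-packet or protocol-analysis checks, which sit outside the rule list.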

As soon as I checked that option, I was blocked from the domain server…

With the analysis option unchecked and the ‘fragmented IP packet’ option checked, my Win box can connect to the domain server without any problem. Is this a bug in CF?

I was hoping that the protocol analysis would work. That part is what checks all of the packets that come in. Without it you basically don’t have much protection. You can get by with the fragmented packets unchecked.

Both 10.2.194.10 and 10.2.194.11 are sending these types of packets for some reason. I don’t know your network but it could be CFP doesn’t recognize the protocol. If it was a bad NIC or switch then everybody would be having trouble connecting to the network without the firewall.

You could use a packet sniffer such as Wireshark to see what is really going on, but I would talk to your network admin first.

jasper

I didn’t notice if Jasper responded to this question specifically, so I thought I’d weigh in on it.

I would advise against it. If you enable all traffic within the LAN, that means any other computer on the LAN would have free access to your machine. That might not be an issue, but let’s say for example that one of those machines has been remotely accessed and controlled… then someone else completely has free access to your machine… Not the scenario I’d like, myself.

As Jasper has advised, I agree that you need to talk to your network admin to find out about the fragmented/malformed packets, and what the IPs are. You may want to be prepared to mention that CFP is a true Stateful Packet Inspection (SPI) firewall; not all actually are (the level of checking that CFP performs is normally reserved for hardware firewalls, such as in a router).

LM