#1
09-21-2007, 05:27 AM
Member
Posts: 10
[SOLVED] ajax client (over web) on windows does not work but on linux does

Hi there in the forum,

I ran into a strange problem. I set up Zimbra and all worked fine on the local net. Because I have a DynDNS account, I can access the web front end on my local server from the office. In addition to Zimbra I set up SquirrelMail to get access to my emails. This works fine for me. But I wanted to use the glorious AJAX GUI too. When I try doing so with Windows (IE or Firefox), the login screen never appears on my client. The browser does load the HTML page and some JS but never finishes (waited about an hour). The very strange thing is that when I try the same with Linux (as client OS with Firefox) it works very well (using the same internet connection and router). My first thought was that there must be an implementation issue in the IP stack on Windows, but I cannot check this (because I don't know how to).
I am going to give you my configuration here, because it seems to be a bit tricky.
I have an Intel dual-core machine with Ubuntu 7.04 Feisty Fawn server (amd64) set up with Xen 3.1 (on the 2.6.20-100-generic-amd64 kernel from a backport due to SATA problems with 2.6.19) on Dom0. The box has 4GB of RAM, 2GB dedicated to the DomU where Zimbra is installed. Another DomU has a firewall installed. There are two NICs in the system. One is connected to a router and one to the local network. I didn't work out how to set up the box so only the firewall sees the physical interfaces, so I use the bridged virtual interface to do the job. Only the firewall sees the two bridges; the other boxes only see the bridge used for the local net. So all traffic has to go through the firewall (shorewall 3.2.6).
The router is a LinkSys WRT54GS-DE (I need the WLAN from this box). The uplink is connected to a DSL modem (with firewall). There are some ports forwarded from the DSL modem to the LinkSys and from there to the (outside) NIC of the firewall. The firewall itself forwards the traffic to the Zimbra box (on the other DomU). Some ports are forwarded to another DomU that has SquirrelMail installed, which itself uses the Zimbra SMTP and IMAP features.
I want to give you a small picture of my setup - it's easier to understand than thousands of (non-native English - sorry about this) words.
Any suggestions?

Thanks a lot,
Michael
Attached Images
File Type: jpg Zimbra-Overview.jpg (25.3 KB, 214 views)

#2
09-25-2007, 10:44 PM
Former Zimbran
Posts: 5,606

This is the best post ever. Love the pic.

So, as long as you have your http port forwarded, there shouldn't be an issue.

Can you check Firefox's error console to see if there's an error?

Also, try appending ?dev=1 to the URL and see if it loads.

#3
09-25-2007, 11:58 PM
Member
Posts: 10

Hi jholder,

thank you for your reply. The HTTP port is forwarded three times: from the DSL modem to the LinkSys to the firewall and finally to the Zimbra box. The MTU of all interfaces is 1500 (there was an issue if they differ, I think).
The Firefox error console only shows a CSS warning, so it's fine. But it takes about 30 seconds until this message appears (OK, I have to go through a very slow DSL outbound connection (about 128 kBit/s), but it should be quicker, I think).
?dev=1 does not make any difference (what's the difference to the URL without that parameter?).

I think it's a firewall issue. Maybe I made some mistakes with the configuration of shorewall which only appear in Windows - surely there are some differences in TCP/IP and one of them is hitting me now.
Another thing that points me to that assumption is SquirrelMail being very slow in comparison to my old box (which was replaced by the new Xen box), although the new (virtual) box has double the RAM and a bit more powerful CPU.

One thing I could try is connecting the Zimbra box to the other virtual bridge of zimbra (not shown in the picture) which is connected to the physical interface shown on the left. This network segment can be reached directly from the LinkSys, so I can jump over my possibly misconfigured firewall. I will post the result of that once I have tried it. I cannot do so now because my wife needs the box from the local net right now.

Will be back soon. Thanks so far!
Michael

#4
09-26-2007, 12:26 AM
Zimbra Consultant & Moderator
Posts: 19,653

One problem you may encounter is that your Dom0 (or any other DomU connected to the bridge on eth0) has problems with internet access after getting your Firewall running in the DomU.

This probably is the NIC causing the problem. You can check this by doing 'tcpdump -nvvi eth0' in your Dom0 and then initiating some traffic; you can run a 'traceroute microsoft.com' and see what output tcpdump gives. If there's any error about 'bad chksum' then you need to modify your NIC driver. The problem is caused by checksum offloading in the NIC driver and you can check it with the following commands:

Code:
    ethtool -k eth0    # display driver settings; you should see something like this:
    # tx-checksumming: on
If that's the case, disable it with:
Code:
    ethtool -K eth0 tx off
You'll probably need to disable it in all the DomUs you have running.

See if that's your problem.

Why do you have the Linksys and Shorewall running? You don't need both as one firewall will do and two may cause you problems.
__________________
Regards


Bill

Last edited by phoenix; 09-26-2007 at 07:06 AM..

#5
09-26-2007, 01:39 AM
Member
Posts: 10

Hi phoenix,

thank you so much - you've got it!
Now the details... A tcpdump on the physical NIC connected to the LinkSys (peth1 on my box) showed lots of UDP checksum errors. So I switched tx checksumming off as you recommended. I did so on the Dom0, firewall, and Zimbra box as well. What I do not understand is the fact that turning off the recognition of real problems (assuming tx checksum errors are problems) does solve the problem. Anyway - you are the expert and everything seems to be fine for now.
Is there a possibility to do so at boot time? Maybe /etc/network/options or so?

Quote:
Originally Posted by phoenix
Why do you have the Linksys and Shorewall running? You don't need both as one firewall will do and two may cause you problems.
I intend to install a Windows box in a DomU which will have virtual ro disks. This one will be the box that users can connect to (via remote desktop) for browsing the web. The clients then will no longer be able to use the web directly. Just a way of protecting the local net. This DMZ Windows will only have access to a samba share with an on-demand virus scanner for transferring files to local PCs. Yes, I am crazy, but I don't like reinstalling Windows on machines getting slower and slower in just a couple of weeks. I am pretty sure you will agree, do you?

So again, thank You very much for the solution of that problem.
Michael

#6
09-26-2007, 06:59 AM
Zimbra Consultant & Moderator
Posts: 19,653

Quote:
Originally Posted by empe
Hi phoenix,

thank you so much - you've got it!
Now the details... A tcpdump on the physical NIC connected to the LinkSys (peth1 on my box) showed lots of UDP checksum errors. So I switched tx checksumming off as you recommended. I did so on the Dom0, firewall, and Zimbra box as well. What I do not understand is the fact that turning off the recognition of real problems (assuming tx checksum errors are problems) does solve the problem. Anyway - you are the expert and everything seems to be fine for now.
These aren't real checksum errors, it's a problem with Checksum Offloading to your NIC (by any chance is yours an Intel NIC?) and when you disable the offloading it will still be handled by the NIC driver. So, in summary, it's not a real checksum problem, it's a bug.

I encountered this problem when I moved my server to Xen and installed the Endian Firewall plus Zimbra and a couple of other DomUs to my Xen server. I did a lot of searching on the xen mailing lists and google, the problem seems to be moderately well known (not very well described) but I couldn't find a definitive answer to where the problem lay. I think the general conclusion is that it's in the Bridge Utils that xen uses (also some comments that it may be a problem with the NIC driver).

What was odd was the fact that my set-up is a two NIC server with one connected to the DSL service and one for the LAN (including the DomUs on the bridge), some servers could get out and some couldn't and some servers would work one minute and not the next. It drove me crazy for about two weeks until I stumbled on the fix, as I said I couldn't find out where the problem was and after searching for a while I just stuck the fix in and left it at that.


Quote:
Originally Posted by empe
Is there a possibility to do so at boot time? Maybe /etc/network/options or so?
I've added that command to /etc/rc.d/rc.local - I use CentOS5 (RHEL5 rebuild) servers so your location for that command may vary.


Quote:
Originally Posted by empe
I intend to install a Windows box in a DomU which will have virtual ro disks. This one will be the box that users can connect to (via remote desktop) for browsing the web. The clients then will no longer be able to use the web directly. Just a way of protecting the local net. This DMZ Windows will only have access to a samba share with an on-demand virus scanner for transferring files to local PCs. Yes, I am crazy, but I don't like reinstalling Windows on machines getting slower and slower in just a couple of weeks. I am pretty sure you will agree, do you?
I still think you could achieve the same set-up via the firewall in your DomU without the need for the Linksys, it would also mean your firewall would handle all the port forwarding (if needed) and not be limited by that feature on the Linksys which only has a limited number of ports you can forward (plus I don't like two firewalls, but that's just me).

Quote:
Originally Posted by empe
So again, thank you very much for the solution of that problem.
Michael
You're welcome, glad it worked.
__________________
Regards


Bill

Last edited by phoenix; 06-12-2009 at 01:27 PM..
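
The check and fix discussed in posts #4 and #6, collected into one script as an added example; it is not code posted by anyone in this thread. The function names and the sample `ethtool` and `tcpdump` output are constructed for illustration, and `disable_tx_csum` needs root, so it is the part a boot script such as the rc.local mentioned above would call.

```shell
#!/bin/sh
# Added example, not from the thread. Sample outputs are constructed.

# Read `ethtool -k IFACE` output on stdin; print on, off or unknown.
tx_csum_state() {
    awk -F': *' '
        /^[ \t]*tx-checksumming:/ { split($2, w, " "); s = w[1] }
        END { print ((s == "on" || s == "off") ? s : "unknown") }'
}

# Read `tcpdump -nvv` output on stdin; count lines flagged with a bad checksum.
count_bad_cksum() {
    grep -Eic 'bad [a-z]* ?cksum|cksum [^ ]+ \(incorrect' || true
}

# Turn TX checksum offload off on each named interface where it is on.
# Needs root and ethtool.
disable_tx_csum() {
    for ifc in "$@"; do
        if [ "$(ethtool -k "$ifc" 2>/dev/null | tx_csum_state)" = on ]; then
            ethtool -K "$ifc" tx off && echo "$ifc: tx checksumming now off"
        else
            echo "$ifc: tx checksumming not on, left alone"
        fi
    done
}

sample_ethtool() {   # constructed `ethtool -k eth0` output
    cat <<'EOF'
Offload parameters for eth0:
rx-checksumming: on
tx-checksumming: on
EOF
}

sample_tcpdump() {   # constructed `tcpdump -nvvi eth0` lines
    cat <<'EOF'
192.0.2.10.33434 > 198.51.100.7.33435: [bad udp cksum 0x8a1c -> 0x3f02!] UDP, length 32
192.0.2.10.51514 > 198.51.100.7.80: Flags [S], cksum 0x1c2e (incorrect -> 0x9f3a), seq 1, length 0
198.51.100.1 > 192.0.2.10: ICMP time exceeded in-transit, length 36
EOF
}

# With interface names as arguments, apply the fix: sh tx-csum.sh eth0 peth1
if [ "$#" -gt 0 ]; then
    disable_tx_csum "$@"
else
    echo "state: $(sample_ethtool | tx_csum_state), bad: $(sample_tcpdump | count_bad_cksum)"
fi
```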

#7
09-28-2007, 01:15 PM
Member
Posts: 10

Quote:
Originally Posted by phoenix
by any chance is yours an Intel NIC?
I had too many problems with Intel NICs, so this time I decided to go back to very cheap ones (Realtek onboard and D-Link with a Realtek chip). lspci shows
Code:
    03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8111/8168B PCI Express Gigabit Ethernet controller (rev 01)
    04:03.0 Ethernet controller: D-Link System Inc DGE-528T Gigabit Ethernet Adapter (rev 10)
I didn't have the problems you had with your Xen box. Would drive me crazy. So I already thought about reinstalling the whole machine with VMware. But I don't know whether this would be a simpler solution with fewer problems. Finally, the problems are gone now and I don't want to invest so much time.

Quote:
Originally Posted by phoenix
I still think you could achieve the same set-up via the firewall in your DomU without the need for the Linksys, it would also mean your firewall would handle all the port forwarding (if needed) and not be limited by that feature on the Linksys which only has a limited number of ports you can forward (plus I don't like two firewalls, but that's just me).
I want the WLAN NIC to be treated as traffic coming from the web. So it seems easier to me to have the WLAN NIC connected to the NIC on the Xen which is directly connected to the firewall. Next step will be eliminating the DSL modem and using the LinkSys like in former times. Because I do need a DSL modem I also have two firewalls - the LinkSys (also being the DSL modem in future) and the DomU firewall. Until some weeks ago I needed the additional DSL modem because I simply didn't have my provider account information - it was only set up in that box - shame on me. The simple solution for that was using this box and cascading the LinkSys. Shame on me, yes.

#8
09-30-2007, 08:52 AM
Member
Posts: 10

Found a solution for that on xen sources lists archive.