WinGate Forums

[EMC_Group]

Here are a couple of bugs we have encountered in the wingate NAT.

We are using Wingate 6.0.4 on Windows XP Pro with an ADSL connection to the internet. The wingate PC has two NIC’s, one for the LAN and one for the ADSL router. The Network Connections in wingate have been set up correctly with the LAN NIC set to internal usage and the WAN NIC set to external usage.

We have no problems accessing most sites but we have encountered a few exceptions. Both of the bugs here have been reproduced on multiple client machines. I also tried installing a new server machine with a fresh install of Windows and wingate, but the problems still occurred.


1) Using NAT transparent redirect to the WWW/FTP services causes downloads to stall and fail from some sites.

We have found that when downloading reasonably large files (>20M) from a few sites that the download will often stall and never complete. This occurs when using NAT with the transparent redirection to the WWW and FTP service.

Disabling the transparent redirection solves the problem. Unfortunately this also disables the virus scanning as well so it is not an acceptable solution. When the problem occurs I notice that the connection disappears from the gatekeeper status screen. The web browser download eventually fails with the error message "connection reset" or something similar.

Disabling virus scanning and caching has no effect, if transparent redirection is enabled then downloads will still stall. Note that this only happens on a few sites, although I have had it happen on download.com and even when using windows update. It is a very random event.

Downloading locally from the wingate machine (bypassing wingate entirely) also solves the problem, the downloads always complete.

Setting the web browser on the client machines to use SOCKS to connect to wingate avoids the bug. The download completes without problem. Note that transparent redirection is enabled on the SOCKS connection as well, but luckily it does not encounter the bug, The bug only manifests on NAT connections to wingate.

This is the solution we are now using as it still allows virus scanning to be performed. It is not convenient to make all client machines use SOCKS however (laptops for example) and some users still experience the problem occasionally.


2) Wingate prevents secure web pages from loading on some sites.

I suspect that this problem is also caused by the wingate NAT being active. We have encountered this problem when using the Inland Revenue (NZ) web site to enter data, after entering data into the page and clicking the save button the next web page fails to load.

The site is https://ir-file.ird.govt.nz

When directly connected to the internet (I connected a laptop to the ADSL router) the pages load without problem.

When I try to access the site from the wingate PC itself, the pages still fail to load. After I shut down the wingate server I can load the pages without problem (browser running on the wingate PC).

This is strange as wingate should have no affect on the browser running on the wingate PC itself! The browser does not have any proxy settings, it goes directly out through the ADSL router. Yet the wingate server is interfering with the traffic.

I have found no way to work around this problem and so the site cannot be used from our LAN. This is an important issue as it pertains to the running of the company. For now I have arranged alternative internet access (without wingate) for the affected user.

I would appreciate any feedback you have on the status of these bugs, are they known problems? Please note that I have spent a lot of time isolating and confirming these problems, even so far as installing a second machine with a fresh wingate and windows installation.

Thanks for any help

[jamesc]

Can you create a support ticket for this and also add your phone number?

http://support.qbik.com/index.php?_a=tickets&_m=submit

[Profcoll]

Please post the solution to this problem if there is one. We are having similar problems on secure sites.

Thanks.

Dan

[jamesc]

Acknowledged

[MattP]

Hi,

Regarding the first problem, downloading through the WWW proxy, do you have drip-feeding for large files turned on? It sounds like you don't. When downloading a large file while KAV scanning is enabled the client can look like nothing is happening, or can time out. What is actually happening is that WinGate is downloading the first 75% of the file so that it can begin scanning.

Turning on drip feeding sends little bits of the file through to the client so that the connection looks active and does not time out.

You can turn on drip feeding in the WWW proxy service on the plug-ins menu.

Regarding the second problem, who is your ISP? This sounds like a problem that we've been having with some ISPs and WinGate, where secure pages don't load. So far we have been unable to replicate the problem here.

[EMC_Group]

Sorry for the slow reply,

Hi,

Regarding the first problem, downloading through the WWW proxy, do you have drip-feeding for large files turned on?y service on the plug-ins menu.

Yes, drip feeding has always been on through all the tests. Also note that turning off the anti-virus in the plug-ins page of the WWW proxy has no effect, the downloads still stall. Turning off Caching also has no effect.

I tested it with caching off and antivirus off and the downloads still stall at random points. So the anti-virus is not part of the problem here. Also note that making the client go through SOCKS avoids the bug, it works fine even with both antivirus and caching both turned back on.

The omportant point is that the problem only occurs when using NAT on the client, using SOCKS avoids the problem. Switching off the transparent proxy in the sessions page of the WWW proxy solves the problem, it is the actual redirection process from NAT to WWW proxy that causes the bug to manifest. The redirection from SOCKS to WWW proxy does not have any problems.

I have switched some clients to SOCKS now, but I cannot do that with laptops that are used on the road. They must use NAT to connect.

Regarding the second problem, who is your ISP? This sounds like a problem that we've been having with some ISPs and WinGate, where secure pages don't load. So far we have been unable to replicate the problem here.

The ISP is xtra broadband. What I find strange is that I can download the pages fine by connecting a laptop to the broadband modem, I can even load the pages correctly on the wingate PC if I shut down the wingate server process first. As soon as the wingate server is started again on the wingate PC I get problems. The windows firewall is off and I also turned off the wingate firewall, the problem still occurs.

It seems to me that wingate should not be interferring with the data going to the broadband modem at all in this case. Remember I am using the IE browser on the wingate PC and connected directly to the internet, only the firewall should affect that and it is off.

Thanks for looking into this. I will create the support ticket as requested ASAP.

[jamesc]

Adrien and Genie investigated this onsite.

EMC_Groups first problem: " Using NAT transparent redirect to the WWW/FTP services causes downloads to stall and fail from some sites. "
Was solved by ticking "Allow recalculation of 0 TCP checksums"

EMC_Groups second problem: "Wingate prevents secure web pages from loading on some sites."
Was solved by unticking both "Use MSS checksand reductions" and "Analyse MSS"


The location for these options are found in:

(Windows) Start Menu
Programs
WinGate
Advanced Options
Protocol Handling



EMC_Group was using WinGate 6.0.4, XP Pro SP2

[EMC_Group]

Adrien and Genie investigated this onsite.

EMC_Groups first problem: " Using NAT transparent redirect to the WWW/FTP services causes downloads to stall and fail from some sites. "
Was solved by unticking "Allow recalculation of 0 TCP checksums"

Just a correction here: was solved by ticking (not unticking) "Allow recalculation of 0 TCP checksums"

[jamesc]

good man! now updated