Failure connecting with remote peer

  • Question

  • (I've posted this in a WCF forum but, given I'm using the peer-to-peer technology, this forum may be a better place. I've also learned a bit more, which I'll add here.)

     

    I've taken the Chat sample for WCF and modified it to use PNRP (and not the custom resolver), changed the mesh URI slightly, and changed the implementation of IChat to do some extra tracing. The sample works well if both chat instances are on the same home network. They do not work if they are completely remote from one another. That is, one node is on one home network and another node is on a remote home network. By "work" I mean IOnlineStatus.Online is not called nor are remote IChat.Chat calls received.

     

    Remotely, I can resolve the home peer name in the Global_ cloud and I can also resolve a test registration (via netsh) on the home node. I can also ping (via netsh) the home node. Looking at the trace output in svctraceview.exe, I can see the remote node trying to connect to a local IPv4 address and an IPv6 address for the home node. I expect the attempt for the IPv4 address to fail. However, I am able to ping the IPv6 address. The exception details suggest the home host failed to respond in a timely manner.

     

    After returning "home" and reviewing the log for the home node, I see similar results. The home node sees the remote node, attempts to connect and fails. In both cases the IPv6 address appears to be a Teredo address.

     

    I'm at a loss as to what else to try. Isn't this a configuration that's supposed to work? Both home networks are, I would assume, fairly standard.

     

    BTW, I am using Vista on both nodes.

     

    Thanks in advance,

    Ed

    Tuesday, October 9, 2007 6:57 PM

Answers

  • After considerable patience and suggestions from Shalini, it was determined it was a firewall issue.

     

    It is not enough for a firewall exception to exist. The firewall rule that is created by the popup notification must also enable "Allow edge traversal" on the advanced page for the rule's properties. A security hole in Teredo was plugged relatively recently.

     

    More information about the security issue can be found at http://www.securiteam.com/windowsntfocus/5VP0E0AM1K.html.

     

    I'd like to thank Shalini again.

     

    Ed

    Wednesday, October 17, 2007 3:59 AM

All replies

  • Hi Ed,

    I am not sure I understand your problem completely. Let's take one problem at a time.

    First we need to find out if there is any issue with PNRP. Can you please register a name on both machines in the Global_ cloud and then try to resolve from each other?

     

    Thanks,

    Pritam

     

     

     

    Tuesday, October 9, 2007 8:59 PM
  • Sure thing, Pritam. I realize now my initial posting has a lot going on.

     

    First, I modified the Chat sample from the WCF samples (TechnologySamples\Scenario\PeerChannel) with the following changes.

    1. I changed the URI for the service to "net.p2p://eb2TechChatMesh/ServiceModelSamples/Chat" from "net.p2p://chatMesh/ServiceModelSamples/Chat" in the original instance.cs.
    2. I build a NetPeerTcpBinding in code instead of a config file.
    3. My binding instance resolver mode is Pnrp.
    4. The IChat.Chat() implementation has been modified to send additional chats when a certain chat message is received from a specially named member.

    (While the following is not precise, the scenario should give you an idea of what I'm doing.) I run the executable on two machines, A and B, at my home. I can chat normally with myself. Though I have nothing interesting to say, the messages are displayed on the console as expected.

     

    I take machine B to a friend's house and start the chat program on machine A before I leave. Machine B never goes "online" (the chat program registers for IOnlineStatus.Online events). Any chat messages entered on B are not seen on A.

     

    To help debug the problem, I also explicitly registered a name on machine A in a command console running netsh, say 0.eb2techTest. Lastly, I enabled WCF tracing.

     

    At the friend's house on machine B and using netsh, I can resolve 0.eb2techchatmesh in the Global_ cloud. I see two IP addresses each for two nodes. I can also resolve the explicit registration 0.eb2techTest.

    1. netsh p2p pnrp peer resolve 0.eb2techchatmesh Global_ works on machine B.
    2. netsh p2p pnrp diag ping host {IPv6 address of machine A registration} Global_ works on machine B.
    3. netsh p2p pnrp peer resolve 0.eb2techTest Global_ works on machine B.

    So, I don't believe the problem is PNRP.

     

    If I examine the svclog for both A and B, I see EndpointNotFoundException exceptions in both logs. I get two sets, one for a net.tcp://{ipv4 address} and one for a net.tcp://{ipv6 address}. The TCP error code is 10060, which has text specifying the connected party did not respond in time or failed to respond.

     

    While I expect the IPv4 attempts to fail, I didn't expect the IPv6 attempts to also fail. It is my (admittedly limited) understanding that Teredo is supposed to make this happen. I'm guessing I could use port forwarding with a UPnP gateway and use an IPv4 address for NetPeerTcpBinding.ListenIPAddress but I'm trying to avoid that. I suspect that I'm missing something.

     

    I hope this detail helps.

     

    Thanks,

    Ed

     

    Tuesday, October 9, 2007 9:54 PM
  • Hi there Ed,

     

    Thanks for the detailed debugging information. Could you try a few more things for me:

     

    1. Check the firewall exceptions and make sure that your chat application is included in the exceptions list.

    Note: Since PNRP seems to be talking fine and the Global_ cloud state is Active ("True"), it looks like the exception for PNRP is already enabled in both firewalls.

     

    2. Could you perform an ipconfig /all on both your machines and see what addresses the IPv6 address in the trace file maps to? It could be that one address is a Teredo address (scenario: your machine A is behind a router/NAT at home) and the other one is a 6to4 address (scenario: machine B is directly connected to the cable modem).

     

    3. If all looks in order, then could you try configuring the NetPeerTcpBinding in both instances to use the ListenIPAddress property configured to use the IPv6 address explicitly? Does it work then? Does a regular ping command (not through netsh pnrp) work fine?

     

    Let me know if this helps; otherwise feel free to send me your trace files, ipconfig /all output and any other diagnostics information you have at shalinij@microsoft.com and I can take a look.

     

    Thanks,

    Shalini.

    Thursday, October 11, 2007 7:07 PM
  • Hi!
     
    I'm using the CustomPeerResolverChat sample for my application. I modified it a bit in the following manner:

    1. I included the bindings in the code instead of using config file.
    2. Changed it to a WPF browser application.
    3. Added one more service endpoint for Teredo IPv6 address.

    For IPv4 everything is working fine.

    When I access the service using IPv6 addresses it doesn't work and throws the following exception:

    System.ServiceModel.CommunicationException: The Peer resolver threw an exception.  Please refer to InnerException. ---> System.ServiceModel.EndpointNotFoundException: Could not connect to net.tcp://[2001:0000:4137:9E66:8000:3F3A:C45A:EBE2]:5000/peerResolverService. The connection attempt lasted for a time span of 00:00:00.9375000. TCP error code 10061: No connection could be made because the target machine actively refused it 2001:0:4137:9e66:8000:3f3a:c45a:ebe2:5000.  ---> System.Net.Sockets.SocketException: No connection could be made because the target machine actively refused it 2001:0:4137:9e66:8000:3f3a:c45a:ebe2:5000


    The service is not even accessible from the machine that is hosting it, i.e. even when the client is opened on the same machine that hosts the service, I get the above exception. But this works on a machine which is on a live IP.


    I tried a lot to find the reason for the error but didn't have any success. I checked everything: Teredo is working fine and the IPv6 addresses can be pinged. I even tried running the PNRP sample I was working on earlier, and it is also working fine. I'm sure I didn't change the code in any other manner. I tried on machines running XP SP2, Server 2003 and Vista.


    IPCONFIG OUTPUT

    ------------------------------

    Ethernet adapter VMukti:

            Connection-specific DNS Suffix  . :
            IP Address. . . . . . . . . . . . : 192.168.1.100
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            IP Address. . . . . . . . . . . . : fe80::21c:c0ff:fe0b:5a46%4
            Default Gateway . . . . . . . . . : 192.168.1.1

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

            Connection-specific DNS Suffix  . :
            IP Address. . . . . . . . . . . . : 2001:0:4137:9e66:8000:fbcd:c45a:ebe2

            IP Address. . . . . . . . . . . . : fe80::ffff:ffff:fffd%5
            Default Gateway . . . . . . . . . : ::

    Tunnel adapter Automatic Tunneling Pseudo-Interface:

            Connection-specific DNS Suffix  . :
            IP Address. . . . . . . . . . . . : fe80::5efe:192.168.1.100%2
            Default Gateway . . . . . . . . . :

    netsh interface ipv6 show teredo OUTPUT
    -------------------------------------------------------------
    Teredo Parameters
    ---------------------------------------------
    Type                    : client
    Server Name             : default
    Client Refresh Interval : default
    Client Port             : default
    State                   : qualified
    Type                    : teredo client
    Network                 : unmanaged
    NAT                     : cone

    Please help me in this matter: why is the WCF service not accessible using the Teredo IPv6 address?

    Friday, February 22, 2008 9:49 AM
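
Added example (not part of any poster's message and not code from the WCF samples): a Python classifier for the IPv6 addresses that show up in ipconfig output or a WCF trace, which is the check asked for in step 2 of the earlier reply, with the Teredo fields decoded per RFC 4380. The function name `classify` and the result keys are assumptions of this example; the sample addresses are the ones quoted in the post above.

```python
import ipaddress

TEREDO = ipaddress.ip_network("2001::/32")
SIX_TO_FOUR = ipaddress.ip_network("2002::/16")


def classify(text):
    """Classify an IPv6 address string taken from ipconfig or a trace file."""
    addr = ipaddress.IPv6Address(text.split("%")[0])  # drop a zone index such as %4
    raw = int(addr)
    if addr in TEREDO:
        # RFC 4380: prefix(32) | server IPv4(32) | flags(16) | port(16) | client IPv4(32)
        # The port and client address are stored XORed with all ones.
        return {
            "kind": "teredo",
            "server": str(ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)),
            "cone_nat": bool((raw >> 48) & 0x8000),
            "mapped_port": ((raw >> 32) & 0xFFFF) ^ 0xFFFF,
            "mapped_ipv4": str(ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)),
            # Per the accepted answer in this thread, inbound traffic to a Teredo
            # address needs "Allow edge traversal" on the firewall rule.
            "needs_edge_traversal": True,
        }
    if addr in SIX_TO_FOUR:
        # 2002:AABB:CCDD::/48 embeds the public IPv4 address AA.BB.CC.DD
        embedded = ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)
        return {"kind": "6to4", "ipv4": str(embedded)}
    if addr.is_link_local:
        # ISATAP interface identifiers start with 0000:5efe or 0200:5efe
        isatap = ((raw >> 32) & 0xFFFFFFFF) in (0x00005EFE, 0x02005EFE)
        return {"kind": "isatap-link-local" if isatap else "link-local"}
    return {"kind": "other"}


if __name__ == "__main__":
    # Addresses copied from the post above (ipconfig output and exception text).
    samples = [
        ("ipconfig Teredo", "2001:0:4137:9e66:8000:fbcd:c45a:ebe2"),
        ("exception endpoint", "2001:0000:4137:9E66:8000:3F3A:C45A:EBE2"),
        ("Ethernet link-local", "fe80::21c:c0ff:fe0b:5a46%4"),
        ("Automatic Tunneling", "fe80::5efe:192.168.1.100%2"),
    ]
    for label, text in samples:
        print(f"{label:22} {text:42} {classify(text)}")
```

For the two Teredo addresses in the post above, the decoded server and mapped IPv4 address agree and the cone flag matches the `NAT : cone` line, while the mapped UDP port differs (1074 in the ipconfig output, 49349 in the exception text).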
  • Hey all.

    I know this is an old thread but I ran into this issue today. Enabling Edge Traversal in Vista firewall fixed the issue to allow netPeerTcpBinding to go over the internet.

    Question though. Can this be somehow set to be enabled when Windows Firewall prompts a user to allow/deny? Problem is you hit allow and it still doesn't work.

    If people are developing p2p discovery with this, it defeats the whole purpose if you have to tell users how to enable Edge Traversal in Windows Firewall. Not a friendly situation at all.

    If I could configure my app so that when the allow/disallow dialog appears I require the Edge Traversal option, that would be perfect.

    Also, with NETCF4 coming, are there any expectations to include netPeerTcpBinding? WCF in NETCF is very limited in its capabilities, but being large in mobile development myself and the company I work for, it would be great to have mobile devices on par with our desktop counterparts with netPeerTcpBinding support, or else we would have to go another route.

    Any info would be greatly appreciated!
    Thanks!
    Sunday, March 15, 2009 3:46 AM
  • Anyone tried on XP?
    Wednesday, November 3, 2010 9:46 PM