
RAS error 668 (NoConnection - Connection was dropped) throws Ras Exception on Password authentication failure

May 4, 2010 at 7:06 PM
Edited May 4, 2010 at 7:10 PM

When our application connects to our VPN servers and encounters an authentication error when the username is correct but the password is wrong, DotRas throws a RasException several seconds after the connection attempt has cleaned itself up. It appears that some VPN server implementations disconnect the PPP connection after the L2TP authentication fails and RAS senses the termination of the PPP connection and sends error 668 (NoConnection - Connection was dropped). If the DotRas connection has already been closed or never completed, why should RasHelper.HangUp() throw a RasException when RAS issues ConnectionWasDropped (668) error? We experimented with OR'ing the test for SUCCESS of the SafeNativeMethods.RasHangUp() return value with a test for NativeMethods.ERROR_NO_CONNECTION (after uncommenting it in NativeMethods.cs) to catch the RAS NoConnection error and that seems to handle that situation. My question is, after the connection is closed, why should receiving a RAS NoConnection error not be just ignored instead of throwing a RasException?

 

May 4, 2010 at 8:13 PM

What's dialing the connection, the RasDialer component? If you have a stack trace that'd be most helpful as well.

May 4, 2010 at 8:40 PM

Hi, Jeff,

The DotRasDialer is dialing the connection. Attached is a stack trace.

Erich Einfalt

Windows Developer

Anonymizer, Inc.

Trusted / Proven / Secure

858-866-1360 / Direct

858-866-0164 / Fax

eeinfalt@anonymizerinc.com

www.anonymizer.com

Anonymizer, Inc. is the global leader in non-attribution solutions ensuring customers online privacy, identity protection, and secure access to open source intelligence.

May 4, 2010 at 9:27 PM

The discussions forum does not have access to attachments; it needs to be posted in the message.

May 4, 2010 at 9:31 PM

Hi, Jeff,

The DotRasDialer is dialing the connection. Below is a stack trace.

DotRas.dll!DotRas.ThrowHelper.ThrowRasException(int errorCode = 668) Line 125 + 0x20 bytes    C#
DotRas.dll!DotRas.RasHelper.HangUp(DotRas.RasHandle handle = {DotRas.RasHandle}) Line 1502 + 0x8 bytes    C#
DotRas.dll!DotRas.RasDialer.Abort() Line 527 + 0xb bytes    C#
DotRas.dll!DotRas.RasDialer.RasDialCallback(int callbackId = 0, int subEntryId = 1, System.IntPtr dangerousHandle = 65536, int message = 52429, DotRas.RasConnectionState state = AuthNotify, int errorCode = 629, int extendedErrorCode = 0) Line 666 + 0x8 bytes    C#

Erich Einfalt


May 4, 2010 at 10:32 PM

What kind of VPN server are you using? I just tested that scenario on a Microsoft RRAS server and I received a 691 error code. When the Abort call was made, the connection was allowed to disconnect normally.

May 4, 2010 at 10:42 PM

Hi, Jeff,

Debian Linux servers running L2TPNS and OpenSwan.

Erich Einfalt


May 4, 2010 at 11:11 PM

It figures Linux would be the problem. We have two options here:

  1. I can test my fix to the issue over here after I've installed Linux and got everything set up for it to work as an LNS server.
  2. I can check in the files and have you test it on your end, and you inform me of the success of the patch.

I've already started downloading the Debian network installer for a virtual box. Perhaps I can somehow automate starting those virtual boxes during the unit testing phase of the project to ensure it works on multiple servers. The integration tests could easily verify it works with specific servers assuming I can get the servers to start on my machine. I think I'll spend some time investigating this on my end.

Basically, the problem is with the abort mechanism that the RasDialer uses to clean up the connection if cancelled or an error occurs while dialing. Normally it would call HangUp if the connection handle was valid on the client side, which caused the error you're seeing. Instead, before calling HangUp internally I have changed it to verify the connection is still active prior to attempting to disconnect it. The same mechanism is used in the HangUp method to verify the connection has closed and cleaned up. Your server must be closing the connection on its end rather than letting the client handle it.

I don't want to simply hide the error you were seeing from HangUp because that affects the entire project. If you call HangUp on a connection that has already disconnected, it should tell you that and not silently fail.

May 5, 2010 at 6:26 AM

After spending most of this evening trying to get a Debian VPN server set up (I hate Linux more than I hate Apple products) I just decided to check in the files and have you test the results. I'm still trying to get it all configured on my build machine for integration testing with different VPN servers, but at this point it'd be easier to just have you test it. Just grab latest and run the make.bat file from a VS command prompt (you'll need .NET 4.0 and VS2010 installed).

Let me know what happens.

May 5, 2010 at 8:41 PM

Hi, Jeff,

Our app does not target .NET 4.0 but just to see if your fix works, I downloaded and installed .NET 4.0. In our shop, we are not using VS2010 (as your email required) so I tried it from VS2008 Command Prompt and the build failed with 182 errors, all were StyleCop issues regarding copyright text requirements.

Erich Einfalt


May 5, 2010 at 9:40 PM

Hi, Jeff,

Good news! I replaced the entire DotRas csproj and all the source code in our app’s solution and rebuilt everything (after making the necessary changes to our source code for classes that interact with DotRas) and tested it against our bad password scenario and the app does not throw any exceptions after RAS generates error 629 (because the server terminated the connection during dialing) from a bad password. Your changes for this issue are valid. I looked at the changes in RasHelper and it makes better sense to me now.

As for setting up a Debian Linux server for testing, to quote a line from the robot Science Officer in the original ‘Alien’ – “Well, I can’t lie to you about your chances – but – you have my sympathies.”

Erich Einfalt


May 5, 2010 at 9:46 PM

The project doesn't target .NET 4.0 either, it just uses Visual Studio 2010, MSBuild 4.0, and still targets the 2.0 framework for maximum compatibility. Also, I managed to get the Debian VPN server working on a virtual machine and my proposed fix did take care of the root issue. Basically the Debian server was dropping the connection rather than letting the client disconnect itself. So when the dialer attempted to close the connection, it would throw the error that the connection was already disconnected. I just added a check to the code to ensure the connection was still active (same check being done after hangup for cleanup) before attempting to disconnect.

You shouldn't have had any StyleCop errors unless you're using it on your team and have your own settings. You can always disconnect StyleCop from the project by removing the reference to StyleCop inside the DotRas.csproj file by using Notepad.
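
The "verify the connection is still active before disconnecting" approach described in the May 4 and May 5 replies above, sketched from the calling application's side. This is an added example, not part of the thread and not DotRas source code; `DisconnectGuard` and `HangUpIfActive` are hypothetical names, and the DotRas members used (`RasConnection.GetActiveConnections()`, `RasConnection.Handle`, `RasConnection.HangUp()`, `RasException.ErrorCode`, value equality on `RasHandle`) are assumed from the DotRas 1.x public API.

```csharp
// Added example, not DotRas source. Assumes the DotRas 1.x public API:
// RasConnection.GetActiveConnections(), RasConnection.Handle,
// RasConnection.HangUp(), RasException.ErrorCode, RasHandle.Equals().
using System;
using DotRas;

public static class DisconnectGuard // hypothetical helper name
{
    // RAS error 668 (NoConnection), the value named in this thread.
    private const int ErrorNoConnection = 668;

    // Returns true if this call hung the connection up, false if it was
    // already gone (for example, dropped by the server after a failed logon).
    public static bool HangUpIfActive(RasHandle handle)
    {
        if (handle == null || handle.IsInvalid)
        {
            return false;
        }

        foreach (RasConnection connection in RasConnection.GetActiveConnections())
        {
            // Assumption: RasHandle compares by underlying handle value.
            if (!handle.Equals(connection.Handle))
            {
                continue;
            }

            try
            {
                connection.HangUp();
                return true;
            }
            catch (RasException ex)
            {
                // The server can still drop the link between the enumeration
                // above and HangUp(). Only 668 is treated as "already
                // disconnected"; any other code is rethrown to the caller.
                if (ex.ErrorCode == ErrorNoConnection)
                {
                    return false;
                }
                throw;
            }
        }

        return false; // handle is not among the active connections
    }
}
```

The boolean result keeps the "already disconnected" outcome visible to the caller instead of discarding it, so an application can log a server-side drop following an authentication failure separately from a client-initiated disconnect.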