ABXZone Computer  Forums



Old 05-04-2006, 05:16 PM   #1
Yes, I am better than you
 
 
Join Date: Feb 2001
Location: Winter Park, FL
Posts: 4,068
3com 3CRWE554G72TU DoS protection prevents Xbox Live connection


I finally found out what was stopping me from signing into Xbox Live on a 360 - my 3com router's anti-DoS protection was hanging the signal during the handshake. Unfortunately, while I can deactivate the DoS protection, it also turns off the SPI firewall, which is necessary to leave on for protection.

I am afforded several changeable variables with the DoS protection, however as I am versed in computer wizardry all this stuff escapes me, and I'm not sure what I can safely set it to (I'm not worried about DoS attacks, but I don't want to inhibit the functionality of the router, either.)

Here's a readout of what I can change:

DoS Detect Criteria
Total incomplete TCP/UDP sessions HIGH : 500 session
Total incomplete TCP/UDP sessions LOW : 400 session
Incomplete TCP/UDP sessions (per min) HIGH : 500 session
Incomplete TCP/UDP sessions (per min) LOW : 400 session
Maximum incomplete TCP/UDP sessions number from same host : 50 session
Incomplete TCP/UDP sessions detect sensitive time period : 500 msecs
Maximum half-open fragmentation packet number from same host : 150 packet
Half-open fragmentation detect sensitive time period : 30000 msecs
Flooding cracker block time : 75 secs

There is also a section for 'Connection Policy'; I'm not sure if any of these could have an effect but I might as well list them:

Connection Policy
Fragmentation half-open wait : 10 secs
TCP SYN wait : 30 secs
TCP FIN wait : 5 secs
TCP connection idle timeout : 3600 secs
UDP session idle timeout : 30 secs
H.323 data channel idle timeout : 180 secs

If anyone could assist I'd be very grateful; I don't feel like changing one thing at a time and re-trying Live to see what the magic combination is.

(Offline)   Reply With Quote
Old 05-04-2006, 06:31 PM   #2
Registered User
 
 
Join Date: Jan 2005
Posts: 1,239
Did you leave everything at the default settings? What are you using to connect the XBox to the router? Are the logs of the router elaborate? If so can you enable the SPI/DoS function, log the information, and then post it?

I am reading your router manual now. The difficulty is the fact that not all of the gateway devices handle the packet translation to be compatible with XBox Live. You can always DMZ the XBox or forward the applicable ports. I do know a Live compatible router with UPnP would make this easier and would actually be perfect.

At least place the XBox host in DMZ and have the SPI/DoS enabled, test the Live via dash, and report if it was functional. State every output given. It technically should be and with no real security issue for I do believe the information is sent SSL, or some form of VPN IIRC.

Enable UPnP and test Live again. However, do not have the XBox host DMZ'ed or with port forwarding. Do this with SPI/DoS enabled.
(Offline)   Reply With Quote
Old 05-04-2006, 06:48 PM   #3
Retired Modder
 
 
Join Date: Apr 2001
Location: Cloud Nine
Posts: 6,468
Just a quick thought...

I read somewhere that XBOX Live! might have problems with certain implementations of Dynamic Fragmentation. I'm not really aware of what the technology does for you, but if you have the option to disable something with fragmentation in the description then that might be worth a shot (even if it's just a shot in the dark, hehe).
__________________
StarTraveller.net - see Computers for current setup! Well, it used to be current... Right now, my primary computer is a ThinkPad T43p 2668-H7U upgraded to 2 GB RAM

Motto: If it is worth doing then it is worth doing right!
Caution: The light at the end of a tunnel may be an oncoming train...
(Offline)   Reply With Quote
Old 05-04-2006, 07:18 PM   #4
Yes, I am better than you
 
 
Join Date: Feb 2001
Location: Winter Park, FL
Posts: 4,068
I tried putting the Xbox 360 in the DMZ but it made no difference; only disabling the SPI/DoS firewall allowed a connection. I haven't pulled any logs yet, I don't know why I didn't think of that.

When running the Xbox360's network connectivity, it fails on the 'Xbox Live' part of the connection test. Then if I re-run the test right afterward, it fails on the 'MTU' part. Once or twice it passes all the way but still refuses a connection. With SPI/DoS off it connects and runs all the tests fine.

I'll pull the logs and see what I can see.

Edit: I'd be happy to forward whatever ports I needed to to the Xbox; but does anyone know what those ports are?
(Offline)   Reply With Quote
Old 05-05-2006, 01:32 AM   #5
Registered User
 
 
Join Date: Jan 2005
Posts: 1,239
What is your connection type? DSL perhaps? Odd to get an MTU message if you have cable. If DMZ didn't work then don't expect forwarding to work for you also. Have you tried UPnP enabled? It is disabled by default with your router.

Quote:
I read somewhere that XBOX Live! might have problems with certain implementations of Dynamic Fragmentation
This is for only the Ubicom based gateway devices. BTW, when I tested the DGL-4300 Dynamic Fragmentation it did not cause any issues for me.
(Offline)   Reply With Quote
Old 05-05-2006, 02:36 AM   #6
Yes, I am better than you
 
 
Join Date: Feb 2001
Location: Winter Park, FL
Posts: 4,068
uPNP is on. It's a cable modem.

I have the feeling one of those variables is timing out too quickly to allow the Live connection to finish handshaking/token handoff.
(Offline)   Reply With Quote
Old 05-05-2006, 11:47 AM   #7
Registered User
 
 
Join Date: Jan 2005
Posts: 1,239
It is possible to think so, but the timeouts at default are all within spec for the protocol. This is what I would do. I think if there is anything 3Com would at least know better. I would call and speak with them and XBox Live technical support.

I think you will find what I said before not all gateway devices process the packet header the same and therefore can NOT be compatible with certain services. At least you have found that it does work if the SPI/DoS is not enabled.

What is the firmware you have? Some of the firmware are pertinent SPI fixes. Do you have the latest version installed? That is the last thing I would try http://www.3com.com/products/en_US/r...2TU&order=desc
(Offline)   Reply With Quote
Old 05-05-2006, 06:34 PM   #8
Yes, I am better than you
 
 
Join Date: Feb 2001
Location: Winter Park, FL
Posts: 4,068
Upping some of the thresholds for the DoS prevention parameters would seem to have worked; I was able to play some Ghost Recon on Live last night. (oddly, the Connection Test runs okay the first run, but if I re-run it too soon after the last one I get the MTU error. I suspect this problem is actually Xbox specific or immaterial to connecting and using Xbox Live.)

More testing is necessary. If I'm satisfied that it works, I'll post the changes I made (though I did make two or three changes at a time, so most likely I've also changed some things unnecessarily.)
(Offline)   Reply With Quote
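
Added example, not part of the thread and not 3Com's code: a small model of a per-host incomplete-session detector, fed the per-host limit, detect window and block time from the readout in the first post, to show how those three values interact on a burst of new sessions. The detection algorithm, the function name `simulate_burst` and the traffic numbers are assumptions constructed for illustration; the thread does not say which thresholds were raised or what traffic the console generates.

```python
from collections import deque

# Per-host values copied from the "DoS Detect Criteria" readout in the first post.
POSTED = {"max_incomplete": 50, "window_ms": 500, "block_s": 75}

def simulate_burst(cfg, sessions, spacing_ms, reply_delay_ms):
    """Assumed model, not the router's documented algorithm: a session is
    'incomplete' until its reply arrives; if one host holds more than
    max_incomplete such sessions opened within window_ms, the host is
    blocked for block_s seconds.
    Returns (allowed, dropped, first_block_time_ms)."""
    pending = deque()      # open times (ms) of sessions still awaiting a reply
    blocked_until = None
    blocked_at = None
    allowed = dropped = 0
    for i in range(sessions):
        now = i * spacing_ms
        if blocked_until is not None and now < blocked_until:
            dropped += 1   # host is inside the block time, everything is dropped
            continue
        # Forget sessions that were answered or aged out of the detect window.
        while pending and (now - pending[0] >= reply_delay_ms
                           or now - pending[0] >= cfg["window_ms"]):
            pending.popleft()
        pending.append(now)
        if len(pending) > cfg["max_incomplete"]:
            blocked_until = now + cfg["block_s"] * 1000
            if blocked_at is None:
                blocked_at = now
            pending.clear()
            dropped += 1
        else:
            allowed += 1
    return allowed, dropped, blocked_at

if __name__ == "__main__":
    # Constructed traffic: 80 new sessions, 5 ms apart, replies after 400 ms.
    print("posted limits :", simulate_burst(POSTED, 80, 5, 400))
    raised = dict(POSTED, max_incomplete=100)
    print("limit raised  :", simulate_burst(raised, 80, 5, 400))
    # Same session count spread out (20 ms apart) stays under the posted limit.
    print("slower burst  :", simulate_burst(POSTED, 80, 20, 400))
```

In this model one trip of the per-host limit costs the host the full block time, so every session after the first drop in the burst is lost as well; router logs that record the block event would confirm or rule out this behaviour on the real device.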
Old 07-12-2007, 05:23 PM   #9
Registered User
 
Join Date: Jul 2007
Posts: 3
I'm having the same issue with my 3Com Router.
I can connect with SPI enabled but get intermittent disconnections from XBOX Live!

I am going through these selectable options in turn to see if a single one has the answer.

Stateful Packet Inspection
Enable Packet Fragmentation
Enable TCP Connection
Enable UDP Session
Enable FTP Service
Enable H.323 Service
Enable TFTP Service
(Offline)   Reply With Quote
Old 07-12-2007, 05:34 PM   #10
Registered User
 
Join Date: Jul 2007
Posts: 3
No luck with that, sorry. Although after a second look it seems quite obvious that disabling half of those wouldn't be good anyway.

Will continue to try these settings now:

Connection Policy
Fragmentation half-open wait : 10 secs
TCP SYN wait : 30 secs
TCP FIN wait : 5 secs
TCP connection idle timeout : 3600 secs
UDP session idle timeout : 30 secs
H.323 data channel idle timeout : 180 secs
(Offline)   Reply With Quote
Old 07-17-2007, 06:23 AM   #11
Registered User
 
Join Date: Jul 2007
Posts: 3
Has anyone got any other ideas around this? Have tried altering other variables without success. Also have latest firmware, and logs unfortunately are pretty simple and don't inform of any drop/block etc.
(Offline)   Reply With Quote
Old 07-17-2007, 10:13 AM   #12
Registered User
 
 
Join Date: Jan 2005
Posts: 1,239
I suspect that this router is not capable of doing the newer and more robust forms of translation and this is the problem. To only reinforce the issue, it is not XBox Live compatible and is a discontinued product. I hate to say it but I would invest in a better more robust router. Because, I do not think your problem can be resolved. This is mainly due to limited and lacking information. I do admit though, even if I had very thorough information, I think I am correct and my advice is on mark though. A newer router would benefit you greatly.
(Offline)   Reply With Quote