A Windows XP help forum. PCbanter

Inability to reach Microsoft sites from behind NAT firewall



 
 
October 14th 04, 04:58 PM
Christopher Neufeld

Hello,

I've been trying to get my girlfriend's Windows XP Home laptop working
from behind my firewall computer, a Linux box which performs NATting
for all computers behind it. I've never operated a Windows computer,
and have no idea what has to be done, plus this version of Windows is
in Chinese only, and it takes me an impractically long time to walk
through menus labelled in Chinese.

It appears that she can reach all websites except those belonging to
Microsoft, and one Yahoo! site. Everything else works fine. Here are
my observations:

- she cannot reach hotmail, a message appears asking her to check her
Internet connection
- she could, for a while, see her hotmail messages through MSN
explorer, a program which seems to be included in the OS, but that
has stopped working also
- she cannot reach a "Windows update" server, it again claims that the
Internet connection is down
- she cannot reach the yahoo Taiwan site, but can reach other yahoo
sites such as yahoo Japan.
- she can, from Windows, reach every other site attempted, painlessly
- she can reach hotmail, yahoo, etc. from the Linux desktops behind
the firewall, it is only the Windows machine which has trouble

The troubles with hotmail are not occasional, they happen without
fail, every time an attempt is made to access from Windows XP. If she
directs an Internet Explorer window at the yahoo Taiwan site, then goes
off to work on something else, she sometimes receives an incomplete
page after 7 or 8 hours.

These problems did not manifest when the laptop was in Taiwan, sharing
an Internet connection with another desktop machine there.

Since arriving in Canada and being configured (incorrectly?) for the
local network here, the laptop has never successfully connected to
those websites it cannot reach, so this isn't some progressive bitrot.

The Linux box is NATting a static IP number, cneufeld.ca. Surely it
is not an unusual setup to have a Windows machine hiding behind a
stateful NAT firewall.

I've done TCP dumps of good connections from Linux and broken
connections from Windows XP, both to login.passport.net, to try to see
what's going wrong.

Here's a sequence from the failed connection to http://login.passport.net
from the Windows XP laptop. Along the way, it picked up a redirection
in the URL, which appears to have been trying to set her specific
login details.


laptop opens a connection (#1) to login.passport.net, SYN, SYN-ACK, ACK
laptop pushes seq 425
login.passport.net pushes seq 424, ACKs the 425
login.passport.net pushes seq 438
login.passport.net sends FIN
laptop ACKs the 438
laptop ACKs the 439 (the FIN)
laptop sends FIN
laptop looks up login.passport.com
laptop opens a connection (#2) to login.passport.com, SYN, SYN-ACK, ACK
login.passport.net (connection #1) ACKs the laptop's FIN
laptop pushes seq 489 (INCLUDES get for /login.srf?lc=...")
login.passport.com pushes seq 366, ACKs the 489
login.passport.com pushes seq 1278
login.passport.com sends FIN
laptop ACKs the 1278
laptop ACKs the 1279 (the FIN)
laptop sends FIN
laptop opens a connection (#3) to login.passport.net, SYN, SYN-ACK, ACK
login.passport.com (connection #2) ACKs the laptop's FIN
laptop pushes seq 788 (INCLUDES redirector /uilogin.srf?id=...")
login.passport.net pushes seq 284, ACKs the 788
laptop ACKs the 284
--- Pause of 11 seconds
laptop sends a 77 byte UDP packet to port 3544 of baym-td1.msgr.hotmail.com
A 109 byte response from baum-td1.msgr.hotmail.com is delivered
--- Pause of 33 seconds
laptop sends a 77 byte UDP packet to port 3544 of baym-td1.msgr.hotmail.com
A 109 byte response from baum-td1.msgr.hotmail.com is delivered
--- Pause of 3 seconds
login.passport.net sends a RST to connection #3, sequence number 4664,
with ACK on 788

Total end-to-end time, 48 seconds.

The UDP packets appear to be periodic on the network, I don't think
they're part of the passport login sequence.


So, the sequence number on that RST packet shows that we lost almost 4
kilobytes of TCP data somewhere out in the world. It didn't bounce
off the firewall, that data never arrived back at the NAT box.

The successful authentication from Linux involves no UDP packets
(naturally), and no mysteriously vanished data.


I thought it might be some bad proxying setup, that some packets are
trying to go through the Taiwanese ISP, but the proxying settings
appear all to be blank, and proxying should hurt all sites equally,
not just those controlled by Microsoft.

It doesn't appear to be a fragmentation issue, I have seen an
oversized packet go through the network, saw the NAT box send back the
ICMP must-fragment error, and saw the laptop then reissue the data in
smaller packets.


My best theory right now, based on the never-delivered packets, is
that something in the TCP data exchanged is telling the passport
server on the third connection to route packets back to the NAT-ted IP
number through a specific Taiwanese ISP gateway machine, and the ISP
is discarding those packets because they don't live on its network.
No data is being sent from the laptop to any other Internet hosts
during this interval, so it is not establishing any sort of tunneling
proxy with a remote ISP.


If somebody can offer me some suggestions, I would really appreciate
it, I've searched through a pile of microsoft.com help pages without
seeing anything which appears to explain or fix this problem. If you
can suggest menus to view in the configuration, please mention the
alphabetic shortcut key which invokes the button (the letter between
parentheses), since all of the buttons are labelled in Chinese
characters and the translation might not be exact, but I assume the
shortcut keys are consistent across locales.


--
Christopher Neufeld
Home page:
http://www.cneufeld.ca/neufeld
"Don't edit reality for the sake of simplicity"
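The sequence-number arithmetic behind the missing-data observation in the post above, as an added example that is not part of the original post. The `Segment` records are constructed from the post's summary of connection #3, the function names are hypothetical, and the 1460-byte MSS is an assumed Ethernet default that the post does not state.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Segment:
    sender: str
    flags: str            # tcpdump-style letters: P, F, R, "." for a bare ACK
    seq: Optional[int]    # relative sequence number just past this segment's data
    ack: Optional[int]    # relative acknowledgement number, if one was reported

# Constructed sample: connection #3 after the handshake, as summarised in the post.
CONNECTION_3 = [
    Segment("laptop", "P", 788, None),
    Segment("login.passport.net", "P", 284, 788),
    Segment("laptop", ".", None, 284),
    Segment("login.passport.net", "R", 4664, 788),
]

def unseen_bytes_at_reset(segments):
    """For each RST, count the bytes the resetting host had sent beyond
    the last byte its peer acknowledged."""
    hosts = {s.sender for s in segments}
    if len(hosts) != 2:
        raise ValueError("expected exactly two endpoints in one connection")
    acked = dict.fromkeys(hosts, 1)   # relative seq 1 = first byte after the SYN
    gaps = {}
    for s in segments:
        if "R" in s.flags and s.seq is not None:
            gaps[s.sender] = max(0, s.seq - acked[s.sender])
        if s.ack is not None:
            (peer,) = hosts - {s.sender}
            acked[peer] = max(acked[peer], s.ack)
    return gaps

def as_full_segments(gap, mss=1460):
    """Express a gap as (whole segments, leftover bytes).
    mss=1460 is an assumption, not a value taken from the post."""
    return divmod(gap, mss)

if __name__ == "__main__":
    for host, gap in unseen_bytes_at_reset(CONNECTION_3).items():
        print(host, gap, as_full_segments(gap))
```

Run against a capture taken on the outside interface of the NAT box as well, the same calculation shows whether the unacknowledged bytes ever reached the firewall.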
 



