Firewall messages ??

[robgul]

I've tried to Google this but ddn't get an answer that I understood - anyone know what all this means please?

My Internet connection from a Windows 10 PC (with latest updates) using Wifi connected to a BT Business Broadband Smart Hub - web etc seems OK BUT my email client (Time & Chaos Intellect) when checking/sending mail is giving intermittent error messages   "Error ...." and something that I'm not quick enough to read -  sometimes it does a correct mail check/send, sometimes it doesn't.  Email is being picked up/checked for/sent on an   xxxxx @btconnect.com   email address.    It's only started to err in the last 4 or 5 days.

Looking at the Hub's event log I seem to have some lines relating to Firewall - this is an extract of the text (with my IP address redacted and comment about more text and numbers in the entry) - the key words seeming to be Firewall Drop

:HTTP UserAdmin login from xxxxx successfully
20:18:41, 22 Oct.
:HTTP UserBasic login from xxxxx successfully
20:14:05, 22 Oct.
:FIREWALL --INPUT_DROP--IN=ppp1 OUT= MAC= SRC= MORE TEXT & NUMBERS
20:14:01, 22 Oct.
:FIREWALL --OUTPUT_DROP--IN= OUT=BR_LAN SRC=xxxxx MORE TEXT & NUMBERS
20:08:21, 22 Oct.
:FIREWALL --FORWARD_DROP--IN=ppp1 OUT=BR_LAN MAC= MORE TEXT & NUMBERS

One thing I haven't done (yet) is power-down and reboot the router.

Not mission-critical, but annoying .  and is there a major issue?

[Kim]

"INPUT-DROP" "OUTPUT-DROP" AND "FORWARD-DROP" are likely the names of the firewall rules generating those log messages

"IN=ppp1" means it's referring to something coming in from a PPP interface (probably DSL to the internet).
"OUT=BR_LAN" is something heading for the bridging interface (probably for the WiFi).

I assume "MORE TEXT & NUMBERS" is you redacting the information describing what's actually being dropped.

It's normal and ordinary for a firewall to block and log all sorts of random noise from the internet.  Any IP address will get random things trying to connect to it from time to time.  A combination of the harmless (things like ISP monitoring), accidental (something somewhere misconfigured to connect to your address), malicious (worms, spammers or human crackers trying to connect), responses to outgoing connections you've made (eg. ident requests).  Normally this stuff is only of interest when you're diagnosing some connection problem and need to check if the firewall is dropping things you don't want it to.

If it's dropping packets to/from your email provider, you have a useful clue.  If not, it's harmless.

[robgul]

"INPUT-DROP" "OUTPUT-DROP" AND "FORWARD-DROP" are likely the names of the firewall rules generating those log messages

"IN=ppp1" means it's referring to something coming in from a PPP interface (probably DSL to the internet).
"OUT=BR_LAN" is something heading for the bridging interface (probably for the WiFi).

I assume "MORE TEXT & NUMBERS" is you redacting the information describing what's actually being dropped.

It's normal and ordinary for a firewall to block and log all sorts of random noise from the internet.  Any IP address will get random things trying to connect to it from time to time.  A combination of the harmless (things like ISP monitoring), accidental (something somewhere misconfigured to connect to your address), malicious (worms, spammers or human crackers trying to connect), responses to outgoing connections you've made (eg. ident requests).  Normally this stuff is only of interest when you're diagnosing some connection problem and need to check if the firewall is dropping things you don't want it to.

Yep - the "More ... " is just redacting.

I've now seen and been able to read the error message when the mail check fails :   "Error - login failure the connection to the server is not active"  - that's pretty obvious - what I can't understand is why it's doing it, and intermittently.   Is it my broadband connection that's the problem - is it my email client - or is it at the BT end ... and how can I tell?   

My Hub is reporting that it's connected.   BT isn't showing any status issues with their mail servers.

[Kim]

That's ...not a very helpful error message.  Probably means something to the mail client authors.

If I were guessing, it could be that it was holding open a TCP connection to the server from the last time it did something, tried to re-use it (which is more efficient, as it doesn't have to re-authenticate), and failed.  Which could be caused by all sorts of things, including connections dropping or routers/firewalls expiring that connection from their state table because it hasn't been active for some amount of time.

[robgul]

That's ...not a very helpful error message.  Probably means something to the mail client authors.

If I were guessing, it could be that it was holding open a TCP connection to the server from the last time it did something, tried to re-use it (which is more efficient, as it doesn't have to re-authenticate), and failed.  Which could be caused by all sorts of things, including connections dropping or routers/firewalls expiring that connection from their state table because it hasn't been active for some amount of time.

I've had enough for today - I'll reboot the router in the morning and see what happens, or not - and send a query to the mail client vendor.

In theory my connection to BT should be 100% as I have the 4G dongle that kicks in instantly if the phone line fails ... allegedly!

Thanks

[Kim]

In theory my connection to BT should be 100% as I have the 4G dongle that kicks in instantly if the phone line fails ... allegedly!

Depending on how it's implemented, that's exactly the sort of thing that could cause an extant TCP socket to become unresponsive.

[robgul]

In theory my connection to BT should be 100% as I have the 4G dongle that kicks in instantly if the phone line fails ... allegedly!

Depending on how it's implemented, that's exactly the sort of thing that could cause an extant TCP socket to become unresponsive.

Dongle removed - still the intermittent connect failure . . .  .  yet to reboot the router.    Hub event log still showing quite a few Firewall messages - 18 entries in the space of 20 minutes.

I'll reboot the router and then the PC without the dongle and see what happens.   Given that the email client is the current version and nothing in the accounts/settings has been changed for some months it doesn't seem likely the issue is there.

[robgul]

In theory my connection to BT should be 100% as I have the 4G dongle that kicks in instantly if the phone line fails ... allegedly!

Depending on how it's implemented, that's exactly the sort of thing that could cause an extant TCP socket to become unresponsive.

Dongle removed - still the intermittent connect failure . . .  .  yet to reboot the router.    Hub event log still showing quite a few Firewall messages - 18 entries in the space of 20 minutes.

I'll reboot the router and then the PC without the dongle and see what happens.   Given that the email client is the current version and nothing in the accounts/settings has been changed for some months it doesn't seem likely the issue is there.

Router etc re-booted - still intermittent connection from the email client . . . frustrating - don't know what else to try.

I have also put the PC back on a cabled connection using a BT Powerline (that was giving some issues a few months ago which is why I was using the WiFi - another PC in the same room using the same Powerline has been 100%)

[Feanor]

Could also be a server side change where its dropping idle connections more quickly than it did, and the client is not handling that well.

Have you tried a different mail client?

[pcolbeck]

At this point I would run a sniffer to see exactly whats going on.

[robgul]

Could also be a server side change where its dropping idle connections more quickly than it did, and the client is not handling that well.

Have you tried a different mail client?

I've installed Thunderbird and that seems happy to connect every time

[robgul]

At this point I would run a sniffer to see exactly whats going on.

Not a clue what a sniffer is - but I can guess . . .  any recommendations? (Google throws up several)

[nuttycyclist]

wireshark

[robgul]

This the reply I received from the software vendor:

Since it comes and goes as an error, that makes it sound like something else that comes and goes on your computer.  Besides your hard drives going to sleep then waking up for power saving, many network chips also sleep and wake up for power saving too.  If you attempt to check for mail before things have completely "woken up", it could try to connect before a connection can actually be made.  You could consult the help for whatever type of network chip is in your computer to see how you can tweak their power saving settings to see if that gives you different results.

Outside of that, your firewall/antivirus software can also block connections, but they usually are solidly on or off, not intermittent.


What is inconsistent is that there appears to be no issue with web access or with the Thunderbird email client I installed to make comparisons.   No idea what to do with the "network chip" - PC is a Lenovo about 4 years old.

[pcolbeck]

wireshark

Indeed.

[Feanor]

Reading through the thread, I think there is enough evidence to point to the problem.

-Your mail client has issues reconnecting to the server after a period of inactivity
-Other clients do not ( Thunderbird )
-Webmail is not comparing apples with apples, but tells us that:
  The webmail server does not have problems connecting to the mail server.
  Your PC does not have issues connecting to other Internet services, eg HTTP, using a modern browser

This all points to your mail client not handling network disconnections gracefully.

Back In The Day, when a network was a few machines connected with a co-axial cable, things were easier.
A client could open a connection, and assume it was stable forever.

Things move on.
The modern network environment is very different.
Busy servers will disconnect idle clients after a short period.
Battery-powered devices have led to OSes that do power management, and will shut down network interfaces.
Mobile devices will drop on and off between networks as they roam around.

All this will break clients designed on the old paradigm I described.
Modern clients need to work with the OS to deal with this ever-changing network environment.

It seems to me that your email client is failing to gracefully handle one or more of the issues that are simply part of modern network life.

[Kim]

Yes; If I were writing a network client I'd want it to shrug and re-authenticate, without bothering the user about it (except in debugging output).

That said, if the network driver is doing power saving properly, it should be reasonably graceful about it.  Either maintain enough activity so the connection appears to still be connected (if perhaps sluggish), or close the socket outright and let the application handle it.

[Feanor]

Yes; If I were writing a network client I'd want it to shrug and re-authenticate, without bothering the user about it (except in debugging output).

That said, if the network driver is doing power saving properly, it should be reasonably graceful about it.  Either maintain enough activity so the connection appears to still be connected (if perhaps sluggish), or close the socket outright and let the application handle it.

Yes, quite.
But the OS has to provide an API which the programmer can work against.
I don't care if it does keep-alive pings, or closes the socket.
As an app-level programmer, I just need to know what the OS expects of a client; what things the API exposes, and how I need to react to it.

I don't think the OP client is up to the task.

[Mr Larrington]

Yes; If I were writing a network client I'd want it to shrug and re-authenticate, without bothering the user about it (except in debugging output).

That said, if the network driver is doing power saving properly, it should be reasonably graceful about it.  Either maintain enough activity so the connection appears to still be connected (if perhaps sluggish), or close the socket outright and let the application handle it.

Windows used to, and possibly still does, switch off the wifi adapter “to save power”.  Yes, even when one’s laptop was supping its voles from the mains

[robgul]

Yes; If I were writing a network client I'd want it to shrug and re-authenticate, without bothering the user about it (except in debugging output).

That said, if the network driver is doing power saving properly, it should be reasonably graceful about it.  Either maintain enough activity so the connection appears to still be connected (if perhaps sluggish), or close the socket outright and let the application handle it.

Yes, quite.
But the OS has to provide an API which the programmer can work against.
I don't care if it does keep-alive pings, or closes the socket.
As an app-level programmer, I just need to know what the OS expects of a client; what things the API exposes, and how I need to react to it.

I don't think the OP client is up to the task.

That would seem to be the answer - the vendor, of course, says it's not them - BUT why has it suddenly started doing it when nothing has changed on my PC (other than Windows update last week - but the problem started before that) and the email client software is the same version with no updates for probably 9 or 10 months?

It does seem that the "connect first time" seems to happen when a message is being sent - but not when it's checking for new mail . . . but I may be imagining that?

[Afasoas]

Yes; If I were writing a network client I'd want it to shrug and re-authenticate, without bothering the user about it (except in debugging output).

That said, if the network driver is doing power saving properly, it should be reasonably graceful about it.  Either maintain enough activity so the connection appears to still be connected (if perhaps sluggish), or close the socket outright and let the application handle it.

Yes, quite.
But the OS has to provide an API which the programmer can work against.
I don't care if it does keep-alive pings, or closes the socket.
As an app-level programmer, I just need to know what the OS expects of a client; what things the API exposes, and how I need to react to it.

I don't think the OP client is up to the task.

That would seem to be the answer - the vendor, of course, says it's not them - BUT why has it suddenly started doing it when nothing has changed on my PC (other than Windows update last week - but the problem started before that) and the email client software is the same version with no updates for probably 9 or 10 months?

It does seem that the "connect first time" seems to happen when a message is being sent - but not when it's checking for new mail . . . but I may be imagining that?

It's possible the email provider has applied a change to their IMAP servers which closes idle connections after a period of time.

[robgul]

It's POP not IMAP

The email client is set to check email  every 10 minutes - and creates a log (see below for an hour or so this morning)

I sent a message at 10:39 which was sent immediately - I then didn't touch anything until 11:48 and let it just check as per the schedule.  The log shows numerous connection failures and then two successful checks (1 with 2 messages, one with no messages)

I'm getting even more confused!

====

10:39:32 Robert Gullen (Smtp): Login request
10:39:33 Robert Gullen (Smtp): Login OK
10:39:38 Robert Gullen (Smtp): Message Sent
10:39:38 Robert Gullen (Smtp): Logoff OK
10:48:58 RG BT (Pop3): Login request
10:48:58 RG BT (Pop3): Error, Login failure The connection to the server is not active
10:58:58 RG BT (Pop3): Login request
10:58:58 RG BT (Pop3): Error, Login failure The connection to the server is not active
11:08:58 RG BT (Pop3): Login request
11:08:58 RG BT (Pop3): Error, Login failure The connection to the server is not active
11:18:58 RG BT (Pop3): Login request
11:18:59 RG BT (Pop3): Login OK
11:18:59 RG BT (Pop3): Total Messages: 2 New Messages: 2
11:18:59 RG BT (Pop3): Retrieving Message 2 of 2
11:19:00 RG BT (Pop3):  Message 2 saved as: C8A0C7EC-E9D7-446A-BAF8-7749F66526A4.msg
11:19:00 RG BT (Pop3): Retrieving Message 1 of 2
11:19:01 RG BT (Pop3):  Message 1 saved as: AA13DF6E-C3FA-420B-B143-B7A0C5ABE96C.msg
11:19:02 RG BT (Pop3): Logoff OK
11:28:58 RG BT (Pop3): Login request
11:28:59 RG BT (Pop3): Login OK
11:28:59 RG BT (Pop3): Total Messages: 0 New Messages: 0
11:28:59 RG BT (Pop3): Logoff OK
11:38:58 RG BT (Pop3): Login request
11:38:58 RG BT (Pop3): Error, Login failure The connection to the server is not active
11:48:58 RG BT (Pop3): Login request
11:48:59 RG BT (Pop3): Error, Login failure The connection to the server is not active

[robgul]

A bit more of a test .... I have a number of domains that have catch-all email forwarding to my main BT account - and the email client is set up to be able to send messages from the domains but they come back to the BT account.

I added one of the domain accounts (one on Ionos) to be the one I checked and sent a message from the BT account to the IONOS account.   The mail check then connected immediately to the IONOS account and downloaded a few messages (they remain on the server for 2 days) and then failed with the connect to the BT account (these were manual checks, not the timed)

That seems to point to either BT not liking the email client, or the email client (now) deciding it doesn't like BT.


===
12:05:11 RG BT (Smtp): Login request
12:05:12 RG BT (Smtp): Login OK
12:05:14 RG BT (Smtp): Message Sent
12:05:14 RG BT (Smtp): Logoff OK
12:05:17 Robert Gullen (Pop3): Login request
12:05:17 Robert Gullen (Pop3): Login OK
12:05:17 Robert Gullen (Pop3): Total Messages: 9 New Messages: 9
12:05:17 Robert Gullen (Pop3): Retrieving Message 9 of 9
12:05:18 Robert Gullen (Pop3):  Message 9 saved as: 7E8117E1-ACA1-4EB2-A110-BFEE7CBA7428.msg
12:05:18 Robert Gullen (Pop3): Retrieving Message 8 of 9
12:05:19 Robert Gullen (Pop3):  Message 8 saved as: 59EEFF18-F05A-431B-813F-D4CE3D7FF294.msg
12:05:19 Robert Gullen (Pop3): Retrieving Message 7 of 9
12:05:20 Robert Gullen (Pop3):  Message 7 saved as: 0FB67315-9945-4583-97F0-C0262E0D5865.msg
12:05:20 Robert Gullen (Pop3): Retrieving Message 6 of 9
12:05:23 Robert Gullen (Pop3):  Message 6 saved as: FC65E9E7-BE1D-4C89-926F-5CDB6A267859.msg
12:05:23 Robert Gullen (Pop3): Retrieving Message 5 of 9
12:05:28 Robert Gullen (Pop3):  Message 5 saved as: 0DFA576D-693C-4FA8-BE39-BFF2AF6C712A.msg
12:05:28 Robert Gullen (Pop3): Retrieving Message 4 of 9
12:05:31 Robert Gullen (Pop3):  Message 4 saved as: 63DAB641-F5F5-46A6-949F-4C4E504BD525.msg
12:05:31 Robert Gullen (Pop3): Retrieving Message 3 of 9
12:05:32 Robert Gullen (Pop3):  Message 3 saved as: D05447B0-B41D-4982-AEA3-3A685EA1B6A2.msg
12:05:32 Robert Gullen (Pop3): Retrieving Message 2 of 9
12:05:32 Robert Gullen (Pop3):  Message 2 saved as: 49C035D7-A911-4DB0-BDFD-E964D5BD3FE3.msg
12:05:32 Robert Gullen (Pop3): Retrieving Message 1 of 9
12:05:33 Robert Gullen (Pop3):  Message 1 saved as: 5EAC790D-CE3B-4F30-8D4D-FADA2192BEA0.msg
12:05:34 Robert Gullen (Pop3): Logoff OK
12:05:34 RG BT (Pop3): Login request
12:05:34 RG BT (Pop3): Error, Login failure The connection to the server is not active
12:07:04 Robert Gullen (Pop3): Login request
12:07:04 Robert Gullen (Pop3): Login OK
12:07:05 Robert Gullen (Pop3): Total Messages: 0 New Messages: 0
12:07:05 Robert Gullen (Pop3): Logoff OK