[OpenAFS] Vista, OpenAFS 1.5.20, Cisco VPN - AFS dead

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 06 Jul 2007 11:51:27 -0400


Jason Edgecombe wrote:
> Jeffrey Altman wrote:
>> I installed Cisco VPN 3.8.2 on Vista Ultimate with current Windows
>> Updates and OpenAFS 1.5.20 works just fine when connecting to and
>> disconnecting from a VPN using the UDP tunneling.
>>
>> This does not mean that you are not having a real problem.  It does mean
>> that the problem is not pervasive and requires something specific to
>> your environment to reproduce it.
>>
>> Jeffrey Altman
>> Secure Endpoints Inc.
>>
> Just another data point.
>
> It's been my experience with the Cisco VPN client on my Mac that I have
> to reauthenticate to AFS after starting or stopping the VPN client.

I don't think this is relevant.

A refresher course on how the AFS client on Windows is implemented might
be in order.


       ............................................................
       |                                                          |
       |  Windows Applications such as Office, NIM, AFS Creds     |
       |                                                          |
       |                                                          |
       |........................................................../
              |                                       |
              |      Windows CIFS client              |
              |                                       |
              '`''''''''''''''''''|'''''''''''''''''''
                                  |
                  Loopback Adapter|10.254.254.253
                                  |
             ..........................................
             |      AFS Client Service (SMB Server)   |
             |                                        |
             |           AFS Cache Manager            |
             |________________________________________J
                                  |
                                  |
                      External    |   Network
                                  |
             _____________________|_____________________
            |                                          |
            |                                          |
            |       AFS Servers (File, VLDB)           |
            |                                          |
             `''''''''''''''''''''''''''''''''''''''''''

On versions of Windows prior to Vista, the Loopback Adapter interface
was not plug-n-play and was unaware of Power Management events.  Its
configuration was static.  Once it obtained its IP address the AFS
client service could bind its SMB server to it and it would be stable
until the machine was shut down or the loopback adapter itself was
manually disabled or uninstalled.

In Windows Vista, the loopback adapter is a PnP driver and it is aware
of power management events.  When the network configuration on the
machine is reconfigured or the machine is being suspended, the loopback
adapter will be turned on and off just like any physical adapter.
Beginning with the 1.5.12 release, the AFS client service was updated to
handle the case in which the bound network adapter may shut down
unexpectedly.  In this case, the AFS client service will periodically
retry binding to the adapter.

Quoting the OpenAFS for Windows Release Notes:

"Due to a feature change in Windows Vista's Plug-n-Play network stack,
during a standby/hibernate operation the MSLA is disabled just as any
other piece of hardware would be.  This causes the OpenAFS Client's
network binding to be lost.  As a result, it takes anywhere from 30 to
90 seconds after the operating system is resumed for access to the
OpenAFS Client and the AFS file space to become available.  Until the
network bindings have been re-established ticket managers and other tools
will report that the AFS Client Service may not have been started."

During the period in which the AFS client is unable to receive CIFS
requests, it is not possible to access \\AFS for files, to set tokens or
to list tokens.  From the perspective of the Windows CIFS client, the
AFS server (which appears to be on a remote machine) is not present on
the network.

If there is a problem with the Cisco VPN client, my guess is that it
would have something to do with temporarily resetting the loopback
adapter or modifying the routing table.  However, based upon my tests
with OpenAFS 1.5.20 and Cisco VPN 3.8.0.2, I have not witnessed any such
interference.

Lars has described his problems as being more severe than just the AFS
client not working.  He says that he can't access any DNS server, not
even on the private network.  As a result, I think his problems are
Cisco VPN configuration issues that have nothing to do with AFS.

Jeffrey Altman
Secure Endpoints Inc.