Contributor
Contributor

Constant NetBIOS Name Service query/refresh for Windows 7 VM

Resuming a Windows 7 VM that uses NAT sometimes triggers an endless loop of NBNS queries/refreshes for the VM's name. From a Wireshark trace it looks like this happens two or three times a second continuously until Fusion is quit (shutting down the VM has no effect). Does anyone know if there's a way to fix this so I stop bombarding the name server?

0 Kudos
19 Replies
Contributor
Contributor

I'm seeing this same problem. I migrated my Win7 VM from Parallels 8 and I wasn't seeing any weird NetBIOS traffic before. It definitely seems related to the vmnat process. For me once the NetBIOS chatter starts (usually within a few minutes to a half hour of starting my Win7 VM), it generates about 80k/s of traffic!

If anyone else is seeing this problem, please reply. For any VMware guys seeing this, let me know what I can do to try to help debug this situation more.

-Arion

0 Kudos
VMware Employee
VMware Employee

Hi Matt,

Thanks for pointing this out. Did you get the NBNS queries/refreshes on your Mac OS or your Windows 7 VM? I could see the NBNS queries on Mac even without Fusion running. Do you mind attaching the sniffer? Thank you.Smiley Happy

0 Kudos
Contributor
Contributor

I only see the NBNS queries/refreshes from my Mac, not from my Windows 7 VM.. Attached is a screenshot from Wireshark..

-Arion

Window 2013-07-04 at 15.47.33.png

0 Kudos
VMware Employee
VMware Employee

Hi Arion,

Thanks for your support. I still could not find NSNB query/refresh packets destinated to device that starts with vmware_XX  on my Mac.Which Fusion version are you using? Judging from the packet, it seems your Mad owns ip address 172.20.204.12, and 172.20.204.x should be allocated to your NAT VM? Does your windows 7 network work properly? Would you mind describe your network setup on your Mac and your windows 7 VM? Thanks you very much.Smiley Happy 

0 Kudos
Contributor
Contributor

Nancy, are you a representative from VMWare?

Here are some details:

My Mac (host system) is on a private network at my house: 172.20.204.0/24, it's IP address is 172.20.204.12. My DHCP/DNS server is a Windows 2008 server at 172.20.204.2. My screenshot may be a little confusing because it shows my Windows 2008 server as having a VMware MAC address -- that's because it's a virtual machine running inside of an ESXi server Smiley Happy

My Windows 7 VM has two network adapters configured -- one NAT and one Bridged. I always prefer to use NAT because sometimes I'm VPN'd in on my Mac and want my Windows 7 VM to be able to reach VPN-based systems. I normally leave the Bridged network device as "disabled" within Windows 7. I don't think it matters, but I configured a custom network range for the shared NAT network between my Mac and NAT-enabled VM instances (172.31.255.240/28) - as you can see it is different than my home network range.

I start seeing a flood of NBNS queries emanating from my Mac's IP address (172.20.204.12) and  destined for my DNS/DHCP server (172.20.204.2) after using my Windows 7 VM for a certain period of time. I haven't been able to narrow down exactly when it starts -- or what might be the trigger event that starts the flood. I run LittleSnith and I usually notice the problem when I see LittleSnitch's network graph start getting pegged with traffic when I have no other significant network activity going on. If I suspend or shutdown my Windows 7 VM, the traffic continues. The only way I can get the NBNS flood to stop is to manually kill the vm-natd process and start it again by hand (via sudo). Sometimes when I try to restart it, I get the following error:

7/4/13 10:54:47.889 PM vmnetNAT[16148]: Reporting status to parent on status fd: 7 failed, error: Device not configured

As a side note, can you explain in detail what these settings in vmnet8/nat.conf do?

[netbios]

# Timeout for NBNS queries.

nbnsTimeout = 2

# Number of retries for each NBNS query.

nbnsRetries = 3

# Timeout for NBDS queries.

nbdsTimeout = 3

I haven't fiddled with any of these defaults...maybe they are related to this problem?

-Arion

0 Kudos
VMware Employee
VMware Employee

Arion,


Did you enable WINS in your windows server 2008?

0 Kudos
Contributor
Contributor

Nope, I'm not running a WINS server on my W2008 box..

Again, I moved from Parallels 8 to VMware Fusion because of a few quirks I didn't like in Parallels.. I haven't changed the configuration of my Windows 7 VM or my W2008 server and I didn't experience this weird NetBIOS traffic problem under Parallel's NAT solution..

-Arion

0 Kudos
VMware Employee
VMware Employee

Arion,


Thanks very much for your update. Would you please update an sniffer files instead of a screenshot of this problem?

0 Kudos
Contributor
Contributor

We are experiencing the exact same issue with VMWare Workstation and Fusion VM's and only when using NAT networking.

0 Kudos
Contributor
Contributor

Attached is a small PCAP file from me as well. Another thing to note: all of the NetBIOS traffic in my PCAP is invalid. When I captured this traffic, my Mac was connected to a network away from my normal home network. All of the NetBIOS flood traffic observed was directed at a computer at my house, even though I was on a different subnet and that system wasn't even reachable...

-Arion

0 Kudos
Contributor
Contributor

Yep, the NetBIOS traffic we pick up is directed to a WINS server at our office which is also not reachable via the internet.

0 Kudos
Contributor
Contributor

I opened a support ticket for this issue (13348746907).

Also, my vmnet-natd has been consuming 99% CPU recently and I frequently lose connectivity inside my Windows 7 VM.

-Arion

0 Kudos
Contributor
Contributor

Arion,

Did you by any chance get feedback on your support ticket? We're still experiencing the same issue Smiley Sad

0 Kudos
Contributor
Contributor

I found a work-around, but not a complete resolution to the issue. If I completely disable NetBIOS support in my Windows 7 VM, the problem went away (setting is listed as "Disable NetIOS over TCP/IP" -- see screenshot). However, I still consider this a bug in vmnet-natd, because I never had to turn that setting off under Parallels.. and I've never seen this problem with any other virtualization technology that supports NAT when running a Windows 7 VM (VirtualBox, ESXi, VMware Player).

The VMWare tech that responded when I opened the ticket was very helpful but the next steps in debugging this issue was to do a remote screen sharing session during a workday (Mon-Fri, 9-5p EST). I have a pretty hectic schedule and couldn't make time during business hours for that. The support ticket is closed now AFAIK, but if I am able to schedule time for more debugging, I may re-open it (or if you want, I'm sure you could pursue that as well).

-Arion

vmnet-natd-win7-wins.png

0 Kudos
Contributor
Contributor

Seeing the same symptoms here, constant NetBIOS chatter while Windows 7 is running within VMWare Fusion 5.0.3. Disabling NetBIOS within Windows 7 as per previous post didn't help. Looking at /Library/Preferences/VMware Fusion/vmnet8/nat.conf if I bump up the netbios-related timeouts to 20 seconds:

nbnsTimeout = 20

nbdsTimeout = 20

then indeed I see the busts of NetBIOS packets directed at our domain controller (which doesn't answer) only every 20 seconds, which helps to reduce the traffic, but doesn't eliminate the problem. It may be that the problem is also on the domain controller / active directory side, which would cause the domain controller to ignore these WINS queries?

0 Kudos
Contributor
Contributor

I seem to have gotten the NetBIOS chatter under control. Turns out that the Mac (running 10.8.4) had invalid WINS configuration information, pointing to a Windows 2008R2 which didn't have WINS services enabled, so it was just ignoring all the WINS traffic.

So what worked for me:

- disable NetBIOS over IP in the Windows 7 VM as per previous post

- remove incorrect WINS config in the OS X Network System Preferences panel

- reboot

Everything now seems to be quiet.

0 Kudos
Hot Shot
Hot Shot

PsyopSystems wrote:

the Mac (running 10.8.4) had invalid WINS configuration information, pointing to a Windows 2008R2 which didn't have WINS services enabled, so it was just ignoring all the WINS traffic.

Did you mean that Windows 2008R2 was specified as a WINS Server?

0 Kudos
Contributor
Contributor

Yes, the Mac had the IP address of a Windows 2008R2 domain controller set as the WINS server, but that DC didn't have the WINS server role configured. It doesn't look like we need WINS at all in our environment, so disabling it seems to make sense.

0 Kudos