Kerio 2.15 in Windows 2k inside VMware Player

[Ninho]

I'm running Windows 2000 SP4 inside of a VMware (Player 1) virtual machine, hosted on SUSE Linux. Had to disable the Kerio firewall 2.1.5, because else the virtual machine repeatably blue-screens at loading fwdrv.sys (the infamous STOP 0xD1, driver_irql_not_less_or_equal).

When running the same config natively instead of in a VM, Kerio loads and works flawlessly. Kerio also loads and works flawlessly in a VM, but in Windows 98 instead of win 2k (this uses a VxD rather than the NT style .sys driver).

All this would point to some incompatibility between Kerio's driver and VMware Player, and I would accept it as one of those sad facts of life, except - someone I don't distrust told me, on another forum, that he is able to run KPF 2.15 in a Windows 2k VM in Linux, without the driver startup crashing the VM.

This if confirmed could justify some more debugging : therefore I'm asking for more evidence of (in)compatibility between VMware Player on the one hand, Kerio's fwdrv.sys OTOH.

If it works for some, the reason it doesn't for me might be some subtle interference with other drivers, driver load order, the amount of memory or other resources, the fact that my VM runs from a "raw" disk rather than virtual... who knows. Anyway, I could as well submit here, in case someone had a bright idea or two...

Cheers

--

Ninho

[GrofLuigi]

The key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fwdrv

Interesting values are:

KernelModuleAuth

MaxBufferSize

AlwaysSecure

ErrPopup

GL

[Ninho]

Hi!

> The key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fwdrv

> Interesting values are: KernelModuleAuth....

It is well configured, since it runs OK outside a VM; I run the VM out of the same physical, raw disk, hence the Kerio in particular is the same. I don't think tweaking that registry key should have an influence; which value are you suggesting to be adjusted anyway, and why ?

Furthermore, the crash occurs on launching the kernel driver, not the service executable. It is not even sure if fwdrv.sys examines the registry at all, or crashes before it has a chance (I could try to check using sysinternals Registry monitor, ISTR it has a way to be launched very early in the boot sequence, however... not sure it can be active before a /kernel driver/ such as fwdrv.sys is activated)

Thank you, GrofLuigi ! More ideas ? Others ?

[Ninho]

GrofLuigi ! I have to apologise for not quite believing, and thank you! Indeed,

changing the KernelModuleAuth value to 0 (from 1) and simultaneously doubliing MaxBuffer up to 32768

made Kerio happy! :=)

I have yet to try the mods separately, to acertain which the crucial one is (unless both are).

Just guessing and ICBW, from the name of the value, "KernelModuleAuth" seems to

be the more effective cause for the observed behavior.

[Edited :] Yep, the KernelModuleAuth is the one that matters ! [Edit end]

Do you know exactly what this is supposed to do, and what I lose without it ? I googled a bit to no avail...

Cheers...

Edited February 10, 2008 by Ninho

[GrofLuigi]

The reason I didn't post explanations was I don't really remember any more... Long time ago I played with it. Now I only transfer these settings without thinking, and while they work for me on XP, I couldn't make them work on Server2003 (so that's why I didn't post any numbers either).

Glad I helped some though

GL

[Ninho]

Glad I helped some though

It certainly did help. Unsetting the "KernelModuleAuth" let fwdrv.sys launch itself without blue-screening.

However this is not the end of the story, as I first thought. Instead it uncovered a further problem,

leading to another Stop-D1 blue screen, this time accusing NDIS.SYS ! This seems to occur whnever the firewall engine, fwdrv.exe, is launched as a service (as it should, really). OTOH no blue screen occurs and the firewall /seems/ to be working if fwdrv is launched manually from the desktop (with admin privilege of course).

However I believe it's not practical - and maybe not secure - to launch the FW engine from the desktop.

Well, I surely am not going to struggle with undocumented settings in an otherwise excellent but sadly unsupported FW ;=)

Just consider this report a pebble added to the online collection of experience about KPF 2.1...

Thanks again