LabVIEW

I've brought this to NI Support who is also seeing this happen with my code so it's not just my machine and they're working on figuring out why the open tcp connection is blocking when using the service name version.

I just ran into some strange behavior of the "Open-TCP"-vi using "Service" instead of port as well. Under certain firewall-settings or may be even with unstable WiFi-Networks, the "Open-TCP"-Node froze and hung.

Ist there any answer from NI meanwhile?

Hey NordicViking,

What firewall-settings create the hang?

Also a side note, I recommend you create a new thread for something like this. A new thread will get more visibility with other forum users, and you can always link relevant threads in your posts

Hello Steven,

since you're asking about "what firewall": It was usinig standard Windows10 firewall. I would like to share to you all the firewall settings of mine, but I'm not really sure how to export them. Anyway: If you have any special question about the firewall settings, contact me again and I will try to give any information needed.

About the setup in which the error (sometimes) occured: I had two computers, one running as "Master" the other running as client. The master repeatedly opened a TCP-Listerner WITH NO SPECIFIC PORT BUT WITH SERVICENAME "Master". This had a timeout of 5000 ms; if no connction was made during timeout, the master quickly checks if a Stop-Event occured, and if no stop was issued, then normally open the listener again.

The client once in a while wants to send some information to the master. It tries to open a TCP-connection to the master at the masters IP-adress (in dot-format like "11.25.41.250") and with no specific port but "servicename" "Master". There was a timeout of 1000 ms attached to the "Open TCP connection"-vi. The client programm ran as a build application (".exe").

In this setup, when the master had the firewall still active, the client hangs. "Hangs" means, the for many minutes the message could not be send and I was not able to cleanly close the programm (it used the actor framework and the actor with the TCP-VI could not be closed).

I did not totally track down the error, but it very much looks to me, that the "Open TCP-connection" was the problem, because:

 - If I disable the firewall at the Master-PC, the problem was gone

 - After I replaced the TCP-Vis to not use a "service-name" but to use a fixed port-number instead, the problem was also gone.

So, for me it lookes that there is a problem with the resolution of the "Service-name" via the NI-service-locator together with a underlying network-stack.

For me this error was very annoying, because I (of course) relied on, that the TCP-VIs keep their TIMEOUT-settings at least approximately. Having a TCP-vi "hang" for minutes took me some days to troubleshoot, especially since it did not always happen and debugging had to take place in an distributed environment with many PCs involved. 

I would be happy, if NI could fix this issue.

If you need any more information, don't hesitate to contact me.

Is disabling the firewall at the Master-PC or assigning a a fixed port-number a viable work around for you? I will try to recreate this issue on my end and perhaps this will be a CAR

Hey Steven,

yes, assigning a fixed port -number indeed is a workaround and I have successfully implemented this already. It works fine for me. Thus, bug-fixing this issue is not urgent for me anymore.

However, I do think that something so fundamenal as TCP/IP-VIs really should be relyable and "bomb-proof"; so I think, i would be in the interest of NI, too, to have this nasty bug (which could lead to total programm-freeze) fixed.

Anyway, Steven, I'm happy that you careed for it and thanks for your answers.

---

@NordicViking wrote:

Hey Steven,

 

However, I do think that something so fundamenal as TCP/IP-VIs really should be relyable and "bomb-proof"; so I think, i would be in the interest of NI, too, to have this nasty bug (which could lead to total programm-freeze) fixed.

 

---

The only way to have software bomb-proof is to not run it at all! A less extreme way is to test it and retest it a few thousand times on a specific setup and never ever again change anything on it after that. That's the reality and nothing anyone can do about it.

When this feature was added to the TCP/IP VI's, many people would have given you a blank stare if you asked them about what firewall they use with possibly the question: "What is a firewall? or possibly "I don't have a firewall in my house!"

Modern computer firewalls do all kinds of fancy stuff, digging deep into the network stack and modifying its behavior in ways nobody would have thought of 10 years ago, and just about anyone would have declared a person crazy, if they had suggested something like that.

And a firewall is supposed to work seamlessly, which means it does not return an error when you attempt to do something that it feels is not legitimate according to its rules, but it generally simply makes the underlying network stack function behave as if the desired address or function is not present, which will result in lengthy and usually inside the stack hardwired timeouts. Generally nothing LabVIEW could even detect, since it's desired behavior that a malware application can NOT detect that it is blocked by a firewall but instead just sits there waiting for the connection to succeed, which will never happen if the firewall works correctly. And if a malware shouldn't be able to detect that it is blocked by a firewall, LabVIEW can't detect it either.

The service lookup relies on the fact that a local service locater deamon (a Windows service on a Windows machine) on the target machine is installed, enabled and running and that it has network access rights. When you use the Create Listener function with a service name, it creates a socket bound to an arbitrary port and then registers that service name and according port number with the service locater deamon on its own machine.

When you then use TCP Open to connect to a Listener by service name, this will contact the service locater service on the target IP address and query for the port number that service has registered. If successful it will  connect to the port number that query returned and return. If the service name could not be found it will return with an error. But there is a third option, that the firewall on the server machine (or possibly your own firewall on your own machine considers this an illegal connection attempt and it simply makes the connection request to the NI Service Locater only return after a HUGE delay, with an error indicating that the remote application is not reachable. Now LabVIEW could simply return with that error, or considering that TCP/IP can sometimes flake out, retry another time to connect to that service! And now you have a problem. You either make some legitimate retry attempts (legitimate because connection requests can sometimes timeout and will succeed if you try another time) and run into the problem that when this failure is caused by a firewall you run into seemingly indefinite timeouts, or you abort after the first failure and return with a timeout error and let the application developer deal with the decision to retry on error or not. But even in this second case the inherent timeout caused by the firewall on the first call already might be in the order of minutes anyways.

So lets look how the NI Service Locater service works: First you have the NI Service Locator deamon running on the machine that runs the TCP IP Server which registers itself under a name. This usually works, since a local process usually has the right to connect to a local TCP/IP port, so the TCP Create Listener function can normally connect to the NI Service Locator service to register itself.

Now for the client the things are a bit more complicated. This client needs to have the right to make a connection to the target machine and specifically on TCP port number 3580, which is the NI Service Locator port number. The protocol it uses is HTTP but it obviously can't use the port number 80, as that is to likely to conflict with another user installed service or application that wants to behave as HTTP server. But strictly configured firewalls, especially on the computer that runs the Service Locator will often block incoming connections to TCP/IP endpoints that are not well known TCP port numbers and/or considered unsafe such as port 21 for FTP for instance.

There is also the chance that even the client computer will restrict outgoing connections to port numbers it does not recognize as well known services, possibly also coupled with stateful protocol inspection to make sure that there is really the expected protocol transferred over the wire, that matches with the port number.

The real problem is not that LabVIEW doesn't know how to work around a firewall, but that you need to understand what TCP ports are involved and to configure your firewalls on the server machine and possibly your client machine, to allow for these ports to be accessed.

Rolf Kalbermatter
My Blog

Hello Rolf,

thanks for your detailed explainations. I do understand that firewalls and networks in their depth are complicated and I see the challanges for Labview/NI.

However, at the end of the day, I would wish for the following:

 - Even if a firewall discards/drops some packages necessary to resolve the port of the named service: The TCP-Open Vi should somewhat finish within its timeout. If it doesn't succeed to open the TCP-connection, that's o.k., but if a timeout of 1s is given, then even when a firewall blocks the desired requist, the VI can still terminate at least approximately within timeout.

- If the above mentioned requirement to terminate within timeout constraint  - under some really nasty network- and firewall conditions - really cannot be hold, then AT LEAST I would expect the help-text for the Open-TCP-Vi will inform me in advance about this problem.

If I followed Rolfs reasoning to the ultimate consequence, it would mean: "Whenever one uses TCP-Vis in one's Labview-project, your code may by chance hang for an unpredictable amount of time, and there is nothing you can do about it, because networks and firewalls are so complicated". Ok., that's somewhat put a bit sarcastic, but that's what it would come down to, and that's probably not what you would find to be acceptable.

What I finally want to say: I would wish NI to take a bit more care with these fundaments (primitive) Labview-TCP-VIs, so that at least they do not undeterministically hang for several minutes (or I want to know about this potential problem before).

This might be a great addition to our Idea Exchange. 

http://forums.ni.com/t5/Idea-Exchange/ct-p/ideas