Mac Access Agent: Hundreds of "PAX UDP/TCP Port Mapping" rules in Port Forwarding

Discussion in 'General Questions' started by kkramar, Aug 2, 2014.

  1. kkramar

    kkramar Bit Poster

    Messages:
    8
    I was reviewing my router's firewall's port forwarding rules and saw over 250 rules residing there, not created by me... They were labeled:

    PAX UDP port mapping TCP Any -> 37xxx

    The 37xxx refers to numbers that went from 37370 to 37450.

    At first I fretted, and after battening down my hatches found that they were being created by Parallels Access Agent on my 2 Macs - a new, different rule automatically about every 2-3 minutes.

    I've removed Access from my Macs to keep my port forwarding table from getting stomped all over, but now can't use my Access app/subscription, which is frustrating. This seems to have cropped up in the 2.0.1 (26213) version of the agent.

    Has anybody else seen this, or have any info on it? It seems like a bug... Is anybody at Parallels aware of this?

    I have created a problem report & support request about this as well to document with them.

    I've replicated it independently on 2 separate computers by uninstalling & reinstalling with the same results, so I'm pretty certain it's not just a one-time fluke.
     
  2. kkramar

    kkramar Bit Poster

    Messages:
    8
    I also want to note this seems a rather serious concern since my computers (MacBooks) are used on multiple networks. If I caught this on my own router that I administrate, I have to assume this can occur on other networks/routers as well.

    If you are a consultant or tech bringing your system as a resource to clients' sites, the possibility exists that you may be punching security holes in their firewalls. This is a real liability issue, which is why I have completely removed the Access Agent via the PurgeParallelsAccess.sh script ... See: http://kb.parallels.com/en/117142

    Simply quitting the Access Agent client from the menu bar on the Mac is NOT sufficient, the background processes still run. The purge script should be run and then the system restarted to fully eliminate the Access Agent processes.

    I hope this thread will be noticed by a Parallels employee and escalated.
     
  4. Fini111

    Fini111

    Messages:
    7
    I noticed the same thing. I uninstalled it 2 weeks ago. Deleted them all. Everything was good. Today I re-installed access and it started happening again. I put in a support ticket. Going to remove it again until resolved.
     
  5. Fini111

    Fini111

    Messages:
    7
    I have a ticket in. Let's see what comes of it.
     
  6. kkramar

    kkramar Bit Poster

    Messages:
    8
    I put in for both a problem report and a support ticket. Parallels contacted me quickly and asked me to try manually defining a NAT rule in my router... However I couldn't find an option in my Verizon Actiontec MI424WR to support the NAT-PMP they required for this, so in the meantime I uninstalled Access Agent 2.0.1 (26213).

    So, here's my current status with this problem.

    I checked back this evening and found Access had been updated to 2.0.1 (26400), so I decided to give it a try.

    I manage 2 Macs on my LAN. When I installed it on just one computer, it functioned and there were no extra rules created in my router's Port Forwarding section. *However*, when I added Access to the second computer, the issue returned. New multiple rules started popping up for PAX TCP & UDP port mapping tied to each computer's IP address... The port numbers increased in value (37370, 37371, 37372, 37373, 37374, etc), with one computer's IP address claiming the even numbers, the other the odd.

    I think what I'm observing shows that if only installed on one system on the LAN, Access doesn't need to punch a hole in the router, it must somehow discreetly use that 37370 port. *BUT* if two systems are running Access, they seem to be fighting for that same port, and have to negotiate and agree to each map their own ports in the router.

    However, it seems that they must somehow be continuously polling and discovering each other, and the Agents then decide to open the next highest port to again avoid conflict. But instead of settling on and agreeing to use what they've already opened, they keep polling and negotiating until hundreds of ports are created. It's crazy! Given what I noted above re: my router, the only way I can eliminate it is to uninstall the Access Agents from my systems and not use the product. But while I'm not using it, my paid subscription ticks away.

    I ran two Access Agent systems on my LAN earlier in the year with no problem until sometime in July. Something in the code appears to have changed, causing this issue. At this point, it's strictly a single user / single computer product... It appears not to handle more than one computer at a time on a LAN, which unfortunately pulls this application out of an IT pro's toolkit.

    Parallels is a good company with some really useful products — I hope they can resolve this problem soon!
     
  7. Fini111

    Fini111

    Messages:
    7
    My second mac has access installed but that machine has been powered off for the past 2 weeks so that's not a reason for why it's doing this for me anyways.

    We do have something in common though. We are both using Actiontec routers.
     
  9. Fini111

    Fini111

    Messages:
    7
    Here is the reply I received from Parallels:

    We received an update from our Development Team:

    Seems that the router reports incorrect information.

    We would like to offer you two options here:

    1. Update your router's firmware.
    2. Disable UPnP in your router.
     
  10. Fini111

    Fini111

    Messages:
    7
    Ok so the fios actiontec router no longer provides a one click link to UPNP. They hide it now. You have to go here to http://192.168.1.1/index.cgi?active_page=900 to get to it. Once you disable UPNP obviously the PAX ports stop multiplying. Of course disabling UPNP has its advantages and disadvantages. Xbox Live probably going to be my biggest worry. I might have to manually fwd ports and set a static IP. No biggie there. I am just wondering what other devices or applications are going to give me trouble since UPNP is now disabled.

    What I still don't understand is this issue didn't occur until Access 2.0 and my router hasn't been updated in a while so what changed in Access that started this?
     
  11. kkramar

    kkramar Bit Poster

    Messages:
    8
    Fini111 - thanks for that info.

    For me, I know that when I use Skype, and when I set up WIFI network cams, UPnP is used to configure them in the port forwards. I'm not certain the value of using Access outweighs those types of activity, at least for me. I can reach & control my Macs using VNC if I map the machine's listening ports to match the ports being forwarded by the router.

    I'll turn off the UPnP to test it out, but I doubt I'll want to accept that as a permanent solution. I'll likely need to ditch Access until they get the issue figured out. While Access is convenient, it's not my "killer app", and I can accomplish something similar through non-intrusive VNC... There's no need for me to base my network setup around Parallels Access.

    I had used Access 2.0.x on my 2 Macs from April through mid July without a hitch. The developers changed something when they released it during July. My hunch is that they were trying to improve their UPnP / ZeroConf experience for the user. I noticed on the Actiontec UPnP page that there's an option to "Enable Automatic Cleanup of Old Unused UPnP Services" which is checked on by default. Perhaps Access isn't addressing that feature on the Actiontec modems?

    Hopefully a Parallels employee will read this thread and investigate that option.
     
  12. Neilism

    Neilism

    Messages:
    4
    A week ago, Access Desktop was stuck on "Turning On" on both my Macbook Pro and iMac. Both Macs are running on the same office network. (I installed PA on a Mac at my home and it worked perfectly.) Parallels tech support was, as it has always been … completely useless. I read this thread and clearly the problem is that Parallels Access 2.0.1 (26400) cannot run on two computers on the same network.
    This morning, I used the Access uninstall script to remove PA from both computers. Reinstalled PA on my Macbook Pro and it works fine. What a waste of time figuring this out.
     
  13. Andrew@Parallels

    Andrew@Parallels Parallels Team

    Messages:
    633
    Hi All -
    Your feedback has been shared with the development team and they are considering it for further product improvement.
    Please keep your Parallels Access updated to stay on top of the fixes and enhancements we implement. Thanks!
     
  14. Fini111

    Fini111

    Messages:
    7
    Apparently the issue is the new WOL setting in PA. I asked support to tell development to give us the option to shut WOL off. I am still ok myself right now because I shut UPNP off on my router. I had to port forward one or 2 things so far. Nothing crazy. Technically with UPNP off I should be more secure.
     
  15. kkramar

    kkramar Bit Poster

    Messages:
    8
    That makes sense and was one of the things I considered when trying to figure what changed & when it started.

    Frankly, I don't need WOL via WAN... LAN is OK, but not required. I would *SO* gladly welcome the option to disable it. Parallels (Andrew), if this is the culprit can you please ask the developers to build in a disable function?
     
  16. Don_Morris

    Don_Morris

    Messages:
    1
    For what it's worth, I, too, am having this problem with Parallels Access and my Verizon Actiontec MI424WR. But I have a similar issue on a smaller scale with a couple other apps that use u-PNP to set ports for access. It seems to me the problem is with the router, perhaps not reporting uPNP status correctly -- the other two apps report that automatic port forwarding isn't working even though it clearly is.

    However, disabling uPNP and removing all the PAX rules doesn't seem to affect my use of Parallels Access. I suppose that's because of NAT traversal, although I then wonder why the app is punching holes in my firewall in the first place.
     
  17. rlhamil

    rlhamil Bit Poster

    Messages:
    16
    Not unique to that router - also seeing it on a D-Link DIR-868L, thousands of rules (been a while since the router was rebooted). Easy to see these if one builds the free miniupnpc for the Mac, and then (in Terminal, as root) lists the info obtainable from the router with upnpc -l
     
  18. rlhamil

    rlhamil Bit Poster

    Messages:
    16
    ...and in 32:12 (mm:ss) between two samples I happened to take after rebooting the router, (with Access enabled but not used the whole time), two additional pairs of rules appeared.

    IMO, it should check if needed rules are in place before adding more; _and_ it should probably create them with an expiration time, and renew them as needed, rather than leaving them there forever. That would let the exposure go away after awhile if not needed.
     
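A way to see, and to audit, what rlhamil describes in the two posts above: an added Python example (not code from the thread, from Parallels, or from miniupnpc) that parses the mapping table `upnpc -l` prints, counts the 'PAX ... port mapping' entries per internal host, flags the ones with a lease time of 0 (they never expire, the point made in the second post), reports what was added between two snapshots taken a few minutes apart, and prints the `upnpc -d <extPort> <proto>` commands that would remove them. The two snapshots are constructed to resemble the rules the thread describes; the IP addresses, the ports, and the 'Xbox Live' entry are made up, and the row layout assumed is miniupnpc's `upnpc -l` output format.

```python
"""Audit a router's UPnP IGD port mappings as listed by miniupnpc's `upnpc -l`.

Added example, not taken from the thread, Parallels, or miniupnpc. It parses the
mapping table `upnpc -l` prints, groups entries by description and internal host,
flags permanent (leaseTime 0) mappings, diffs two snapshots, and emits the
`upnpc -d` commands that would delete a given set of mappings. The sample tables
below are constructed: hosts, ports and the 'Xbox Live' row are invented.
"""
import re
from collections import Counter

# One mapping row as printed by `upnpc -l` (assumed layout):
#  i protocol exPort->inAddr:inPort description remoteHost leaseTime
ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<ext>\d+)->(?P<host>[\d.]+):(?P<iport>\d+)\s+"
    r"'(?P<desc>[^']*)'\s+'(?P<rhost>[^']*)'\s+(?P<lease>\d+)\s*$"
)

# Constructed snapshot: two Macs, even external ports on one host, odd on the other.
SAMPLE_BEFORE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 37370->192.168.1.10:37370 'PAX TCP port mapping' '' 0
 1 UDP 37370->192.168.1.10:37370 'PAX UDP port mapping' '' 0
 2 TCP 37371->192.168.1.11:37371 'PAX TCP port mapping' '' 0
 3 UDP 37371->192.168.1.11:37371 'PAX UDP port mapping' '' 0
 4 UDP 3074->192.168.1.20:3074 'Xbox Live' '' 3600
"""

# Constructed second snapshot: the same table a few minutes later, two pairs added.
SAMPLE_AFTER = SAMPLE_BEFORE + """\
 5 TCP 37372->192.168.1.10:37372 'PAX TCP port mapping' '' 0
 6 UDP 37372->192.168.1.10:37372 'PAX UDP port mapping' '' 0
 7 TCP 37373->192.168.1.11:37373 'PAX TCP port mapping' '' 0
 8 UDP 37373->192.168.1.11:37373 'PAX UDP port mapping' '' 0
"""


def parse_mappings(text):
    """Return one dict per mapping row; the header and any noise lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("idx", "ext", "iport", "lease"):
                row[key] = int(row[key])
            rows.append(row)
    return rows


def mapping_key(row):
    """(protocol, external port) identifies a mapping on an IGD."""
    return (row["proto"], row["ext"])


def summarize(rows, desc_prefix="PAX"):
    """Count mappings whose description starts with desc_prefix, per host and permanent."""
    matching = [r for r in rows if r["desc"].startswith(desc_prefix)]
    per_host = Counter(r["host"] for r in matching)
    permanent = sum(1 for r in matching if r["lease"] == 0)  # lease 0 = never expires
    return {"total": len(matching), "per_host": dict(per_host), "permanent": permanent}


def new_mappings(before, after):
    """Mappings present in the second snapshot that were absent from the first."""
    seen = {mapping_key(r) for r in before}
    return [r for r in after if mapping_key(r) not in seen]


def cleanup_commands(rows, desc_prefix="PAX"):
    """`upnpc -d <extPort> <proto>` lines that would delete the matching mappings."""
    return [f"upnpc -d {r['ext']} {r['proto']}"
            for r in rows if r["desc"].startswith(desc_prefix)]


if __name__ == "__main__":
    before = parse_mappings(SAMPLE_BEFORE)
    after = parse_mappings(SAMPLE_AFTER)
    print("summary of second snapshot:", summarize(after))
    added = new_mappings(before, after)
    print(f"{len(added)} mappings added between snapshots")
    for cmd in cleanup_commands(added):
        print(cmd)
```

To use it on a real router, run `upnpc -l` as root, save the output twice a few minutes apart, and pass the two files' contents to `parse_mappings` in place of the constructed samples. The generated `upnpc -d` lines only delete mappings; the agent will add new ones unless it is stopped or UPnP is disabled on the router, which is why the per-snapshot diff is the more useful check.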
  19. kkramar

    kkramar Bit Poster

    Messages:
    8
    Ok, here it is 5 months later, on version 2.5.1 (29529), and Access is still punching hundreds of holes in my router's firewall. Is anybody at Parallels taking this seriously? Does anybody there believe this is a problem, or will someone contact me and try to convince me it's a "feature" that's working correctly?

    C'mon guys...
    1.) UPnP shouldn't need to be disabled to work with your product.
    2.) Verizon FiOS is placing boatloads, boatloads and more boatloads of Actiontec MI424WR's into US homes... Get a few, get the instruction set and test your product until it works correctly.
    3.) If WOL is the hole-punching culprit, give us the option to disable the feature.

    I've got a $ubscription to the Access service that's lying fallow for 5 months now, going to waste because I can't use it with my modem... That's lost money, that's crazy! Get on the stick! Hey Andrew@Parallels, are you still in on this conversation? A bunch of folks jawboning in a forum thread about work-arounds only goes so far... We need Parallels developers to resolve this.
     
  20. kkramar

    kkramar Bit Poster

    Messages:
    8
    By the hundreds...
     
