Mano:
Were this a firewall problem, one would expect a more consistent
behavior than is being observed. We do not see all systems failing to
complete the download and installation of the Google Earth Plugin.
Nor do we see the high CPU utilization when the application is
activated on all systems.
In the path there is a firewall running an intercept application HTTP
proxy. If the server fails to set Content-Length in the HTTP header,
as does the Google server, there is a potential for the transfer to be
terminated prematurely. This is, particularly, true if the connection
is terminated by a RST rather than the FIN procedure. Is there any
reason for the Content-Length not to be set?
The original "crash test dummy" systems that I used could download and
install the Google Earth Plugin without problems and did not encounter
the 100 percent CPU utilization problem. One significant difference
about the physical and virtual "crash test dummy" systems is that they
were not in an Active Directory domain.
Over the weekend, I used a virtual system configured to be in an AD
domain. Consistently, I encountered problems with downloading and
installing the software when Internet Exploder was used to download
the install program. The standard complaint was that the server had
terminated the connection abnormally. After a half-dozen attempts, I
gave up and tried Firefox 3. It downloaded and installed the software
without a problem. Once Firefox was used to download the software, it
was immediately usable by both Firefox and Internet Exploder.
On several of the systems that were encountering problems, we were
using Terminal Service/rdesktop to connect to the systems. We
discovered that the Google Earth Plugin could be downloaded and
installed when we were physically at and logged into the system. Not
sure why it would fail in the first instance but not in the second.
No errors or rule/policy violations have been reported by any of the
corporate firewalls in the path.
I've noticed over the years that web servers that don't use the
Content-Length header are more prone to problems than those that do
especially when the packets must traverse a security boundary.
Merton Campbell Crockett