From mboxrd@z Thu Jan 1 00:00:00 1970
From: Marco Gaiarin
Date: Fri, 04 Jun 2021 15:23:11 +0000
Subject: Re: Connection tracking debugging?!
Message-Id: <20210604152311.GJ3056@sv.lnf.it>
List-Id:
References: <20210525103639.GF3214@sv.lnf.it>
In-Reply-To: <20210525103639.GF3214@sv.lnf.it>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
To: lartc@vger.kernel.org

Hello! Grant Taylor
  On that day it was said...

Sorry for the late answer, but I was busy with other things...

> > How can I 'debug' this issue? Thanks.
> I'd check the output of dmesg to see if you're exhausting the state table.
> If you are, you'll see all sorts of messages from the kernel. At least I did
> when I ran into this years ago. Adding memory addressed the problem then.

No, I had not said that, but it was the first thing I looked for: no
conntrack table overflow...

> Short of that low hanging fruit I'd start with packet captures so that you
> can watch the traffic flow. I occasionally see invalid traffic after the
> flow should have been closed.
>
> It looks like your client may be sending TCP Reset packets. This could be
> directly related to how different systems terminate a TCP connection. --
> Even if the clients agree, they may be doing something different than the
> connection tracker helper expects, thus causing a subsequent packet to be
> considered invalid after a shorter shutdown.

Could it be that passing through a proxy (SSL/CONNECT, squid) leads to more
TCP resets? It seems that proxied connections reset more frequently...

I sometimes see in the proxy cache.log file:

 2021/06/04 12:41:07| TunnelStateData::Connection::error: FD 20: read/write failure: (32) Broken pipe

-- 
dott. Marco Gaiarin                                 GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''      http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797

        Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
    (tax code 00307430132, category ONLUS or RICERCA SANITARIA)