* Why SYN-ACK packets are dropped as INVALID?
From: Spenst, Aleksej @ 2015-03-26  8:41 UTC (permalink / raw)
  To: netfilter

Hi All,

I’m sending TCP SYN packets to the server. The problem is that the SYN-ACK packets coming from the server in response are sometimes dropped by my firewall (iptables) as INVALID. I can’t figure out why the firewall sees these packets as invalid. They seem to be OK. What parameters does the firewall take into account when deciding that a packet is invalid?

Example from tcpdump:

19:29:22.045106  <my IP>      <Server IP>  TCP  60710→8080 [SYN] Seq=2646194936 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1356920 TSecr=0 WS=16
19:29:22.817859  <Server IP>  <my IP>      TCP  8080→60710 [SYN, ACK] Seq=3920856233 Ack=2646194937 Win=65535 Len=0 MSS=1200 SACK_PERM=1

The ACK sequence number (Ack=2646194937) is OK, but I see in my iptables logs that this SYN-ACK packet is marked as INVALID and dropped.
When the SYN-ACK packet comes, the TCP session is in the SYN_SENT state, so the states are also OK. Why is this packet invalid then?

Thank you!
Aleksej.


* Re: Why SYN-ACK packets are dropped as INVALID?
From: Neal Murphy @ 2015-03-26 12:53 UTC (permalink / raw)
  To: netfilter

On Thursday, March 26, 2015 04:41:21 AM Spenst, Aleksej wrote:
> Hi All,
> 
> I’m sending TCP SYN packets to the server. The problem is that the SYN-ACK
> packets coming from the server in response are sometimes dropped by my
> firewall (iptables) as INVALID. I can’t figure out why the firewall sees
> these packets invalid. They seem to be Ok. What parameters are taken into
> account by the firewall when making a decision about invalidity of a
> packet?
> 
> Example from tcpdump:
> 
> 19:29:22.045106  <my IP>      <Server IP>  TCP  60710→8080 [SYN]
> Seq=2646194936 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1356920 TSecr=0
> WS=16 19:29:22.817859  <Server IP>  <my IP>      TCP  8080→60710 [SYN,
> ACK] Seq=3920856233 Ack=2646194937 Win=65535 Len=0 MSS=1200 SACK_PERM=1
> 
> The ACK sequence number (Ack=2646194937) is OK, but I see in my iptables
> logs that this SYN-ACK packet is marked as INVALID and dropped. When the
> SYN-ACK packet comes the TCP session is in the state SYN_SENT -> So, the
> states are also OK. Why is this packet invalid then?

Does the ACK tell the peer the sequence # of the *next* packet the host 
expects to receive? Or does it acknowledge the *last* packet it received? If 
the latter, then the SYN-ACK as sent is invalid, as it acknowledges a packet 
that hasn't been sent yet.


* AW: Why SYN-ACK packets are dropped as INVALID?
From: Spenst, Aleksej @ 2015-03-26 13:25 UTC (permalink / raw)
  To: neal.p.murphy, netfilter

Hi Neal,

Is this configurable? I thought the ACK number is always 1 greater than the sequence number of the SYN packet. So, in my case the ACK shows the sequence number of the next packet the host expects to receive. I see this in tcpdump logs when everything works fine (the described problem happens only sometimes).

Can it be that my system sometimes suddenly expects that the ACK shows the last packet the host received (instead of the next)? 

Thank you,
Aleksej.


* RE: Why SYN-ACK packets are dropped as INVALID?
From: Joel Gerber @ 2015-03-26 13:27 UTC (permalink / raw)
  To: Spenst, Aleksej, neal.p.murphy; +Cc: netfilter

The ACK number reflects the bytes that you have processed from the remote end. When you have a TCP "signaling" datagram, which contains no actual user data, you will always add 1 to the sequence number of the received packet when performing an ACK.

Joel Gerber
Network Operations Specialist - Telephone
Telephone
Eastlink
Joel.Gerber@corp.eastlink.ca    T: 519.786.1241


* AW: Why SYN-ACK packets are dropped as INVALID?
From: Spenst, Aleksej @ 2015-03-26 16:14 UTC (permalink / raw)
  To: netfilter, Joel Gerber, neal.p.murphy

Thank you. So, the ACK number is correct. Why is the packet invalid then?


* RE: Why SYN-ACK packets are dropped as INVALID?
From: Joel Gerber @ 2015-03-26 19:09 UTC (permalink / raw)
  To: Spenst, Aleksej; +Cc: netfilter

I would probably have to see a packet capture (tcpdump/tshark/dumpcap) starting from the initial SYN to the "invalid" segment to give much more help.

Joel Gerber
Network Operations Specialist - Telephone
Telephone
Eastlink
Joel.Gerber@corp.eastlink.ca    T: 519.786.1241

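The two checks the thread converges on (Joel's rule that a SYN-ACK must acknowledge the SYN's sequence number plus one, and his request for a capture that starts at the initial SYN) can be scripted. The following is an added example for this thread, not code from the original posts or from the netfilter project: it parses summary lines in the layout Aleksej pasted and reports the mismatches that a stateful tracker would refuse before admitting the reply into a SYN_SENT flow. The IP addresses are constructed placeholders standing in for `<my IP>` and `<Server IP>`; the ports, flags and sequence numbers are the ones from the post.

```python
"""Validate a SYN / SYN-ACK pair from tshark-style summary lines.

Added example for the netfilter thread above; not netfilter project code.
The parser understands the one-line-per-segment layout pasted in the thread.
"""
import re

# Constructed sample: the two lines from the post, with placeholder IPs
# (10.0.0.2 for <my IP>, 203.0.113.5 for <Server IP>) filled in.
SAMPLE_CAPTURE = """\
19:29:22.045106  10.0.0.2      203.0.113.5  TCP  60710→8080 [SYN] Seq=2646194936 Win=14600 Len=0 MSS=1460 SACK_PERM=1 TSval=1356920 TSecr=0 WS=16
19:29:22.817859  203.0.113.5  10.0.0.2      TCP  8080→60710 [SYN, ACK] Seq=3920856233 Ack=2646194937 Win=65535 Len=0 MSS=1200 SACK_PERM=1
"""

# timestamp, src, dst, "TCP", sport→dport, [flags], then key=value fields
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+TCP\s+"
    r"(?P<sport>\d+)→(?P<dport>\d+)\s+\[(?P<flags>[^\]]*)\]\s+(?P<rest>.*)$"
)


def parse_segment(line):
    """Turn one summary line into a dict of the fields a tracker cares about."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "sport": int(m.group("sport")),
        "dport": int(m.group("dport")),
        "flags": {f.strip() for f in m.group("flags").split(",")},
        "seq": int(fields["Seq"]),
        "ack": int(fields["Ack"]) if "Ack" in fields else None,
        "opts": fields,
    }


def parse_capture(text):
    return [parse_segment(line) for line in text.splitlines() if line.strip()]


def check_syn_ack(syn, syn_ack):
    """Return the reasons a stateful tracker would reject syn_ack as the reply
    to syn. An empty list means the pair is consistent on what is visible
    in the two lines (flags, direction, and the ACK number)."""
    problems = []
    if syn["flags"] != {"SYN"}:
        problems.append("first segment is not a pure SYN")
    if syn_ack["flags"] != {"SYN", "ACK"}:
        problems.append("reply flags are not SYN+ACK")
    # The reply must travel the reversed 4-tuple of the original direction.
    reply_tuple = (syn_ack["src"], syn_ack["sport"], syn_ack["dst"], syn_ack["dport"])
    expected_tuple = (syn["dst"], syn["dport"], syn["src"], syn["sport"])
    if reply_tuple != expected_tuple:
        problems.append("reply does not match the reversed 4-tuple of the SYN")
    # A SYN consumes one sequence number, so the reply must acknowledge
    # seq+1; the addition wraps at 2^32 like the TCP sequence space does.
    expected_ack = (syn["seq"] + 1) % (1 << 32)
    if syn_ack["ack"] != expected_ack:
        problems.append(f"ack {syn_ack['ack']} != expected {expected_ack}")
    return problems


if __name__ == "__main__":
    syn, syn_ack = parse_capture(SAMPLE_CAPTURE)
    print(check_syn_ack(syn, syn_ack) or "SYN-ACK is consistent with the SYN")
```

On the post's own numbers the check comes back clean, which matches what Joel told Aleksej: the ACK number itself is not the reason. What the two lines cannot show is whether the tracker still holds the SYN_SENT entry when the reply arrives, or how the reply sits against the per-direction window bounds the tracker keeps; that is why the thread ends with a request for a capture that starts at the initial SYN. On a Linux host the kernel will also state its own reason for an INVALID verdict when `net.netfilter.nf_conntrack_log_invalid` is set to the protocol number (6 for TCP), a sysctl that exists but is not mentioned in the thread.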
