Re: 2.6.9 tcp problems

Re: 2.6.9 tcp problems

[kernel]

Stephen Hemminger wrote:

> On Mon, 29 Nov 2004 13:03:34 -0500
> kernel <kernel@nea-fast.com> wrote:
>
>  
>
>> I've run into a problem with 2.6.(8.1,9) after installing a secondary 
>> firewall. When I try to pull data through the original firewall 
>> (mail, http, ssh), it stops after approx. 260k. Running ethereal 
>> tells me "A segment before the frame was lost" followed by a bunch 
>> of  "This is a TCP duplicate ack" when using ssh. All 2.4.x machines 
>> and windows clients work fine. I built 2.4.28 and it works fine from 
>> my machine. I also fiddled with tcp_ecn and that didn't fix it 
>> either. I don't have any problems communicating to "local" machines. 
>> I've attached the tcpdump output from an scp attempt. NIC is a 3Com 
>> Corporation 3c905B.
>>   
>
>
> What kind of firewall?  There are firewalls that are too stupid and don't
> understand TCP window scaling.
>
>  
>
It's a fortigate 60.  We put our secure web servers behind a netscreen 5 
firewall which plugs into the fortigate and that's when the problems 
started.  I remember reading some stuff on lkm about recent tcp changes 
but I couldn't remember exactly what it was. Thanks for reminding me !

Here is how it's layed out now
secure_web_servers->netscreen->fortigate->rest_of_network

Thanks !
walt

Re: 2.6.9 tcp problems

[Mark Watts]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> Stephen Hemminger wrote:
> > On Mon, 29 Nov 2004 13:03:34 -0500
> >
> > kernel <kernel@nea-fast.com> wrote:
> >> I've run into a problem with 2.6.(8.1,9) after installing a secondary
> >> firewall. When I try to pull data through the original firewall
> >> (mail, http, ssh), it stops after approx. 260k. Running ethereal
> >> tells me "A segment before the frame was lost" followed by a bunch
> >> of  "This is a TCP duplicate ack" when using ssh. All 2.4.x machines
> >> and windows clients work fine. I built 2.4.28 and it works fine from
> >> my machine. I also fiddled with tcp_ecn and that didn't fix it
> >> either. I don't have any problems communicating to "local" machines.
> >> I've attached the tcpdump output from an scp attempt. NIC is a 3Com
> >> Corporation 3c905B.
> >
> > What kind of firewall?  There are firewalls that are too stupid and don't
> > understand TCP window scaling.
>
> It's a fortigate 60.  We put our secure web servers behind a netscreen 5
> firewall which plugs into the fortigate and that's when the problems
> started.  I remember reading some stuff on lkm about recent tcp changes
> but I couldn't remember exactly what it was. Thanks for reminding me !
>
> Here is how it's layed out now
> secure_web_servers->netscreen->fortigate->rest_of_network
>

Not sure if this helps:

I have a pair of Dell PowerEdge 1750's (running Mandrake 9.2/2.4.22) plugged 
directly into a Netscreen 5GT and they do not exhibit this behaviour.

Network cards are bcm5700 series.

/proc/sys/net/ipv4/tcp_window_scaling is set to '1'

Mark.

- -- 
Mark Watts
Senior Systems Engineer
QinetiQ Trusted Information Management
Trusted Solutions and Services group
GPG Public Key ID: 455420ED

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBrdEUBn4EFUVUIO0RAv6VAJ4+sdb3orBiFByfFWbXg40DbA1yygCff8qq
yAF7xiYh75Fi3JU8NnaaVFs=
=nMI1
-----END PGP SIGNATURE-----

Re: 2.6.9 tcp problems

[John Heffner]

On Mon, 29 Nov 2004, kernel wrote:

> I've run into a problem with 2.6.(8.1,9) after installing a secondary
> firewall. When I try to pull data through the original firewall (mail,
> http, ssh), it stops after approx. 260k. Running ethereal tells me "A
> segment before the frame was lost" followed by a bunch of  "This is a
> TCP duplicate ack" when using ssh. All 2.4.x machines and windows
> clients work fine. I built 2.4.28 and it works fine from my machine. I
> also fiddled with tcp_ecn and that didn't fix it either. I don't have
> any problems communicating to "local" machines. I've attached the
> tcpdump output from an scp attempt. NIC is a 3Com Corporation 3c905B.

Try `echo 0 > /proc/sys/net/ipv4/tcp_window_scaling'.  If this makes it
work, it's almost certainly a buggy firewall.

Also, tcpdumps are far more useful if they are binary (tcpdump -w) and
capture the beginning of the connection.

  -John

Re: 2.6.9 tcp problems

[Willy Tarreau]

It is possible that the autoneg code has changed between 2.4 and 2.6
for the interface connected to the current firewall, and that you lose
packets because of a duplex mismatch. Please check the negociation
with ethtool on your system, and do so on the other firewall.

Regards,
willy

On Mon, Nov 29, 2004 at 01:03:34PM -0500, kernel wrote:
> I've run into a problem with 2.6.(8.1,9) after installing a secondary 
> firewall. When I try to pull data through the original firewall (mail, 
> http, ssh), it stops after approx. 260k. Running ethereal tells me "A 
> segment before the frame was lost" followed by a bunch of  "This is a 
> TCP duplicate ack" when using ssh. All 2.4.x machines and windows 
> clients work fine. I built 2.4.28 and it works fine from my machine. I 
> also fiddled with tcp_ecn and that didn't fix it either. I don't have 
> any problems communicating to "local" machines. I've attached the 
> tcpdump output from an scp attempt. NIC is a 3Com Corporation 3c905B.
> 
> Thanks !
> walt
> 

Re: 2.6.9 tcp problems

[Stephen Hemminger]

On Mon, 29 Nov 2004 13:03:34 -0500
kernel <kernel@nea-fast.com> wrote:

> I've run into a problem with 2.6.(8.1,9) after installing a secondary 
> firewall. When I try to pull data through the original firewall (mail, 
> http, ssh), it stops after approx. 260k. Running ethereal tells me "A 
> segment before the frame was lost" followed by a bunch of  "This is a 
> TCP duplicate ack" when using ssh. All 2.4.x machines and windows 
> clients work fine. I built 2.4.28 and it works fine from my machine. I 
> also fiddled with tcp_ecn and that didn't fix it either. I don't have 
> any problems communicating to "local" machines. I've attached the 
> tcpdump output from an scp attempt. NIC is a 3Com Corporation 3c905B.

What kind of firewall?  There are firewalls that are too stupid and don't
understand TCP window scaling.

2.6.9 tcp problems

[kernel]

[-- Attachment #1: Type: text/plain, Size: 648 bytes --]

I've run into a problem with 2.6.(8.1,9) after installing a secondary 
firewall. When I try to pull data through the original firewall (mail, 
http, ssh), it stops after approx. 260k. Running ethereal tells me "A 
segment before the frame was lost" followed by a bunch of  "This is a 
TCP duplicate ack" when using ssh. All 2.4.x machines and windows 
clients work fine. I built 2.4.28 and it works fine from my machine. I 
also fiddled with tcp_ecn and that didn't fix it either. I don't have 
any problems communicating to "local" machines. I've attached the 
tcpdump output from an scp attempt. NIC is a 3Com Corporation 3c905B.

Thanks !
walt


[-- Attachment #2: dump.txt.gz --]
[-- Type: application/x-gzip, Size: 1165 bytes --]