I am having a very strange problem in linux 2.4 kernels. I have not set
any iptables rules at all, and there is no firewall blocking any of my
outgoing traffic. At what seems like random selection, I can not connect
to IP's yet I can get ping replies from them. Most IP's reply just fine,
but certain ones fail to send even an ACK. This problem disappears when I
boot into 2.2. Here is a brief example of what I am talking about:
meatloop:~>ping 204.202.131.229
PING 204.202.131.229 (204.202.131.229): 56 data bytes
64 bytes from 204.202.131.229: icmp_seq=0 ttl=42 time=114.7 ms
64 bytes from 204.202.131.229: icmp_seq=1 ttl=42 time=117.0 ms
[iptraf output]
ICMP echo request (84 bytes) from 209.192.217.120 to 204.202.131.229 on eth0
ICMP echo reply (84 bytes) from 204.202.131.229 to 209.192.217.120 on eth0
ICMP echo request (84 bytes) from 209.192.217.120 to 204.202.131.229 on eth0
ICMP echo reply (84 bytes) from 204.202.131.229 to 209.192.217.120 on eth0
meatloop:~>telnet 204.202.131.229 80
Trying 204.202.131.229...
telnet: Unable to connect to remote host: Connection timed out
[iptraf output]
209.192.217.120:32926 = 6 360 S--- eth0
204.202.131.229:80 = 0 0 ---- eth0
and yet when I boot 2.2, I have not seen any problems of this nature. Is
this a known issue? Possibly a setting in /proc/sys/net/ipv4 that I don't
know about? Thanks for your help...
dave
On Tue, Apr 10, 2001 at 06:24:46PM -0400, Dave wrote:
> I am having a very strange problem in linux 2.4 kernels. I have not set
> any iptables rules at all, and there is no firewall blocking any of my
> outgoing traffic. At what seems like random selection, I can not connect
> to IP's yet I can get ping replies from them. Most IP's reply just fine,
> but certain ones fail to send even an ACK. This problem disappears when I
> boot into 2.2. Here is a brief example of what I am talking about:
echo -n 0 > /proc/sys/net/ipv4/tcp_ecn
Fix it?
If so, please tell the sites you are trying to connect to to upgrade their
$I#$@#%@(%)@%$ firewall and/or load balancer (usually Localdirector or PIX).
This did fix my problem. Thanks very much, I'll be sure to send a polite
message to the admins at sites where I notice this problem! Any detailed
info you might have on why this was failing?
dave
---
This is my signature. There are many like it but this one is mine.
On Tue, 10 Apr 2001, Gregory Maxwell wrote:
> On Tue, Apr 10, 2001 at 06:24:46PM -0400, Dave wrote:
> > I am having a very strange problem in linux 2.4 kernels. I have not set
> > any iptables rules at all, and there is no firewall blocking any of my
> > outgoing traffic. At what seems like random selection, I can not connect
> > to IP's yet I can get ping replies from them. Most IP's reply just fine,
> > but certain ones fail to send even an ACK. This problem disappears when I
> > boot into 2.2. Here is a brief example of what I am talking about:
>
> echo -n 0 > /proc/sys/net/ipv4/tcp_ecn
>
> Fix it?
>
> If so, please tell the sites you are trying to connect to to upgrade their
> $I#$@#%@(%)@%$ firewall and/or load balancer (usually Localdirector or PIX).
>
>
On Tue, Apr 10, 2001 at 06:24:46PM -0400, Dave wrote:
>
> I am having a very strange problem in linux 2.4 kernels. I have not set
> any iptables rules at all, and there is no firewall blocking any of my
> outgoing traffic. At what seems like random selection, I can not connect
> to IP's yet I can get ping replies from them. Most IP's reply just fine,
> but certain ones fail to send even an ACK. This problem disappears when I
> boot into 2.2. Here is a brief example of what I am talking about:
Try echo 0 > /proc/sys/net/ipv4/tcp_ecn
If it helps complain to the sites that their firewall is broken.
-Andi
On Wed, Apr 11, 2001 at 02:21:42AM +0200, Andi Kleen wrote:
> Try echo 0 > /proc/sys/net/ipv4/tcp_ecn
> If it helps complain to the sites that their firewall is broken.
It's certain that this refers only to the site firewall?
I had to do this to get to http://www.ibm.com. :-<
mrc
--
Mike Castle Life is like a clock: You can work constantly
[email protected] and be right all the time, or not work at all
http://www.netcom.com/~dalgoda/ and be right at least twice a day. -- mrc
We are all of us living in the shadow of Manhattan. -- Watchmen
On Tue, Apr 10, 2001 at 05:35:31PM -0700, Mike Castle wrote:
> On Wed, Apr 11, 2001 at 02:21:42AM +0200, Andi Kleen wrote:
> > Try echo 0 > /proc/sys/net/ipv4/tcp_ecn
> > If it helps complain to the sites that their firewall is broken.
>
> It's certain that this refers only to the site firewall?
>
> I had to do this to get to http://www.ibm.com. :-<
iirc some load balancer also doesn't like them.
-Andi
On Wed, Apr 11, 2001 at 02:21:42AM +0200, Andi Kleen wrote:
> Try echo 0 > /proc/sys/net/ipv4/tcp_ecn
> If it helps complain to the sites that their firewall is broken.
Not always firewall related.
There are companies like Zyxel that ship broken routers
too.
For example the Zyxel 681 SDSL-Router breaks ECN by
stripping 0x80 (ECN Cwnd Reduced) but not 0x40 (ECN Echo)
(TOS bits) on all SYN packets (!).
I complained because of this two times more than a month ago
but they do not even respond.
I do not know if they are unable or just unwilling to fix it;
maybe they are just unable to read RFC's.
--
ciao -
Stefan
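
An added example (not code from the thread or from any poster): a C check for the breakage described in the message above, classifying the initial SYN in a raw TCP header by its ECN bits and reporting which bits a device on the path cleared. It assumes 0x80 and 0x40 are the CWR and ECE bits in byte 13 of the TCP header, as RFC 3168 defines them; the header bytes are constructed and the function names are illustrative.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Flag bits in byte 13 of the TCP header (CWR and ECE come from RFC 3168). */
#define TCP_SYN 0x02
#define TCP_ACK 0x10
#define TCP_ECE 0x40
#define TCP_CWR 0x80

enum syn_kind { TRUNCATED, NOT_SYN, PLAIN_SYN, ECN_SETUP_SYN, MANGLED_SYN };

/* Classify a raw TCP header (no IP header) by how it negotiates ECN. */
enum syn_kind classify_syn(const uint8_t *tcp, size_t len)
{
    if (len < 20)
        return TRUNCATED;                 /* minimum TCP header is 20 bytes */
    uint8_t flags = tcp[13];
    if (!(flags & TCP_SYN) || (flags & TCP_ACK))
        return NOT_SYN;                   /* only the initial SYN matters here */
    uint8_t ecn = flags & (TCP_ECE | TCP_CWR);
    if (ecn == (TCP_ECE | TCP_CWR))
        return ECN_SETUP_SYN;             /* sender asked for ECN */
    return ecn ? MANGLED_SYN : PLAIN_SYN; /* one bit alone is not a valid request */
}

/* Flag bits set in the SYN as sent but cleared in the copy captured
 * on the far side of the device under test (0 if nothing was cleared). */
uint8_t bits_stripped(const uint8_t *sent, const uint8_t *seen, size_t len)
{
    return len < 20 ? 0 : (uint8_t)(sent[13] & ~seen[13]);
}

/* Constructed sample: SYN from port 32926 to port 80 with ECE and CWR set. */
static const uint8_t syn_sent[20] = {
    0x80, 0x9e, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x50, 0xc2,             /* data offset 5, flags = SYN|ECE|CWR */
    0x16, 0xd0, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    uint8_t syn_seen[20];
    memcpy(syn_seen, syn_sent, sizeof syn_seen);
    syn_seen[13] &= (uint8_t)~TCP_CWR;    /* constructed: CWR cleared, ECE kept */
    printf("sent=%d seen=%d stripped=0x%02x\n",
           classify_syn(syn_sent, 20), classify_syn(syn_seen, 20),
           bits_stripped(syn_sent, syn_seen, 20));
    return 0;
}
```

A result of MANGLED_SYN on the far side of a device, with ECN_SETUP_SYN on the near side, points at that device rather than at the destination host.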
> For example the Zyxel 681 SDSL-Router breaks ECN by
> stripping 0x80 (ECN Cwnd Reduced) but not 0x40 (ECN Echo)
> (TOS bits) on all SYN packets (!).
>
> I complained because of this two times more than a month ago
> but they do not even respond.
If the router claims to be RFC compliant then you may want to investigate
trading standards bodies. In the UK at least things like the advertising
standards agency get upset by people who claim standards compliance, are shown
not to be compliant and are not fixing things..
On Sat, 14 Apr 2001, Alan Cox wrote:
> If the router claims to be RFC compliant then you may want to investigate
> trading standards bodies. In the UK at least things like the advertising
> standards agency get upset by people who claim standards compliance, are shown
> not to be compliant and are not fixing things..
Wasn't someone going to set up an 'ECN hall of shame' webpage to track
noncompliant vendors?
On Sat, Apr 14, 2001 at 03:27:53PM +0100, Alan Cox wrote:
> > For example the Zyxel 681 SDSL-Router breaks ECN by
> > stripping 0x80 (ECN Cwnd Reduced) but not 0x40 (ECN Echo)
> > (TOS bits) on all SYN packets (!).
> >
> > I complained because of this two times more than a month ago
> > but they do not even respond.
>
> If the router claims to be RFC compliant then you may want to investigate
> trading standards bodies. In the UK at least things like the advertising
> standards agency get upset by people who claim standards compliance, are shown
> not to be compliant and are not fixing things..
FYI: I just tested a beta firmware that does not break ECN.
(ZyXEL firmware v2.50(T.05)b6 | 03/28/2001)
I hope that Zyxel will make a release soon, the last official firmware
does not support it. (Ahm, people that are willing to upgrade should
do it on _both_ sides)
--
ciao -
Stefan