2004-11-29 18:03:39

by walt

Subject: 2.6.9 tcp problems

I've run into a problem with 2.6.(8.1,9) after installing a secondary
firewall. When I try to pull data through the original firewall (mail,
http, ssh), it stops after approx. 260k. Running ethereal tells me "A
segment before the frame was lost" followed by a bunch of "This is a
TCP duplicate ack" when using ssh. All 2.4.x machines and windows
clients work fine. I built 2.4.28 and it works fine from my machine. I
also fiddled with tcp_ecn and that didn't fix it either. I don't have
any problems communicating to "local" machines. I've attached the
tcpdump output from an scp attempt. NIC is a 3Com Corporation 3c905B.

Thanks !
walt

Attachments:
dump.txt.gz (1.14 kB)

2004-11-29 18:32:22

by Stephen Hemminger

Subject: Re: 2.6.9 tcp problems

On Mon, 29 Nov 2004 13:03:34 -0500
kernel <[email protected]> wrote:

> I've run into a problem with 2.6.(8.1,9) after installing a secondary
> firewall. When I try to pull data through the original firewall (mail,
> http, ssh), it stops after approx. 260k. Running ethereal tells me "A
> segment before the frame was lost" followed by a bunch of "This is a
> TCP duplicate ack" when using ssh. All 2.4.x machines and windows
> clients work fine. I built 2.4.28 and it works fine from my machine. I
> also fiddled with tcp_ecn and that didn't fix it either. I don't have
> any problems communicating to "local" machines. I've attached the
> tcpdump output from an scp attempt. NIC is a 3Com Corporation 3c905B.

What kind of firewall? There are firewalls that are too stupid and don't
understand TCP window scaling.

2004-11-29 19:48:14

by walt

Subject: Re: 2.6.9 tcp problems

Stephen Hemminger wrote:

> On Mon, 29 Nov 2004 13:03:34 -0500
> kernel <[email protected]> wrote:
>
>> I've run into a problem with 2.6.(8.1,9) after installing a secondary
>> firewall. When I try to pull data through the original firewall
>> (mail, http, ssh), it stops after approx. 260k. Running ethereal
>> tells me "A segment before the frame was lost" followed by a bunch
>> of "This is a TCP duplicate ack" when using ssh. All 2.4.x machines
>> and windows clients work fine. I built 2.4.28 and it works fine from
>> my machine. I also fiddled with tcp_ecn and that didn't fix it
>> either. I don't have any problems communicating to "local" machines.
>> I've attached the tcpdump output from an scp attempt. NIC is a 3Com
>> Corporation 3c905B.
>
> What kind of firewall? There are firewalls that are too stupid and don't
> understand TCP window scaling.
It's a fortigate 60. We put our secure web servers behind a netscreen 5
firewall which plugs into the fortigate and that's when the problems
started. I remember reading some stuff on lkm about recent tcp changes
but I couldn't remember exactly what it was. Thanks for reminding me !

Here is how it's laid out now:
secure_web_servers->netscreen->fortigate->rest_of_network

Thanks !
walt

2004-11-30 06:52:57

by Willy Tarreau

Subject: Re: 2.6.9 tcp problems

It is possible that the autoneg code has changed between 2.4 and 2.6
for the interface connected to the current firewall, and that you lose
packets because of a duplex mismatch. Please check the negotiation
with ethtool on your system, and do so on the other firewall.

Regards,
willy

On Mon, Nov 29, 2004 at 01:03:34PM -0500, kernel wrote:
> I've run into a problem with 2.6.(8.1,9) after installing a secondary
> firewall. When I try to pull data through the original firewall (mail,
> http, ssh), it stops after approx. 260k. Running ethereal tells me "A
> segment before the frame was lost" followed by a bunch of "This is a
> TCP duplicate ack" when using ssh. All 2.4.x machines and windows
> clients work fine. I built 2.4.28 and it works fine from my machine. I
> also fiddled with tcp_ecn and that didn't fix it either. I don't have
> any problems communicating to "local" machines. I've attached the
> tcpdump output from an scp attempt. NIC is a 3Com Corporation 3c905B.
>
> Thanks !
> walt
>

2004-11-30 15:45:16

by John Heffner

Subject: Re: 2.6.9 tcp problems

On Mon, 29 Nov 2004, kernel wrote:

> I've run into a problem with 2.6.(8.1,9) after installing a secondary
> firewall. When I try to pull data through the original firewall (mail,
> http, ssh), it stops after approx. 260k. Running ethereal tells me "A
> segment before the frame was lost" followed by a bunch of "This is a
> TCP duplicate ack" when using ssh. All 2.4.x machines and windows
> clients work fine. I built 2.4.28 and it works fine from my machine. I
> also fiddled with tcp_ecn and that didn't fix it either. I don't have
> any problems communicating to "local" machines. I've attached the
> tcpdump output from an scp attempt. NIC is a 3Com Corporation 3c905B.

Try `echo 0 > /proc/sys/net/ipv4/tcp_window_scaling'. If this makes it
work, it's almost certainly a buggy firewall.

Also, tcpdumps are far more useful if they are binary (tcpdump -w) and
capture the beginning of the connection.

-John
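Both Stephen's remark about firewalls that do not understand window scaling and John's suggestion to disable `tcp_window_scaling` come down to the same thing: whether the window-scale option (RFC 1323, option kind 3) was present in both SYNs and how the later 16-bit window fields are therefore to be interpreted. The following is an added example, not code from the thread or from anyone posting in it; it decodes the TCP options from raw segment bytes so a binary capture of the handshake can be checked, and contrasts the window a scaling-aware host derives with the raw 16-bit field a scaling-blind middlebox would see. The segments it feeds itself are constructed, not taken from walt's attached dump.

```python
"""Decode TCP options from raw segments and show the effect of window scaling.

Added example for the 2.6.9 thread; constructs its own sample SYN/SYN-ACK.
"""
import struct

# TCP option kinds (RFC 793, RFC 1323, RFC 2018) and the two flag bits used here.
OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE, OPT_SACK_PERM = 0, 1, 2, 3, 4
FLAG_SYN, FLAG_ACK = 0x02, 0x10


def parse_tcp_options(raw):
    """Walk the option list after the fixed header; reject malformed lengths."""
    opts = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:            # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        body = raw[i + 2:i + length]
        if kind == OPT_MSS and length == 4:
            opts["mss"] = struct.unpack("!H", body)[0]
        elif kind == OPT_WSCALE and length == 3:
            opts["wscale"] = body[0]
        elif kind == OPT_SACK_PERM and length == 2:
            opts["sack_permitted"] = True
        else:
            opts.setdefault("other", []).append(kind)
        i += length
    return opts


def parse_tcp_header(segment):
    """Decode the 20-byte fixed TCP header plus options from raw segment bytes."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset %d" % data_offset)
    flags = off_flags & 0x01FF
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "syn": bool(flags & FLAG_SYN), "ack_flag": bool(flags & FLAG_ACK),
            "window": window,
            "options": parse_tcp_options(segment[20:data_offset])}


def negotiated_shift(client_syn, server_synack):
    """Shifts in effect after the handshake (RFC 1323 section 2).

    Scaling is enabled only if BOTH SYNs carry the option; a shift above 14
    is clamped to 14. Returns (shift for client's windows, shift for server's).
    """
    c = client_syn["options"].get("wscale")
    s = server_synack["options"].get("wscale")
    if c is None or s is None:
        return (0, 0)
    return (min(c, 14), min(s, 14))


def effective_window(window_field, shift):
    """Receive window in bytes for a non-SYN segment (SYN windows are never scaled)."""
    return window_field << shift


def build_syn(sport, dport, window, wscale=None, mss=1460, flags=FLAG_SYN):
    """Construct a SYN or SYN-ACK with MSS and an optional window-scale option
    (constructed sample input, not from the thread's capture)."""
    opts = struct.pack("!BBH", OPT_MSS, 4, mss)
    if wscale is not None:
        opts += struct.pack("!BBBB", OPT_NOP, OPT_WSCALE, 3, wscale)
    data_offset = (20 + len(opts)) // 4           # both layouts are 4-byte aligned
    ack = 1001 if flags & FLAG_ACK else 0
    hdr = struct.pack("!HHIIHHHH", sport, dport, 1000, ack,
                      (data_offset << 12) | flags, window, 0, 0)
    return hdr + opts


def scaling_report(client_syn_bytes, synack_bytes, later_client_window):
    """How a scaling-aware peer and a scaling-blind middlebox read one window field."""
    c = parse_tcp_header(client_syn_bytes)
    s = parse_tcp_header(synack_bytes)
    client_shift, _server_shift = negotiated_shift(c, s)
    return {"wscale_in_both_syns": "wscale" in c["options"] and "wscale" in s["options"],
            "window_as_server_reads_it": effective_window(later_client_window, client_shift),
            "window_as_16bit_field": later_client_window}


if __name__ == "__main__":
    syn = build_syn(40000, 22, 5840, wscale=7)
    synack = build_syn(22, 40000, 65535, wscale=2, flags=FLAG_SYN | FLAG_ACK)
    print(scaling_report(syn, synack, 5840))
```

Run against a real handshake, the check is simply whether `wscale_in_both_syns` is true and how far `window_as_server_reads_it` diverges from `window_as_16bit_field`: a device that tracks only the raw field will judge data beyond it to be out of window, which is consistent with transfers stalling once enough data is in flight and with John's test of turning scaling off to confirm the diagnosis. This is also why John asks for a binary capture that includes the connection start; the option is only carried in the two SYNs.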