Hello, Grant Taylor!
  On that day it was said...

Sorry for the late answer, but I was busy with other things...

> > How can I 'debug' this issue? Thanks.
> I'd check the output of dmesg to see if you're exhausting the state table.
> If you are, you'll see all sorts of messages from the kernel. At least I did
> when I ran into this years ago. Adding memory addressed the problem then.

No, I've not said that, but it was the first thing I looked for: no
conntrack table overflow...

> Short of that low hanging fruit I'd start with packet captures so that you
> can watch the traffic flow. I occasionally see invalid traffic after the
> flow should have been closed.
>
> It looks like your client may be sending TCP Reset packets. This could be
> directly related to how different systems terminate a TCP connection. --
> Even if the clients agree, they may be doing something different than the
> connection tracker helper expects, thus causing a subsequent packet to be
> considered invalid after a shorter shutdown.

Could it be that passing through a proxy (SSL/CONNECT, squid) leads to more
TCP resets? It seems that proxied connections reset more frequently...

I sometimes see in the proxy cache.log file:

  2021/06/04 12:41:07| TunnelStateData::Connection::error: FD 20: read/write failure: (32) Broken pipe

-- 
dott. Marco Gaiarin                                GNUPG Key ID: 240A3D66
  Associazione ``La Nostra Famiglia''          http://www.lanostrafamiglia.it/
  Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
  marco.gaiarin(at)lanostrafamiglia.it   t +39-0434-842711   f +39-0434-842797

		Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA!
      http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000
	(tax code 00307430132, category ONLUS or RICERCA SANITARIA)
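
Added example, not part of the original message: a small shell triage for the two checks discussed in this thread, conntrack table exhaustion (kernel "table full" messages and table usage) and a per-hour tally of Squid tunnel errors that can be lined up against the timestamps of packets logged as INVALID. The function names and the sample log lines (other than the cache.log line quoted above) are constructed for illustration; the /proc path is the usual Linux default and is assumed here.

```shell
#!/bin/sh
# Added example; sample inputs below are constructed for illustration.
SAMPLE_DMESG='[1001.100000] nf_conntrack: table full, dropping packet
[1001.200000] nf_conntrack: table full, dropping packet
[1002.000000] eth0: link up'
SAMPLE_SQUID='2021/06/04 12:41:07| TunnelStateData::Connection::error: FD 20: read/write failure: (32) Broken pipe
2021/06/04 12:55:30| TunnelStateData::Connection::error: FD 31: read/write failure: (32) Broken pipe
2021/06/04 13:02:11| TunnelStateData::Connection::error: FD 18: read/write failure: (104) Connection reset by peer
2021/06/04 13:05:00| Logfile: opening log /var/log/squid/access.log'

# Count kernel conntrack "table full" messages in dmesg text read from stdin.
# The pattern also matches the older ip_conntrack wording.
count_table_full() {
    grep -c 'conntrack: table full, dropping packet' || true
}

# Percent of the conntrack table in use: $1 = current entries, $2 = maximum.
conntrack_usage_pct() {
    [ "$2" -gt 0 ] || { echo 0; return 0; }
    echo $(( $1 * 100 / $2 ))
}

# Tally Squid CONNECT-tunnel errors per hour from cache.log text on stdin.
# Output lines: "YYYY/MM/DD HH count", sorted by time.
tunnel_errors_per_hour() {
    grep 'TunnelStateData::Connection::error' |
        awk '{ split($2, t, ":"); n[$1 " " t[1]]++ }
             END { for (k in n) print k, n[k] }' | sort
}

# Live check: runs only where the conntrack sysctls are present and readable.
P=/proc/sys/net/netfilter
if [ -r "$P/nf_conntrack_count" ] && [ -r "$P/nf_conntrack_max" ]; then
    used=$(cat "$P/nf_conntrack_count"); max=$(cat "$P/nf_conntrack_max")
    echo "conntrack usage: $(conntrack_usage_pct "$used" "$max")% ($used/$max)"
    echo "table-full messages in dmesg: $(dmesg 2>/dev/null | count_table_full)"
fi
```

To use it on a real proxy, feed the log on stdin, for example `tunnel_errors_per_hour < cache.log` with whatever path the local Squid writes to.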