Sven Riedel wrote:
Patrick McHardy wrote:
Sven Riedel wrote:
Is this issue known/is there a patch available or would further
information be needed to help debug the problem?
2.6.24.3 includes a patches that was supposed to fix problems
with connections in TIME_WAIT state. Does 2.6.24.2 work better
for you?
The firewall system in question is currently productive. I _might_ be
able to try the other kernel tomorrow morning. Once I am able to try it
I'll let you know.
Please enable conntrack logging for TCP by executing:
echo 6 >/proc/sys/net/netfilter/nf_conntrack_log_invalid
and check whether you get any messages in the ring buffer.
Yep, lots ;)
In the following 100.100.100.100 is the external machine and
200.200.200.200 is the NAT IP-Address on the firewall. A 5MB file was
transferred via scp to 100.100.100.100 from the internal network.
The output during a "clean" run, with an empty conntrack table and no
stalls:
nf_ct_tcp: ACK is over the upper bound (ACKed data not seen yet) IN= OUT=
SRC=100.100.100.100 DST=200.200.200.200 LEN=64 TOS=0x00 PREC=0x00 TTL=56
ID=42121
...
During a run with stalls:
nf_ct_tcp: ACK is over the upper bound (ACKed data not seen yet) IN= OUT=
SRC=100.100.100.100 DST=200.200.200.200 LEN=80 TOS=0x00 PREC=0x00 TTL=56
ID=44105
DF PROTO=TCP SPT=22 DPT=35858 SEQ=4160349927 ACK=596614326 WINDOW=49248
RES=0x00 ACK URGP=0 OPT
(0101080A4558793C1B13CE350101051A491E8751491E8CA9491E7B71491E81F9491E40A9491E5B61)
^^^^ Transfer stalled here for ~10 seconds.
printk: 22 messages suppressed.
nf_ct_tcp: ACK is over the upper bound (ACKed data not seen yet) IN= OUT=
SRC=100.100.100.100 DST=200.200.200.200 LEN=72 TOS=0x00 PREC=0x00 TTL=56
ID=44113
Thanks, can you send a binary tcpdump (... -w file) of a connection
that triggers these messages please?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html