Re: Why does this connection stop being tracked?

On Wed, 15 Jun 2005, Andy Smith wrote:

> > You have two choices: either disable TCP SACK support on all your
> > real/virtual machines behind your firewall, or upgrade the kernel on the
> > firewall.
>
> Do you have any instructions or a pointer to documentation on how to
> temporarily disable SACK?  If it was a /proc setting that would be
> ideal; I don't really want to have to recompile kernels though.

echo 0 > /proc/sys/net/ipv4/tcp_sack

> > There is a SACK related bug in netfilter connection tracking in
> > 2.6.11 (and below).  According to the dumped traffic your connections
> > suffer from packet losses,
>
> Interesting; this may explain why I only notice this when I'm coming
> from 82.44.131.131 - its network is kind of sucky. :)
>
> >        SACK kicks in and conntrack screws up tracking
> > the given TCP connections. (Sorry, I can't recall in which rc release
> > the fix was submitted.)
>
> How sure are you that this is the problem I am seeing?

The dump file shows that the communicating parties advertise sack support
and later on in the traffic they do use sack options. And because living
connections hang up, that indicates the sack bug. You can simply check it
by disabling sack.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
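
An added example, not part of the original message: a small parser for the check described in the reply above, reporting whether a TCP header advertises SACK (option kind 4) and which SACK blocks (option kind 5) it carries. The function names and the two sample segments are constructed for illustration.

```python
import struct

# TCP option kinds (RFC 793 / RFC 2018)
OPT_EOL, OPT_NOP, OPT_SACK_PERMITTED, OPT_SACK = 0, 1, 4, 5

def parse_tcp_options(tcp_header: bytes):
    """Return (kind, payload) pairs for the options in a raw TCP header."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    header_len = (tcp_header[12] >> 4) * 4        # data offset, in bytes
    if header_len < 20 or header_len > len(tcp_header):
        raise ValueError("bad data offset")
    opts, i, out = tcp_header[20:header_len], 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:                       # end of option list
            break
        if kind == OPT_NOP:                       # one-byte padding option
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option without length byte")
        length = opts[i + 1]                      # covers kind and length bytes too
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out

def sack_info(tcp_header: bytes):
    """Return (sack_permitted, [(left_edge, right_edge), ...])."""
    permitted, blocks = False, []
    for kind, payload in parse_tcp_options(tcp_header):
        if kind == OPT_SACK_PERMITTED:
            permitted = True
        elif kind == OPT_SACK and len(payload) % 8 == 0:
            for off in range(0, len(payload), 8):
                blocks.append(struct.unpack("!II", payload[off:off + 8]))
    return permitted, blocks

def build_header(flags: int, options: bytes) -> bytes:
    """Constructed sample data: a TCP header with the given flags and options."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    offset = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 40000, 80, 1000, 0, offset << 4, flags, 65535, 0, 0) + options

# Constructed segments: a SYN advertising SACK, and an ACK carrying one SACK block.
SYN = build_header(0x02, b"\x02\x04\x05\xb4\x04\x02")
ACK = build_header(0x10, b"\x01\x01\x05\x0a" + struct.pack("!II", 3000, 4460))
```

Fed the TCP headers from a capture, `sack_info` shows which handshakes negotiate SACK and which later segments carry SACK blocks, the two things the reply reads off the dump.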

