Re: Session tracking failure - ssh packets dropped as INVALID

On 10.02.2008 05:29, John Zornig wrote:
> I can connect via ssh, but often when I generate a lot of traffic, e.g. by cat'ing a large file or running top, the session hangs. By selective logging, I have discovered that when a session hangs the packets coming to port 22 for that session change from ESTABLISHED to INVALID, and I have a rule that all INVALID packets are dropped. For some reason the connection tracking appears to be faulty. Is this a known issue or am I doing something incorrect? I've had this occur on a number of systems I'm setting up at the moment; all are configured similarly.

No word of advice unfortunately, but I have been bitten by packets getting dropped by the INVALID rule as well. In the end, I have disabled the rule that drops INVALID packets.

On 15.11.2007 Jozsef Kadlecsik wrote to a similar question:

> Please enable full internal logging in netfilter and make sure at least one logging target module is loaded in, and record by tcpdump one full TCP session where such packets occur. Then send me the generated kernel log and the dump file so that I could analyze it.

I did not have the time to debug it. Maybe you can. In addition, I have seen reports that increasing timeouts may help (ip_conntrack_tcp_timeout_close_wait, ip_conntrack_tcp_timeout_close, ip_conntrack_tcp_timeout_fin_wait, ip_conntrack_tcp_timeout_last_ack). It did not help for me, and of course this is just a workaround. The real problem lies elsewhere.

--
Eray
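An added example for this thread (not code posted by John, Eray or Jozsef): rather than dropping INVALID packets blindly or disabling the rule, make the "ESTABLISHED becomes INVALID" event visible and collect the material Jozsef asks for. It shows the rule ordering that logs INVALID packets to tcp/22 before the generic drop, a small awk reduction of the resulting kernel log to "count flow" lines so the hanging session stands out, a reader for the ip_conntrack_tcp_timeout_* sysctls Eray lists, and the workaround commands. The "INVALID-ssh: " log prefix, the sample log lines and the timeout values are constructed for the example; the ip_conntrack_tcp_be_liberal sysctl is not mentioned in the thread and is included as the standard knob that stops conntrack flagging out-of-window TCP packets INVALID.

```shell
#!/bin/sh
# Example code for the netfilter thread above, not from any poster.
# Assumptions: log prefix "INVALID-ssh: " and the sample log are invented;
# sysctl names are the ip_conntrack_* ones from the thread (the later
# kernels spell them nf_conntrack_* under net.netfilter).

# 1. Rule order matters: the LOG rule for INVALID packets to tcp/22 must sit
#    before the generic "INVALID -j DROP", so every dropped packet leaves a
#    kernel log line carrying TCP sequence numbers and options.
invalid_ssh_rules() {
    cat <<'EOF'
iptables -I INPUT 1 -p tcp --dport 22 -m state --state INVALID -m limit --limit 10/min -j LOG --log-prefix "INVALID-ssh: " --log-tcp-sequence --log-tcp-options
iptables -A INPUT -m state --state INVALID -j DROP
tcpdump -i eth0 -s 0 -w ssh-hang.pcap port 22
EOF
}

# 2. Reduce the kernel log (passed as $1) to "count src:spt->dst:dpt" lines,
#    most frequent flow first; the hanging session is the one at the top.
invalid_flows() {
    printf '%s\n' "$1" |
    awk '/INVALID-ssh: / {
            src = dst = spt = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "SPT") spt = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "") print src ":" spt "->" dst ":" dpt
        }' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# Constructed sample of what the LOG rule would write (not a real capture):
# three pure ACKs from one ssh client hit INVALID, plus one stray packet.
SAMPLE_LOG='Feb 10 05:31:02 gw kernel: INVALID-ssh: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40111 DF PROTO=TCP SPT=51234 DPT=22 SEQ=2882343476 ACK=1170002457 WINDOW=501 RES=0x00 ACK URGP=0
Feb 10 05:31:02 gw kernel: INVALID-ssh: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40112 DF PROTO=TCP SPT=51234 DPT=22 SEQ=2882343476 ACK=1170003905 WINDOW=501 RES=0x00 ACK URGP=0
Feb 10 05:31:03 gw kernel: INVALID-ssh: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=192.0.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=40113 DF PROTO=TCP SPT=51234 DPT=22 SEQ=2882343476 ACK=1170005353 WINDOW=501 RES=0x00 ACK URGP=0
Feb 10 05:31:09 gw kernel: INVALID-ssh: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44010 DPT=22 SEQ=1 ACK=0 WINDOW=1024 RES=0x00 ACK URGP=0
Feb 10 05:31:10 gw kernel: other: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.1 PROTO=TCP SPT=3333 DPT=80'

# 3. Print name=value for the conntrack TCP timeouts (and the be_liberal
#    flag) from whichever sysctl tree this kernel has. $1 overrides
#    /proc/sys so the function can be exercised on a fake tree.
conntrack_tcp_timeouts() {
    root=${1:-/proc/sys}
    for dir in "$root/net/netfilter" "$root/net/ipv4/netfilter"; do
        for f in "$dir"/nf_conntrack_tcp_timeout_* "$dir"/ip_conntrack_tcp_timeout_* "$dir"/*conntrack_tcp_be_liberal; do
            [ -f "$f" ] && printf '%s=%s\n' "$(basename "$f")" "$(cat "$f")"
        done
    done
    return 0
}

# 4. Workarounds (values invented): the longer timeouts Eray tried, and
#    be_liberal=1, which makes conntrack accept out-of-window segments
#    instead of marking them INVALID. be_liberal also switches off the
#    protection against injected out-of-window packets, so use it to
#    confirm the diagnosis, not as a permanent setting.
workaround_cmds() {
    cat <<'EOF'
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait=120
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait=240
sysctl -w net.ipv4.netfilter.ip_conntrack_tcp_be_liberal=1
EOF
}

# Demo on the constructed log; needs no root.
invalid_flows "$SAMPLE_LOG"
```

Run the rules from invalid_ssh_rules on the affected box, reproduce the hang with cat or top, then feed the kernel log into invalid_flows: with the sample above the first line is "3 192.0.2.10:51234->192.0.2.1:22". The pcap from tcpdump plus the SEQ/ACK/WINDOW fields in those log lines are what is needed to see whether the flagged packets fall outside the window conntrack is tracking.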
-
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
