Hi,
I've run into a strange problem where large file transfers start
stalling over a NATed connection. Packet traces reveal that ACK packets
are sometimes not being passed through to the inside (NATed) host, which
results in a transfer stall until a tcp timeout occurs and the other
side retransmits the ACK.
This only seems to happen if the conntrack table on the firewall already
contains an entry for the same source and destination in TIME_WAIT
state. If no conntrack entries exist for the same source and
destination, the packets flow fine.
The problem seems to be alleviated by setting ip_conntrack_tcp_be_liberal
to 1, but this seems to be only a workaround not a real solution.
Scatter gather and tcp segment offloading have been disabled in the
relevant NICs on the firewall during debugging, to make sure this isn't
a hardware issue.
Is this issue known/is there a patch available or would further
information be needed to help debug the problem?
Regards,
Sven
--
sven.riedel@xxxxxxxxxxxx
SecureNet GmbH
Intranet & Internet Solutions
Frankfurter Ring 193a
D-80807 München
Tel: +49 89 32133-632
Fax: +49 89 32133-699
Zentrale: -600
www.securenet.de
Sitz der Gesellschaft: München
HRB München 118876
Geschäftsführer: Thomas Schreiber
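As an added example (not part of the original mail or of netfilter itself), a small Python helper for the situation the report describes: it scans text in the /proc/net/nf_conntrack (or older /proc/net/ip_conntrack) line format and reports source/destination pairs where a stale TIME_WAIT entry coexists with a live connection, and reads the be_liberal knob from the two proc paths it has been known under. The conntrack sample lines are constructed with RFC 5737 addresses.

```python
import re
from collections import defaultdict

# One TCP line of /proc/net/nf_conntrack: "... tcp 6 <ttl> <STATE> src= dst= sport= dport= ..."
# Only the original-direction tuple (the first src/dst pair) is captured.
_ENTRY = re.compile(
    r"\btcp\s+6\s+(?P<ttl>\d+)\s+(?P<state>[A-Z_]+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)

# Constructed sample: one address pair has a TIME_WAIT entry next to a live ESTABLISHED one.
SAMPLE = """\
ipv4     2 tcp      6 117 TIME_WAIT src=192.0.2.10 dst=198.51.100.20 sport=51000 dport=22 src=198.51.100.20 dst=203.0.113.1 sport=22 dport=51000 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.20 sport=51004 dport=22 src=198.51.100.20 dst=203.0.113.1 sport=22 dport=51004 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 100 TIME_WAIT src=192.0.2.11 dst=198.51.100.30 sport=40000 dport=443 src=198.51.100.30 dst=203.0.113.1 sport=443 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.0.2.12 dst=198.51.100.40 sport=5353 dport=53 src=198.51.100.40 dst=203.0.113.1 sport=53 dport=5353 use=1
""".splitlines()

def parse_entries(lines):
    """Yield (src, dst, sport, dport, state, ttl) for each TCP conntrack line; UDP etc. are skipped."""
    for line in lines:
        m = _ENTRY.search(line)
        if m:
            yield (m["src"], m["dst"], int(m["sport"]), int(m["dport"]), m["state"], int(m["ttl"]))

def time_wait_overlaps(lines):
    """Map (src, dst) -> {"time_wait": count, "live": [(sport, dport, state), ...]} for pairs
    that carry both a TIME_WAIT entry and a live (not TIME_WAIT/CLOSE) entry."""
    by_pair = defaultdict(list)
    for src, dst, sport, dport, state, ttl in parse_entries(lines):
        by_pair[(src, dst)].append((sport, dport, state))
    result = {}
    for pair, entries in by_pair.items():
        tw = [e for e in entries if e[2] == "TIME_WAIT"]
        live = [e for e in entries if e[2] not in ("TIME_WAIT", "CLOSE")]
        if tw and live:
            result[pair] = {"time_wait": len(tw), "live": live}
    return result

def read_be_liberal(paths=("/proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal",
                           "/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal")):
    """Return the be_liberal value (0/1) from the first readable path, or None if none exists."""
    for path in paths:
        try:
            with open(path) as fh:
                return int(fh.read().strip())
        except OSError:
            continue
    return None

if __name__ == "__main__":
    print("be_liberal:", read_be_liberal())
    for (src, dst), info in time_wait_overlaps(SAMPLE).items():
        print(f"{src} -> {dst}: {info['time_wait']} TIME_WAIT beside live {info['live']}")
```

On a real firewall, feed it `open("/proc/net/nf_conntrack")` instead of SAMPLE; pairs it lists are the ones to watch in a packet trace for dropped ACKs.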