Netfilter list,

We are seeing a fair amount of Triple Duplicate Acks between a webserver that is using the following nat table prerouting redirect and an application server....

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -d <another hosts IP address> -j REDIRECT
COMMIT

Here are our conntrack TCP parameters:

# for i in `ls /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp*` ; do echo "$i" && cat $i ; done
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
0
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_loose
3
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_max_retrans
3
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close
10
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_close_wait
60
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_established
432000
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_fin_wait
120
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_last_ack
30
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_max_retrans
300
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_recv
60
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_syn_sent
120
/proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_timeout_time_wait
120
#

Is there anything that can be done from the conntrack perspective to lessen/eliminate the Triple Duplicate Acks?