Hi,

to finish up this matter and perhaps help people who are in the same situation as me, here's a summary.

- From the end user's PoV, data connections from an FTP client to an FTP server would sometimes spontaneously break down.
- tcpdump on the client-side NAT gateway showed that the NAT gateway would inject RST packets into the connection.
- Further examination involved logging packets with a conntrack state of INVALID and proved that the packets causing the RST reply were considered to be INVALID by conntrack.
- Upgrading client and NAT gateway from a 2.6.18 Debian Etch stock kernel to a 2.6.25 Debian testing kernel didn't help.

At this point more info was requested, but I couldn't provide it in any useful form.

By chance I happened across a posting by Vladislav Kurz last week, where he suggested activating conntrack logging of invalid packets by setting /proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid to the protocol number that one was interested in.

Now that finally gave me some useful output, namely, "nf_ct_tcp: ACK is under the lower bound (possible overly delayed ACK)".

From looking at my dumps I think this is probably an error, but then I'm still digesting the small parts of TCP/IP Illustrated that I've read so far, so I might as well be wrong. If somebody feels like looking into it, let me know what you need and I'll try and supply it.

Anyways, the quick and dirty fix to my problem was to put "net.ipv4.netfilter.ip_conntrack_tcp_be_liberal=1" in /etc/sysctl.conf.

Cheers,
Thomas

--
BRINGE Informationstechnik GmbH
Zur Seeplatte 12
D-76228 Karlsruhe
Germany

Fon: +49 721 94246-0
Fon: +49 171 5438457
Fax: +49 721 94246-66
Web: http://www.bringe.de/

Geschäftsführer: Dipl.-Ing. (FH) Martin Bringe
Ust.Id: DE812936645, HRB 108943 Mannheim
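As an added example (not part of the original post): a small triage script that groups conntrack "invalid" log lines, such as those produced with ip_conntrack_log_invalid set to 6 (TCP), by connection and reason, so both directions of one FTP data connection are counted together. The sample lines are constructed, and the key=value layout after the reason text is assumed to follow the usual netfilter LOG format.

```python
import re
from collections import Counter

# Constructed sample kernel log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Jun  2 10:15:01 gw kernel: nf_ct_tcp: ACK is under the lower bound (possible overly delayed ACK) IN= OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TTL=63 ID=4211 DF PROTO=TCP SPT=40112 DPT=20 SEQ=1001 ACK=5000 WINDOW=501 RES=0x00 ACK URGP=0
Jun  2 10:15:02 gw kernel: nf_ct_tcp: ACK is under the lower bound (possible overly delayed ACK) IN= OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=52 TTL=63 ID=4212 DF PROTO=TCP SPT=40112 DPT=20 SEQ=1001 ACK=5000 WINDOW=501 RES=0x00 ACK URGP=0
Jun  2 10:15:02 gw kernel: nf_ct_tcp: ACK is under the lower bound (possible overly delayed ACK) IN= OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=52 TTL=55 ID=977 DF PROTO=TCP SPT=20 DPT=40112 SEQ=9000 ACK=900 WINDOW=229 RES=0x00 ACK URGP=0
Jun  2 10:15:07 gw kernel: nf_ct_tcp: SEQ is over the upper bound (over the window of the receiver) IN= OUT= SRC=192.0.2.11 DST=198.51.100.7 LEN=1500 TTL=63 ID=31 DF PROTO=TCP SPT=51000 DPT=21 SEQ=77000 ACK=1 WINDOW=501 RES=0x00 ACK URGP=0
Jun  2 10:15:09 gw sshd[811]: Accepted publickey for admin
"""

# "nf_ct_<proto>: <reason> IN=... OUT=... <key=value fields>"
LINE_RE = re.compile(r"nf_ct_\w+: (?P<reason>.*?) IN=\S* OUT=\S* (?P<fields>.*)$")


def parse_invalid(line):
    """Return (reason, connection) for a conntrack invalid-packet line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Bare flag tokens such as DF or ACK carry no '=' and are skipped.
    kv = dict(f.split("=", 1) for f in m.group("fields").split() if "=" in f)
    try:
        ends = [(kv["SRC"], int(kv["SPT"])), (kv["DST"], int(kv["DPT"]))]
    except (KeyError, ValueError):
        return None  # truncated line or a protocol without ports
    # Sort the endpoints so both directions map to the same connection key.
    return m.group("reason"), tuple(sorted(ends))


def summarise(log_text):
    """Count invalid packets per (connection, reason)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_invalid(line)
        if parsed:
            reason, conn = parsed
            counts[(conn, reason)] += 1
    return counts


if __name__ == "__main__":
    for (conn, reason), n in summarise(SAMPLE_LOG).most_common():
        (a, ap), (b, bp) = conn
        print(f"{n:4d}  {a}:{ap} <-> {b}:{bp}  {reason}")
```

A per-connection count like this shows whether the invalid packets are confined to a few peers before relaxing window tracking globally: with ip_conntrack_tcp_be_liberal set to a non-zero value, conntrack marks only out-of-window RST segments as INVALID.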