
List:       ipfilter
Subject:    Re: Connection timeouts on Solaris 9
From:       "Alexander Stade" <alexanderstade () hotmail ! com>
Date:       2003-01-27 22:20:12

No, qfe[0123] are in different VLANs. I also have the local-mac-address? 
variable set to true.

I tried the static arp suggestion, but it doesn't seem to have any effect.

I still have session loss on inbound connections. For laughs, I tried an ftp 
session. The same problem happens there.

Is 3.4.31 perhaps not recommended on Solaris?

-Alex

>From: Joseph Spenner <joseph85750@yahoo.com>
>To: ipfilter@coombs.anu.edu.au
>Subject: Re: Connection timeouts on Solaris 9
>Date: Mon, 27 Jan 2003 13:14:44 -0800 (PST)
>
>I've had similar problems on Solaris machines where
>the interfaces lived on the same physical network.
>Are any of qfe0,1,2,3 on the same network?  If so, try
>telling the system in the firmware to use onboard mac
>for each card.
>
>at the "ok" prompt:
>
>setenv local-mac-address? true
>
>Also, something else I've had to do from time to time
>was to force a static arp entry with the correct
>mac/ip on my clients on the LAN for the side of the
>ipfilter box that they access, because arp would
>sometimes have the mac address of 1 interface matched
>with the IP of another interface.  Again, I believe
>this all comes from having all the interfaces on the
>same network where they can all see each others
>broadcasts.
>
>
>--- Alexander Stade <alexanderstade@hotmail.com>
>wrote:
> > I am having trouble with 3.4.31 on Solaris 9. I
> > compiled 3.4.31 with Sun's
> > Forte 7 compiler and the host is an Ultra 1 with a
> > quadfast ethernet card.
> >
> > When I make an inbound SSH connection, it sometimes
> > doesn't fully establish
> > the SSH session. I have to ^C and rerun the SSH
> > command. Then it works.
> > After a few minutes however, the connection drops.
> >
> > The client keeps resending data as it expects ACKs.
> > The server never sees
> > that data and just quietly listens. I can initiate a
> > new SSH connection
> > inbound, but this will also fail after a few
> > minutes.
> >
> > The time it takes for the connection to sever is
> > arbitrary. Sometimes within
> > seconds, other times within minutes. Any ideas?
> >
> > Here's my ipf.conf:
> >
> > pass in log quick on qfe0 proto tcp from any to 192.168.102.25/32 port = 22 flags S keep state
> > pass in log quick on qfe0 proto tcp from any to 192.168.102.25/32 port = 113 flags S keep state
> >
> > pass in quick on qfe0 proto udp from any to any port = 68
> >
> > pass out quick on qfe0 proto tcp from any to any flags S keep state
> > pass out quick on qfe0 proto udp from any to any
> >
> > pass in quick on qfe1 from any to any
> > pass out quick on qfe1 from any to any
> >
> > pass in quick on qfe2 from any to any
> > pass out quick on qfe2 from any to any
> >
> > pass in quick on qfe3 from any to any
> > pass out quick on qfe3 from any to any
> >
> > block in on qfe0 proto tcp all
> > block return-rst in on qfe0 proto tcp all flags S
> > block out all
> >
> > And this is my ipnat.conf:
> >
> > map qfe0 192.168.101.0/24 -> 0/32 proxy port 21 ftp/tcp
> > map qfe0 192.168.101.0/24 -> 0/32 proxy port 500 ipsec/udp
> > map qfe0 192.168.101.0/24 -> 0/32 proxy port 1720 h323/tcp
> > map qfe0 192.168.101.0/24 -> 0/32 proxy port 7070 raudio/tcp
> > map qfe0 192.168.101.0/24 -> 0/32 portmap tcp/udp 50000:60000
> > map qfe0 192.168.101.0/24 -> 0/32
> > map qfe0 192.168.102.0/24 -> 0/32 proxy port 21 ftp/tcp
> > map qfe0 192.168.102.0/24 -> 0/32 proxy port 500 ipsec/udp
> > map qfe0 192.168.102.0/24 -> 0/32 proxy port 1720 h323/tcp
> > map qfe0 192.168.102.0/24 -> 0/32 proxy port 7070 raudio/tcp
> > map qfe0 192.168.102.0/24 -> 0/32 portmap tcp/udp 50000:60000
> > map qfe0 192.168.102.0/24 -> 0/32
> > rdr qfe0 0/0 port 22 -> 192.168.102.25 port 22
> > rdr qfe0 0/0 port 113 -> 192.168.102.25 port 113
> >
> > Thanks,
> >
> > -Alex