List:       openbsd-pf
Subject:    Strange disconnection problem
From:       Per_Gøtterup <per () webhotel ! net>
Date:       2007-01-15 13:36:54
Message-ID: 45AB8376.4060904 () webhotel ! net

Help needed! :)

We are running a set of firewalls on OpenBSD 4.0 (GENERIC amd64) using 
carp and pf, and since upgrading from 3.5 we've begun seeing some strange 
disconnections, usually during http, ftp or ssh transfers, but only from 
or to certain external locations (usually ADSL lines).

Dumping traffic using tcpdump, we see something like this; first a few 
normal transfer packets (usually there is a minute or two of these):

14:18:30.464345 217.145.48.102.2035 > 80.198.225.70.80: . [tcp sum ok] 303:303(0) ack 14845472 win 65535 (DF) (ttl 127, id 22113, len 40)
14:18:30.480462 80.198.225.70.80 > 217.145.48.102.2035: . 14845472:14846878(1406) ack 303 win 65233 (DF) (ttl 118, id 10125, len 1446)
14:18:30.481509 217.145.48.102.2035 > 80.198.225.70.80: . [tcp sum ok] 303:303(0) ack 14846878 win 65535 (DF) (ttl 127, id 22115, len 40)
14:18:30.496333 80.198.225.70.80 > 217.145.48.102.2035: P 14846878:14848162(1284) ack 303 win 65233 (DF) (ttl 118, id 10126, len 1324)

Then this happens:

tcpdump: WARNING: compensating for unaligned libpcap packets
14:18:30.496413 217.145.49.101 > 80.198.225.70: icmp: host 217.145.48.102 unreachable for 80.198.225.70.80 > 217.145.48.102.2035: 2198678154 [|tcp] (DF) (ttl 118, id 10126, len 1324) (ttl 255, id 36421, len 56)
14:18:30.513493 80.198.225.70.80 > 217.145.48.102.2035: . 14848162:14849568(1406) ack 303 win 65233 (DF) (ttl 118, id 10128, len 1446)
14:18:30.514669 217.145.48.102.2035 > 80.198.225.70.80: . [tcp sum ok] 303:303(0) ack 14846878 win 65535 <nop,nop,sack 1 {14848162:14849568} > (DF) (ttl 127, id 22117, len 52)
14:18:30.530807 80.198.225.70.80 > 217.145.48.102.2035: . 14849568:14850974(1406) ack 303 win 65233 (DF) (ttl 118, id 10129, len 1446)
14:18:30.531616 217.145.48.102.2035 > 80.198.225.70.80: . [tcp sum ok] 303:303(0) ack 14846878 win 65535 <nop,nop,sack 1 {14848162:14850974} > (DF) (ttl 127, id 22118, len 52)
14:18:30.546648 80.198.225.70.80 > 217.145.48.102.2035: P 14850974:14852258(1284) ack 303 win 65233 (DF) (ttl 118, id 10130, len 1324)
14:18:30.547465 217.145.48.102.2035 > 80.198.225.70.80: . [tcp sum ok] 303:303(0) ack 14846878 win 65535 <nop,nop,sack 1 {14848162:14852258} > (DF) (ttl 127, id 22119, len 52)

Now the transfer stalls completely (no more packets) and the client 
reports a timeout a short time later.

What happens - and more importantly - is there anything to do about it?

Thanks a million in advance for any helpful insights! :)

-- 
Per Gøtterup <per@webhotel.net> · Systems Administrator & Support
WebHotel.net · INFORCE A/S · Sydvestvej 100 · DK-2600 Glostrup · Denmark
Phone: +45 70232490 · Fax: +45 70232480 · Web: www.webhotel.net