Re: 2.6.9 tcp problems

[kernel]

Stephen Hemminger wrote:

> On Mon, 29 Nov 2004 13:03:34 -0500
> kernel <kernel@xxxxxxxxxxxx> wrote:
>
>  
>
> > I've run into a problem with 2.6.(8.1,9) after installing a secondary 
> > firewall. When I try to pull data through the original firewall 
> > (mail, http, ssh), it stops after approx. 260k. Running ethereal 
> > tells me "A segment before the frame was lost" followed by a bunch 
> > of  "This is a TCP duplicate ack" when using ssh. All 2.4.x machines 
> > and windows clients work fine. I built 2.4.28 and it works fine from 
> > my machine. I also fiddled with tcp_ecn and that didn't fix it 
> > either. I don't have any problems communicating to "local" machines. 
> > I've attached the tcpdump output from an scp attempt. NIC is a 3Com 
> > Corporation 3c905B.
> >   
>
>
> What kind of firewall?  There are firewalls that are too stupid and don't
> understand TCP window scaling.
>
>  
It's a fortigate 60.  We put our secure web servers behind a netscreen 5 
firewall which plugs into the fortigate and that's when the problems 
started.  I remember reading some stuff on lkm about recent tcp changes 
but I couldn't remember exactly what it was. Thanks for reminding me !

Here is how it's layed out now
secure_web_servers->netscreen->fortigate->rest_of_network

Thanks !
walt

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/