Re: 2.6.9 tcp problems

From: Mark Watts
Date: Wed Dec 01 2004 - 09:07:33 EST

Next message: Daniel Dickman: "setting up EFI on x86"
Previous message: Paul Davis: "Re: [patch] Real-Time Preemption, -RT-2.6.10-rc2-mm2-V0.7.30-2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Stephen Hemminger wrote:
> > On Mon, 29 Nov 2004 13:03:34 -0500
> >
> > kernel <kernel@xxxxxxxxxxxx> wrote:
> >> I've run into a problem with 2.6.(8.1,9) after installing a secondary
> >> firewall. When I try to pull data through the original firewall
> >> (mail, http, ssh), it stops after approx. 260k. Running ethereal
> >> tells me "A segment before the frame was lost" followed by a bunch
> >> of "This is a TCP duplicate ack" when using ssh. All 2.4.x machines
> >> and windows clients work fine. I built 2.4.28 and it works fine from
> >> my machine. I also fiddled with tcp_ecn and that didn't fix it
> >> either. I don't have any problems communicating to "local" machines.
> >> I've attached the tcpdump output from an scp attempt. NIC is a 3Com
> >> Corporation 3c905B.
> >
> > What kind of firewall? There are firewalls that are too stupid and don't
> > understand TCP window scaling.
>
> It's a fortigate 60. We put our secure web servers behind a netscreen 5
> firewall which plugs into the fortigate and that's when the problems
> started. I remember reading some stuff on lkm about recent tcp changes
> but I couldn't remember exactly what it was. Thanks for reminding me !
>
> Here is how it's layed out now
> secure_web_servers->netscreen->fortigate->rest_of_network
>

Not sure if this helps:

I have a pair of Dell PowerEdge 1750's (running Mandrake 9.2/2.4.22) plugged
directly into a Netscreen 5GT and they do not exhibit this behaviour.

Network cards are bcm5700 series.

/proc/sys/net/ipv4/tcp_window_scaling is set to '1'

Mark.

- --
Mark Watts
Senior Systems Engineer
QinetiQ Trusted Information Management
Trusted Solutions and Services group
GPG Public Key ID: 455420ED

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFBrdEUBn4EFUVUIO0RAv6VAJ4+sdb3orBiFByfFWbXg40DbA1yygCff8qq
yAF7xiYh75Fi3JU8NnaaVFs=
=nMI1
-----END PGP SIGNATURE-----
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Daniel Dickman: "setting up EFI on x86"
Previous message: Paul Davis: "Re: [patch] Real-Time Preemption, -RT-2.6.10-rc2-mm2-V0.7.30-2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]