From: Willy Tarreau <w@1wt.eu>
To: Klavs Klavsen <kl@vsen.dk>
Cc: Eric Dumazet <eric.dumazet@gmail.com>, netdev@vger.kernel.org
Subject: Re: TCP fast retransmit issues
Date: Fri, 28 Jul 2017 09:27:50 +0200
Message-ID: <20170728072750.GA6437@1wt.eu>
In-Reply-To: <0d41553d-69ac-651c-9c41-743391619a40@vsen.dk>

On Fri, Jul 28, 2017 at 08:36:49AM +0200, Klavs Klavsen wrote:
> The network guys know what caused it.
> 
> Apparently on (at least some) Cisco equipment the feature:
> 
> TCP Sequence Number Randomization
> 
> is enabled by default.

I didn't want to suggest names but since you did it first ;-) Indeed it's
mostly on the same device that I've been bothered a lot by their annoying
randomization. I used to know by memory the exact command to type to disable
it, but I don't anymore (something along "no randomization"). The other
trouble it causes is retransmits of the first SYN when your source ports
wrap too fast (i.e. when installed after a proxy). The SYNs reaching the
other end find a session in TIME_WAIT, but the SYN sometimes lands in
the previous window and leads to an ACK instead of a SYN-ACK, which the
firewall blocks. This was easily worked around using timestamps on both
sides thanks to PAWS. But disabling the broken feature is better. And no,
"more secure" is not an excuse for "broken".

> It would most definitely be beneficial if Linux handled SACK "not working"
> better than it does - but then I might never have found the culprit who
> destroyed SACK :)

Yep ;-)

Willy
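Added example, not from Willy's mail or the kernel tree: a small Python model of the TIME_WAIT behaviour he describes, showing why a randomized ISN can draw a plain ACK instead of a SYN-ACK and why timestamps (PAWS) avoid it. The accept test mirrors the ACK-less SYN check in Linux's tcp_timewait_state_process(); the clock-driven ISN generator, the randomizing middlebox and the "firewall drops the ACK" verdict are assumptions made for illustration.

```python
"""Toy model: how a SYN arriving on a TIME_WAIT socket is classified.
An ACK-less SYN is accepted as a new connection only if its sequence number
is after the old socket's rcv_nxt, or its TSval is newer than the last one
seen (PAWS). Anything else is answered with a plain ACK (assumed dropped
by a stateful firewall that is waiting for a SYN-ACK)."""
from dataclasses import dataclass
from typing import Optional
import random

MOD = 1 << 32

def after(a: int, b: int) -> bool:
    """True if 32-bit sequence/timestamp value a is later than b (wrap-safe)."""
    return 0 < (a - b) % MOD < (1 << 31)

@dataclass
class TimeWait:
    rcv_nxt: int              # next sequence number the old socket expected
    ts_recent: Optional[int]  # last TSval seen from the peer, None without timestamps

def classify_syn(tw: TimeWait, seq: int, tsval: Optional[int] = None) -> str:
    """Reply a TIME_WAIT socket sends to an ACK-less SYN: 'SYN-ACK' or 'ACK'."""
    if after(seq, tw.rcv_nxt):
        return "SYN-ACK"          # seq beyond the old window: clearly a fresh SYN
    if tsval is not None and tw.ts_recent is not None and after(tsval, tw.ts_recent):
        return "SYN-ACK"          # PAWS: a newer timestamp proves the SYN is fresh
    return "ACK"                  # looks like an old duplicate: ACK, not SYN-ACK

def simulate(conns: int, randomize_isn: bool, timestamps: bool, seed: int = 1) -> int:
    """Reuse one 4-tuple `conns` times in quick succession (a proxy wrapping its
    source ports) and count first SYNs answered with ACK instead of SYN-ACK."""
    rng = random.Random(seed)
    clock = 0                                  # ms; drives ISN and TSval (assumed)
    tw: Optional[TimeWait] = None
    blocked = 0
    for _ in range(conns):
        clock += 100                           # 100 ms between reuses of the port
        client_isn = (clock * 250) % MOD       # RFC 6528-like: clock-driven, increasing
        wire_isn = rng.randrange(MOD) if randomize_isn else client_isn  # middlebox
        tsval = clock if timestamps else None
        if tw is not None and classify_syn(tw, wire_isn, tsval) == "ACK":
            blocked += 1                       # firewall drops the ACK; SYN must be resent
        # connection moves ~4 KB then closes; server side lands in TIME_WAIT
        tw = TimeWait(rcv_nxt=(wire_isn + 1 + 4096) % MOD, ts_recent=tsval)
    return blocked
```

Without randomization the clock-driven ISN always lands after the old rcv_nxt; with a randomizing middlebox roughly half of the first SYNs draw an ACK unless both sides carry timestamps.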

Thread overview: 21+ messages
2017-07-26 11:07 TCP fast retransmit issues Klavs Klavsen
2017-07-26 11:49 ` Eric Dumazet
2017-07-26 12:18   ` Klavs Klavsen
2017-07-26 13:31     ` Eric Dumazet
2017-07-26 13:42       ` Willy Tarreau
2017-07-26 14:32         ` Eric Dumazet
2017-07-26 14:50           ` Willy Tarreau
2017-07-26 16:43             ` Neal Cardwell
2017-07-26 17:06               ` Neal Cardwell
2017-07-26 18:38                 ` Neal Cardwell
2017-07-26 19:02                   ` Neal Cardwell
2017-07-28 22:54                     ` Neal Cardwell
2017-08-01  3:17                       ` Neal Cardwell
2017-07-28  6:53           ` Christoph Paasch
2017-07-26 14:08       ` Klavs Klavsen
2017-07-26 14:18         ` Willy Tarreau
2017-07-26 14:25           ` Klavs Klavsen
2017-07-26 14:38             ` Willy Tarreau
2017-07-28  6:36               ` Klavs Klavsen
2017-07-28  7:27                 ` Willy Tarreau [this message]
2017-08-17 13:20                   ` Jeremy Harris
