Out of window data issue

Out of window data issue

[James A. Pattie]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

	I'm running 2.4.18 kernel's w/ the tcp-window-tracking
patch applied (from p-o-m around iptables 1.2.6a days) and iptables
1.2.6a and I'm getting the following errors in the logs between 2
firewalls where the only traffic that seems to be affected is
Printing from the St. Louis office to the Kansas City Office via
our VPN connections.

Sep 27 14:41:26 hartwigkcm kernel: SRC=192.168.3.98 DST=192.168.5.25
LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=63785 DF PROTO=TCP SPT=721 DPT=515
SEQ=28150977 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B4) Out of
window data: SEQ is over the upper bound (over the window of the receiver)

I have disabled tcp_timestamps, tcp_window_scaling and tcp_sack and
enabled netfilter/ip_conntrack_tcp_be_liberal but I still get the
packets dropped and the above error message output.

The source and dest servers are NT4 Terminal Servers if that helps.

We just upgraded the kernels within the last 3 weeks and the printing
issue is the only thing that we haven't been able to resolve.

I have googled all day looking for anyone else who has had this issue
and what they did to resolve it and have not yet found anything.

I would appreciate any help.

- --
James A. Pattie
james@pcxperience.com

Linux  --  SysAdmin / Programmer
Xperience, Inc.
http://www.pcxperience.com/
http://www.xperienceinc.com/

GPG Key Available at http://www.pcxperience.com/gpgpkeys/james.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE9lLjNtUXjwPIRLVERAuEkAKC3a0ykxMjNGqLnZ4G1HCQoxG+rTACg1mAY
PhNw+iE5JwvijUx/Bb/VdIM=
=Javz
-----END PGP SIGNATURE-----


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: Out of window data issue

[Jozsef Kadlecsik]

Hi,

On Fri, 27 Sep 2002, James A. Pattie wrote:

> 	I'm running 2.4.18 kernel's w/ the tcp-window-tracking
> patch applied (from p-o-m around iptables 1.2.6a days) and iptables
> 1.2.6a and I'm getting the following errors in the logs between 2
> firewalls where the only traffic that seems to be affected is
> Printing from the St. Louis office to the Kansas City Office via
> our VPN connections.

I'd suggest to upgrade to the newest version of the patch from
patch-o-matic in cvs. It contains an improved logging of the invalid
packets.

> Sep 27 14:41:26 hartwigkcm kernel: SRC=192.168.3.98 DST=192.168.5.25
> LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=63785 DF PROTO=TCP SPT=721 DPT=515
> SEQ=28150977 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B4) Out of
> window data: SEQ is over the upper bound (over the window of the receiver)
>
> I have disabled tcp_timestamps, tcp_window_scaling and tcp_sack and
> enabled netfilter/ip_conntrack_tcp_be_liberal but I still get the
> packets dropped and the above error message output.

The ip_conntrack_tcp_be_liberal flag has no effect on the logging. If you
enable it, only invalid RST packets will be marked as INVALID - but all
the packets will still be logged.

> The source and dest servers are NT4 Terminal Servers if that helps.
>
> We just upgraded the kernels within the last 3 weeks and the printing
> issue is the only thing that we haven't been able to resolve.

My usual request: please tcpdump TCP on both sides of your firewall and
send me the resulted files together with the (enabled) kernel log of the
same period. It could help to improve the patch.

Regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary