From: Carlos Velasco <lkml@newipnet.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter-devel@lists.netfilter.org
Subject: Re: [Fwd: Re: Networking messed up, bad checksum, incorrect length]
Date: Wed, 08 Nov 2006 14:17:13 +0100	[thread overview]
Message-ID: <4551D8D9.80303@newipnet.com> (raw)
In-Reply-To: <Pine.LNX.4.64.0610300919270.6150@blackhole.kfki.hu>

Jozsef Kadlecsik wrote:
> On Mon, 30 Oct 2006, Jozsef Kadlecsik wrote:
> 
>> On Mon, 30 Oct 2006, Carlos Velasco wrote:
>>
>>> I'm forwarding a mail from Linux Kernel, as it seems a bug in Netfilter
>>> in 2.6.18.
>> The TCP session dies because a NAT device between the communicating 
>> parties does not adjust the sequence numbers in the SACK fields.
>>
>> Is there a NATing device, which is not identical with the machine running 
>> 2.6.28, between the client and the server?
> 
> No, it's not a NATing device. It's a 'smart' box which munges the TCP 
> sequence numbers and misses to do so in the SACK fields: the first packet 
> from both recordings:

Yes, you are absolutely right. This is not a linux/netfilter issue.

After a little research we saw a Cisco PIX firewall behind the receiver
SMTP server doing ISN randomization.

I contacted Cisco and a bug has been raised for this issue:
Bug number: CSCse14419
http://www.cisco.com/cgi-bin/bugtool/onebug.pl?bugid=CSCse14419

As a workaround, ISN randomization can be disabled for TCP connections,
like this:

===
access-list WAROUNDTCP extended permit tcp any any

class-map WAROUNDTCP
 match access-list WAROUNDTCP

policy-map global_policy
 class WAROUNDTCP
  set connection random-sequence-number disable
===

I thought it's a good thing to post this email for future reference in case
this issue comes back again in the future.

Regards,
Carlos Velasco
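The failure described in this thread (a middlebox that rewrites the TCP initial sequence number but leaves the sequence numbers inside SACK option blocks untouched) can be reproduced and detected with a small model. The following is an added example and is not code from this thread, from netfilter, or from Cisco; the segment values, the offset DELTA and the helper names are constructed for illustration. It translates a client-to-server segment the way a sequence-rewriting device would, once without and once with the SACK blocks adjusted, and then applies the check a receiver uses (a SACK block must lie at or above the ACK point and inside the advertised window) to show which blocks the server would have to discard.

```python
"""Model of a sequence-rewriting middlebox that forgets SACK blocks (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Tuple

MOD = 1 << 32  # TCP sequence numbers are 32-bit modular


@dataclass
class Segment:
    """Minimal view of a TCP segment: the fields that carry sequence numbers."""
    seq: int
    ack: int
    window: int                       # advertised window, already scaled
    sack_blocks: List[Tuple[int, int]] = field(default_factory=list)


def shift(value: int, delta: int) -> int:
    """Add a (possibly negative) offset to a sequence number, modulo 2^32."""
    return (value + delta) % MOD


def translate_client_to_server(seg: Segment, delta: int, fix_sack: bool) -> Segment:
    """Undo the ISN offset on a client->server segment.

    The server's sequence space is seen by the client shifted by +delta, so
    the ack field (and every SACK block, which is also in the server's space)
    must be shifted by -delta before the server sees it.  With fix_sack=False
    the device behaves like the box in the thread: ack is rewritten, SACK is not.
    """
    ack = shift(seg.ack, -delta)
    if fix_sack:
        blocks = [(shift(l, -delta), shift(r, -delta)) for l, r in seg.sack_blocks]
    else:
        blocks = list(seg.sack_blocks)
    return Segment(seg.seq, ack, seg.window, blocks)


def invalid_sack_blocks(seg: Segment) -> List[Tuple[int, int]]:
    """Return the SACK blocks a receiver would reject.

    A block [left, right) is acceptable when ack <= left < right <= ack + window,
    evaluated with modular arithmetic so sequence-number wraparound is handled.
    Blocks that fail this test are ignored by the receiver, which is why an
    untranslated SACK option makes loss recovery stall.
    """
    bad = []
    for left, right in seg.sack_blocks:
        dist_left = (left - seg.ack) % MOD
        dist_right = (right - seg.ack) % MOD
        if not (dist_left < dist_right <= seg.window):
            bad.append((left, right))
    return bad


# Constructed scenario: the client has received server bytes up to 1000 and,
# after a hole, bytes 2000-3000, all expressed in the shifted space it sees.
DELTA = 0xFFFF0000                    # constructed ISN offset, chosen so values wrap
CLIENT_SEG = Segment(
    seq=5000,
    ack=shift(1000, DELTA),
    window=65535,
    sack_blocks=[(shift(2000, DELTA), shift(3000, DELTA))],
)


def demo() -> Tuple[List[Tuple[int, int]], List[Tuple[int, int]]]:
    """Run both translations and return (rejected_without_fix, rejected_with_fix)."""
    broken = translate_client_to_server(CLIENT_SEG, DELTA, fix_sack=False)
    correct = translate_client_to_server(CLIENT_SEG, DELTA, fix_sack=True)
    return invalid_sack_blocks(broken), invalid_sack_blocks(correct)


if __name__ == "__main__":
    rejected_broken, rejected_fixed = demo()
    print("SACK blocks the server must discard without SACK translation:", rejected_broken)
    print("SACK blocks the server must discard with SACK translation:   ", rejected_fixed)
```

The same window check can be run over SACK options pulled out of a capture of the server-side link: a stream of segments whose ack field is sane but whose SACK blocks are consistently rejected by this test is the signature of a sequence-rewriting device in the path, before looking for the device itself.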

Thread overview:
2006-10-29 23:26 [Fwd: Re: Networking messed up, bad checksum, incorrect length] Carlos Velasco
2006-10-30  8:10 ` Jozsef Kadlecsik
2006-10-30  8:29   ` Jozsef Kadlecsik
2006-11-08 13:17     ` Carlos Velasco [this message]