From: Glen Turner <gdt@gdt.id.au>
To: Jan Engelhardt <jengelh@computergmbh.de>
Cc: James Nichols <jamesnichols3@gmail.com>,
Eric Dumazet <dada1@cosmosbay.com>,
linux-kernel@vger.kernel.org,
Linux Netdev List <netdev@vger.kernel.org>
Subject: Re: After many hours all outbound connections get stuck in SYN_SENT
Date: Fri, 21 Dec 2007 01:11:35 +1030 [thread overview]
Message-ID: <1198161695.6154.47.camel@andromache> (raw)
In-Reply-To: <Pine.LNX.4.64.0712191857270.12329@fbirervta.pbzchgretzou.qr>
[speculation by network engineer -- not kernel hacker -- follows]
> The router could be sooo crappy that it drops all packets from
> TCP streams that have SACK enabled and the client has opened
> 200+ SACK connections previously... something like that?
As far as any third party is concerned the existing TCP connections
continue to have negotiated "SACK Permitted". Only new connections
will not negotiate this. So "router crappiness" promptly disappearing
doesn't seem too likely (a way I could see this happening is if the
Linux box sends a Ack for each connection and this clears out Sack
datastructures on the third party).
But I'd be very surprised if the router is acting as anything more
that a network-layer device. It might perhaps have some soft connection
state being used for generating accounting records. Being Cisco
it's probably a switch-router, so it might carry some per-port hard
state for validating source IP addresses and ARPs on each port.
The firewall is much more likely to be carrying per-flow Sack
state. The Cisco PIX had a bug with SACK handling (CSCse14419,
fixed in 7.0(7), 7.1(2.34), 7.2(2.2), 8.0(0.141) but perhaps it
has regressed). A simple trace either side of the firewall will
show the inconsistency between the TCP sequence number (which
gets randomised) and the Sack sequence number (which didn't).
You could disable the TCP Sequence Number Randomisation feature
and see if the fault reoccurs.
You'd probably should also investigate the Linux kernel,
especially the size and locks of the components of the Sack data
structures and what happens to those data structures after Sack is
disabled (presumably the Sack data structure is in some unhappy
circumstance, and disabling Sack allows the data to be discarded,
magically unclaging the box).
In the absence of the reporter wanting to dump the kernel's
core, how about a patch to print the Sack datastructure when
the command to disable Sack is received by the kernel?
Maybe just print the last 16b of the IP address?
Best wishes, Glen
next prev parent reply other threads:[~2007-12-20 14:48 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <83a51e120712141239u52d2dd68p1b6ee7ed08f2cecf@mail.gmail.com>
[not found] ` <Pine.LNX.4.64.0712180009390.32270@fbirervta.pbzchgretzou.qr>
[not found] ` <83a51e120712180734i334399dbl51f44fe32d815f7d@mail.gmail.com>
[not found] ` <Pine.LNX.4.64.0712181704380.4422@fbirervta.pbzchgretzou.qr>
[not found] ` <83a51e120712180845k6cadf67bn5dd66fb2d3ac72d4@mail.gmail.com>
[not found] ` <Pine.LNX.4.64.0712181818360.4422@fbirervta.pbzchgretzou.qr>
[not found] ` <83a51e120712181009pf954f43mcb63ea4dab638458@mail.gmail.com>
[not found] ` <Pine.LNX.4.64.0712181910580.4422@fbirervta.pbzchgretzou.qr>
[not found] ` <83a51e120712181021p4c4c2a13g8820271f1e00361b@mail.gmail.com>
[not found] ` <4768123A.7040603@cosmosbay.com>
[not found] ` <83a51e120712181144l65633b32r72cc369f9d012f47@mail.gmail.com>
2007-12-18 20:37 ` After many hours all outbound connections get stuck in SYN_SENT Eric Dumazet
2007-12-18 21:20 ` Jan Engelhardt
2007-12-19 16:53 ` James Nichols
2007-12-19 17:07 ` Eric Dumazet
2007-12-19 17:43 ` James Nichols
2007-12-19 17:58 ` Jan Engelhardt
2007-12-19 18:12 ` James Nichols
2007-12-20 14:41 ` Glen Turner [this message]
2007-12-20 16:37 ` James Nichols
2007-12-20 21:05 ` Ilpo Järvinen
2007-12-21 6:06 ` Jan Engelhardt
2007-12-21 4:51 ` Glen Turner
2007-12-21 13:57 ` James Nichols
2007-12-19 18:03 ` Eric Dumazet
2007-12-19 21:27 ` Ilpo Järvinen
2007-12-20 16:08 ` James Nichols
2007-12-20 20:44 ` Ilpo Järvinen
2007-12-20 20:49 ` Justin Banks
2007-12-16 16:34 James Nichols
2007-12-17 16:27 ` James Nichols
2007-12-19 12:54 ` Ilpo Järvinen
2007-12-19 17:38 ` James Nichols
2007-12-19 18:32 ` Ilpo Järvinen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1198161695.6154.47.camel@andromache \
--to=gdt@gdt.id.au \
--cc=dada1@cosmosbay.com \
--cc=jamesnichols3@gmail.com \
--cc=jengelh@computergmbh.de \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).