Re: Weird nat/conntrack Problem with PASV FTP upload

["Thomas Bätzler" <t.baetzler@bringe.com>]

Hi,

to finish up this matter and perhaps help people who are
in the same situation as me, here's a summary.

- From the end users PoV, data connections from a ftp
client to a ftp server would sometime spontaeously break
down.

- tcpdump on the client side nat gateway showed that
the nat gateway would inject RST packets in the connection.

- Further examination involved logging packets with a
conntrack state of INVALID and proved that the packets
causing the RST reply were considered to be INVALID by
conntrack.

- Upgrading client and NAT gateway from a 2.6.18 Debian
Etch stock kernel to 2.6.25 Debian testing kernel didn't
help.

At this point more info was requested, but I couldn't
provide it in any useful form.

By chance I happend across a posting by Vladislav Kurz
last week, where he suggested to activate conntrack
logging of invalid packets by setting
/proc/sys/net/ipv4/netfilter/ip_conntrack_log_invalid
to the protocol number that one was interested in.

Now that finally gave me some useful output, namely,
"nf_ct_tcp: ACK is under the lower bound (possible overly delayed ACK)".

 From looking at my dumps I think this is probably an
error, but then I'm still digesting the small parts
of TCP/IP Illustrated that I've read so for, so I
might aswell be wrong. If somebody feels like looking
into it, let me know what you need and I'll try and
supply it.

Anyways, the quick and dirty fix to my problem was to put
"inet.ipv4.netfilter.ip_conntrack_tcp_be_liberal=1" in
/etc/systcl.conf.

Cheers,
Thomas
-- 
BRINGE Informationstechnik GmbH
Zur Seeplatte 12
D-76228 Karlsruhe
Germany

Fon: +49 721 94246-0
Fon: +49 171 5438457
Fax: +49 721 94246-66
Web: http://www.bringe.de/

Geschäftsführer: Dipl.-Ing. (FH) Martin Bringe
Ust.Id: DE812936645, HRB 108943 Mannheim