Problem with conntrackd: TCP RST sent on NAT connections

Problem with conntrackd: TCP RST sent on NAT connections

[Michael Schwartzkopff]

Hi,

I have a strange problem here. I set up a testbed like in the on on the 
website, except that I have NAT im my scenario.

When I test a SSH connection everything goes fine.

When I download a file via HTTP the first failover works, but the failback 
breaks the connection and the download stops. Tracing the connection show that 
during the failback the HTTP Server sends a package to the virtual NAT address 
of my firewall and the firewall send a TCP RST back and thus stops the 
connection.

Of course I tried first to sync the connection table and after that set up my 
virtual addresses, but it seems that it does not help.

A similar problem was described from Abhijit Menon-Sen on Oct, 30th 2007 on 
the nf-failover mailing list. But I did not find any solution there.

My system:
debian lenny.
Kernel 2.6.26-1-686
conntrackd version 0.9.6-4

Mode: FTFW, heartbeat as HA solution.

My firewall does allow everything. The only rule is the NAT rule that translats 
all packets comming from internal to the virtual external address.

Any idea what could be wrong? How could I trace the problem further? Thanks 
for any help.

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: misch@multinet.de
web: www.multinet.de

Sitz der Gesellschaft: 85630 Grasbrunn
Registergericht: Amtsgericht München HRB 114375
Geschäftsführer: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42

Re: Problem with conntrackd: TCP RST sent on NAT connections

[Pablo Neira Ayuso]

Michael Schwartzkopff wrote:
> Hi,
> 
> I have a strange problem here. I set up a testbed like in the on on the 
> website, except that I have NAT im my scenario.
> 
> When I test a SSH connection everything goes fine.
> 
> When I download a file via HTTP the first failover works, but the failback 
> breaks the connection and the download stops. Tracing the connection show that 
> during the failback the HTTP Server sends a package to the virtual NAT address 
> of my firewall and the firewall send a TCP RST back and thus stops the 
> connection.
> 
> Of course I tried first to sync the connection table and after that set up my 
> virtual addresses, but it seems that it does not help.
> 
> A similar problem was described from Abhijit Menon-Sen on Oct, 30th 2007 on 
> the nf-failover mailing list. But I did not find any solution there.
> 
> My system:
> debian lenny.
> Kernel 2.6.26-1-686

I remember that this kernel version has some problems if your setup has
any helper, if so, I suggest you to upgrade to latest linux kernel.

> conntrackd version 0.9.6-4

This is rather old conntrack-tools version. Could you try latest
conntrack-tools version from www.netfilter.org?

Using the latest primary-backup.sh script from git.netfilter.org instead
of the old ones that you are using would be also a good idea:

http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=tree;f=doc/sync;h=d0e3afe1bca3a581d246fa0b07b67bb8175295f6;hb=HEAD

> Mode: FTFW, heartbeat as HA solution.
> 
> My firewall does allow everything. The only rule is the NAT rule that translats 
> all packets comming from internal to the virtual external address.

Your firewall has to drop invalid packets at least, see the example
rule-set in the website. The firewall sends a TCP RST to the client if
it didn't find the NAT information, this happens when the conntrack
entry does not exist.

> Any idea what could be wrong? How could I trace the problem further?

After the first failover, check the primary's internal cache and
backup's external cache with the commands:

show internal cache (do this in the primary):
# conntrackd -i

show external cache (do this in the backup):
# conntrackd -e

They should show the same entries.

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

Re: Problem with conntrackd: TCP RST sent on NAT connections

[Pablo Neira Ayuso]

[-- Attachment #1: Type: text/plain, Size: 107 bytes --]

For the record (users googling for problems).

-- 
"Los honestos son inadaptados sociales" -- Les Luthiers

[-- Attachment #2: Re: Problem with conntrackd: TCP RST sent on NAT connections.eml --]
[-- Type: message/rfc822, Size: 5448 bytes --]

From: Michael Schwartzkopff <misch@multinet.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Subject: Re: Problem with conntrackd: TCP RST sent on NAT connections
Date: Mon, 23 Feb 2009 14:14:54 +0100
Message-ID: <200902231414.54666.misch@multinet.de>

Am Friday 20 February 2009 17:49:23 schrieben Sie:
> Michael Schwartzkopff wrote:
> > Hi,
> >
> > I have a strange problem here. I set up a testbed like in the on on the
> > website, except that I have NAT im my scenario.
> >
> > When I test a SSH connection everything goes fine.
> >
> > When I download a file via HTTP the first failover works, but the
> > failback breaks the connection and the download stops. Tracing the
> > connection show that during the failback the HTTP Server sends a package
> > to the virtual NAT address of my firewall and the firewall send a TCP RST
> > back and thus stops the connection.
> >
> > Of course I tried first to sync the connection table and after that set
> > up my virtual addresses, but it seems that it does not help.
> >
> > A similar problem was described from Abhijit Menon-Sen on Oct, 30th 2007
> > on the nf-failover mailing list. But I did not find any solution there.
> >
> > My system:
> > debian lenny.
> > Kernel 2.6.26-1-686
>
> I remember that this kernel version has some problems if your setup has
> any helper, if so, I suggest you to upgrade to latest linux kernel.
>
> > conntrackd version 0.9.6-4
>
> This is rather old conntrack-tools version. Could you try latest
> conntrack-tools version from www.netfilter.org?
>
> Using the latest primary-backup.sh script from git.netfilter.org instead
> of the old ones that you are using would be also a good idea:
>
> http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=tree;f=
>doc/sync;h=d0e3afe1bca3a581d246fa0b07b67bb8175295f6;hb=HEAD
>
> > Mode: FTFW, heartbeat as HA solution.
> >
> > My firewall does allow everything. The only rule is the NAT rule that
> > translats all packets comming from internal to the virtual external
> > address.
>
> Your firewall has to drop invalid packets at least, see the example
> rule-set in the website. The firewall sends a TCP RST to the client if
> it didn't find the NAT information, this happens when the conntrack
> entry does not exist.
>
> > Any idea what could be wrong? How could I trace the problem further?
>
> After the first failover, check the primary's internal cache and
> backup's external cache with the commands:
>
> show internal cache (do this in the primary):
> # conntrackd -i
>
> show external cache (do this in the backup):
> # conntrackd -e
>
> They should show the same entries.

Hi,

I did an update to:
kernel 2.6.28-1
libnfnetlink 0.0.40
libnetfilter_conntrack-0.0.99
and
conntrack-tools-0.9.11

No it seems to work everything. Thanks for your help.

Waiting to see these packages in the "usual" distributions ...

-- 
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Addresse: Bretonischer Ring 7; 85630 Grasbrunn; Germany
Tel: +49 - 89 - 45 69 11 0
Fax: +49 - 89 - 45 69 11 21
mob: +49 - 174 - 343 28 75

mail: misch@multinet.de
web: www.multinet.de

Sitz der Gesellschaft: 85630 Grasbrunn
Registergericht: Amtsgericht München HRB 114375
Geschäftsführer: Günter Jurgeneit, Hubert Martens

---

PGP Fingerprint: F919 3919 FF12 ED5A 2801 DEA6 AA77 57A4 EDD8 979B
Skype: misch42