PF 7.1 Preerelease problem.

[Jose Amengual]

Ho guys.

I install a Freebsd 7.1 as a firewall with pf, jails for mail etc.

I was starting having problems with the mails in the defer spool with
error messages like "time out" and I check the message log and I found
this :

TCP: [58.9.5.38]:48146 to [10.0.0.11]:25 tcpflags 0x14<RST,ACK>;
syncache_chkrst: Spurious RST with ACK, SYN or FIN flag set, segment
ignored
TCP: [10.0.0.11]:10024 to [10.0.0.11]:65215 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [192.168.168.157]:60139 to [10.0.0.11]:110 tcpflags 0x4<RST>;
syncache_chkrst: Spurious RST without matching syncache entry
(possibly syncookie only), segment ignored
TCP: [192.168.150.101]:1188 to [10.0.0.11]:110 tcpflags 0x2<SYN>;
_syncache_add: Received duplicate SYN, resetting timer and
retransmitting SYN|ACK
TCP: [10.0.0.11]:10024 to [10.0.0.11]:64412 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [10.0.0.11]:10024 to [10.0.0.11]:60048 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [10.0.0.11]:10024 to [10.0.0.11]:56838 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [65.54.244.72]:25 to [10.0.0.11]:54881 tcpflags
0x19<FIN,PUSH,ACK>; tcp_do_segment: FIN_WAIT_1: Received 71 bytes of
data after socket was closed, sending RST and removing tcpcb
TCP: [10.0.0.11]:10024 to [10.0.0.11]:59431 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [10.0.0.11]:10024 to [10.0.0.11]:62617 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [221.192.149.119]:37691 to [200.27.171.194]:22; syncache_timer:
Response timeout, retransmitting (1) SYN|ACK
TCP: [192.168.168.157]:60143 to [10.0.0.11]:25 tcpflags 0x4<RST>;
syncache_chkrst: Spurious RST without matching syncache entry
(possibly syncookie only), segment ignored
TCP: [195.245.230.131]:25 to [10.0.0.11]:54615 tcpflags
0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_1: Received 39 bytes of data
after socket was closed, sending RST and removing tcpcb
Connection attempt to UDP 10.0.0.11:25969 from 192.168.168.1:53
TCP: [10.0.0.11]:10024 to [10.0.0.11]:65086 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [192.168.150.130]:2167 to [10.0.0.11]:25 tcpflags 0x4<RST>;
syncache_chkrst: Spurious RST without matching syncache entry
(possibly syncookie only), segment ignored
Connection attempt to UDP 10.0.0.11:14486 from 200.27.2.7:53
TCP: [192.168.168.157]:60056 to [10.0.0.11]:110 tcpflags 0x4<RST>;
syncache_chkrst: Spurious RST without matching syncache entry
(possibly syncookie only), segment ignored
TCP: [10.0.0.11]:10024 to [10.0.0.11]:62813 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [10.0.0.11]:10024 to [10.0.0.11]:57904 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [200.91.27.33]:25 to [10.0.0.11]:62292 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 17 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [81.75.251.139]:51325 to [10.0.0.11]:25 tcpflags 0x14<RST,ACK>;
syncache_chkrst: Spurious RST with ACK, SYN or FIN flag set, segment
ignored
TCP: [10.0.0.11]:25 to [200.27.171.194]:60795 tcpflags 0x12<SYN,ACK>;
tcp_input: Connection attempt to closed port
TCP: [200.27.171.194]:60795 to [10.0.0.11]:25 tcpflags 0x4<RST>;
syncache_chkrst: Our SYN|ACK was rejected, connection attempt aborted
by remote endpoint
TCP: [10.0.0.11]:10024 to [10.0.0.11]:63130 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [10.0.0.11]:10024 to [10.0.0.11]:57051 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [192.168.150.130]:2171 to [10.0.0.11]:25 tcpflags 0x4<RST>;
syncache_chkrst: Spurious RST without matching syncache entry
(possibly syncookie only), segment ignored
TCP: [221.192.149.119]:44046 to [200.27.171.194]:22; syncache_timer:
Response timeout, retransmitting (1) SYN|ACK
Connection attempt to UDP 10.0.0.11:46152 from 192.168.168.1:53
TCP: [10.0.0.11]:110 to [200.27.171.194]:52781 tcpflags 0x12<SYN,ACK>;
tcp_input: Connection attempt to closed port
TCP: [200.27.171.194]:52781 to [10.0.0.11]:110 tcpflags 0x4<RST>;
syncache_chkrst: Our SYN|ACK was rejected, connection attempt aborted
by remote endpoint
TCP: [10.0.0.11]:10024 to [10.0.0.11]:57348 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [192.168.168.157]:60061 to [10.0.0.11]:110 tcpflags 0x4<RST>;
syncache_chkrst: Spurious RST without matching syncache entry
(possibly syncookie only), segment ignored
TCP: [221.192.149.119]:45265 to [200.27.171.194]:22; syncache_timer:
Response timeout, retransmitting (1) SYN|ACK
TCP: [221.192.149.119]:45951 to [200.27.171.194]:22; syncache_timer:
Response timeout, retransmitting (1) SYN|ACK
TCP: [10.0.0.11]:110 to [200.27.171.194]:53722 tcpflags 0x12<SYN,ACK>;
tcp_input: Connection attempt to closed port
TCP: [200.27.171.194]:53722 to [10.0.0.11]:110 tcpflags 0x4<RST>;
syncache_chkrst: Our SYN|ACK was rejected, connection attempt aborted
by remote endpoint
TCP: [10.0.0.11]:10024 to [10.0.0.11]:59020 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [118.136.197.127]:61865 to [10.0.0.11]:25 tcpflags 0x14<RST,ACK>;
syncache_chkrst: Spurious RST with ACK, SYN or FIN flag set, segment
ignored
TCP: [10.0.0.11]:10024 to [10.0.0.11]:50065 tcpflags 0x18<PUSH,ACK>;
tcp_do_segment: FIN_WAIT_2: Received 64 bytes of data after socket was
closed, sending RST and removing tcpcb
TCP: [221.192.149.119]:46739 to [200.27.171.194]:22; syncache_timer:
Response timeout, retransmitting (1) SYN|ACK
TCP: [10.0.0.11]:110 to [200.27.171.194]:57522 tcpflags 0x12<SYN,ACK>;
tcp_input: Connection attempt to closed port
TCP: [200.27.171.194]:57522 to [10.0.0.11]:110 tcpflags 0x4<RST>;
syncache_chkrst: Our SYN|ACK was rejected, connection attempt aborted
by remote endpoint
TCP: [10.0.0.11]:110 to [200.27.171.194]:50027 tcpflags 0x12<SYN,ACK>;
tcp_input: Connection attempt to closed port
TCP: [200.27.171.194]:50027 to [10.0.0.11]:110 tcpflags 0x4<RST>;
syncache_chkrst: Our SYN|ACK was rejected, connection attempt aborted
by remote endpoint
TCP: [192.168.168.157]:60095 to [10.0.0.11]:110 tcpflags 0x4<RST>;
syncache_chkrst: Spurious RST without matching syncache entry
(possibly syncookie only), segment ignored
TCP: [200.27.163.29]:42513 to [10.0.0.11]:25 tcpflags 0x4<RST>;
syncache_chkrst: Spurious RST without matching syncache entry
(possibly syncookie only), segment ignored

The 10.0.0 are my jails and the rest is normal connections.

What s this ?

I'm using exactly the same setup in the same network with a 6.4 and no
problem ( the same company, new server ).

The problems is that my postfix jail is defferring mails because of
the connection errors.

Please advice.

Thanks.

_______________________________________________
freebsd...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-curre...@freebsd.org"

[Julian Stacey]

> I install a Freebsd 7.1 as a firewall with pf, jails for mail etc.

....

> The problems is that my postfix jail is defferring mails because of
> the connection errors.
>
> Please advice.

Just a possibility:
Do uour pings to other hosts look good/ normal ?
Or have the times gone up maybe ?

I saw a problem on 7.1-BETA-i386-disc1.iso that went away with
7.1-BETA2-i386-disc1.iso see:

Subject: Re: rl0: watchdog timeout + 40,000 ms ping with 7.1-BETA-i386-disc1.iso
To: sta...@freebsd.org
Date: Fri, 17 Oct 2008 14:57:28 +0200

http://lists.freebsd.org/pipermail/freebsd-stable/2008-September/045337.html

Cheers,
Julian
--
Julian Stacey: BSDUnixLinux C Prog Admin SysEng Consult Munich www.berklix.com
Mail plain ASCII text. HTML & Base64 text are spam. www.asciiribbon.org

[Jose Amengual]

Hi.

I install the server with a the version 7.0-STABLE-200807-i386-disc1
then I did a cvsup with the stable sup file using cvsup2.freebsd.org
and that update my system to 7.1-PRERELEASE, and after I got all the
problem.

the ping was working ok, I didn't notice any weird thing.

Now I rollback using stable-supfile with RELENG_7_0 to see what happen.

The most strange thing is that not ALL the connections fails.

[Jose Amengual M]

With FreeBSD 7.0-P5 is the same issue.

anyone have a clue ?