
Re: syncache_timer: Response timeout and other msgs, whats up?


Andre Oppermann

Feb 3, 2008, 4:27:14 AM
Oskar Eyb wrote:
> Hello!
>
> A remote MTA cannot deliver me any email. The admin gets the following
> errors:
>
> "retry time not reached for any host after a long failure period"
> and "retry timeout exceeded".
>
> After I can't find anything related to this server in my postfix log, I
> grep'ed for <ip> in /var/log/* and got the following hits:
>
> [...]
> dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25 tcpflags
> 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and
> retransmitting SYN|ACK
> dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25;
> syncache_timer: Response timeout, retransmitting (1) SYN|ACK
> dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25;
> syncache_timer: Response timeout, retransmitting (2) SYN|ACK
> dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25;
> syncache_timer: Response timeout, retransmitting (3) SYN|ACK
> dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25;
> syncache_timer: Retransmits exhausted, giving up and removing syncache
> entry
>
> 85.214.42.62 is the other MTA, 172.16.0.2 is my jail.
> I use PF with rdr/nat on FreeBSD 7 RC4.

We have not released 7RC4 yet. You probably run BETA4. An upgrade to
7RC1 or 7RC2 in the next few days fixes all known TCP bugs.

Other than that it looks like your PF rule set may be not entirely
correct. Please post your pf.conf.

--
Andre

> In the daily security email I get dozens of messages like this, also to
> other tcp ports (e.g. 80)
>
> default-values for:
> net.inet.tcp.syncache.rst_on_sock_fail: 1
> net.inet.tcp.syncache.rexmtlimit: 3
> net.inet.tcp.syncache.hashsize: 512
> net.inet.tcp.syncache.count: 0
> net.inet.tcp.syncache.cachelimit: 15360
> net.inet.tcp.syncache.bucketlimit: 30
>
>
> Can anybody help me out of this?
_______________________________________________
freeb...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-net
To unsubscribe, send any mail to "freebsd-net...@freebsd.org"
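
An added example, not part of the original thread: a small parser that groups the `syncache` kernel messages quoted above by connection and reports which handshakes ran through all retransmits (`net.inet.tcp.syncache.rexmtlimit` is 3 in the post) without ever being answered. The function names and the `192.0.2.10` entry are assumptions made for the example.

```python
import re
from collections import defaultdict

# First five entries are the log lines from the post, unwrapped to one entry
# per line. The 192.0.2.10 entry is constructed for contrast.
SAMPLE = """\
dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25 tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and retransmitting SYN|ACK
dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25; syncache_timer: Response timeout, retransmitting (1) SYN|ACK
dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25; syncache_timer: Response timeout, retransmitting (2) SYN|ACK
dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25; syncache_timer: Response timeout, retransmitting (3) SYN|ACK
dmesg.yesterday:TCP: [85.214.42.62]:43127 to [172.16.0.2]:25; syncache_timer: Retransmits exhausted, giving up and removing syncache entry
dmesg.yesterday:TCP: [192.0.2.10]:50000 to [172.16.0.2]:80; syncache_timer: Response timeout, retransmitting (1) SYN|ACK
"""

LINE_RE = re.compile(
    r"TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\d+) to \[(?P<dst>[^\]]+)\]:(?P<dport>\d+)"
    r"[^;]*; syncache_\w+: (?P<msg>.*)$"
)
REXMT_RE = re.compile(r"retransmitting \((\d+)\) SYN\|ACK")


def summarize(text):
    """Return per-connection counters keyed by (src, sport, dst, dport)."""
    flows = defaultdict(lambda: {"dup_syn": 0, "rexmt": 0, "exhausted": False})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a syncache message
        flow = flows[(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))]
        msg = m["msg"]
        if "duplicate SYN" in msg:
            flow["dup_syn"] += 1
        r = REXMT_RE.search(msg)
        if r:  # keep the highest retransmit number seen for this connection
            flow["rexmt"] = max(flow["rexmt"], int(r.group(1)))
        if "Retransmits exhausted" in msg:
            flow["exhausted"] = True
    return dict(flows)


def unanswered(flows):
    """Count, per (src, dst, dport), handshakes whose SYN|ACK was never ACKed."""
    counts = defaultdict(int)
    for (src, _sport, dst, dport), flow in flows.items():
        if flow["exhausted"]:
            counts[(src, dst, dport)] += 1
    return dict(counts)
```

A duplicate SYN on the same address and port pair means the peer retransmitted because it never saw the SYN|ACK, so a single peer that shows both `dup_syn` and `exhausted` is worth checking against the return path through the rdr/nat rules.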

Oskar Eyb

Feb 3, 2008, 9:32:27 AM

Andre Oppermann wrote on 03.02.2008 10:26:
>> 85.214.42.62 is the other MTA, 172.16.0.2 is my jail.
>> I use PF with rdr/nat on FreeBSD 7 RC4.
>
> We have not released 7RC4 yet. You probably run BETA4. An upgrade to
> 7RC1 or 7RC2 in the next few days fixes all known TCP bugs.

Yeah of course, I mean BETA4. uname says: 7.0-PRERELEASE

Which tag is the best?
Currently I use release=cvs tag=RELENG_7. Will I get with this 7RC..?

> Other than that it looks like your PF rule set may be not entirely
> correct. Please post your pf.conf.


Except for the filter rules, this is the top of my pf.conf

<some macros>

set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }


# Normalization
#scrub in all

set optimization normal
set block-policy return


....


Oskar

Andre Oppermann

Feb 4, 2008, 3:42:54 AM
Oskar Eyb wrote:
>
> Andre Oppermann wrote on 03.02.2008 10:26:
>>> 85.214.42.62 is the other MTA, 172.16.0.2 is my jail.
>>> I use PF with rdr/nat on FreeBSD 7 RC4.
>>
>> We have not released 7RC4 yet. You probably run BETA4. An upgrade to
>> 7RC1 or 7RC2 in the next few days fixes all known TCP bugs.
>
> Yeah of course, I mean BETA4. uname says: 7.0-PRERELEASE
>
> Which tag is the best?
> Currently I use release=cvs tag=RELENG_7. Will I get with this 7RC..?

Yes. Please cvsup and recompile your kernel.

>> Other than that it looks like your PF rule set may be not entirely
>> correct. Please post your pf.conf.
>
>
> Except for the filter rules, this is the top of my pf.conf
>
> <some macros>
>
> set timeout { interval 30, frag 10 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
>
>
> # Normalization
> #scrub in all
>
> set optimization normal
> set block-policy return

This information is insufficient to see what happens in PF. I need to
see the actual firewall, nat and rdr rules. You can send them to me by
private mail (entire pf.conf).

--
Andre

Sergey Matveychuk

Feb 4, 2008, 10:06:38 AM
Andre Oppermann wrote:
> Oskar Eyb wrote:
>>
>> Andre Oppermann wrote on 03.02.2008 10:26:
>>>> 85.214.42.62 is the other MTA, 172.16.0.2 is my jail.
>>>> I use PF with rdr/nat on FreeBSD 7 RC4.
>>>
>>> We have not released 7RC4 yet. You probably run BETA4. An upgrade to
>>> 7RC1 or 7RC2 in the next few days fixes all known TCP bugs.
>>
>> Yeah of course, I mean BETA4. uname says: 7.0-PRERELEASE
>>
>> Which tag is the best?
>> Currently I use release=cvs tag=RELENG_7. Will I get with this 7RC..?
>
> Yes. Please cvsup and recompile your kernel.
>

Really, if he wants to get -RC1, he should cvsup tag=RELENG_7_0.
RELENG_7 still identified as -PRERELEASE.

--
Dixi.
Sem.
