
RE: Question about keep state and TCP state table timing


Kevin Hoffman

Mar 13, 2012, 11:35:51 AM
Hi Darren,

> Which Solaris 10 Update are you using?

We're using Solaris 10 update 10.

> Not as such.
> What should happen is that the first SYN packet should prompt ipfilter to discard the old state information quickly and in addition, drop that packet. When the SYN gets retransmitted, state should get created.

In most cases, this seems to happen. But there were a few cases where we saw the SYN packet get transmitted several times by the Linux client over a period of several minutes (e.g., 30 minutes), and the TCP connection would not set up until we disabled the firewall service, after which things proceeded normally. Unfortunately we didn't dump the TCP state tables before we shut down the ipfilter service. Once we get a test environment that we can replicate this on, we'll try dumping the TCP state tables as well as logging rejected packets to try and get more information. Is there anything else we should gather in our diagnosis?

Thanks a lot,
--Kevin

Kevin Hoffman

Mar 13, 2012, 10:54:34 PM
> Unfortunately I've helped about as far as I can with this and to go further, you'll need a support contract with Oracle. This is because the source code is closed and I cannot begin to guess what it does without looking at it.
>
> To make any further meaningful progress, you would need to download version 5.1.1 from http://coombs.anu.edu.au/~avalon/ and get that running.

No problem, we've got an active support contract with Oracle and will proceed there. We thought we would try the mailing list first in case others had seen it before. We did get a direct response from Eric Behr indicating that they had seen a similar scenario (Novell client mounting SMB shares with the same port; ipfilter was rejecting the new connection as TCP out-of-window), and they were able to get around the issue with a rule that had the option "with oow" -- we will also be trying this in the test environment.

I appreciate your time and the responses.

Best,
Kevin
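A constructed ipf.conf fragment, added here as an example and not posted in the thread, showing how the out-of-window rejections Kevin wants to capture could be logged before the "with oow" workaround is tried. Interface name, client network and port are placeholders; the rule ordering and the `with oow` keyword are assumed from ipf(5), not taken from Eric Behr's actual rule.

```conf
# Constructed example, not from the thread. Placeholders: e1000g0, 192.0.2.0/24, port 445.
#
# Diagnostic step: log every inbound TCP packet that ipfilter classifies as
# out-of-window against an existing state entry (the condition Kevin reports
# for the retransmitted SYNs). "quick" stops evaluation here, so these packets
# are still dropped, but now appear in the ipmon log instead of vanishing
# silently. Pair this with "ipfstat -sl" (assumed flags) to dump the state
# table while the Linux client is retrying its SYN.
block in log quick on e1000g0 proto tcp from any to any with oow

# Normal stateful rule for the service (SMB on 445 in the scenario described).
# Stale entries for a reused client port are what the SYN is expected to purge.
pass in quick on e1000g0 proto tcp from 192.0.2.0/24 to any port = 445 flags S keep state

# Default-deny remainder.
block in log quick on e1000g0 all
```

Only after the log confirms that the out-of-window packets are the legitimate retransmitted SYNs should the first rule be changed from `block` to `pass`, which is the shape of the workaround Kevin mentions; left as `block ... log`, it is a pure detection rule.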
