Mailing List Archive

TCP connect() times out
I got an odd new problem.

The host in question is on a five-node LAN sitting behind a NAT
gateway.

I can

a. ping any host on the LAN or Internet (i.e., ICMP works fine)
b. query any DNS server on LAN or Internet (UDP works fine)
c. receive TCP connections from LAN or Internet
d. initiate TCP connections to hosts on LAN

I cannot

* initiate TCP connections to hosts on the Internet

The problem isn't specific to any TCP protocol; they all fail: smtp,
telnet, ftp, http, ...

I'm working on isolating the interesting parts of strace output; right
now the only thing that leaps out at me is that connect() is timing
out, e.g.,

connect(3, {sa_family=AF_INET, sin_port=htons(80),
sin_addr=inet_addr("129.95.36.100")}, 16) = -1 ETIMEDOUT (Connection
timed out)

Clues?

-- Paul Heinlein <heinlein@madboa.com>
--
gentoo-sparc@gentoo.org mailing list
Re: TCP connect() times out
I had a similar problem on 2.4, I was unable to initiate any TCP
connections from the local host to the local host... never figured out
what it was (upgraded to 2.6).

Andrew

On Sat, 2005-07-09 at 22:49 -0700, Paul Heinlein wrote:
> I got an odd new problem.
>
> The host in question is on a five-node LAN sitting behind a NAT
> gateway.
>
> I can
>
> a. ping any host on the LAN or Internet (i.e., ICMP works fine)
> b. query any DNS server on LAN or Internet (UDP works fine)
> c. receive TCP connections from LAN or Internet
> d. initiate TCP connections to hosts on LAN
>
> I cannot
>
> * initiate TCP connections to hosts on the Internet
>
> The problem isn't specific to any TCP protocol; they all fail: smtp,
> telnet, ftp, http, ...
>
> I'm working on isolating the interesting parts of strace output; right
> now the only thing that leaps out at me is that connect() is timing
> out, e.g.,
>
> connect(3, {sa_family=AF_INET, sin_port=htons(80),
> sin_addr=inet_addr("129.95.36.100")}, 16) = -1 ETIMEDOUT (Connection
> timed out)
>
> Clues?
>
> -- Paul Heinlein <heinlein@madboa.com>

Re: TCP connect() times out
On Sun, 10 Jul 2005, Andrew Ruef wrote:

> I had a similar problem on 2.4, I was unable to initiate any TCP
> connections from the local host to the local host... never figured
> out what it was (upgraded to 2.6).

TCP over loopback works fine. TCP to LAN hosts works fine. UDP and
ICMP to any hosts works fine. Inbound TCP from anywhere works fine.

It's only routed (non-LAN) outbound TCP that's the problem -- and only
from the problem host; all my other machines on the same LAN are still
in good shape.

I ran tcpdump on the problem host and saw only SYNs being sent. I ran
tcpdump on the target host and never saw the inbound packets.

There are no iptables rules; it's ACCEPT across the board.

Ordinarily, I'd look for routing problems, but routing would also
affect UDP and ICMP, right?

-- Paul Heinlein <heinlein@madboa.com>
RE: TCP connect() times out
Yes, it would...

The machine sends SYNs outbound to the remote hosts? Does it send ICMP
requests? This sounds more like a topology / firewall problem than a host
problem. If that machine never receives a SYN/ACK back then something is
blocking outgoing TCP connections..?

Andrew

-----Original Message-----
From: Paul Heinlein [mailto:heinlein@madboa.com]
Sent: Sunday, July 10, 2005 2:42 AM
To: gentoo-sparc@lists.gentoo.org
Subject: Re: [gentoo-sparc] TCP connect() times out

On Sun, 10 Jul 2005, Andrew Ruef wrote:

> I had a similar problem on 2.4, I was unable to initiate any TCP
> connections from the local host to the local host... never figured
> out what it was (upgraded to 2.6).

TCP over loopback works fine. TCP to LAN hosts works fine. UDP and
ICMP to any hosts works fine. Inbound TCP from anywhere works fine.

It's only routed (non-LAN) outbound TCP that's the problem -- and only
from the problem host; all my other machines on the same LAN are still
in good shape.

I ran tcpdump on the problem host and saw only SYNs being sent. I ran
tcpdump on the target host and never saw the inbound packets.

There are no iptables rules; it's ACCEPT across the board.

Ordinarily, I'd look for routing problems, but routing would also
affect UDP and ICMP, right?

-- Paul Heinlein <heinlein@madboa.com>
Re: SOLVED: TCP connect() times out
The problem seems to have been that tcp congestion notification
(net.ipv4.tcp_ecn) had been turned on, which doesn't work and play
well with my internet connection. Turning it off got things working
again.

My guess (and it's only a guess) is that /etc/sysctl.conf was tweaked
when I emerged sys-apps/baselayout back on June 10. When I rebooted
the machine yesterday morning, it got a new ECN setting, which hosed
things.

Well, that blew a few hours of my time. Feh. :-)

On Sat, 9 Jul 2005, Paul Heinlein wrote:

> I got an odd new problem.
>
> The host in question is on a five-node LAN sitting behind a NAT gateway.
>
> I can
>
> a. ping any host on the LAN or Internet (i.e., ICMP works fine)
> b. query any DNS server on LAN or Internet (UDP works fine)
> c. receive TCP connections from LAN or Internet
> d. initiate TCP connections to hosts on LAN
>
> I cannot
>
> * initiate TCP connections to hosts on the Internet
>
> The problem isn't specific to any TCP protocol; they all fail: smtp, telnet,
> ftp, http, ...
>
> I'm working on isolating the interesting parts of strace output; right now
> the only thing that leaps out at me is that connect() is timing out, e.g.,
>
> connect(3, {sa_family=AF_INET, sin_port=htons(80),
> sin_addr=inet_addr("129.95.36.100")}, 16) = -1 ETIMEDOUT (Connection timed
> out)
>
> Clues?
>
> -- Paul Heinlein <heinlein@madboa.com>

-- Paul Heinlein <heinlein@madboa.com>
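
[Added example, not part of the original thread: a sketch of how to tell from captured TCP headers whether unanswered SYNs are ECN-setup SYNs (SYN with ECE and CWR set, per RFC 3168), which is what a host sends when net.ipv4.tcp_ecn requests ECN. The helper names, ports and sample captures are constructed for illustration.]

```python
import struct

# Flag bits in byte 13 of the TCP header; ECE and CWR are the ECN bits (RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def make_header(flags, sport=40000, dport=80):
    """Build a constructed 20-byte TCP header (checksum left at zero)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, flags, 5840, 0, 0)

def classify(header):
    """Name the handshake role of one raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    f = header[13]
    if f & RST:
        return "rst"
    if (f & SYN) and (f & ACK):
        # ECN-setup SYN-ACK: ECE set, CWR clear
        return "ecn-synack" if (f & ECE) and not (f & CWR) else "synack"
    if f & SYN:
        # ECN-setup SYN: both ECE and CWR set
        return "ecn-syn" if (f & ECE) and (f & CWR) else "syn"
    return "other"

def diagnose(headers):
    """Summarise a capture taken on the connecting host."""
    kinds = [classify(h) for h in headers]
    if any(k in ("synack", "ecn-synack") for k in kinds):
        return "answered"
    if "rst" in kinds:
        return "refused"
    if kinds and all(k == "ecn-syn" for k in kinds):
        return "unanswered-ecn-syn"  # retest with net.ipv4.tcp_ecn=0
    if kinds and all(k == "syn" for k in kinds):
        return "unanswered-syn"      # ECN is not the variable; look elsewhere
    return "inconclusive"

# Constructed captures: three retransmitted ECN-setup SYNs with no reply,
# and a plain SYN answered by a SYN-ACK once ECN is switched off.
ECN_HOST = [make_header(SYN | ECE | CWR)] * 3
AFTER_FIX = [make_header(SYN), make_header(SYN | ACK, sport=80, dport=40000)]

if __name__ == "__main__":
    print(diagnose(ECN_HOST), diagnose(AFTER_FIX))
```
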
Re: SOLVED: TCP connect() times out
From: Paul Heinlein <heinlein@madboa.com>
Date: Sun, 10 Jul 2005 08:07:26 -0700 (PDT)

> The problem seems to have been that tcp congestion notification
> (net.ipv4.tcp_ecn) had been turned on, which doesn't work and play
> well with my internet connection. Turning it off got things working
> again.

You should inform the person running the firewall in between your two
systems to get their stuff fixed. Silently dropping packets with the
TCP ECN bits set is illegal.
Re: SOLVED: TCP connect() times out
On Sun, 10 Jul 2005, David S. Miller wrote:

> You should inform the person running the firewall in between your
> two systems to get their stuff fixed. Silently dropping packets
> with the TCP ECN bits set is illegal.

OK. I'll bite. Can you provide me a pointer that spells out the
legal[1] ramifications of dropping ECN bits?

-- Paul Heinlein <heinlein@madboa.com>

[1] Legal in the sense of criminal or civil code, not in the sense of
RFC 3360.
RE: SOLVED: TCP connect() times out
I believe he is speaking in terms of the legality of the RFC :-P

Andrew

-----Original Message-----
From: Paul Heinlein [mailto:heinlein@madboa.com]
Sent: Sunday, July 10, 2005 6:06 PM
To: gentoo-sparc@lists.gentoo.org
Subject: Re: [gentoo-sparc] SOLVED: TCP connect() times out

On Sun, 10 Jul 2005, David S. Miller wrote:

> You should inform the person running the firewall in between your
> two systems to get their stuff fixed. Silently dropping packets
> with the TCP ECN bits set is illegal.

OK. I'll bite. Can you provide me a pointer that spells out the
legal[1] ramifications of dropping ECN bits?

-- Paul Heinlein <heinlein@madboa.com>

[1] Legal in the sense of criminal or civil code, not in the sense of
RFC 3360.
Re: SOLVED: TCP connect() times out
From: Paul Heinlein <heinlein@madboa.com>
Date: Sun, 10 Jul 2005 16:06:18 -0700 (PDT)

> On Sun, 10 Jul 2005, David S. Miller wrote:
>
> > You should inform the person running the firewall in between your
> > two systems to get their stuff fixed. Silently dropping packets
> > with the TCP ECN bits set is illegal.
>
> OK. I'll bite. Can you provide me a pointer that spells out the
> legal[1] ramifications of dropping ECN bits?
>
> -- Paul Heinlein <heinlein@madboa.com>
>
> [1] Legal in the sense of criminal or civil code, not in the sense of
> RFC 3360.

I didn't mean it was illegal in the sense of criminal or
civil code. I can't believe that in a technical discussion
you would interpret illegal in that way, that's just silly.