[x]
Posted via EE Mobile

Search, ask, and monitor your questions on the go with EE Mobile. Visit Experts Exchange from your mobile device and never be out of touch again.
Question
[x]
Attachment Details
[x]
The Solution Rating System

With so many solutions, how can you tell which solutions are most likely to help you and which ones are not? To provide you with a tool to use, we rate our solutions based on various elements that most accurately determine if a solution is a quality solution. To explain what factors affect the solution rating, here are the elements we take into consideration when formulating our solution rating.

  • The Grade of the Solution
  • The Zone Rank of the Expert Providing the Solution
  • The Number of Author and Expert Comments
  • The Number of Experts Contributing
  • The Feedback of the Community

Your Input Matters
Because of the way the system is set up, the most important variable in this equation is you. As a member of Experts Exchange, you are able to cast your vote on the quality of the solutions in regard to how complete, accurate, helpful and easy to understand each solution is. When you provide your feedback, each rating is adjusted accordingly. So, if you see a solution that has a poor rating that you think is a good solution, let us know by rating it. As you do, the rating will be adjusted and will become more accurate for other members of our site.

If you have any suggestions that you would like to make for our rating system, please ask a question in the Suggestions Zone of Community Support.

Thank you!
4.6

TCP connections hang in SYN_SENT

Asked by pfenerty in Linux Networking

Tags: syn_sent, tcp

Hello,

I have an intermittent TCP connection problem that affects multiple PCs on a home LAN:

Background:
- all TCP connections from the LAN are masqueraded through an IPCop Linux firewall/gateway
- IPCop is a stock 1.4.6 install ... no addons or modifications
- packets leaving the gateway are routed onto the WAN by way of a Motorola SB3100 Cable Modem
- normal firewall/gateway/LAN behavior was observed for several months before problem was first noticed

Problem:
- all outbound TCP connections intermittently do not complete for a given PC
- all such connection attempts during the problem period remain in state SYN_SENT in gateway connection table
- ping and traceroute to WAN destinations work OK as always during the problem period
- problem occurs typically in firefox 1.5.0.1 on fully patched WindowsXP
- problem also reproduced in netscape 4.7 on Linux 2.2.16 (!)
- typically only one PC is affected at a time
- i.e., other PCS on the LAN routinely establish TCP connections OK while the affected one cannot
- frequency of occurrence is typically several times per week, but typically not more than once per day

Problem Resolution:
- TCP connections, for the affected PC, begin routinely completing again after any of:
  (a) Rebooting the affected PC ... never the gateway
  (b) waiting sufficiently ... tens of minutes to hours
  (c) connection flooding ... multiple rapid repeat browser page reload requests from the affected PC ... 20 to 30 typically

Troubleshooting, so far:
- winXP PCS run Norton AV, Spybot S&D, AD-Aware SE
- IPCop firewall runs rkhunter
- (unreplied) outbound SYN packets from the affected PCs appear on the firewall WAN interface (!)
- these SYN packets appear to be well-formed, at least as far as I can tell, and seem to match subsequent, successfully SYN_ACKed packets

Discusssion:
Initially I thought this would be a Microsoft problem. But then I saw it occur on an old Linux box. So, after packet-sniffing the gateway LAN interface during the problem, and seeing, coming from the affected PC, first only a successful (UDP) DNS transaction, and then followed by groups of three unreplied TCP SYN request packets, one group for each time the connection is tried, I thought that for sure I'd find dropped packets at the firewall. But after inserting log messages up and down the gateway's netfilter chains, none of which caught anything, I eventually moved the sniffer to the gateway's WAN interface, and found there the same three lonely unreplied TCP SYN request packets that had been visible on the LAN side:

WAN interface packet capture:
- packets are sniffed against filter 'host 66.249.81.99' ... google_news server
- google_news server IPaddress determined just prior to packet capture using a non-affected PC
- STEP 1: unreplied SYN packets captured by google_news browser page request from affected PC
- STEP 2: affected PC is rebooted
- STEP 3: completed TCP connection packets captured as per STEP 1
- no changes made to the gateway, or to the laptop running ethereal, other than to start and stop packet capture, during above STEPs

So, where do the SYN packets go? Why are they ignored, intermittently? Is another subscriber on my cable feeder line hijacking them? Perhaps more to the point, at least initially, is if the packets are properly SNATed at the firewall, as they appear to be, how can the problem appear, at the WAN interface, to be localized to a single host on the LAN? And for different PCs, at different times?

??

Thanks so much!
Paul

****************************************************************************************************
From the above mentioned packet capture session, here's the first outbound SYN packet that remains UNREPLIED, such that the connection hangs in state SYN_SENT:

** Note that it is the 7th captured packet for the session. The captured browser page request was preceded by a single google_news 'ping' from the gateway, to verify last minute-reachability (3 ICMP ping requests, 3 replies).


No.     Time        Source                Destination           Protocol Info
      7 32.246799   72.134.170.173        66.249.81.99          TCP      3186 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460

Frame 7 (62 bytes on wire, 62 bytes captured)
    Arrival Time: Feb  3, 2006 12:57:16.931563000
    Time delta from previous packet: 30.040320000 seconds
    Time since reference or first frame: 32.246799000 seconds
    Frame Number: 7
    Packet Length: 62 bytes
    Capture Length: 62 bytes
    Protocols in frame: eth:ip:tcp
Ethernet II, Src: Shuttle_3a:ca:6f (00:30:1b:3a:ca:6f), Dst: USRoboti_40:54:70 (00:c0:49:40:54:70)
    Destination: USRoboti_40:54:70 (00:c0:49:40:54:70)
    Source: Shuttle_3a:ca:6f (00:30:1b:3a:ca:6f)
    Type: IP (0x0800)
Internet Protocol, Src: 72.134.170.173 (72.134.170.173), Dst: 66.249.81.99 (66.249.81.99)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xa07e (41086)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0xd39b [correct]
        Good: True
        Bad : False
    Source: 72.134.170.173 (72.134.170.173)
    Destination: 66.249.81.99 (66.249.81.99)
Transmission Control Protocol, Src Port: 3186 (3186), Dst Port: http (80), Seq: 0, Ack: 0, Len: 0
    Source port: 3186 (3186)
    Destination port: http (80)
    Sequence number: 0    (relative sequence number)
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0x6f71 [correct]
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted


****************************************************************************************************
From the above mentioned packet capture session, here's the first outbound SYN packet that is successfully SYN_ACKed, after reboot of the affected PC, such that a connection attempt completes:

No.     Time        Source                Destination           Protocol Info
      1 0.000000    72.134.170.173        66.249.81.99          TCP      3230 > http [SYN] Seq=0 Ack=0 Win=65535 Len=0 MSS=1460

Frame 1 (62 bytes on wire, 62 bytes captured)
    Arrival Time: Feb  3, 2006 13:14:38.485541000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 62 bytes
    Capture Length: 62 bytes
    Protocols in frame: eth:ip:tcp
Ethernet II, Src: Shuttle_3a:ca:6f (00:30:1b:3a:ca:6f), Dst: USRoboti_40:54:70 (00:c0:49:40:54:70)
    Destination: USRoboti_40:54:70 (00:c0:49:40:54:70)
    Source: Shuttle_3a:ca:6f (00:30:1b:3a:ca:6f)
    Type: IP (0x0800)
Internet Protocol, Src: 72.134.170.173 (72.134.170.173), Dst: 66.249.81.99 (66.249.81.99)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0xa8cd (43213)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 127
    Protocol: TCP (0x06)
    Header checksum: 0xcb4c [correct]
        Good: True
        Bad : False
    Source: 72.134.170.173 (72.134.170.173)
    Destination: 66.249.81.99 (66.249.81.99)
Transmission Control Protocol, Src Port: 3230 (3230), Dst Port: http (80), Seq: 0, Ack: 0, Len: 0
    Source port: 3230 (3230)
    Destination port: http (80)
    Sequence number: 0    (relative sequence number)
    Header length: 28 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0x7873 [correct]
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

*****************************************

I found no Topic Area labelled 'TCP/IP', which would have been my first choice. So I have chosen "Linux Networking" (for the firewall gateway referenced below). Perhaps 'Broadband' would be a better choice? I suppose that depends on where the problem turns out to be.

I rate this 500 points not so much for urgency, as I have lived with this for a month or so by now. But I rate it pretty-damn-difficult, because I thought for sure that I'd have it figured out long ago.
[+][-]03/18/06 11:54 AM, ID: 16226180Accepted Solution

View this solution now by starting your 30-day free trial. Setting up your free trial is quick, easy, and secure. We will return you to this solution, unlocked, when you're done.

About this solution

Zone: Linux Networking
Tags: syn_sent, tcp
Sign Up Now!
Solution Provided By: dbardbar
Participating Experts: 2
Solution Grade: B
 
[+][-]02/13/06 03:36 AM, ID: 15940339Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]02/13/06 12:15 PM, ID: 15944605Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]02/18/06 12:00 PM, ID: 15990182Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]02/26/06 05:33 PM, ID: 16051889Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]02/26/06 05:55 PM, ID: 16051960Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]03/15/06 10:54 AM, ID: 16197238Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]03/16/06 06:06 AM, ID: 16204955Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
[+][-]03/16/06 11:58 AM, ID: 16208802Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]03/16/06 01:04 PM, ID: 16209569Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]03/18/06 11:07 AM, ID: 16225945Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]03/18/06 11:35 AM, ID: 16226090Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]03/18/06 12:26 PM, ID: 16226326Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]03/18/06 12:30 PM, ID: 16226343Author Comment

Often, when Experts are collaborating with members who have asked questions, they will request additional information about the problem. Askers respond with an author comment like this one.

Start your 30-day free trial to view this Author Comment or ask the Experts your question.

 
[+][-]03/18/06 12:33 PM, ID: 16226361Expert Comment

At Experts Exchange, members can ask their questions to thousands of technology professionals, also known as Experts. Experts compete and collaborate to answer those questions by leaving comments like this one.

Start your 30-day free trial to view this Expert Comment or ask the Experts your question.

 
 
Loading Advertisement...
20091111-EE-VQP-92