Solved

iptables causes connection stall

Posted on 2013-01-16
1
652 Views
Last Modified: 2013-01-16
We are having connection stall issues on many of our http servers. As a test I have created a script that connects to the webserver using curl and tries do download a txt file of about 3mb size.

Every now and then the speed goes down to 0 and the connection hangs.

When I disable iptables the problem resolves and everything works ok.

iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  2080 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
   17  1924 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1564 bytes)
 pkts bytes target     prot opt in     out     source               destination

Open in new window


There is couple of routers and firewalls in between.

Any ideas what this could cause?

Ah. I use Centos 6.3 Kernel 2.6.32-279.19.1.el6.x86_64 Iptables version is: iptables-1.4.7-5.1.el6_2.x86_64
0
Comment
Question by:un1x86
1 Comment
 
LVL 11

Accepted Solution

by:
un1x86 earned 0 total points
ID: 38782063
I found the problem.

By default CentOS had ipv_sack enabled which is a good thing. But somehow on the firewall the packages with SACK were dropped because it did not understand what it is.

So there are 2 solutions:

1. Have a modern firewall that understands and accepts SACK
2. Disable SACK on the server with

sysctl –w sysctl -w net.ipv4.tcp_sack=0

Open in new window

0

Featured Post

Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question