Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 698
  • Last Modified:

iptables causes connection stall

We are having connection stall issues on many of our http servers. As a test I have created a script that connects to the webserver using curl and tries do download a txt file of about 3mb size.

Every now and then the speed goes down to 0 and the connection hangs.

When I disable iptables the problem resolves and everything works ok.

iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  2080 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
   17  1924 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1564 bytes)
 pkts bytes target     prot opt in     out     source               destination

Open in new window


There is couple of routers and firewalls in between.

Any ideas what this could cause?

Ah. I use Centos 6.3 Kernel 2.6.32-279.19.1.el6.x86_64 Iptables version is: iptables-1.4.7-5.1.el6_2.x86_64
0
Chris Sandrini
Asked:
Chris Sandrini
1 Solution
 
Chris SandriniSenior System EngineerAuthor Commented:
I found the problem.

By default CentOS had ipv_sack enabled which is a good thing. But somehow on the firewall the packages with SACK were dropped because it did not understand what it is.

So there are 2 solutions:

1. Have a modern firewall that understands and accepts SACK
2. Disable SACK on the server with

sysctl –w sysctl -w net.ipv4.tcp_sack=0

Open in new window

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now