Solved

iptables causes connection stall

Posted on 2013-01-16
1
663 Views
Last Modified: 2013-01-16
We are having connection stall issues on many of our http servers. As a test I have created a script that connects to the webserver using curl and tries do download a txt file of about 3mb size.

Every now and then the speed goes down to 0 and the connection hangs.

When I disable iptables the problem resolves and everything works ok.

iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  2080 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
   17  1924 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1564 bytes)
 pkts bytes target     prot opt in     out     source               destination

Open in new window


There is couple of routers and firewalls in between.

Any ideas what this could cause?

Ah. I use Centos 6.3 Kernel 2.6.32-279.19.1.el6.x86_64 Iptables version is: iptables-1.4.7-5.1.el6_2.x86_64
0
Comment
Question by:un1x86
1 Comment
 
LVL 11

Accepted Solution

by:
un1x86 earned 0 total points
ID: 38782063
I found the problem.

By default CentOS had ipv_sack enabled which is a good thing. But somehow on the firewall the packages with SACK were dropped because it did not understand what it is.

So there are 2 solutions:

1. Have a modern firewall that understands and accepts SACK
2. Disable SACK on the server with

sysctl –w sysctl -w net.ipv4.tcp_sack=0

Open in new window

0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have a server on collocation with the super-fast CPU, that doesn't mean that you get it running at full power. Here is a preamble. When doing inventory of Linux servers, that I'm administering, I've found that some of them are running on l…
If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
Learn how to get help with Linux/Unix bash shell commands. Use help to read help documents for built in bash shell commands.: Use man to interface with the online reference manuals for shell commands.: Use man to search man pages for unknown command…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question