Solved

iptables causes connection stall

Posted on 2013-01-16
1
660 Views
Last Modified: 2013-01-16
We are having connection stall issues on many of our http servers. As a test I have created a script that connects to the webserver using curl and tries do download a txt file of about 3mb size.

Every now and then the speed goes down to 0 and the connection hangs.

When I disable iptables the problem resolves and everything works ok.

iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   28  2080 ACCEPT     all  --  any    any     anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     icmp --  any    any     anywhere             anywhere
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:ssh
    0     0 ACCEPT     tcp  --  any    any     anywhere             anywhere            state NEW tcp dpt:http
   17  1924 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     all  --  any    any     anywhere             anywhere            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 15 packets, 1564 bytes)
 pkts bytes target     prot opt in     out     source               destination

Open in new window


There is couple of routers and firewalls in between.

Any ideas what this could cause?

Ah. I use Centos 6.3 Kernel 2.6.32-279.19.1.el6.x86_64 Iptables version is: iptables-1.4.7-5.1.el6_2.x86_64
0
Comment
Question by:un1x86
1 Comment
 
LVL 11

Accepted Solution

by:
un1x86 earned 0 total points
ID: 38782063
I found the problem.

By default CentOS had ipv_sack enabled which is a good thing. But somehow on the firewall the packages with SACK were dropped because it did not understand what it is.

So there are 2 solutions:

1. Have a modern firewall that understands and accepts SACK
2. Disable SACK on the server with

sysctl –w sysctl -w net.ipv4.tcp_sack=0

Open in new window

0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Need To Change Centos 6 Timestamp Form In Log File 24 92
Can't connect to WAMP server 5 71
awk to variable in bash 2 70
centos commands 6 68
Introduction We as admins face situation where we need to redirect websites to another. This may be required as a part of an upgrade keeping the old URL but website should be served from new URL. This document would brief you on different ways ca…
If your site has a few sections that need to be secure when data is transmitted between the server and local computer, such as a /order/ section for ordering or /customer/ which contains customer data, etc it would of course be recommended to secure…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
Learn how to find files with the shell using the find and locate commands. Use locate to find a needle in a haystack.: With locate, check if the file still exists.: Use find to get the actual location of the file.:

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question