Can I ask you to also apply the TCP window scaling patch?
Or have you done that?
No - I didn't have that patch applied. I thought that it was only for vers
4.1.13, but I've just applied the (second TCP window scaling) patch to
4.1.16. Unfortunately it didn't seem to help.
However, what I did just try was to remove the FTP proxy line from
ipnat.conf .
ie: removed: map bge1 from 10.0.0.0/8 to 0.0.0.0/0 -> 0/32 proxy port ftp ftp/tcp
It looks like that definitely fixes the problem - the connections run much
much faster.
For example, previously all telnet sessions were taking around 5 seconds to
become usable - now it's instantaneous.
And the web browsing is way faster.
(Obviously it means that I can't do ftps, without the line in ipnat.conf, so
hopefully it's not the solution...)
I'll now download tcpdump and have a look for retransmissions.
I used snoop earlier and nothing appeared different between this firewall
and its IPF3.4 counterpart.
What I did notice before when snooping the telnet session, was that the
snoop showed packet flow between my host and the remote host well before the
telnet session "started" (ie prompt appeared). Now it's instantaneous.
I've attached output for ipnat -lvd, as you asked:
MAP 10.5.0.115 3796 <- -> my-public-ip 3796 [216.239.53.19 80]
ttl 477 use 0 sumd 0x216b/0x216b pr 6 bkt 5460/10816 flags 1
ifp X,X bytes 0/5920 pkts 0/5 ipsumd 216b
proxy ftp/6 use -49 flags 0
proto 6 flags 0 bytes 0 pkts 0 data YES size 344
state[0,0], sel[0,0]
seq: off 0/0 min 0/0
ack: off 0/0 min 0/0
FTP Proxy:
passok: 1
Client:
seq 0 (ack 0) len 0 junk 0 cmds 0
buf [\000]
Server:
seq bda1750e (ack 0) len 0 junk 0 cmds 0
buf [\000]
and
MAP 10.5.0.115 3792 <- -> my-public-ip 3792 [216.239.53.19 80]
ttl 468 use 0 sumd 0x216b/0x216b pr 6 bkt 4436/9792 flags 1
ifp X,X bytes 0/8840 pkts 0/7 ipsumd 216b
proxy ftp/6 use -49 flags 0
proto 6 flags 0 bytes 0 pkts 0 data YES size 344
state[0,0], sel[0,0]
seq: off 0/0 min 0/0
ack: off 0/0 min 0/0
FTP Proxy:
passok: 1
Client:
seq 0 (ack 0) len 0 junk 0 cmds 0
buf [\000]
Server:
seq cd7a08fb (ack 0) len 0 junk 0 cmds 0
buf [\000]
Cheers,
Corey.
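An added diagnostic aid, not part of the thread: a small parser for the ipnat -lvd session dump above that flags NAT sessions where a proxy is attached to a connection whose destination port is not the one that proxy handles (both entries above show the ftp proxy on port 80 sessions) or where the proxy use count has gone negative. The embedded output is abbreviated from the message; the PROXY_PORTS table is an assumption about which port each proxy is meant for.

```python
import re

# Abbreviated copy of the ipnat -lvd output from the message above
# (only the lines the parser reads are kept for each session).
IPNAT_OUTPUT = """\
MAP 10.5.0.115 3796 <- -> my-public-ip 3796 [216.239.53.19 80]
	ttl 477 use 0 sumd 0x216b/0x216b pr 6 bkt 5460/10816 flags 1
	proxy ftp/6 use -49 flags 0
	proto 6 flags 0 bytes 0 pkts 0 data YES size 344
MAP 10.5.0.115 3792 <- -> my-public-ip 3792 [216.239.53.19 80]
	ttl 468 use 0 sumd 0x216b/0x216b pr 6 bkt 4436/9792 flags 1
	proxy ftp/6 use -49 flags 0
	proto 6 flags 0 bytes 0 pkts 0 data YES size 344
"""

MAP_RE = re.compile(r"^\s*MAP (\S+) (\d+) <- -> (\S+) (\d+) \[(\S+) (\d+)\]")
PROXY_RE = re.compile(r"^\s*proxy (\w+)/(\d+) use (-?\d+) flags (\d+)")

# Assumption: the port each ipnat proxy is expected to be attached to.
PROXY_PORTS = {"ftp": 21}


def parse_ipnat(text):
    """Return one dict per MAP session, with any attached proxy recorded."""
    sessions, cur = [], None
    for line in text.splitlines():
        m = MAP_RE.match(line)
        if m:
            cur = {"src": m[1], "sport": int(m[2]), "nat": m[3],
                   "nport": int(m[4]), "dst": m[5], "dport": int(m[6]),
                   "proxy": None, "proxy_use": None}
            sessions.append(cur)
            continue
        p = PROXY_RE.match(line) if cur is not None else None
        if p:
            cur["proxy"], cur["proxy_use"] = p[1], int(p[3])
    return sessions


def misattached(sessions):
    """Sessions whose proxy does not fit the destination port, or has use < 0."""
    flagged = []
    for s in sessions:
        if s["proxy"] is None:
            continue
        reasons = []
        expected = PROXY_PORTS.get(s["proxy"])
        if expected is not None and s["dport"] != expected:
            reasons.append(f"{s['proxy']} proxy on port {s['dport']}")
        if s["proxy_use"] < 0:
            reasons.append(f"negative proxy use count {s['proxy_use']}")
        if reasons:
            flagged.append((s, reasons))
    return flagged


if __name__ == "__main__":
    for s, why in misattached(parse_ipnat(IPNAT_OUTPUT)):
        print(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']}: {'; '.join(why)}")
```

Feed it `ipnat -lvd | python3 thisscript.py`-style input by replacing IPNAT_OUTPUT with `sys.stdin.read()` to check a live box for the same symptom.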