Re: Dropped inbound packets from stateful allow rule

Fri, 16 Apr 2010 12:05:28 -0700 

Paul B. Henson wrote:

On Thu, 15 Apr 2010, Darren Reed wrote:


So there's one other issue that it could be and that is if
there are too many entries in the same hash bucket.


Got an update from Sun support, they're thinking it's a bug with
connections reusing the same source port...


Note, you are talking to Oracle support now, not Sun support...
although some people still work for a legal entity that bears the
name Sun, that will all end sooner rather than later.



-----------------------------------------------------------------------

I think I found a relationship with lost and blocked packets and what
triggers it.
It looks like it is an issue related to TCP ports being reused - similar
to this bug which was fixed a while ago.
  6531894 IPF blocks TCP SYN packets for connections in TIME_WAIT state
-> some clients can't reconnect

 04/14/10-15:59  270 in use  lost 1466
 04/14/10-16:00  323 in use  lost 1467

Apr 14 16:00:13 kyle ipmon[117]: [ID 702911 local0.warning]
16:00:13.167168 e1000g0 @20:11 b 134.71.247.43,43034 -> 134.71.247.14,80
PR tcp len 20 60 -S IN

 10 15:58:43.44771 134.71.247.14 -> 134.71.247.43 TCP D=43034 S=80 Fin
Ack=495580729 Seq=1186132000 Len=0 Win=49232 Options=<nop,nop,tstamp
171551837 1687035435>
 11 15:58:43.44781 134.71.247.43 -> 134.71.247.14 TCP D=80 S=43034
Ack=1186132001 Seq=495580729 Len=0 Win=54 Options=<nop,nop,tstamp
1687035435 171551837>
 - >12 16:00:13.16715 134.71.247.43 -> 134.71.247.14 TCP D=80 S=43034 Syn
Seq=1913409678 Len=0 Win=5840 Options=<mss 1460,sackOK,tstamp 1687057864
0,nop,wscale 7>
 13 16:00:13.16718 134.71.247.14 -> 134.71.247.43 TCP D=43034 S=80 Rst
Ack=1913409679 Win=0

 04/14/10-16:04  251 in use  lost 1467
 04/14/10-16:05  345 in use  lost 1468


Yup, I see what the problem and the fix is...

But I can't do their job and because you're working with Oracle on this
and I've told Oracle that I won't be working on IPFilter until I get an
amended employment agreement that doesn't give them ownership of anything
related to IPFilter that I do at home, I can't help you any further.
If I were to assist further, it would be as if I was working on
IPFilter for Oracle.

Sorry about that.

Darren

Reply via email to