On 2012-05-08 16:02, Stuart Henderson wrote:
> On 2012-05-08, [email protected] <[email protected]> wrote:
>> Hi misc,
>>
>> I'm about to set up two OpenBGPd machines. At the moment they are each
>> connected to two different upstream providers running OpenBGPd (and
>> OpenOSPFd on the internal interfaces). Operating system is
>>
>> OpenBSD test-a.openbgp.bla.com 5.0 GENERIC.MP#0 amd64
>> (dmesg below)
>>
>> On a host reserved for testing (CentOS 6.2 x86_64), which sits logically
>> (seen from the internet) behind those machines, in an otherwise empty
>> /22, I see weird network problems (tcpdumping traffic on port 25, and
>> loading it into wireshark for further analysis):
>>
>> Receiving mails (port 25, plain SMTP, a 3MiByte attachment) from an
>> external mail server, which comes in via one of the new BGP machines, I
>> see massive 'TCP out of order' messages in wireshark, as well as 'TCP
>> Dup ACK' messages. This is on the testbed machine itself.
>>
>> On the OpenBGPd router, captured exactly the same traffic, all seems
>> perfect.
>>
>> There are two Cisco switches sitting between test-a.openbgp.bla.com and
>> the testbed mail server, all interfaces perfectly clean, no duplex
>> problems, no underruns, no runts, nothing -- perfect.
>>
>> Traffic within my AS is also absolutely no problem, the Linux machine
>> runs here perfectly as well.
>>
>> Any idea where to look?
>
> Is PF in use? If so, have you done anything to make sure that you
> aren't running into problems due to stateful firewall only seeing
> half the packets (i.e. inbound via one machine, outbound via the
> other)?

That's a point, I do have asymmetric routing at the moment, as only the
(now active) Ciscos announce the /22 in question to the rest of the
world. So, ingress traffic crosses my OpenBSD machine, while egress
traffic does not.
However, the problem remains if I issued 'pfctl -d'.

> (Specifically, if this is happening and unavoidable, you could look
> at 'defer' in pfsync, or sloppy states in PF).
>
>> Thanks,
>> Bernd
>>
>> $ dmesg
>
> [ snipped from quote, but thanks for including it :) ]
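
Added example (not part of the thread and not either poster's configuration): a pf.conf sketch of the sloppy-state option mentioned above, for a router that sees only one direction of a TCP flow, next to the default it replaces. The macro name, the 192.0.2.0/24 placeholder prefix and the em2 sync interface are assumptions.

```conf
# Added illustration; the macro and prefix are constructed placeholders.
testnet = "192.0.2.0/24"    # stands in for the /22 behind the routers

# Before (default): "keep state" with strict TCP sequence tracking.
# A router that sees only the inbound half of a connection cannot follow
# the peer's window, so later segments of a long transfer may stop
# matching the state.
# pass inet proto tcp from any to $testnet port smtp

# After: sloppy tracker, intended for asymmetric routing.
# It does not check sequence numbers at all, so scope it to the
# affected flows instead of applying it to every rule.
pass inet proto tcp from any to $testnet port smtp keep state (sloppy)

# Alternative when both routers run PF and share state over pfsync
# (sync interface name is an assumption):
#   ifconfig pfsync0 syncdev em2 defer
```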