On Mon, Jun 23, 2014 at 12:24:08PM +0200, Petar Bogdanovic wrote:
> During the past few weeks the ssh-tunnels to a remote machine started
> failing randomly. In a previous mail to tech-net I prematurely blamed
> ipfilter because disabling it yielded some immediate success.
>
> Unfortunately, subsequent testing showed that having npf enabled instead
> eventually led to the same issues.
>
> What I know:
>
> * the server suddenly FINs the connection
> * the server ignores everything after that and sends about 20-30
>   RSTs for lots of late ACKs sent by the client
> * ipmon is able to track the connection but misses the FIN
> * yet ipfilter manages to update its state table and reduces the
>   TTL of the connection from 24h to 30s
> * a server-tcpdump captures the FIN
> * a client-tcpdump captures the same FIN
> * according to wireshark, the FINs in both pcaps have sequence
>   numbers that indicate lost segments (which at least in one
>   case makes little sense since it was captured directly at the
>   source)
> * ssh and sshd both never try to tear down the connection
> * ssh reports that the remote end has closed the connection
> * sshd bails on a failed write() with ENETUNREACH

So it could actually have closed the connection after that.
Did your tcpdump sequences also capture ICMP traffic? Did an ICMP network
unreachable packet show up?

--
Manuel Bouyer <bou...@antioche.eu.org>
     NetBSD: 26 years of experience will always make the difference