Hi! Two questions regarding this strange effect:

a) Is there a performance penalty for this huge number of connections in conntrack?

b) Why does it occur primarily with the Cisco Content Switch? The numbers were much lower before utilising the content switch! So the CSS is ACK flooding! Is there a strange interaction between the CSS and netfilter?

Cheers,
Martin

P.S.: I will try to trace some of these faulty connections on the port of the CSS!

-----Original Message-----
From: Harald Welte [mailto:[EMAIL PROTECTED]]
Sent: Thursday, 28 March 2002 20:49
To: Martin Sperl
Cc: [EMAIL PROTECTED]
Subject: Re: Strange conntrack problem in conjunction with Cisco Content Switch

On Thu, Mar 28, 2002 at 05:25:06PM +0100, Martin Sperl wrote:
> Hi!
>
> We are experiencing problems with connection tracking with a Cisco
> Content Switch behind a firewall and think that it might partly be a
> problem with netfilter in stock Linux 2.4.17.
>
> We just started using CSS in a production environment and now the number
> of connections in /proc/net/ip_conntrack has reached 200000.
> Which may be OK, but the problem is that 75% of these connections are in
> "UNREPLIED" state and the timeout given as 3rd value in
> /proc/net/ip_conntrack goes up to values like 431998 - almost 5 days.
> So 75% of all connections in the tracking list are garbage and only
> discarded after 5 days!
>
> OK, the problem does arise without CSS as well, but with CSS the rise
> was most pronounced; still, connections are left open.
>
> Any ideas, explanation?

It seems like you have been ACK-flooded by somebody.

conntrack default behaviour is to do connection pickup when receiving an
ACK in some not-already-tracked connection. The ACK packet gets a state
of NEW and, if the packet is allowed by the ruleset, the timeout is
increased to 5 days.

However, as soon as we run out of conntrack entries, the UNREPLIED
entries are overwritten.

To disable the 'no pickup' behaviour, there's a patch in patch-o-matic
called 'conntrack-nopickup.patch'

> Cheers,
> Martin Sperl

--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+ V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
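As an added example that is not part of this thread (my code, not Harald's and not the netfilter project's): a small Python script that parses /proc/net/ip_conntrack in the Linux 2.4 layout the thread refers to and separates ordinary UNREPLIED entries (a handshake still in progress, a UDP query awaiting its answer) from the pickup signature Harald describes, namely a TCP entry that is ESTABLISHED yet UNREPLIED and already carrying the 5-day timeout. The sample lines are constructed, not taken from anyone's firewall. The assumed field layout is the 2.4 one (protocol name, protocol number, timeout in seconds, TCP state, original tuple, optional [UNREPLIED], reply tuple, optional [ASSURED], use=); newer kernels expose /proc/net/nf_conntrack with extra leading columns, which this parser does not handle.

```python
#!/usr/bin/env python3
"""Classify /proc/net/ip_conntrack entries (Linux 2.4 layout) to find
mid-stream ACK pickups: TCP entries that are ESTABLISHED but UNREPLIED."""
import re
import sys
from collections import Counter

# Constructed sample in the 2.4 /proc/net/ip_conntrack layout (made up for
# this example, not real data): proto, proto number, timeout, [TCP state],
# original tuple, [UNREPLIED], reply tuple, [ASSURED], use count.
SAMPLE = """\
tcp      6 431998 ESTABLISHED src=10.1.1.5 dst=192.0.2.10 sport=40001 dport=80 [UNREPLIED] src=192.0.2.10 dst=10.1.1.5 sport=80 dport=40001 use=1
tcp      6 431999 ESTABLISHED src=10.1.1.6 dst=192.0.2.10 sport=40002 dport=80 src=192.0.2.10 dst=10.1.1.6 sport=80 dport=40002 [ASSURED] use=1
tcp      6 118 SYN_SENT src=10.1.1.7 dst=192.0.2.10 sport=40003 dport=80 [UNREPLIED] src=192.0.2.10 dst=10.1.1.7 sport=80 dport=40003 use=1
tcp      6 431990 ESTABLISHED src=10.1.1.8 dst=192.0.2.10 sport=40004 dport=443 [UNREPLIED] src=192.0.2.10 dst=10.1.1.8 sport=443 dport=40004 use=1
tcp      6 431950 ESTABLISHED src=10.1.1.9 dst=192.0.2.10 sport=40005 dport=80 [UNREPLIED] src=192.0.2.10 dst=10.1.1.9 sport=80 dport=40005 use=1
udp      17 29 src=10.1.1.10 dst=192.0.2.53 sport=5353 dport=53 [UNREPLIED] src=192.0.2.53 dst=10.1.1.10 sport=53 dport=5353 use=1
"""

ESTABLISHED_TIMEOUT = 432000  # 2.4 conntrack TCP ESTABLISHED timeout: 5 days

KV = re.compile(r"(\w+)=(\S+)")


def parse_conntrack(text):
    """Return one dict per entry; the dst/dport fields are the original
    direction, i.e. the target the first packet was sent to."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        proto, timeout = fields[0], int(fields[2])
        state = fields[3] if proto == "tcp" else None
        # The first four key=value pairs are the original-direction tuple.
        orig = dict(KV.findall(line)[:4])
        entries.append({
            "proto": proto,
            "timeout": timeout,
            "state": state,
            "unreplied": "[UNREPLIED]" in fields,
            "assured": "[ASSURED]" in fields,
            "dst": orig.get("dst"),
            "dport": orig.get("dport"),
        })
    return entries


def is_pickup(entry, long_timeout=86400):
    """A tracked handshake reaches ESTABLISHED only after a reply was seen,
    so ESTABLISHED + UNREPLIED with a long timeout means conntrack created
    the entry from a mid-stream ACK it picked up."""
    return (entry["proto"] == "tcp" and entry["state"] == "ESTABLISHED"
            and entry["unreplied"] and entry["timeout"] > long_timeout)


def summarize(entries, long_timeout=86400):
    total = len(entries)
    unreplied = [e for e in entries if e["unreplied"]]
    picked_up = [e for e in entries if is_pickup(e, long_timeout)]
    return {
        "total": total,
        "unreplied": len(unreplied),
        "unreplied_pct": round(100.0 * len(unreplied) / total, 1) if total else 0.0,
        "picked_up": len(picked_up),
        # Which destination the picked-up entries point at (e.g. the CSS VIP).
        "picked_up_targets": Counter(
            (e["dst"], e["dport"]) for e in picked_up).most_common(),
    }


if __name__ == "__main__":
    # Pass a path (normally /proc/net/ip_conntrack) to run on a live table.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    summary = summarize(parse_conntrack(text))
    for key, value in summary.items():
        print("%-18s %s" % (key, value))
```

On the constructed sample the script reports 5 of 6 entries UNREPLIED but only 3 of them as pickups, and shows that those three all target 192.0.2.10, which is the kind of per-destination count Martin wants before tracing at the CSS port. One ruleset-side measure, not mentioned in the thread but standard practice and independent of the patch-o-matic patch, is to refuse the mid-stream ACK before it is ever "allowed by the ruleset": `iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP` (and the same for INPUT), so a NEW TCP entry is only ever created by a SYN and the 5-day timeout is never reached by a packet that was not part of a handshake.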