TCP session desyncs

Thu, 30 Mar 2006 02:08:13 -0800 

Hi,

We're experiencing a problem where OpenBSD Packet Filter is involved,
and where the TCP session seems to become desynced. (OpenBSD 3.7 and 3.8)

The problem occurs when we send data to the one external server (not
ours), immediately after the handshake using NAT. client->server data
pipe breaks.

Is this a wscale issue desyncing the session? I'm guessing here, but
does PF set the window to 46 receiving the data push from the server,
while C still believes it's 5792<<7 and sends out 59 bytes? What is
wrong here, PF interpretation of wscale, or the external servers wscale
implementation? Or is this something else completely, like window
calculation? What happens when PF gets a packet with a new win size from
the server but the client sends out data before this has reached it? Is
there a race condition between pkts #4 i both dumps below?

External segment C' (translated from C) -> S:
09:28:32.262996 C'.57942 > S.25: S 2241950929:2241950929(0) win 16384
<mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2645318042 0>
09:28:32.272577 S.25 > C'.57942: S 2468839528:2468839528(0) ack
2241950930 win 5792 <mss 1380,sackOK,timestamp 1790586162
2645318042,nop,wscale 7> (DF)
09:28:32.272718 C'.57942 > S.25: . ack 1 win 16384 <nop,nop,timestamp
2645318042 1790586162>
09:28:32.282821 S.25 > C'.57942: P 1:69(68) ack 1 win 46
<nop,nop,timestamp 1790586172 2645318042> (DF) (<--- win set to 46 (<<7))
09:28:32.491448 S.25 > C'.57942: P 1:69(68) ack 1 win 46
<nop,nop,timestamp 1790586381 2645318042> (DF)
[... repeats...] (<--- C' sends no ack due to waiting for DATA ack?!)

Internal segment C -> S
09:28:32.262958 C'.5042 > S.25: S 2241950929:2241950929(0) win 16384
<mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2645318042 0>
09:28:32.272596 S.25 > C'.5042: S 2468839528:2468839528(0) ack
2241950930 win 5792 <mss 1380,sackOK,timestamp 1790586162
2645318042,nop,wscale 7> (DF)
09:28:32.272702 C'.5042 > S.25: . ack 1 win 16384 <nop,nop,timestamp
2645318042 1790586162>
09:28:32.272827 C'.5042 > S.25: P 1:60(59) ack 1 win 16384
<nop,nop,timestamp 2645318042 1790586162> (<--- DATA never gets sent out
externally)
09:28:32.272829 C'.5042 > S.25: F 60:60(0) ack 1 win 16384
<nop,nop,timestamp 2645318042 1790586162>
09:28:32.282835 S.25 > C'.5042: P 1:69(68) ack 1 win 46
<nop,nop,timestamp 1790586172 2645318042> (DF)
09:28:32.282946 C'.5042 > S.25: F 60:60(0) ack 69 win 16316
<nop,nop,timestamp 2645318042 1790586172>
09:28:32.491476 S.25 > C'.5042: P 1:69(68) ack 1 win 46
<nop,nop,timestamp 1790586381 2645318042> (DF)
[... c->s pipe timeouts]

Regards,
Fredrik Widlund

Reply via email to