I think this may be an issue with Xen that is triggered when DNATting between a physical and virtual interface.

I have not yet triggered the problem when DNATting between two virtual interfaces. The problem is repeatable, but intermittent. What I see are ACKs going missing. They are disappearing in the firewall DomU. Here are three traces: at the webserver, at the firewall DMZ interface and at the firewall internet (pciback physical) interface. On the webserver and at the DMZ interface the http GET on line 4 is immediately followed by an ACK from the webserver. On the internet facing firewall interface this ACK is missing.

Apologies for Gmail's horrible linewrapping

======================== webserver

30.195628 78.225.169.33 -> 81.63.145.197 TCP 66 1305 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=2 SACK_PERM=1
30.195641 81.63.145.197 -> 78.225.169.33 TCP 66 80 → 1305 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
30.243165 78.225.169.33 -> 81.63.145.197 TCP 54 1305 → 80 [ACK] Seq=1 Ack=1 Win=65536 Len=0
30.244419 78.225.169.33 -> 81.63.145.197 HTTP 479 GET /wp-content/plugins/bbpress/templates/default/css/bbpress.css?ver=2.5.8-5815 HTTP/1.1
30.244441 81.63.145.197 -> 78.225.169.33 TCP 54 80 → 1305 [ACK] Seq=1 Ack=426 Win=30336 Len=0
30.246504 81.63.145.197 -> 78.225.169.33 HTTP 2958 HTTP/1.1 200 OK (text/css)
30.246579 81.63.145.197 -> 78.225.169.33 TCP 2671 80 → 1305 [PSH, ACK] Seq=2905 Ack=426 Win=30336 Len=2617
30.298839 78.225.169.33 -> 81.63.145.197 TCP 66 [TCP Dup ACK 197#1] 1305 → 80 [ACK] Seq=426 Ack=1 Win=65536 Len=0 SLE=2905 SRE=4357
30.299064 78.225.169.33 -> 81.63.145.197 TCP 66 [TCP Dup ACK 197#2] 1305 → 80 [ACK] Seq=426 Ack=1 Win=65536 Len=0 SLE=2905 SRE=5522
30.299084 81.63.145.197 -> 78.225.169.33 HTTP 1506 [TCP Fast Retransmission] HTTP/1.1 200 OK (text/css)

======================== firewall dmz facing

31.140504 78.225.169.33 -> 81.63.145.197 TCP 66 1305 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=2 SACK_PERM=1
31.140633 81.63.145.197 -> 78.225.169.33 TCP 66 80 → 1305 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
31.188045 78.225.169.33 -> 81.63.145.197 TCP 54 1305 → 80 [ACK] Seq=1 Ack=1 Win=65536 Len=0
31.189287 78.225.169.33 -> 81.63.145.197 HTTP 479 GET /wp-content/plugins/bbpress/templates/default/css/bbpress.css?ver=2.5.8-5815 HTTP/1.1
31.189468 81.63.145.197 -> 78.225.169.33 TCP 54 80 → 1305 [ACK] Seq=1 Ack=426 Win=30336 Len=0
31.191515 81.63.145.197 -> 78.225.169.33 HTTP 2958 HTTP/1.1 200 OK (text/css)
31.191569 81.63.145.197 -> 78.225.169.33 TCP 2671 80 → 1305 [PSH, ACK] Seq=2905 Ack=426 Win=30336 Len=2617
31.243692 78.225.169.33 -> 81.63.145.197 TCP 66 [TCP Dup ACK 203#1] 1305 → 80 [ACK] Seq=426 Ack=1 Win=65536 Len=0 SLE=2905 SRE=4357
31.243930 78.225.169.33 -> 81.63.145.197 TCP 66 [TCP Dup ACK 203#2] 1305 → 80 [ACK] Seq=426 Ack=1 Win=65536 Len=0 SLE=2905 SRE=5522
31.244086 81.63.145.197 -> 78.225.169.33 HTTP 2958 [TCP Fast Retransmission] HTTP/1.1 200 OK (text/css)

======================== firewall internet facing

24.872242 78.225.169.33 -> 5.145.19.28 TCP 66 1305 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 SACK_PERM=1
24.872412 5.145.19.28 -> 78.225.169.33 TCP 66 80 → 1305 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1452 SACK_PERM=1 WS=128
24.919779 78.225.169.33 -> 5.145.19.28 TCP 60 1305 → 80 [ACK] Seq=1 Ack=1 Win=65536 Len=0
24.921022 78.225.169.33 -> 5.145.19.28 HTTP 479 GET /wp-content/plugins/bbpress/templates/default/css/bbpress.css?ver=2.5.8-5815 HTTP/1.1
24.923342 5.145.19.28 -> 78.225.169.33 TCP 1506 [TCP Previous segment not captured] 80 → 1305 [ACK] Seq=2905 Ack=426 Win=30336 Len=1452
24.923346 5.145.19.28 -> 78.225.169.33 TCP 1219 80 → 1305 [PSH, ACK] Seq=4357 Ack=426 Win=30336 Len=1165
24.975437 78.225.169.33 -> 5.145.19.28 TCP 66 [TCP Dup ACK 57#1] 1305 → 80 [ACK] Seq=426 Ack=1 Win=65536 Len=0 SLE=2905 SRE=4357
24.975680 78.225.169.33 -> 5.145.19.28 TCP 66 [TCP Dup ACK 57#2] 1305 → 80 [ACK] Seq=426 Ack=1 Win=65536 Len=0 SLE=2905 SRE=5522
24.975861 5.145.19.28 -> 78.225.169.33 HTTP 1506 [TCP Fast Retransmission] HTTP/1.1 200 OK (text/css)

I am thankful for any recommendations on how to proceed from here.

jCandlish
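A way to automate the comparison the post does by eye, added here as an example and not part of the original message or of Shorewall: it parses tshark one-line summaries from two capture points and reports frames seen upstream that never appear downstream, keyed on fields DNAT does not rewrite (ports, flags, relative Seq/Ack, payload length) so the address change between the DMZ and internet captures does not matter. The embedded traces are the pure-TCP lines of the two firewall captures above; the summary format is assumed to be tshark's default as shown in the post.

```python
import re
from typing import List, NamedTuple

class Seg(NamedTuple):
    line: str; sport: str; dport: str; flags: str
    seq: int; ack: int; length: int

# tshark one-line summary of a TCP frame. HTTP-dissected frames carry no Seq/Ack
# in the summary and are skipped; re-export with the HTTP dissector off to cover them.
TCP_LINE = re.compile(
    r"^[\d.]+ \S+ -> \S+ TCP \d+ (?:\[[^\]]*\] )?(?P<sport>\d+) → (?P<dport>\d+) "
    r"\[(?P<flags>[^\]]+)\] Seq=(?P<seq>\d+) (?:Ack=(?P<ack>\d+) )?Win=\d+ Len=(?P<len>\d+)")

def parse(trace: str) -> List[Seg]:
    hits = (TCP_LINE.match(l.strip()) for l in trace.strip().splitlines())
    return [Seg(m.string, m["sport"], m["dport"], m["flags"], int(m["seq"]),
                int(m["ack"] or 0), int(m["len"])) for m in hits if m]

def missing_segments(upstream: str, downstream: str) -> List[str]:
    """Frames seen at `upstream` that never show up at `downstream`. Addresses and frame
    sizes are ignored: DNAT rewrites the former, and sub-60-byte frames are padded on the wire."""
    down = parse(downstream)
    # A pure ACK must reappear with the same ports, flags, seq and ack.
    acks = {(s.sport, s.dport, s.flags, s.seq, s.ack) for s in down if not s.length}
    # Data only needs its byte range covered: the virtual interface hands the capture
    # large offload-sized frames (Len=2617 above) that the wire carries in MSS-sized pieces.
    covered = {(s.sport, s.dport, b) for s in down for b in range(s.seq, s.seq + s.length)}
    lost = []
    for s in parse(upstream):
        if not s.length and (s.sport, s.dport, s.flags, s.seq, s.ack) not in acks:
            lost.append(s.line)
        elif s.length and any((s.sport, s.dport, b) not in covered
                              for b in range(s.seq, s.seq + s.length)):
            lost.append(s.line)
    return lost

# Pure-TCP lines of the two firewall traces from the post (HTTP lines omitted).
DMZ_TRACE = """
31.140504 78.225.169.33 -> 81.63.145.197 TCP 66 1305 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=2 SACK_PERM=1
31.188045 78.225.169.33 -> 81.63.145.197 TCP 54 1305 → 80 [ACK] Seq=1 Ack=1 Win=65536 Len=0
31.189468 81.63.145.197 -> 78.225.169.33 TCP 54 80 → 1305 [ACK] Seq=1 Ack=426 Win=30336 Len=0
31.191569 81.63.145.197 -> 78.225.169.33 TCP 2671 80 → 1305 [PSH, ACK] Seq=2905 Ack=426 Win=30336 Len=2617
"""
INTERNET_TRACE = """
24.872242 78.225.169.33 -> 5.145.19.28 TCP 66 1305 → 80 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=2 SACK_PERM=1
24.919779 78.225.169.33 -> 5.145.19.28 TCP 60 1305 → 80 [ACK] Seq=1 Ack=1 Win=65536 Len=0
24.923342 5.145.19.28 -> 78.225.169.33 TCP 1506 [TCP Previous segment not captured] 80 → 1305 [ACK] Seq=2905 Ack=426 Win=30336 Len=1452
24.923346 5.145.19.28 -> 78.225.169.33 TCP 1219 80 → 1305 [PSH, ACK] Seq=4357 Ack=426 Win=30336 Len=1165
"""
```

Running `missing_segments(DMZ_TRACE, INTERNET_TRACE)` reports exactly the webserver's `Seq=1 Ack=426` ACK, while the 2617-byte frame is not flagged because the two wire segments cover its byte range; the reverse direction reports nothing.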