On Fri, Feb 5, 2010 at 11:22 PM, Evgeny Yurchenko <[email protected]> wrote:

> I think it is more FreeBSD's problem than pfSense's but decided anyway to
> post it here as somebody might run into the same issue.
> When we use MD5 TCP signing with OpenBGP package TCP connection termination
> does not go properly which results in BGP password errors on remote Cisco
> side and thus problems with reestablishing connection/routing.
>
> So, normal TCP connection tearing down procedure:
> ---FIN--->
>
> <---ACK---
> <---FIN---
> ----ACK--->
> All these TCP packets must be MD5 signed (correct me if I am wrong). The
> problem is: when pfSense initiates connection termination (you want to clear
> BGP session) the last ACK is not MD5 signed. It makes Cisco keep this
> connection active for some time sending FINs as it attempts to close the
> connection.
> If somebody has a clue how to fix this I would be very grateful for
> solution.
>

Try disabling selective acks. Should be net.inet.tcp.sack.enable=0

> Thanks.
>
> Evgeny.
>

--
Ermal
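Added example, not part of the original thread: one way to confirm the symptom from captured segments is to look for TCP option 19 (the RFC 2385 MD5 signature) on each teardown segment and recompute its digest. The key, addresses, ports, sequence numbers and function names below are constructed for illustration.

```python
import hashlib, hmac, socket, struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18      # TCP MD5 signature option (RFC 2385)
FIN, ACK = 0x01, 0x10

def rfc2385_digest(src, dst, seg, key):
    """MD5 over pseudo-header, fixed header (checksum zeroed, no options), data, key."""
    hdr_len = (seg[12] >> 4) * 4
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(seg))
    fixed = seg[:16] + b"\x00\x00" + seg[18:20]
    return hashlib.md5(pseudo + fixed + seg[hdr_len:] + key).digest()

def find_md5_option(seg):
    """Walk the TCP option list; return the 16-byte digest, or None if absent."""
    hdr_len, i = (seg[12] >> 4) * 4, 20
    while i < hdr_len and seg[i] != 0:            # kind 0 ends the list
        if seg[i] == 1:                           # NOP is a single byte
            i += 1
            continue
        if i + 1 >= hdr_len or seg[i + 1] < 2 or i + seg[i + 1] > hdr_len:
            return None                           # malformed option list
        if seg[i] == MD5SIG_KIND and seg[i + 1] == MD5SIG_LEN:
            return seg[i + 2:i + MD5SIG_LEN]
        i += seg[i + 1]
    return None

def check_segment(src, dst, seg, key):
    digest = find_md5_option(seg)
    if digest is None:
        return "unsigned"
    ok = hmac.compare_digest(digest, rfc2385_digest(src, dst, seg, key))
    return "ok" if ok else "bad-digest"

def make_segment(src, dst, seq, ack, flags, key=None):
    """Constructed sample segment (ports fixed at 40000/179, TCP checksum left zero)."""
    opts = b"\x01\x01" + bytes([MD5SIG_KIND, MD5SIG_LEN]) + bytes(16) if key else b""
    seg = struct.pack("!HHIIBBHHH", 40000, 179, seq, ack,
                      ((20 + len(opts)) // 4) << 4, flags, 65535, 0, 0) + opts
    return seg[:24] + rfc2385_digest(src, dst, seg, key) if key else seg

def audit_teardown(key=b"constructed-key"):
    """Teardown as reported in the thread: the closing side's last ACK is unsigned."""
    a, b = "192.0.2.1", "192.0.2.2"               # documentation addresses
    flow = [(a, b, make_segment(a, b, 100, 500, FIN | ACK, key)),
            (b, a, make_segment(b, a, 500, 101, ACK, key)),
            (b, a, make_segment(b, a, 500, 101, FIN | ACK, key)),
            (a, b, make_segment(a, b, 101, 501, ACK))]          # no option 19
    return [check_segment(s, d, seg, key) for s, d, seg in flow]

if __name__ == "__main__":
    print(audit_teardown())
```

An "unsigned" result on the final ACK matches the behaviour described in the quoted report; "bad-digest" would instead point to a key mismatch between the peers.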
