Olaf Rempel wrote:
> On Wed, 23 Nov 2005 23:53:24 +0100
> Vidar Tyldum Hansen <[EMAIL PROTECTED]> wrote:
>
>> Olaf Rempel wrote:
>>
>>> - try to relax tcp-window-tracking checkings
>>> $ echo 1 > /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
>> BINGO!
> Nice.
>
>> A bit more Googling shows me that disabling SACK fixes the problem.
> Hmm, have you disabled SACK with 0 > /proc/net/sys/ipv4/sack?
Yup.

> That's interesting. Are there any other non-Linux firewalls involved?

Nope. As I mentioned, directly from the gateway to the net works fine. Connecting from a host behind my gateway causes the problem. Everything points to my TSL3 box (which was 100% stock until I disabled SACK).

I'm a bit undecided; disable SACK or use the setting you first suggested. Disabling SACK seems like the right thing to do as it goes to the root of the problem.

>> However, I must figure out what the implications of disabling SACK are
>> and possibly why this is causing problems. I don't have any packet loss
>> anywhere.
> AFAIK with selective ACKs you can ACK a part of a packet, not only the
> whole packet. And when resending you only need to resend the missing part.

My understanding: In the old days you could receive packets 1,2,4,5 in a flow. You would send ACK for 1,2, and then continue to ACK 2 even though 4,5 arrived. So the sender retransmits 3,4,5 instead of just the missing packet. With SACK you can ACK 1,2,4,5 and only packet 3 will be retransmitted.

I don't think disabling SACK is a major problem. The headache now is why this is a problem and what triggered it. Tcpdump here I come ;)

Again, thanks.

_______________________________________________
tsl-discuss mailing list
[email protected]
http://lists.trustix.org/mailman/listinfo/tsl-discuss
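The 1,2,4,5 scenario from the message above, worked through as an added example that is not part of the original thread. It is a simplified model: segment numbers stand in for byte ranges, retransmission without SACK is modelled as go-back-N after a timeout, and all function names are illustrative.

```python
# Added example: simplified model of cumulative ACK vs. SACK (RFC 2018).
# Assumptions: whole segments numbered from 1, inclusive (first, last) blocks,
# blocks listed in sequence order (real TCP reports the newest block first).

MAX_SACK_BLOCKS = 4  # RFC 2018: at most 4 blocks fit in the TCP option space


def receiver_ack(received):
    """Return (cumulative_ack, sack_blocks) for a set of received segments.

    cumulative_ack is the highest in-order segment received (0 if none).
    sack_blocks are the contiguous runs that arrived beyond the first hole.
    """
    cum = 0
    while cum + 1 in received:
        cum += 1
    blocks = []
    for seg in sorted(s for s in received if s > cum):
        if blocks and seg == blocks[-1][1] + 1:
            blocks[-1] = (blocks[-1][0], seg)   # extend the current run
        else:
            blocks.append((seg, seg))           # start a new run
    # Runs that do not fit in the option are simply not reported.
    return cum, blocks[:MAX_SACK_BLOCKS]


def retransmit_without_sack(sent, cum):
    """Go-back-N on timeout: everything after the cumulative ACK is resent."""
    return [s for s in sent if s > cum]


def retransmit_with_sack(sent, cum, blocks):
    """Resend only segments neither cumulatively nor selectively ACKed."""
    sacked = {s for first, last in blocks for s in range(first, last + 1)}
    return [s for s in sent if s > cum and s not in sacked]


if __name__ == "__main__":
    sent = [1, 2, 3, 4, 5]
    received = {1, 2, 4, 5}          # constructed input: segment 3 was lost
    cum, blocks = receiver_ack(received)
    print("ACK", cum, "SACK", blocks)
    print("without SACK:", retransmit_without_sack(sent, cum))
    print("with SACK   :", retransmit_with_sack(sent, cum, blocks))
```

With more than four holes the receiver cannot report every run, so the sender resends some data that did arrive; this is why the block limit is kept in the model.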
