LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] Re: [Q] Max number of TCP(?) packets without waiting for an ACK(?)

[ILUG] Re: [Q] Max number of TCP(?) packets without waiting for an ACK(?)

Brian Foster blf at utvinternet.ie
Mon Dec 15 18:35:10 GMT 2008 

On Fri, 12 Dec 2008 10:00:11 +0000 Gavin McCullagh <gmccullagh at gmail.com> wrote:
> On Thu, 11 Dec 2008, Brian Foster wrote:
> >   the admin and I looked at the firewall's diagnostic.
> >  it's not too specific, and basically just means there
> >  was more than 250 packets which needed some additional
> >  processing (I don't recall now the Français term used).
> >  the admin speculated that means either than there was
> >  more than 250 un-ACK'ed packets, or there were badly
> >  fragmented packet(s?).  in essence, the firewall was
> >  using too many resources (having to remember too many
> >  packets), exceeding its threshold of c.250.
> 
> One (probably irrelevant) thing I notice is that your TCP MSS (max segment
> size) looks to be a little lower than usual (you get 1288, I see 1448).
> Perhaps the fact that it's going through a VPN explains this?  I guess use
> of IPv6 might either?

   first, a correction:  I know I said the IMAP-server
  is on a VPN, but I was either mis-heard or the admin
  mis-spoke.  it's on a VLAN, and my current understanding
  is it's the only thing on the VLAN.

   IPv6 is not being used.  it's enabled on my workstation;
  how do I disable it?  (I know this question gets asked a
  lot .....  ;-\  )


> 12:14:38.133825 IP {IT}.imap2 > {ME}.50716: . 3331379:3332667(1288) ack 122 win 143 <nop,nop,timestamp 3087447880 126934469>
> 12:14:38.133831 IP {IT}.imap2 > {ME}.50716: . 3332667:3333955(1288) ack 122 win 143 <nop,nop,timestamp 3087447880 126934469>
> 12:14:38.133835 IP {ME}.50716 > {IT}.imap2: . ack 3332667 win 5545 <nop,nop,timestamp 126934478 3087447880>
> 
> Do you think you could check what the MTU (mss+headers) is on your PC and
> see what it is on others that don't have the issue?  I doubt it's relevant,
> but when you mention packet fragmentation, I wonder.

   I have no idea how to check my workstation's MTU, and
  I've even less of an idea what an MSS is or whether or
  not that mysterious acronym is part of (included in)
  the MTU.  (not too relevant, but I had to explain MTU
  to the admin:  “maximum payload size” is essentially
  what I explained (the admin thought it was the maximum
  number of hops).)


>                                                       It's conceivable
> Linux might be doing path mtu discovery and windows might not, or
> something?  You can disable that feature:
> 
> 	echo 1 > proc/sys/net/ipv4/ip_no_pmtu_disc

   sorry, I didn't get a chance to either check or test
  this idea.


> Ideally, windump on windows would show you the MSS (1288 bytes above) which
> the imap server is sending to it.

   FWIW, the IMAP-server is also running Linux.
  I've no idea about the firewall.
  from the little I've seen of the Français interface
  to the firewall, it looks windross-ish, but I really
  have no idea.


> >   the admin also said I'm the only person with this
> >  problem.  that probably doesn't mean much since I'm
> >  one of the few who runs Linux natively rather than
> >  via VMWare on windross.   on the other hand, I can
> >  download (via the WebMail interface) the problematic
> >  attachment over the internet to my home computer.
> 
> As it's not that unusual for this to cause a problem, you might try turning
> off window scaling if it's on.
> 
> 	echo 0 > /proc/sys/net/ipv4/tcp_window_scaling

   checked (it was on), turned off, no effect.


> >   this problem has, as far as I know, has only showed
> >  up relatively recently.  the only changes either of
> >  us could recall happening was  (1) the replacement
> >  of the switch my workstation (and other kit) connects
> >  to;  and (2) the moving of the IMAP-server from the
> >  local intranet to its own VPN accessed via the firewall
> >  (thus creating a pseudo-DMZ containing the IMAP-server).
> 
> Sounds like [2] could be the issue and linux's tcp stack is irking the
> firewall somehow.

   this also the idea I like.

   as mentioned in a previous posting, when my workstation
  is on the firewall's “whitelist” I can read (download)
  from the IMAP-server without any apparent problems.

   HOWEVER, today we wasted most of the day trying to grok
  a problem with being on the whitelist:  I now can_not_
  *send* any e-mail!  (SMTP is also handled by the same
  machine which handles IMAP.)

   I don't have any clews per se (partly because I'm now
  at home, away from my notes).  basic behaviour is that
  whilst the MUA can connect, AFAICR that is all that
  happens?  the attempt to send hangs (and eventually
  times-out?).  indeed, I can ‘telnet’ to the SMTP-service
  Ok (albeit whether or not I can then do anything useful
  is unknown since I haven't manually “sent” e-mail in so
  long I cannot recall how to do it now).

   the admin did say the setup is one of those where you
  have to be authenticated to the IMAP-server before you
  can use the SMTP-server.

   I *presume* the firewall is not involved in the SMTP,
  but I do not know for assorted reasons.  one reason is
  because a lot of these tests were done using the Claws
  MUA (since it has the most useful diagnostics).  but as
  configured, it has a property which seems to show yet
  another bit of mysterious brokenness:  to send e-mail,
  it copies the e-mail that is to be sent to a “Queue”
  IMAP-folder.  I presume that after copying, it then
  uses SMTP to send (from my workstation) the original
  e-mail, and removes the copy from “Queue” iff. the
  transmission is successful.  however, unfortunately,
  the copying to “Queue” of a large e-mail hangs!  ;-(
  (and so we never get to the SMTP step.)

   I had to leave before I could try a different MUA
  (or trying to re-configure Claws) which doesn't use
  IMAP for outgoing-backups.  we didn't try spying on
  what was going on.


> >   the admin suggested trying IMAPS instead of IMAP,
> >  but we ran out of time and had to leave before we
> >  could conclude that test .....  ;-\ 
> 
> It still uses the same tcp stack, so this seems unlikely to matter, but who
> knows.

   you are correct, it didn't seem to matter at all.


> >  ( we also tried to replicate the problem by copying
> >   large files across the firewall, but everything
> >   worked fine.  this remains an e-mail–only issue?
> 
> Was it across the same path of the firewall (ie that vpn) to the email
> server?

   no, it was not.  when I pointed this out to the admin,
  he didn't seem to get it, and refused to do the test.
  
   the admin is stilling insisting it's a problem with
  my TCP/IP stack, based solely on the point that I'm
  the only one having a problem.  I keep pointing out
  that's it's only one(-ish) service/server which has
  a problem, that server “changed” recently (moving to
  its own VLAN (and _maybe_ also a software upfrade?)),
  my workstation (esp. networking-wise) is essentially
  a default Kubuntu 7.10 installation, and things have
  been working fine (AFAIK) for >1 year.  anyways ....

   what we did try was removing the switch from the path.
  no effect.

   the other thing we haven't tried yet is using a
  different workstation.  (the admin did suggest this,
  so I presume that he won't refuse to do this test.)


> >   according to the admin, the firewall stops allowing
> >  that specific connection.  this seems to be broadly
> >  correct, since *nothing*else* is obviously effected:
> >  I can, e.g., ‘ping’ machines in the local intranet
> >  (both connected to the same switch as my workstation
> >  and also those connected elsewhere), and also outside
> >  machines on the Wild Wild Web.
> 
> > >[ ... ]  The above trace is not functioning at all, apparently
> > > not even a network link.  I'd guess you couldn't even ping
> > > nearby machines during that period.
> > 
> >  NO.  *nothing* else behaved strangely during that
> >  interval (or before, or after).
> 
> Ah, perhaps the STP stuff is normal enough (I'm used to seeing it prior to
> a link coming up)  and just no data was tranferring.

   sorry, I've no idea.
cheers!
	-blf-

> Gavin

-- 
“How many surrealists does it take to    |  Brian Foster
 change a lightbulb?  Three.  One calms  |  somewhere in south of France
 the warthog, and two fill the bathtub   |     Stop E$$o (ExxonMobil)!
 with brightly-coloured machine tools.”  |       http://www.stopesso.com

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell