On 08 Dec 16:26, Wojciech Ziniewicz wrote:
> Hi,
> After upgrade from old patched etch, my clients cannot browse internet
> anymore (upload is ok but download not bigger than few kbps ) - problem
> occurs randomly - other services that use small packets like voip work
> perfectly.
Between that system and the outside world, is there another
router/firewall?
there's only my router with BGP session acting as a gateway
My initial guess would be that you've hit the tcp window scale problem,
you can (quickly) check this by doing:
sysctl net.ipv4.tcp_window_scaling=0
I did some tests with both settings :
1.
telneting on a host behind my client's router :
listening on ppp296, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
18:58:39.988961 IP 1.mydomain.com.3718 > 10.100.0.194.telnet: Flags [S], seq 3615516481, win 5808, options [mss 1452,nop,wscale 2], length 0
18:58:39.991914 IP 10.100.0.194.telnet > 1.mydomain.com.3718: Flags [S.], seq 1759632665, ack 3615516482, win 5840, options [mss 1452,nop,wscale 0], length 0
18:58:39.991975 IP 1.mydomain.com.3718 > 10.100.0.194.telnet: Flags [.], ack 1, win 1452, length 0
18:58:39.992118 IP 1.mydomain.com.3718 > 10.100.0.194.telnet: Flags [P.], seq 1:25, ack 1, win 1452, length 24
18:58:40.020668 IP 10.100.0.194.telnet > 1.mydomain.com.3718: Flags [P.], seq 1:13, ack 25, win 5840, length 12
18:58:40.020742 IP 1.mydomain.com.3718 > 10.100.0.194.telnet: Flags [.], ack 13, win 1452, length 0
18:58:40.020847 IP 1.mydomain.com.3718 > 10.100.0.194.telnet: Flags [P.], seq 25:28, ack 13, win 1452, length 3
18:58:40.023064 IP 10.100.0.194.telnet > 1.mydomain.com.3718: Flags [P.], seq 13:28, ack 25, win 5840, length 15
18:58:40.054093 IP 1.mydomain.com.3718 > 10.100.0.194.telnet: Flags [.], ack 28, win 1452, length 0
18:58:40.056014 IP 10.100.0.194.telnet > 1.mydomain.com.3718: Flags [P.], seq 28:46, ack 28, win 5840, length 18
--- from now on my router tries to get response from the box behind firewall
18:58:40.056068 IP 1.mydomain.com.3718 > 10.100.0.194.telnet: Flags [P.], seq 28:37, ack 46, win 1452, length 9
18:58:40.284102 IP 1.mydomain.com.3718 > 10.100.0.194.telnet: Flags [P.], seq 28:37, ack 46, win 1452, length 9
18:58:40.744084 IP 1.mydomain.com.3718 > 10.100.0.194.telnet: Flags [P.], seq 28:37, ack 46, win 1452, length 9
18:58:41.664196 IP 1.mydomain.com.3718 > 10.100.0.194.telnet: Flags [P.], seq 28:37, ack 46, win 1452, length 9
18:58:43.504119 IP 1.mydomain.com.3718 > 10.100.0.194.telnet: Flags [P.], seq 28:37, ack 46, win 1452, length 9
18:58:47.184092 IP 1.mydomain.com.3718 > 10.100.0.194.telnet: Flags [P.], seq 28:37, ack 46, win 1452, length 9
output of telnet is :
root@beta2:/home/wojtek# telnet 10.100.0.194
Trying 10.100.0.194...
Connected to 10.100.0.194.
Escape character is '^]'.
it should be prompt for login and password.
2. after doing the tcp window scaling change i repeated the telnet procedure and here's another sniff from my pppoe-server
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ppp296, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
19:03:12.045452 IP 1.mydomain.com.1048 > 10.100.0.194.telnet: Flags [S], seq 3534691937, win 5808, options [mss 1452], length 0
19:03:12.047495 IP 10.100.0.194.4119 > 1.mydomain.com.1048: Flags [R.], seq 0, ack 3534691938, win 0, length 0
19:03:18.092283 IP 1.mydomain.com.1048 > 10.100.0.194.telnet: Flags [S], seq 3534691937, win 5808, options [mss 1452], length 0
19:03:18.094212 IP 10.100.0.194.4119 > 1.mydomain.com.1048: Flags [R.], seq 0, ack 1, win 0, length 0
syn with reset all the time - totally no connectivity.
so with tcp scaling on my server we have packets going thru client's nat but big packets cannot go thru . on the other hand when I turn tcp window scaling to "on" i can't even connect (reset + syn all the time), but icmp goes thruough both in 1 and 2 case
frankly i have no clue why O_o