
One NAT'ed machine fails.



I have a SuSE machine running as a NAT machine.  On the internal LAN is a
Windows machine, and two Debian testing/unstable machines (one is a
laptop).

The desktop Debian 'bumby' works fine most of the time, although I noticed
that I could not reach (at my son's request) lego.com.  I thought it was
down, as traceroute failed (although they probably are blocking pings).

But, when I tried from the Debian laptop I can reach lego.com.

On the SuSE NAT machine netstat -M shows both connections:

prot   expire source               destination          ports
tcp   1:56.02 bumby                www.lego.com         40828 -> www-http (61123)
tcp   1:59.79 laptop               www.lego.com         1026 -> www-http (61124)

And there is not a firewall running on the SuSE machine:

> ipchains -L -n
Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
target     prot opt     source                destination           ports
MASQ       all  ------  192.168.0.0/24       0.0.0.0/0             n/a
Chain output (policy ACCEPT):

Here's a "tcpdump host www.lego.com" on the NAT machine.  

The laptop is running testing with 2.4.18 and the desktop (bumby) is
running testing/unstable with 2.4.20.  I suppose the difference in the
flag is the difference in the TCP/IP stack in the two kernels.

I assume it's the server failing to deal with the ECN-Echo or CWR flag.
Seems like the only significant difference.

lego.com sets a cookie with "ASPSESSION..." which makes me suspect IIS.

I'm no expert with tcpdump...

First tcpdump of the laptop connection:

15:44:05.501142 laptop.1029 > www.lego.com.http: S 461862062:461862062(0) win 5840 <mss 1460,sackOK,timestamp 139840 0,nop,wscale 0> (DF)
15:44:05.593932 www.lego.com.http > laptop.1029: S 2028817538:2028817538(0) ack 461862063 win 64240 <mss 1380,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
15:44:05.597874 laptop.1029 > www.lego.com.http: . 1:1(0) ack 1 win 5840 <nop,nop,timestamp 139850 0> (DF)
15:44:05.605551 laptop.1029 > www.lego.com.http: P 1:459(458) ack 1 win 5840 <nop,nop,timestamp 139851 0> (DF)
15:44:05.737622 www.lego.com.http > laptop.1029: P 1:260(259) ack 459 win 63782 <nop,nop,timestamp 42968557 139851> (DF)
15:44:05.740119 www.lego.com.http > laptop.1029: FP 260:401(141) ack 459 win 63782 <nop,nop,timestamp 42968557 139851> (DF)
15:44:05.742671 laptop.1029 > www.lego.com.http: . 459:459(0) ack 260 win 6432 <nop,nop,timestamp 139864 42968557> (DF)
15:44:05.783058 laptop.1029 > www.lego.com.http: . 459:459(0) ack 402 win 7504 <nop,nop,timestamp 139869 42968557> (DF)

Now of the Desktop:

> tcpdump host www.lego.com
User level filter, protocol ALL, datagram packet socket
tcpdump: listening on eth0
15:46:58.791804 bumby.41055 > www.lego.com.http: S [ECN-Echo,CWR] 632915726:632915726(0) win 5840 <mss 1460,sackOK,timestamp 55055407 0,nop,wscale 0> (DF)
15:47:01.785164 bumby.41055 > www.lego.com.http: S [ECN-Echo,CWR] 632915726:632915726(0) win 5840 <mss 1460,sackOK,timestamp 55055707 0,nop,wscale 0> (DF)
15:47:07.784961 bumby.41055 > www.lego.com.http: S [ECN-Echo,CWR] 632915726:632915726(0) win 5840 <mss 1460,sackOK,timestamp 55056307 0,nop,wscale 0> (DF)
15:47:19.784555 bumby.41055 > www.lego.com.http: S [ECN-Echo,CWR] 632915726:632915726(0) win 5840 <mss 1460,sackOK,timestamp 55057507 0,nop,wscale 0> (DF)

What's happening?


-- 
Bill Moseley moseley@hank.org
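
The symptom in the two captures above can be checked mechanically. The following is an added example, not part of the original post: it parses tcpdump lines in the format shown and reports flows whose SYNs were never answered, noting whether they were ECN-setup SYNs. The function name and the SAMPLE list are illustrative; the sample lines are copied from the post's captures with the TCP options trimmed.

```python
import re

# Legacy tcpdump text format, as in the captures above:
#   time src.port > dst.port: FLAGS [ECN-Echo,CWR] seq:seq(len) [ack N] ...
PKT = re.compile(r"^\S+ (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRW.]+)"
                 r"(?: \[(?P<ecn>[^\]]*)\])?")

def unanswered_syns(lines):
    """Map (client, server) -> {"syns": count, "ecn_setup": bool} for every
    flow where the client sent SYNs and the server never sent anything back."""
    syn_flows, seen = {}, set()
    for line in lines:
        m = PKT.match(line.strip())
        if not m:
            continue  # banner lines, e.g. "tcpdump: listening on eth0"
        key = (m["src"], m["dst"])
        seen.add(key)
        if "S" in m["flags"] and " ack " not in line:  # initial SYN, not SYN-ACK
            bits = set((m["ecn"] or "").split(","))
            flow = syn_flows.setdefault(key, {"syns": 0, "ecn_setup": False})
            flow["syns"] += 1
            # RFC 3168: an ECN-setup SYN carries both ECE and CWR.
            flow["ecn_setup"] |= {"ECN-Echo", "CWR"} <= bits
    # Keep only flows with no packet at all in the reverse direction.
    return {k: v for k, v in syn_flows.items() if (k[1], k[0]) not in seen}

# Lines copied from the post's captures, TCP options trimmed.
SAMPLE = [
    "tcpdump: listening on eth0",
    "15:44:05.501142 laptop.1029 > www.lego.com.http: S 461862062:461862062(0) win 5840 (DF)",
    "15:44:05.593932 www.lego.com.http > laptop.1029: S 2028817538:2028817538(0) ack 461862063 win 64240 (DF)",
    "15:44:05.597874 laptop.1029 > www.lego.com.http: . 1:1(0) ack 1 win 5840 (DF)",
    "15:46:58.791804 bumby.41055 > www.lego.com.http: S [ECN-Echo,CWR] 632915726:632915726(0) win 5840 (DF)",
    "15:47:01.785164 bumby.41055 > www.lego.com.http: S [ECN-Echo,CWR] 632915726:632915726(0) win 5840 (DF)",
    "15:47:07.784961 bumby.41055 > www.lego.com.http: S [ECN-Echo,CWR] 632915726:632915726(0) win 5840 (DF)",
    "15:47:19.784555 bumby.41055 > www.lego.com.http: S [ECN-Echo,CWR] 632915726:632915726(0) win 5840 (DF)",
]

if __name__ == "__main__":
    for (client, server), info in unanswered_syns(SAMPLE).items():
        kind = "ECN-setup SYN" if info["ecn_setup"] else "SYN"
        print(f"{client} -> {server}: {info['syns']} unanswered {kind}(s)")
```

A flow reported with `ecn_setup` set matches the symptom in the post: the ECN-setup SYN is retransmitted and never answered, while the laptop's plain SYN completes the handshake. On Linux the client side of that negotiation is controlled by the `net.ipv4.tcp_ecn` sysctl.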



