On 14.02.2018 09:35, wishmaster wrote:
> The issue is with the second remote server. When I transmit a very big file,
> the control channel is not "recreated" and transmitting this file and all
> the next ones always fails.
>
> root@xxx: ipfw -d show|grep '111.222.0.7'
> 03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
> 03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts
>
> root@xxx: ipfw -d show|grep '111.222.0.7'
> 03200 3137837 2414765852 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
>
> The main server/router uses IPFW and in most places dynamic rules. As a
> workaround I have added one rule on the external interface:
>
> $cmd 5153 allow log tcp from any 21 to any 1024-65535 # ipfw - ftp issue
>
> But I want to find the problem.

ipfw starts sending keep-alive TCP segments when a dynamic state's lifetime is below 20 seconds. If the foreign host replies to a keep-alive segment, the state's lifetime will be bumped up to 300 seconds (by default). Otherwise the state will expire.

In your case I guess the foreign host doesn't reply to keep-alive segments, probably because it has a lower value of state lifetime. And when your host starts sending keep-alive requests, the foreign host has already dropped this state.

You can try to decrease the net.inet.ip.fw.dyn_ack_lifetime value and determine the value that will be enough for this host. For example, set it to 250, 200, 150, 100.

-- 
WBR, Andrey V. Elsukov
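
Added example, not part of the original thread or of ipfw itself: a small parser for the `ipfw -d show` STATE lines quoted above that compares two snapshots and reports which dynamic states were inside the 20-second keep-alive window and which then expired. The function names and the regular expression are assumptions, and only the STATE line layout shown in the quoted output is handled.

```python
import re

# Threshold from the reply above: ipfw sends keep-alives once a state's
# remaining lifetime drops below 20 seconds.
KEEPALIVE_WINDOW = 20

# One dynamic-state line as printed in the quoted output (assumed layout):
# rule pkts bytes (TTLs) STATE proto src sport <-> dst dport
STATE_RE = re.compile(
    r"^(?P<rule>\d+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+\((?P<ttl>\d+)s\)\s+"
    r"STATE\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)"
)

def parse_states(text):
    """Map (proto, src, sport, dst, dport) -> remaining lifetime in seconds."""
    states = {}
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            states[key] = int(m["ttl"])
    return states

def diagnose(before, after):
    """Compare two snapshots taken a few seconds apart."""
    old, new = parse_states(before), parse_states(after)
    return {
        # states ipfw was already probing with keep-alives in the first snapshot
        "probing": sorted(k for k, ttl in old.items() if ttl < KEEPALIVE_WINDOW),
        # states present in the first snapshot and gone in the second
        "expired": sorted(k for k in old if k not in new),
    }

# The two snapshots from the quoted message, mail-wrapped lines rejoined.
SNAP1 = """\
03200 2985778 2299927348 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
03200 59 4622 (6s) STATE tcp 111.222.0.253 63623 <-> 111.222.0.7 21 :nts
"""
SNAP2 = """\
03200 3137837 2414765852 (300s) STATE tcp 111.222.0.253 63307 <-> 111.222.0.7 44678 :nts
"""

if __name__ == "__main__":
    report = diagnose(SNAP1, SNAP2)
    for key in report["expired"]:
        note = "was in keep-alive window" if key in report["probing"] else "expired early"
        print("expired:", key, "-", note)
```

A state that shows up under both "probing" and "expired" matches the behaviour described in the reply: keep-alives were sent but the lifetime was never bumped back up.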