At 04:21 PM 3/5/2004, you wrote:
Paul Emerson wrote: The log message indicates that the packet is a TCP Reset (flag=0x4) packet. This message just indicates that a Reset packet was not expected (as Reset packets are generally used to terminate/reset a session). Could also be a case of someone forging a packet and sending the reset to screw things up or attempt to hijack a session (possible but maybe unlikely). Since you'd send a Reset to one side while you jump in the middle and start talking to the other.
The issue was indeed with GNAT Box. The version I was using has a problem talking to other hosts that make use of Explicit Congestion Notification (ECN). Here is a snippet I found using google.com:
---Snippet---
CONFIG_INET_ECN:
Explicit Congestion Notification (ECN) allows routers to notify clients about network congestion, resulting in fewer dropped packets and increased network performance. This option adds ECN support to the Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn) which allows ECN support to be disabled at runtime.
Note that, on the Internet, there are many broken firewalls which refuse connections from ECN-enabled machines, and it may be a while before these firewalls are fixed. Until then, to access a site behind such a firewall (some of which are major sites, at the time of this writing) you will have to disable this option, either by saying N now or by using the sysctl.
---Snippet---
I figured this out with the help of the friend who originally notified me of the problem. He is running Debian Linux mail servers with ECN built into the kernel.
I've updated the GB-1000 to v3.4.2 and the problem has disappeared. As a warning to other people running older versions of GNAT Box (mine was 3.3.4s), you may want to search your firewall filter logs for 'Rejecting unexpected packet' and make sure that you aren't rejecting legitimate connections due to a bug in GNAT Box.
///Jason
------------------------------------------------------ To unsubscribe: [EMAIL PROTECTED] For additional commands: [EMAIL PROTECTED] Archive: http://archives.gnatbox.com/gb-users/
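An added example, not part of the original message and not GNAT Box code: it decodes the flags byte of a TCP header and shows why a filter that only accepts a bare SYN refuses the ECN-setup SYN (SYN+ECE+CWR, RFC 3168) sent by an ECN-enabled host. The `legacy_filter_accepts_syn` check is a hypothetical illustration of that class of firewall bug, and the header field values are constructed.

```python
import struct

# TCP flag bits: RFC 793 plus the ECE/CWR bits defined by RFC 3168.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
         "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80}
ECN_BITS = FLAGS["ECE"] | FLAGS["CWR"]

def build_header(flags: int) -> bytes:
    """Constructed 20-byte TCP header; ports, sequence and window are sample values."""
    return struct.pack("!HHIIBBHHH", 40000, 25, 1000, 0, 5 << 4, flags, 5840, 0, 0)

def tcp_flags(header: bytes) -> int:
    """Return the flags byte (offset 13) of a raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13]

def flag_names(flags: int) -> list:
    return [name for name, bit in FLAGS.items() if flags & bit]

def is_ecn_setup_syn(flags: int) -> bool:
    """RFC 3168: an ECN-capable client opens with SYN + ECE + CWR, no ACK/RST/FIN."""
    wanted = FLAGS["SYN"] | ECN_BITS
    forbidden = FLAGS["ACK"] | FLAGS["RST"] | FLAGS["FIN"]
    return (flags & wanted) == wanted and not (flags & forbidden)

def legacy_filter_accepts_syn(flags: int) -> bool:
    """Hypothetical pre-ECN check: the two high bits are treated as 'must be zero'."""
    return flags == FLAGS["SYN"]

def ecn_aware_filter_accepts_syn(flags: int) -> bool:
    """Mask out ECE/CWR before deciding whether the packet is a connection opener."""
    return (flags & ~ECN_BITS & 0xFF) == FLAGS["SYN"]

if __name__ == "__main__":
    # Plain SYN, ECN-setup SYN, and the RST (flag=0x4) mentioned in the thread.
    for flags in (0x02, 0xC2, 0x04):
        seen = tcp_flags(build_header(flags))
        print(f"flags=0x{seen:02x} {'+'.join(flag_names(seen)):12} "
              f"ecn_setup={is_ecn_setup_syn(seen)} "
              f"legacy={legacy_filter_accepts_syn(seen)} "
              f"ecn_aware={ecn_aware_filter_accepts_syn(seen)}")
```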
