Am I sending this to a stupid email address...?

Has anyone else experienced the same problem with NAT timeouts...?


Thanks


-------- Original Message --------
Subject: Re: Fwd: Firewall timeout problem
Date: Thu, 21 Oct 2004 12:36:43 +0100
From: Ben Tyson-Norrman <>
To: Ben Tyson-Norrman <>


And again forwarding the same question - we are now starting to see the
same problem with Fedora Core 2 machines.


Playing MP3s from across the firewall, the mount drops after the TCP timeout.

Not sure why I'm having to send this email repeatedly since July without
acknowledgment...?



Ben Tyson-Norrman
DTV/IT Manager

--------------------------------



Ben Tyson-Norrman wrote:
Once again I raise this question.

Macs (OS X) and FreeBSD have continual problems talking across GTA firewalls. Copies using both FTP and SFTP take excessive time. My current workaround is to transfer files to a Linux system, then copy them over to external machines.

The initially suggested workaround is causing us a problem with NAT resources running out; having a timeout higher than the default doesn't really help at the end of the day.

I would be grateful for some response, to indicate you have received the email if nothing else.

thanks

Ben Tyson-Norrman
DTV/IT Manager
--------------------------------



Ben Tyson-Norrman wrote:

Sorry to trouble you, but we still haven't had a reply to this. I appreciate that you have been struggling to get back to normal; however, some update would be gratefully received, if only to say you have received the item.


Many thanks


Ben

Ben Tyson-Norrman wrote:

Good morning. We sent this email to you a while back and you came back with the answer that we should increase the timeouts on our GTA. Whilst this is a workaround, it's not actually a solution.

I've just had the problem that a backup job that was running overnight aborted because of a terminal disconnect (currently the timeout is at 12 hours). Also, looking at my Linux box, I've got Samba mounts which have been there for the last week without a problem. I can't do the same with OS X / BSD because the whole lot times out after the timeout period (however long that is).

Can you give me some idea when / if this issue is going to be addressed...?

Thanks

Ben Tyson-Norrman wrote:

We are having problems with our OS X Macs trying to access items from behind our GTAs. It's easy enough to repeat: take a Mac and SSH to an outside host, leave the telnet session open for more than 15 seconds without doing anything, and when you return to the telnet session you will see a lock-up for approx. 5 seconds.

This causes us particular problems because we use our machines inside one interface to talk to machines on another interface (i.e. we protect our power users). On OS X, not only does this not work on telnet and SSH, but also on Samba or any other type of remote connection. The result is that anything with a BSD base doesn't work. Macs get stuck and can't show network drives at all, and eventually lock the whole machine up, until you force a disconnect.

This problem can be replicated with any install of BSD; a default install will show exactly the same behaviour.

Below is an analysis from one of my colleagues.

Ben

Begin forwarded message:

From: Alex Dyas <[EMAIL PROTECTED]>
Date: Tue May 4, 2004 18:43:23 Europe/London
To: Ben Tyson-Norrman <>
Subject: Firewall timeout problem

Right, the problem is probably best explained with a tcpdump.

Situation :

OSX - Firewall - Solaris

tcpdump lines below were taken on the OSX machine.

OSX telnets to Solaris through the firewall. I do some stuff and everything
works fine:


19:23:37.055274 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: P 106:108(2) ack 1321 win 65535 <nop,nop,timestamp 3951925665 538711635>
19:23:37.055967 IP 172.17.1.111.telnet > yoda.bops.twowaytv.co.uk.51276: P 1321:1323(2) ack 108 win 24616 <nop,nop,timestamp 538711653 3951925665>
19:23:37.081690 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: . ack 1323 win 65535 <nop,nop,timestamp 3951925665 538711653>
19:23:37.082047 IP 172.17.1.111.telnet > yoda.bops.twowaytv.co.uk.51276: P 1323:1338(15) ack 108 win 24616 <nop,nop,timestamp 538711655 3951925665>
19:23:37.281872 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: . ack 1338 win 65535 <nop,nop,timestamp 3951925665 538711655>


Then I leave the session alone. After around 10 seconds of idle time, the following happens:

19:23:48.703458 IP 172.17.1.111.telnet > yoda.bops.twowaytv.co.uk.51276: . ack 108 win 0
19:23:48.703585 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: . ack 1338 win 65535 <nop,nop,timestamp 3951925688 538711655>


The OSX box appears to get a "win 0" message from the remote host. However,
a tcpdump on the remote host shows that this message looks like it comes
from the firewall, not the remote host itself.


If I try typing into the telnet session, I get a delay of around 5 seconds
before I see any response, then things seem OK again:


19:23:55.301857 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: . 108:109(1) ack 1338 win 65535 <nop,nop,timestamp 3951925701 538711655>
19:23:55.395936 IP 172.17.1.111.telnet > yoda.bops.twowaytv.co.uk.51276: . ack 109 win 24616 <nop,nop,timestamp 538713487 3951925701>
19:23:55.396044 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: P 109:110(1) ack 1338 win 65535 <nop,nop,timestamp 3951925702 538713487>
19:23:55.396198 IP 172.17.1.111.telnet > yoda.bops.twowaytv.co.uk.51276: P 1338:1340(2) ack 109 win 24616 <nop,nop,timestamp 538713487 3951925701>
19:23:55.484896 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: . ack 1340 win 65535 <nop,nop,timestamp 3951925702 538713487>
19:23:55.485339 IP 172.17.1.111.telnet > yoda.bops.twowaytv.co.uk.51276: P 1340:1355(15) ack 110 win 24616 <nop,nop,timestamp 538713495 3951925702>
19:23:55.685029 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: . ack 1355 win 65535 <nop,nop,timestamp 3951925702 538713495>


It is this delay which is the problem.

A few extra points :

- The same problem can be seen on a FreeBSD client connecting through the
firewall (FreeBSD 4.9 or 5.2.1). OSX takes its network stack from FreeBSD
so this isn't surprising.
- The host on the other side of the firewall doesn't seem to matter, be
it Solaris, Linux or FreeBSD.
- Telnet is used here as an example, but the problem is seen using any
protocol (NFS/FTP/ssh etc).
- Connecting across a number of other firewall brands does not exhibit
the problem.
- The problem has been seen consistently for the last 3 years.


Alex..
--

Ben Tyson-Norrman
DTV/IT Manager
--------------------------------
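The trace Alex posted carries its own tell: every segment the Solaris side sends during the session has the `<nop,nop,timestamp ...>` option, except the one `win 0` segment that arrives after the idle period, which has no options at all. The script below is an added example, not code from the post or from GTA; it re-parses exactly the tcpdump lines quoted above (no lines are invented) and flags zero-window segments whose TCP option profile differs from what the same sender used on the rest of the connection. Treating that mismatch as a sign of a middlebox-generated segment is an assumption of this example, a heuristic for triage rather than proof; the post's own confirmation came from capturing on the remote host. The `idle_before` and `reopened_after` values are simply measured from the trace timestamps.

```python
"""Flag zero-window TCP segments in a tcpdump trace whose options do not
match the profile the same sender has been using.  Added example; not part
of the original mailing-list post."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Lines copied from the tcpdump in the post (captured on the OS X client,
# on the OSX - firewall - Solaris path).  Nothing here is invented.
TRACE = """\
19:23:37.055274 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: P 106:108(2) ack 1321 win 65535 <nop,nop,timestamp 3951925665 538711635>
19:23:37.055967 IP 172.17.1.111.telnet > yoda.bops.twowaytv.co.uk.51276: P 1321:1323(2) ack 108 win 24616 <nop,nop,timestamp 538711653 3951925665>
19:23:37.081690 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: . ack 1323 win 65535 <nop,nop,timestamp 3951925665 538711653>
19:23:37.082047 IP 172.17.1.111.telnet > yoda.bops.twowaytv.co.uk.51276: P 1323:1338(15) ack 108 win 24616 <nop,nop,timestamp 538711655 3951925665>
19:23:37.281872 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: . ack 1338 win 65535 <nop,nop,timestamp 3951925665 538711655>
19:23:48.703458 IP 172.17.1.111.telnet > yoda.bops.twowaytv.co.uk.51276: . ack 108 win 0
19:23:48.703585 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: . ack 1338 win 65535 <nop,nop,timestamp 3951925688 538711655>
19:23:55.301857 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: . 108:109(1) ack 1338 win 65535 <nop,nop,timestamp 3951925701 538711655>
19:23:55.395936 IP 172.17.1.111.telnet > yoda.bops.twowaytv.co.uk.51276: . ack 109 win 24616 <nop,nop,timestamp 538713487 3951925701>
19:23:55.396044 IP yoda.bops.twowaytv.co.uk.51276 > 172.17.1.111.telnet: P 109:110(1) ack 1338 win 65535 <nop,nop,timestamp 3951925702 538713487>
19:23:55.396198 IP 172.17.1.111.telnet > yoda.bops.twowaytv.co.uk.51276: P 1338:1340(2) ack 109 win 24616 <nop,nop,timestamp 538713487 3951925701>
"""

# tcpdump 3.x summary-line layout: "<ts> IP <src> > <dst>: <flags> <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>\S+) (?P<rest>.*)$"
)
WIN_RE = re.compile(r"\bwin (\d+)")
OPTS_RE = re.compile(r"<([^>]*)>")


@dataclass
class Segment:
    t: float            # seconds since midnight, from the tcpdump timestamp
    src: str
    dst: str
    flags: str
    win: int            # advertised window, -1 if the line had none
    options: frozenset  # option kinds present, e.g. {"nop", "timestamp"}
    raw: str


def _to_seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_trace(text: str) -> List[Segment]:
    """Parse tcpdump summary lines; lines that do not match are skipped."""
    segs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        win = WIN_RE.search(m["rest"])
        opts = OPTS_RE.search(m["rest"])
        # "nop,nop,timestamp 3951925665 538711635" -> {"nop", "timestamp"}
        kinds = frozenset(
            o.strip().split()[0] for o in opts.group(1).split(",") if o.strip()
        ) if opts else frozenset()
        segs.append(Segment(_to_seconds(m["ts"]), m["src"], m["dst"], m["flags"],
                            int(win.group(1)) if win else -1, kinds, line))
    return segs


@dataclass
class Finding:
    t: float
    src: str
    has_timestamp: bool               # did the win 0 segment carry the option?
    direction_used_timestamps: bool   # had this sender used it earlier?
    idle_before: float                # silence on the connection before it
    reopened_after: Optional[float]   # until the same sender advertised win > 0


def find_suspect_zero_windows(segs: List[Segment]) -> List[Finding]:
    """A zero-window segment whose option set differs from what the same
    sender used on every other segment is a hint (heuristic, not proof)
    that something between the endpoints generated it."""
    findings = []
    used_ts = {}   # (src, dst) -> sender has used the timestamp option
    last_t = None
    for i, s in enumerate(segs):
        key = (s.src, s.dst)
        if s.win == 0:
            reopened = next((n.t - s.t for n in segs[i + 1:]
                             if (n.src, n.dst) == key and n.win > 0), None)
            findings.append(Finding(
                t=s.t, src=s.src,
                has_timestamp="timestamp" in s.options,
                direction_used_timestamps=used_ts.get(key, False),
                idle_before=(s.t - last_t) if last_t is not None else 0.0,
                reopened_after=reopened))
        if "timestamp" in s.options:
            used_ts[key] = True
        last_t = s.t
    return findings


if __name__ == "__main__":
    for f in find_suspect_zero_windows(parse_trace(TRACE)):
        print(f"win 0 from {f.src}: timestamp option={f.has_timestamp}, "
              f"sender normally uses it={f.direction_used_timestamps}, "
              f"idle before={f.idle_before:.3f}s, "
              f"window reopened after={f.reopened_after:.3f}s")
```

On the quoted trace this reports one finding: the zero-window segment attributed to 172.17.1.111 arrives after about 11.4 s of silence, carries no timestamp option although that sender used it on every other segment, and the same sender does not advertise a non-zero window again for about 6.7 s. To use it on a live problem, feed `parse_trace` the output of `tcpdump -n -tt`-style summaries captured on the client, then repeat the capture on the far host: a segment the client sees but the far host never sent is the confirmation Alex describes.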

------------------------------------------------------
Archive:  http://archives.gnatbox.com/gb-users/