I'm seeing some OOW errors logged on Solaris that I do not understand.

# ipmon -o I
07/05/2009 11:03:28.748026 bge0 @0:2 b 128.120.32.248,1110 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:03:31.048788 bge0 @0:2 b 128.120.32.248,1110 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:03:37.049055 bge0 @0:2 b 128.120.32.248,1110 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:04:01.049542 bge0 @0:2 b 128.120.32.248,1782 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:04:07.049674 bge0 @0:2 b 128.120.32.248,1782 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:04:28.749120 bge0 @0:2 b 128.120.32.248,1452 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:04:43.749517 bge0 @0:2 b 128.120.32.248,1452 -> 128.120.32.61,389 PR tcp len 20 40 -R IN OOW
07/05/2009 11:04:43.749531 bge0 @0:2 b 128.120.32.248,1782 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:04:52.050351 bge0 @0:2 b 128.120.32.248,1782 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:04:58.749738 bge0 @0:2 b 128.120.32.248,1782 -> 128.120.32.61,389 PR tcp len 20 40 -R IN OOW

Rules that seem relevant:
@2 block in log proto tcp from any to any
@20 pass in quick proto tcp from 128.120.32.0/24 to any flags S/FSRPAU keep state keep frags

So obviously for some reason packets are arriving that I think
would be passed by rule #20 and yet they are not because they
are determined to be Out Of Window.  Thus they fall back to
default rule #2 and get tossed out.  If I switch to an entirely
stateless ruleset this problem vanishes.

The problem I am chasing is a Foundry load-balancer that does
periodic layer-7 healthchecks.  The connection ends with a RST
if that matters.  Seems sensible actually that would kick the state
table entry loose faster.  Anyhow sometimes I am seeing FAIL on
the healthchecks like every 20-30 minutes and I *think* it has
something to do with these packets being tossed and thus state
table entries being left present.  Or something.....

I see a while back some commentary about OOW patches in
4.1.10 and later.  Solaris seems stuck at 4.1.9.  I'm not sure if
the patches reference my problem anyhow.

Clues? Ideas where to look next? Peanuts?
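
One way to see whether the OOW drops cluster on reused source ports is to group the logged lines per connection tuple and list the TCP flags and the spacing between drops. This is an added example, not part of the original post; the regex group names, the function names and the day/month reading of the timestamp are assumptions, and the sample lines are copied from the log above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines copied from the post above (output of `ipmon -o I`).
SAMPLE = """\
07/05/2009 11:03:28.748026 bge0 @0:2 b 128.120.32.248,1110 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:03:31.048788 bge0 @0:2 b 128.120.32.248,1110 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:03:37.049055 bge0 @0:2 b 128.120.32.248,1110 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:04:01.049542 bge0 @0:2 b 128.120.32.248,1782 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:04:07.049674 bge0 @0:2 b 128.120.32.248,1782 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:04:28.749120 bge0 @0:2 b 128.120.32.248,1452 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:04:43.749517 bge0 @0:2 b 128.120.32.248,1452 -> 128.120.32.61,389 PR tcp len 20 40 -R IN OOW
07/05/2009 11:04:43.749531 bge0 @0:2 b 128.120.32.248,1782 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:04:52.050351 bge0 @0:2 b 128.120.32.248,1782 -> 128.120.32.61,389 PR tcp len 20 44 -S IN OOW
07/05/2009 11:04:58.749738 bge0 @0:2 b 128.120.32.248,1782 -> 128.120.32.61,389 PR tcp len 20 40 -R IN OOW
"""

# Matches only the TCP line shape shown in the post; other ipmon shapes are skipped.
LINE_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S+) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR tcp len \d+ \d+ -(?P<flags>[A-Z]+)(?P<rest>.*)$")

def oow_by_flow(text):
    """Map (src, sport, dst, dport) -> [(timestamp, tcp_flags)] for OOW lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or "OOW" not in m["rest"].split():
            continue
        # Assumption: date is day/month/year; gaps within a day are the same either way.
        ts = datetime.strptime(m["ts"], "%d/%m/%Y %H:%M:%S.%f")
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        flows[key].append((ts, m["flags"]))
    return flows

def summarize(flows):
    """Per flow: ordered TCP flags and seconds between consecutive OOW drops."""
    out = {}
    for key, events in flows.items():
        events.sort()
        gaps = [round((b[0] - a[0]).total_seconds(), 1)
                for a, b in zip(events, events[1:])]
        out[key] = {"flags": [f for _, f in events], "gaps": gaps}
    return out

if __name__ == "__main__":
    for key, info in summarize(oow_by_flow(SAMPLE)).items():
        print(key, info)
```

Several `-S` entries on one tuple mean a SYN from that source port was dropped as OOW more than once, which is the pattern to compare against the state table entries for the same tuple.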
