On Sun, 29 Jul 2007, Willy Tarreau wrote: > On Sun, Jul 29, 2007 at 12:28:04PM +0300, Ilpo Järvinen wrote: > > > [...snip...] > > > > > BTW, some information are missing. It would have been better if the trace > > > had been read with tcpdump -Svv. We would have got seq numbers and ttl. > > > Also, we do not know if there's a firewall between both sides. Sometimes, > > > some IDS identify attacks in crypted traffic and kill connections. It > > > might have been the case here, with the connection closed one way on an > > > intermediate firewall. > > > > Yeah, firewall or some other issue, I'd say it's quite unlikely a bug in > > TCP because behavior to both directions indicate client -> sender > > blackhole independently of each other... > > It would also be possible that something stupid between both ends simply > drops packets with the SACK option set. Also something which sometimes > happen is that some firewalls automatically translate sequence numbers > but not necessarily SACK values, which could pretty well lead to this > packet being received but ignored on the server side.
...One can toggle those off with /proc/sys/net/ipv4/tcp_dsack but I suspect DSACKs are not the cause because these retransmissions neither are making it through (there are many of them also earlier in the log, just quoted the easiest ones :-) ): > > > > 09:36:44.335591 IP CLIENT.50727 > SERVER.ssh: P 2991:3039(48) ack 18464 > > > > win > > > > 378 <nop,nop,timestamp 800227942 7692910> > > > > 09:38:44.351950 IP CLIENT.50727 > SERVER.ssh: P 2991:3039(48) ack 18464 > > > > win > > > > 378 <nop,nop,timestamp 800257942 7692910> > > > > 09:40:44.368172 IP CLIENT.50727 > SERVER.ssh: P 2991:3039(48) ack 18464 > > > > win > > > > 378 <nop,nop,timestamp 800287943 7692910> ...there are no SACKs involved in them, yet no cumulative ACK ever arrives from SERVER... -- i.