On 10/22/12 15:16, Marcin wrote:
> Hi,
>
> I recently upgraded to 5.1, but I was able to reproduce the issue
> described below with 4.8, 5.0 and 5.2 snapshot.
>
> After the upgrade I discovered that workstations behind the OpenBSD
> firewall experience occasional timeouts
> while trying to access web servers running IIS 6.0 on Windows 2003
> Server. The firewall itself is not affected.
> The problem is rather intermittent and happens with 30%-50%
> requests. The workstations are running Windows 7,
> Windows XP and Linux.
>
> I was also able to reproduce the issue by installing Windows 2003 R2
> server in default configuration,
> setting up extremely basic PF rules to redirect port 80 and accessing
> the server from the Internet. I was unable to expose
> this issue in LAN, which suggests it might happen only on links slower
> than 100Mbit. However, it seems to
> be hardware independent (although all tests were run on i386 arch) as
> I achieve the same results on three
> different machines in three different geographic locations connected
> via independent ISPs.
>
> This is how the problem can be exposed with curl:
>
> #curl -vI http://www.startvbdotnet.com/
> * About to connect() to www.startvbdotnet.com port 80 (#0)
> * Trying 64.79.160.13... connected
>> HEAD / HTTP/1.1
>> User-Agent: curl/7.22.0 (i686-pc-linux-gnu) libcurl/7.22.0 OpenSSL/1.0.1 zlib/1.2.3.4 libidn/1.23 librtmp/2.3
>> Host: www.startvbdotnet.com
>> Accept: */*
>>
> * Recv failure: Connection reset by peer
> * Closing connection #0
> curl: (56) Recv failure: Connection reset by peer
>
> I uploaded the tcpdump from machine running curl here:
> http://pastebin.com/AkqCeQwW
>
> As far as I can tell, the Win 2008 and Win 2012 are not affected.
> Also, the 4.5 seemed to be free from this problem.
>
> Thanks in advance for any suggestions / workarounds!
>
> --
> Regards,
> Marcin
>
Please post the following things:

- output of `pfctl -si`
- your pf ruleset
- output of `vmstat -m`

--
James Shupe

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]