More debug details: I sniffed traffic on the backend interface, and both packet-filter interfaces. Notice how weird it is, the first two packets don't follow through, then the third one does and the socket opens.
The network diagram is: backend -- cisco switch -- packet-filter -- cisco switch -- otherhost On backend interface: 16:21:03.314620 IP (tos 0x0, ttl 64, id 19715, offset 0, flags [DF], proto 6, length: 60) backend.47061 > otherhost.1024: S [tcp sum ok] 1144445692:1144445692(0) win 5840 <mss 1460,sackOK,timestamp 780638207 0,nop,wscale 2> 16:21:06.314399 IP (tos 0x0, ttl 64, id 19717, offset 0, flags [DF], proto 6, length: 60) backend.47061 > otherhost.1024: S [tcp sum ok] 1144445692:1144445692(0) win 5840 <mss 1460,sackOK,timestamp 780641207 0,nop,wscale 2> 16:21:12.313302 IP (tos 0x0, ttl 64, id 19719, offset 0, flags [DF], proto 6, length: 60) backend.47061 > otherhost.1024: S [tcp sum ok] 1144445692:1144445692(0) win 5840 <mss 1460,sackOK,timestamp 780647207 0,nop,wscale 2> 16:21:12.313803 IP (tos 0x0, ttl 127, id 56156, offset 0, flags [none], proto 6, length: 64) otherhost.1024 > backend.47061: S [tcp sum ok] 358573471:358573471(0) ack 1144445693 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> 16:21:12.313828 IP (tos 0x0, ttl 64, id 19721, offset 0, flags [DF], proto 6, length: 52) backend.47061 > otherhost.1024: . [tcp sum ok] 1:1(0) ack 1 win 1460 <nop,nop,timestamp 780647208 0> On packet-filter backend_if: 16:19:22.268809 backend.47061 > otherhost.1024: S [tcp sum ok] 1144445692:1144445692(0) win 5840 <mss 1460,sackOK,timestamp 780638207 0,nop,wscale 2> (DF) (ttl 64, id 19715, len 60) 16:19:25.268606 backend.47061 > otherhost.1024: S [tcp sum ok] 1144445692:1144445692(0) win 5840 <mss 1460,sackOK,timestamp 780641207 0,nop,wscale 2> (DF) (ttl 64, id 19717, len 60) 16:19:31.267825 backend.47061 > otherhost.1024: S [tcp sum ok] 1144445692:1144445692(0) win 5840 <mss 1460,sackOK,timestamp 780647207 0,nop,wscale 2> (DF) (ttl 64, id 19719, len 60) 16:19:31.268188 otherhost.1024 > backend.47061: S [tcp sum ok] 358573471:358573471(0) ack 1144445693 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (ttl 127, id 56156, len 64) 16:19:31.268329 backend.47061 > otherhost.1024: . [tcp sum ok] 1:1(0) ack 1 win 1460 <nop,nop,timestamp 780647208 0> (DF) (ttl 64, id 19721, len 52) On packet-filter otherhost_if: 16:19:31.267881 backend.47061 > otherhost.1024: S [tcp sum ok] 1144445692:1144445692(0) win 5840 <mss 1460,sackOK,timestamp 780647207 0,nop,wscale 2> (DF) (ttl 63, id 19719, len 60) 16:19:31.268167 otherhost.1024 > backend.47061: S [tcp sum ok] 358573471:358573471(0) ack 1144445693 win 16384 <mss 1460,nop,wscale 0,nop,nop,timestamp 0 0,nop,nop,sackOK> (ttl 128, id 56156, len 64) 16:19:31.268351 backend.47061 > otherhost.1024: . [tcp sum ok] 1:1(0) ack 1 win 1460 <nop,nop,timestamp 780647208 0> (DF) (ttl 63, id 19721, len 52) Rui -- + No matter how much you do, you never do enough -- unknown + Whatever you do will be insignificant, | but it is very important that you do it -- Gandhi + So let's do it...? [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
