This can be fixed by turning off TCP sequence reordering on the Cisco
appliance. Please note this also affects your Mac, BSD and Windows
machines. You can turn off SACK on your host if you don't care about
performance.

This feature was enabled by Cisco to protect Windows 95 hosts from TCP
sequence prediction attacks (yeah, don't fix the problem, just break the
network). However, Cisco doesn't translate the SACK ranges it has
modified the sequences for, so your host gets back the 'wrong' range in
the SACK response and simply ignores it because it doesn't match
anything it sent.

https://supportforums.cisco.com/document/48551/single-tcp-flow-performance-firewall-services-module-fwsm

** Changed in: linux (Ubuntu)
       Status: In Progress => Invalid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1388786

Title:
  TCP stale transfer with erroneous SACK information

Status in linux package in Ubuntu:
  Invalid

Bug description:
  Cisco PIX/FWSM changes TCP sequence numbers but doesn't change numbers
  in SACK TCP options.

  When this erroneous information comes to a Linux server there is some
  corruption in the TCP stack in some circumstances with the CUBIC TCP
  congestion algorithm, and the transfer stalls.

  The problem can be reproduced in Ubuntu Server 14.04 when a Cisco FWSM is
  changing sequence numbers (default configuration) and a big file
  (30MB, for example) is being transferred.

  It can be solved by deactivating SACK:
  sysctl -w net.ipv4.tcp_sack=0

  We have solved it also with this configuration:
  sysctl -w net.ipv4.tcp_congestion_control=reno
  sysctl -w net.ipv4.tcp_frto=1
  sysctl -w net.ipv4.tcp_early_retrans=1

  We can also fix it by changing the firewall configuration.

  Find attached a Wireshark capture where you can see at frame 16613 how
  the client requests segment 853521869 and the server (158.42.250.128)
  resends a previous segment again for 87 seconds until the transfer stops.

  Thanks
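Added illustration (not from the bug report or from Cisco's documentation) of why the sender "simply ignores" the SACK blocks described in the comment above and in the bug description: a sender only uses a SACK block whose edges fall inside the data it currently has in flight (snd_una..snd_nxt), so edges left in the firewall-rewritten sequence space never match. The sequence values, the randomisation delta `OFFSET` and the single-block option bytes are constructed, and `sack_block_is_usable` is a simplified model of the sender-side check, not the Linux kernel's code.

```python
import struct

MOD = 1 << 32          # TCP sequence numbers are 32-bit and wrap around


def seq_between(x: int, lo: int, hi: int) -> bool:
    """lo <= x <= hi in modulo-2^32 sequence space (wraparound-safe)."""
    return (x - lo) % MOD <= (hi - lo) % MOD


def parse_sack_blocks(options: bytes) -> list[tuple[int, int]]:
    """Walk the TCP options field and return (left, right) edges of every
    SACK block (option kind 5, RFC 2018); other options are skipped."""
    blocks, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2:
            break                          # truncated or malformed option
        length = options[i + 1]
        if kind == 5:
            body = options[i + 2:i + length]
            for j in range(0, len(body) - 7, 8):
                blocks.append(struct.unpack("!II", body[j:j + 8]))
        i += length
    return blocks


def sack_block_is_usable(left: int, right: int, snd_una: int, snd_nxt: int) -> bool:
    """Simplified sender-side check: a SACK block is only used if it is
    non-empty and lies inside the data in flight, snd_una..snd_nxt.
    Anything else is dropped without error, exactly like a stalled flow."""
    return ((right - left) % MOD != 0
            and seq_between(left, snd_una, snd_nxt)
            and seq_between(right, snd_una, snd_nxt)
            and (left - snd_una) % MOD < (right - snd_una) % MOD)


def build_sack_option(blocks: list[tuple[int, int]]) -> bytes:
    """Constructed TCP options: two NOPs followed by one SACK option."""
    body = b"".join(struct.pack("!II", l, r) for l, r in blocks)
    return b"\x01\x01" + bytes([5, 2 + len(body)]) + body


def classify(options: bytes, snd_una: int, snd_nxt: int, seq_offset: int = 0):
    """Return (usable, ignored) SACK blocks as the sender would see them.
    seq_offset models the translation the firewall should have applied
    to the SACK edges; 0 reproduces the untranslated (broken) case."""
    usable, ignored = [], []
    for left, right in parse_sack_blocks(options):
        l, r = (left - seq_offset) % MOD, (right - seq_offset) % MOD
        (usable if sack_block_is_usable(l, r, snd_una, snd_nxt) else ignored).append((l, r))
    return usable, ignored
```

With `seq_offset=0` every block the receiver sends lands outside the server's window and is ignored, which is the stall the capture shows; with the firewall's delta applied the same block becomes usable.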
