This can be fixed by turning off TCP sequence reordering on the Cisco appliance. Please note this also affects your Mac, BSD and Windows machines. You can turn off SACK on your host if you don't care about performance.
This feature was enabled by Cisco to protect Windows 95 hosts from TCP sequence prediction attacks (yeah, don't fix the problem, just break the network). However Cisco doesn't translate the SACK ranges it has modified the sequences for so your host gets back the 'wrong' range in the SACK response and simply ignores it because it doesn't match anything it sent. https://supportforums.cisco.com/document/48551/single-tcp-flow- performance-firewall-services-module-fwsm ** Changed in: linux (Ubuntu) Status: In Progress => Invalid -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1388786 Title: TCP stale transfer with erroneous SACK information Status in linux package in Ubuntu: Invalid Bug description: Cisco PIX/FWSM changes TCP sequence numbers but doesn't change numbers in SACK TCP options. When this erroneous information comes to Linux server there is some corruption in TCP stack in some circunstances with CUBIC TCP congestion algorithm and transfer stales. Problem can be reproduced in Ubuntu Server 14.04 when a Cisco FWSM is changing sequence numbers (default configuration) and a big file (30MB, for example) is being transfered. Can be solved deactivating SACK: sysctl -w net.ipv4.tcp_sack=0 We have solved it also with this configuration: sysctl -w net.ipv4.tcp_congestion_control=reno sysctl -w net.ipv4.tcp_frto=1 sysctl -w net.ipv4.tcp_early_retrans=1 We can also fix it by changing firewall configuration. Find attached a wireshark capture where you can see at 16613 frame how client requests segment 853521869 and server (158.42.250.128) resends again a previous segment for 87 seconds until it stops transfer. Thanks To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1388786/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
