We have a problem with some TCP connections through the firewall.
We have an FTP server in a network. We connect to it using different
clients from different networks.
We have noticed that when a client tries to put a file, the transfer
rate is very, very low.
After looking into the traffic traces, we have discovered that the
firewall modifies some contiguous ftp-data packets, changing the total
length of the IP packet (from 1500 to 40) and the TCP header length
(from 32 to 20). Traffic follows.
We have also noticed that there are some clients that work OK, and they
are all Fedora Core 2 clients with kernel 2.6.8, which happens to be the
same kernel version as the server.
We have changed the server kernel to 2.6.6, and everything works OK. We have
also tried the 2.6.7 kernel; it works the same as 2.6.8.
We have found the same problem with other protocols, such as NFS.
Our firewall is NG_AI R55, OS RH Linux (kernel 2.4.18-5).
Has someone had this problem? Is it a FW-1 bug? A Fedora bug? Any
explanation?
I hope someone can help.
Thanks in advance,
Anuska.
Traffic dump at the Client network interface:
client server FTP Request: STOR BigFile
server client TCP ftp-data > 1563 [SYN] Seq=0 Ack=0 Win=5840
Len=0 MSS=1460 TSV=2308923645 TSER=0 WS=7
client server TCP 1563 > ftp-data [SYN, ACK] Seq=0 Ack=1
Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
server client TCP ftp-data > 1563 [ACK] Seq=1 Ack=1 Win=5888
Len=0 TSV=2308923648 TSER=0
server client FTP Response: 150 Ok to send data.
client server FTP-DATA FTP Data: 1448 bytes
(1)--> client server FTP-DATA FTP Data: 1448 bytes
server client TCP ftp-data > 1563 [ACK] Seq=1 Ack=1449
Win=8832 Len=0 TSV=2308923816 TSER=1588115
client server FTP-DATA FTP Data: 1448 bytes
client server FTP-DATA FTP Data: 1448 bytes
client server TCP 1562 > ftp [ACK] Seq=83 Ack=199 Win=64042
Len=0
client server FTP Request: \000
server client TCP ftp > 1562 [ACK] Seq=199 Ack=84 Win=5840
Len=0
(1) Packet contents go at the end.
Traffic dump at the Server network interface:
client server FTP Request: STOR NSSetup-Full.exe
server client TCP ftp-data > 1563 [SYN] Seq=0 Ack=0 Win=5840
Len=0 MSS=1460 TSV=2308923645 TSER=0 WS=7
client server TCP 1563 > ftp-data [SYN, ACK] Seq=0 Ack=1
Win=64240 Len=0 MSS=1460 WS=0 TSV=0 TSER=0
server client TCP ftp-data > 1563 [ACK] Seq=1 Ack=1 Win=5888
Len=0 TSV=2308923648 TSER=0
server client FTP Response: 150 Ok to send data.
client server FTP-DATA FTP Data: 1448 bytes
(2) --> client server TCP [TCP Dup ACK 22#1] 1563 > ftp-data
[ACK] Seq=1449 Ack=1 Win=64240 Len=0
server client TCP ftp-data > 1563 [ACK] Seq=1 Ack=1449
Win=8832 Len=0 TSV=2308923816 TSER=1588115
client server TCP [TCP Dup ACK 22#2] [TCP Previous segment
lost] 1563 > ftp-data [ACK] Seq=2897 Ack=1 Win=64240 Len=0
client server TCP [TCP Dup ACK 22#3] [TCP Previous segment
lost] 1563 > ftp-data [ACK] Seq=4345 Ack=1 Win=64240 Len=0
client server TCP 1562 > ftp [ACK] Seq=83 Ack=199 Win=64042
Len=0
client server FTP Request: \000
server client TCP ftp > 1562 [ACK] Seq=199 Ack=84 Win=5840
Len=0
(2) Packet contents go at the end.
(1) Packet contents
Internet Protocol, Src Addr: client, Dst Addr: server
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
===> Total Length: 1500
Identification: 0x28a6 (10406)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x055f (correct)
Source: client
Destination: server
Transmission Control Protocol, Src Port: 1565 (1565), Dst Port: ftp-data (20),
Seq: 1449, Ack: 1, Len: 1448
Source port: 1565 (1565)
Destination port: ftp-data (20)
Sequence number: 1449 (relative sequence number)
Next sequence number: 2897 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
===> Header length: 32 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 64240
Checksum: 0x7f5d
Options: (12 bytes)
NOP
NOP
Time stamp: tsval 1633385, tsecr 2313453031
FTP Data
FTP Data:
\001u\b\377E\370!E\364\353\025\017\276\006P\350<.\000\000\205\300Yt\a\307E\364\001\000
(2) Packet contents
Internet Protocol, Src Addr: client, Dst Addr: server
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
===> Total Length: 40
Identification: 0x28a6 (10406)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 127
Protocol: TCP (0x06)
Header checksum: 0x0c13 (correct)
Source: client
Destination: server
Transmission Control Protocol, Src Port: 1565 (1565), Dst Port: ftp-data (20),
Seq: 1449, Ack: 1, Len: 0
Source port: 1565 (1565)
Destination port: ftp-data (20)
Sequence number: 1449 (relative sequence number)
Acknowledgement number: 1 (relative ack number)
===> Header length: 20 bytes
Flags: 0x0010 (ACK)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Window size: 64240
Checksum: 0x816c (correct)
SEQ/ACK analysis
TCP Analysis Flags
This is a TCP duplicate ack
Duplicate ACK #: 1
Duplicate to the ACK in frame: 5
--
A n u s k a A r a g ó n
Servicio Informático e-mail: anuska.aragon AT si.unirioja DOT es
Universidad de La Rioja Tf.: +34 941 299233
Av. de La Paz 93, 26004 Logroño Fax: +34 941 299180
=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
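A way to pin down exactly what a middlebox did to each segment, as an added example that is not part of the original post and not Check Point's or Fedora's code: a small Python script that parses the IPv4 and TCP headers of raw packets, verifies both checksums, matches the same segment across a capture taken on each side of the firewall (by IP ID, addresses, ports and sequence number), and lists every field that changed, ignoring the TTL decrement and checksum recomputation a router is expected to perform. The two packets it feeds itself are constructed here to mirror the decoded frames (1) and (2) above (relative sequence numbers, placeholder addresses 192.0.2.10 and 198.51.100.20, a zero-filled 1448-byte payload, the NOP/NOP/Timestamp options from frame (1)); with real traces you would pass the raw packet bytes read from the two capture files instead.

```python
"""Diff the same TCP segment as captured on two sides of a firewall."""
import socket
import struct

OPTION_NAMES = {1: "NOP", 2: "MSS", 3: "WS", 4: "SACKOK", 8: "TS"}
# Fields a router may legitimately change (TTL, IP checksum) are excluded.
COMPARED = ("total_len", "tcp_hlen", "options", "payload_len", "flags",
            "window", "seq", "ack", "df")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; 0 means a stored checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src, dst, sport, dport, seq, ack, flags, window,
                  options=b"", payload=b"", ttl=128, ip_id=0x28A6):
    """Build an IPv4/TCP packet (DF set) with correct IP and TCP checksums."""
    options += b"\x00" * (-len(options) % 4)       # data offset is in words
    doff = 5 + len(options) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, doff << 4,
                      flags, window, 0, 0) + options
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     ip_id, 0x4000, ttl, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return ip + tcp + payload


def parse_options(opts: bytes) -> list:
    """Return the TCP option kinds by name, e.g. ['NOP', 'NOP', 'TS']."""
    names, i = [], 0
    while i < len(opts) and opts[i] != 0:           # 0 = end of option list
        kind = opts[i]
        names.append(OPTION_NAMES.get(kind, "kind%d" % kind))
        if kind == 1:
            i += 1
        elif i + 1 < len(opts):
            i += max(opts[i + 1], 2)                # length covers kind+len
        else:
            break
    return names


def parse_segment(raw: bytes) -> dict:
    """Decode IPv4 + TCP headers of one packet and verify both checksums."""
    ver_ihl, _, total_len, ip_id, frag, ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if proto != 6:
        raise ValueError("not a TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = raw[ihl:total_len]
    sport, dport, seq, ack, doff_raw, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    doff = (doff_raw >> 4) * 4
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "ip_id": ip_id, "ttl": ttl, "total_len": total_len,
            "df": bool(frag & 0x4000), "sport": sport, "dport": dport,
            "seq": seq, "ack": ack, "flags": flags, "window": window,
            "tcp_hlen": doff, "options": parse_options(tcp[20:doff]),
            "payload_len": len(tcp) - doff,
            "ip_csum_ok": inet_checksum(raw[:ihl]) == 0,
            "tcp_csum_ok": inet_checksum(pseudo + tcp) == 0}


def segment_key(p: dict) -> tuple:
    """Identity of a segment that survives a hop: IP ID, 4-tuple, seq."""
    return (p["src"], p["dst"], p["ip_id"], p["sport"], p["dport"], p["seq"])


def compare_captures(inside: list, outside: list) -> list:
    """For each inside packet, report the matching outside packet's altered
    fields (before, after), or that it never arrived."""
    after = {segment_key(p): p for p in map(parse_segment, outside)}
    findings = []
    for raw in inside:
        before = parse_segment(raw)
        p2 = after.get(segment_key(before))
        if p2 is None:
            findings.append({"key": segment_key(before), "dropped": True})
            continue
        changed = {f: (before[f], p2[f]) for f in COMPARED if before[f] != p2[f]}
        if changed:   # checksums_ok == True means a deliberate rewrite, not corruption
            findings.append({"key": segment_key(before), "changed": changed,
                             "checksums_ok": p2["ip_csum_ok"] and p2["tcp_csum_ok"]})
    return findings


# Constructed sample (placeholder addresses, relative seq numbers, zero payload).
CLIENT, SERVER = "192.0.2.10", "198.51.100.20"
TS_OPT = b"\x01\x01\x08\x0a" + struct.pack("!II", 1633385, 2313453031)
INSIDE = [build_segment(CLIENT, SERVER, 1565, 20, 1449, 1, 0x10, 64240,
                        options=TS_OPT, payload=bytes(1448), ttl=128)]   # frame (1)
OUTSIDE = [build_segment(CLIENT, SERVER, 1565, 20, 1449, 1, 0x10, 64240,
                         ttl=127)]                                       # frame (2)


def report() -> list:
    return compare_captures(INSIDE, OUTSIDE)


if __name__ == "__main__":
    for finding in report():
        print(finding)
```

Run on the constructed pair, the single finding shows total_len (1500, 40), tcp_hlen (32, 20), options (['NOP', 'NOP', 'TS'], []) and payload_len (1448, 0) with both checksums on the outside copy valid, which is the same picture the two decoded frames above give; a packet that was simply corrupted in transit would fail the checksum test instead.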