Connection problems on large high speed connections.

Stian B. Barmen stian at barmen.nu
Wed Apr 27 00:50:37 CEST 2005


My firewall has started to drop large connections: downloading a
>1MB file over FTP or HTTP typically fails. But it seems that the speed
needs to be over 4-500 K/s before the error occurs.

I live in Norway, and if I ftp a Linux distro ISO from ftp.sunet.se, for
instance, it will fail at about 1 MB, then retry, continue another
megabyte and stall again. But if I download a large file from a slow
server at about 100-200 K/s the download will continue.

When I flush my iptables script the error is gone.

I did some tests like removing all iptables entries with -m limit and
such. I also tested from a NAT'ed machine behind the firewall and from
the firewall itself. Same error on both. I also run Snort on the
computer, but it makes no difference whether it is started or not.

The only thing I can think of is that not very long ago I upgraded from
a 2.4 kernel to a 2.6 kernel. The last two kernels I tried were 2.6.11
and now 2.6.12-rc3; both produce the same error. I also now upgraded
iptables from 1.2.11 to 1.3.1, but the same error appears.

My dmesg shows no error messages. How can I get a log from what is
happening? It is not in the FORWARD or OUTPUT chains since it happens
from both internal clients and the firewall itself. Can it be NAT? I use
SNAT to do natting of all connections. How can I debug nat?

I did a ping -f to my gateway, no packet loss, even if I crank the size
up to 1450. I am outta ideas.

System info:

Fujitsu Server
eepro100 NICs (2)
SCSI disks 2 at 10GB each
Kernel 2.6.11 and 2.6.12-rc3
iptables 1.2.11 and 1.3.1

Hope you have some ideas on my problem.

Best regards
Stian B. Barmen
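The post asks how to get a log of what the firewall is doing. One answer is to put LOG rules (rate-limited with -m limit, which the post already uses) directly in front of the rules that drop, and then read the resulting dmesg lines. The script below is an added example, not from the original post: it parses kernel netfilter LOG lines and tallies them per --log-prefix, so the chain that discards the transfer, and the size of the packets it discards, stand out. The prefixes, the iptables commands in the comment and the sample dmesg lines are assumed/constructed.

```python
import re

# Constructed sample dmesg output in the kernel netfilter LOG format. The
# prefixes are assumed values set by diagnostic rules placed just before the
# rules that drop, e.g.
#   iptables -A INPUT -m state --state INVALID -m limit --limit 5/min \
#       -j LOG --log-prefix "NF-INPUT-INVALID: "
# Addresses are from the documentation ranges, not real hosts.
SAMPLE_DMESG = """\
[ 1234.101] NF-INPUT-INVALID: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=55 ID=40211 DF PROTO=TCP SPT=80 DPT=34567 WINDOW=5840 RES=0x00 ACK URGP=0
[ 1234.102] NF-INPUT-INVALID: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=55 ID=40212 DF PROTO=TCP SPT=80 DPT=34567 WINDOW=5840 RES=0x00 ACK URGP=0
[ 1235.007] NF-FORWARD-DROP: IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.7 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=34568 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
[ 1236.220] NF-INPUT-INVALID: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=1500 TOS=0x00 PREC=0x00 TTL=55 ID=40213 DF PROTO=TCP SPT=80 DPT=34567 WINDOW=5840 RES=0x00 ACK URGP=0
[ 1237.000] eth0: link up, 100Mbps, full-duplex
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")            # SRC=..., OUT= (empty value)
TIMESTAMP_RE = re.compile(r"^\[\s*[\d.]+\]\s*")  # dmesg "[ 1234.101] "


def parse_log_line(line):
    """Return (prefix, fields, flags) for a netfilter LOG line, else None."""
    pos = line.find(" IN=")
    if pos < 0:
        return None
    prefix = TIMESTAMP_RE.sub("", line[:pos]).strip().rstrip(":")
    body = line[pos:]
    fields = dict(FIELD_RE.findall(body))
    flags = [tok for tok in body.split() if "=" not in tok]  # DF, SYN, ACK ...
    return prefix, fields, flags


def summarize(dmesg_text):
    """Per --log-prefix: packet count, largest LEN, DF count, distinct flows."""
    # Many full-size DF packets under one prefix, all from a single flow,
    # show which chain is discarding the transfer and how big its packets are.
    summary = {}
    for line in dmesg_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, f, flags = parsed
        e = summary.setdefault(prefix, {"packets": 0, "max_len": 0, "df": 0, "flows": set()})
        e["packets"] += 1
        e["max_len"] = max(e["max_len"], int(f.get("LEN", 0)))
        if "DF" in flags:
            e["df"] += 1
        e["flows"].add((f.get("PROTO"), f.get("SRC"), f.get("SPT"), f.get("DST"), f.get("DPT")))
    return summary
```

Feed it real output from `dmesg` once the LOG rules are in place; a prefix whose packets are all 1500 bytes with DF set, from one flow, is the chain to look at first.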