Connection problems on large high speed connections.
Stian B. Barmen
stian at barmen.nu
Wed Apr 27 00:50:37 CEST 2005
My firewall has started to drop large connections, like downloading a
>1MB file over FTP or HTTP typically fails. But, it seems that the speed
needs to be over 4-500 K/s before the error occurs.
I live in Norway and if I ftp from ftp.sunet.se a linux distro ISO for
instance this will faill at about 1 MB size, then it will retry,
continue another megabyte and a new stall. But if I download a large
file from a slow server at about 100-200 K/s the download will continue.
When I flush my iptables script the error is gone.
I did some tests like remove all iptables entries with -m limit and
such. Also I tested from a nat'ed machine behind the firewall and from
the firewall itself. Same error on both. I also run Snort on the
computer, but it does no difference if it is started or not.
The only thing I can think of is that I not very long ago upgraded from
a 2.4 kernel to a 2.6 kernel. The last two kernels I tried was 2.6.11
and now the 2.6.12-rc3, both produces the same error. I also now
upgraded iptables from 1.2.11 to 1.3.1 but the same error appears.
My dmesg shows no error messages. How can I get a log from what is
happening? It is not in the FORWARD or OUTPUT chains since it happens
from both internal clients and the firewall itself. Can it be NAT? I use
SNAT to do natting of all connections. How can I debug nat?
I did a ping -f to my gateway, no packet loss, even if i crank the size
up to 1450. I am outta ideas.
eepro100 NICs (2)
SCSI disks 2 at 10GB each
Kernel 2.6.11 and 2.6.12-rc3
iptables 1.2.11 and 1.3.1
Hope you have some ideas on my problem.
Stian B. Barmen
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2685 bytes
Desc: not available
Url : /pipermail/netfilter/attachments/20050427/241f2ea2/smime-0001.bin
More information about the netfilter