amd64/123603: tcp_do_segment and Received duplicate SYN

yes298 yes298 yes298 at gmail.com
Thu May 22 13:40:04 UTC 2008


The following reply was made to PR kern/123603; it has been noted by GNATS.

From: "yes298 yes298" <yes298 at gmail.com>
To: andre at freebsd.org
Cc: "John Baldwin" <jhb at freebsd.org>, freebsd-gnats-submit at freebsd.org
Subject: Re: amd64/123603: tcp_do_segment and Received duplicate SYN
Date: Thu, 22 May 2008 21:31:34 +0800

 
 Dear Sir,
 
 Thank you so much for your reply.
 
 My FreeBSD 7.0-Release-p1 (x64) Lighttpd web server *directly connects* to
 the ISP's Cisco 3400 switch with a 100M broadband line.
 After the ISP technician created an ARP static mapping rule on the switch to
 map the IP and MAC of my web server NIC,
 the problem of the 5-second delay when viewing the homepage was solved; now
 it is quite normal, with no delay.
 But my web server still repeatedly receives the log messages below:
 
 May 21 15:17:53 mail kernel: TCP: [55.66.77.88]:45979 to [11.22.33.44]:63372
 tcpflags 0x10<ACK>; tcp_do_segment: FIN_WAIT_1: Received 1448 bytes of data
 after socket was closed, sending RST and removing tcpcb
 May 21 15:17:53 mail kernel: TCP: [55.66.77.88]:21 to [11.22.33.44]:55007
 tcpflags 0x18<PUSH>; tcp_do_segment: FIN_WAIT_2: Received 13 bytes of data
 after socket was closed, sending RST and removing tcpcb
 May 21 22:26:16 mail kernel: TCP: [55.66.77.88]:23439 to [11.22.33.44]:80
 tcpflags 0x18<PUSH>; syncache_expand: SEQ 2071739782 != IRS+1 2071738353,
 segment rejected
 May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80
 tcpflags 0x10<ACK>; syncache_expand: ACK 1544143634 != ISS+1 4145431138,
 segment rejected
 May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80
 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE
 authentication, segment rejected (probably spoofed)
 May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80
 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE
 authentication, segment rejected (probably spoofed)
 May 22 11:33:20 mail kernel: TCP: [55.66.77.88]:32345 to [11.22.33.44]:80
 tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and
 retransmitting SYN|ACK
 
 I assure you that no one is hacking my server, because 55.66.77.88 is my
 client computer's IP.
 I would like to know whether the above messages will cause any problem, and
 how to solve this problem.
 
 Thank you so much!
 
 Best regards,
 Victor
 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Victor,
 
 Please try two things:
 
  1. Make sure that you don't have a problem with MTU sizes. Some ADSL
    customers with PPPoE have slightly smaller MTU sizes than normal
    ethernet. Make sure that ICMP unreach packets are not firewalled
    or filtered on your side.
 
  2. There was a bug in the TCP options in FreeBSD 7.0-RELEASE that was
    giving problems with a smaller number of CPE devices for ADSL and
    Cablemodem customers. The problem is fixed in 7-STABLE. Only upgrading
    the kernel is sufficient.
 
 I hope this helps.  If not, please provide some tcpdumps so we can see
 the packets that are exchanged.
 
 -- 
 Andre
 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Dear Sir,
 
 Thank you so much for your reply.
 
 My FreeBSD 7.0 (x64) Lighttpd web server connects to a 100M broadband line.
 After testing many times, I found that when viewing my website for the first
 time, it took almost 5~8 seconds to completely open the homepage, which
 is only a static HTML file with the content "coming soon", and some
 error logs about TCP connections were found on our web server. It seems that
 my FreeBSD 7.0 web server has a problem establishing TCP connections. Before
 the web server idle time (30s), there is no delay when re-viewing the homepage
 (pressing F5), but after 30 seconds, it takes another 5~8 seconds to
 re-view, and the log messages are repeated.
 
 May 15 15:18:21 mail kernel: TCP: [203.186.95.8]:12728 to [58.177.222.113]:80
 tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and
 retransmitting SYN|ACK
 May 15 15:19:03 mail kernel: TCP: [221.127.88.188]:5128 to [58.177.222.113]:80
 tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and
 retransmitting SYN|ACK
 
 I know how to disable these log messages, but I would like to know whether
 the delay is caused by receiving duplicate SYNs. Is it a normal message?
 Please help me to solve the problem, thanks!
 Thank you so much!
 
 Best regards,
 Victor
 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 On Monday 12 May 2008 03:45:16 am John wrote:
 > >Number:         123603
 > >Category:       amd64
 > >Synopsis:       tcp_do_segment and Received duplicate SYN
 > >Confidential:   no
 > >Severity:       critical
 > >Priority:       high
 > >Responsible:    freebsd-amd64
 > >State:          open
 > >Quarter:
 > >Keywords:
 > >Date-Required:
 > >Class:          sw-bug
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Mon May 12 07:50:01 UTC 2008
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     John
 > >Release:        FB7.0 (x64)
 > >Organization:
 >
 > NULL
 >
 > >Environment:
 >
 > FreeBSD mail.mydomain.com 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Thu Mar  6
 > 12:04:57 HKT 2008     root at mydomain.com:/usr/src/sys/amd64/compile/FB7NEW
 > amd64
 >
 > >Description:
 >
 > A FreeBSD 7.0 (x64) Lighttpd web server with the most up-to-date ports and
 > patches. When a client connects and views a static HTML file for the first
 > time (before web server idle time), it needs to wait a long time to
 > establish a connection, OR when this server tries to download a file from
 > the Internet, there are lots of log messages just like those below:
 >
 > May 12 11:57:54 mail kernel: TCP: [55.66.77.88]:41792 to [11.22.33.44]:80
 > tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer
 > and retransmitting SYN|ACK
 > May 12 15:17:53 mail kernel: TCP: [193.166.3.2]:45979 to
 > [11.22.33.44]:63372 tcpflags 0x10<ACK>; tcp_do_segment: FIN_WAIT_1:
 > Received 1448 bytes of data after socket was closed, sending RST and
 > removing tcpcb
 > May 12 15:17:53 mail kernel: TCP: [193.166.3.2]:21 to
 > [11.22.33.44]:55007 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2:
 > Received 13 bytes of data after socket was closed, sending RST and
 > removing tcpcb
 >
 > >How-To-Repeat:
 >
 > any type of  connection will generate above log messages.
 
 You can either comment out all the log(LOG_DEBUG, ...) calls
 in /sys/netinet/tcp*.c or change your /etc/syslog.conf to not send
 kern.debug messages to the console.
 
 I think these messages should probably be conditional on a kernel option
 FWIW.
 
 --
 John Baldwin
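
The kernel TCP debug lines quoted in this thread can be tallied per peer and per message type, which shows whether they come from one known client or are spread across many sources. This is an added example, not part of the original messages; the category names are labels chosen here, and the sample input is log lines from the thread (unwrapped) plus one constructed non-matching line.

```python
import re
from collections import Counter, defaultdict

# One event per line, in the format shown in the thread's kernel messages.
LINE_RE = re.compile(
    r"kernel: TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\d+) to "
    r"\[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"tcpflags (?P<hex>0x[0-9a-fA-F]+)<(?P<flags>[^>]*)>; "
    r"(?P<func>\w+): (?P<msg>.*)$")

# Category names are labels chosen for this example; the substrings are
# message text that appears in the thread.
CATEGORIES = [
    ("duplicate_syn", "Received duplicate SYN"),
    ("syncookie_fail", "failed SYNCOOKIE authentication"),
    ("seq_mismatch", "!= IRS+1"),
    ("ack_mismatch", "!= ISS+1"),
    ("data_after_close", "after socket was closed"),
]

def parse(line):
    """Return a dict of fields for a kernel TCP debug line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["category"] = next(
        (name for name, text in CATEGORIES if text in ev["msg"]), "other")
    return ev

def summarize(lines):
    """Count events per source address and category."""
    per_peer = defaultdict(Counter)
    for ev in filter(None, map(parse, lines)):
        per_peer[ev["src"]][ev["category"]] += 1
    return {src: dict(counts) for src, counts in per_peer.items()}

# Sample input: log lines from the thread, unwrapped, plus one constructed
# line that is not a TCP debug message.
SAMPLE = [
    "May 22 11:33:20 mail kernel: TCP: [55.66.77.88]:32345 to [11.22.33.44]:80 tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and retransmitting SYN|ACK",
    "May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)",
    "May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80 tcpflags 0x10<ACK>; syncache_expand: ACK 1544143634 != ISS+1 4145431138, segment rejected",
    "May 12 15:17:53 mail kernel: TCP: [193.166.3.2]:21 to [11.22.33.44]:55007 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2: Received 13 bytes of data after socket was closed, sending RST and removing tcpcb",
    "May 22 11:34:00 mail sshd[123]: constructed unrelated line",
]

if __name__ == "__main__":
    for src, counts in summarize(SAMPLE).items():
        print(src, counts)
```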
 


More information about the freebsd-net mailing list