Workaround: Re: dtrace to trace incoming connection not suceeding ?

In reply to: Kurt Jaeger : "Re: dtrace to trace incoming connection not suceeding ?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Kurt Jaeger <pi_at_freebsd.org>
Date: Fri, 19 Nov 2021 17:54:18 UTC

Hi!

> > > There's one small diff between the two that I do not understand:

> > > -       18040 times no signature provided by segment
> > > +       18045 times no signature provided by segment
> > 
> > This means, that received TCP segment has not TCP-MD5 signature, but
> > listen socket expects it. Such SYN segment will be dropped by syncache
> > code. Probably your BGP daemon configured to use TCP-MD5 for connection,
> > but remote side does not.
> 
> Thanks, that might be another possible cause.

Thanks to your pointer, analysis done by KlaraSystems shows that
the problem seems to be like this:

frr has this open socket where it listens on incoming tcp/179:

tcp4       0      0 *.179                  *.*                    LISTEN     
tcp6       0      0 *.179                  *.*                    LISTEN     

The problem starts sometime after FreeBSD 12.1p8, when some of the bgp
peers have tcp-md5 set and others have not.

If any bgp peer has tcp-md5, it seems, some (all?) non-tcp-md5 secured
bgp peers will fail to connect, until a tcp-md5 secret is configured.

Therefore, we can use this workaround for now and investigate frr
and/or FreeBSD for a proper fix without too much hurry.

-- 
pi@FreeBSD.org         +49 171 3101372                  Now what ?