Date:      Fri, 22 Aug 2008 13:19:36 -0400
From:      Mike Tancsa <mike@sentex.net>
To:        freebsd-net@freebsd.org
Subject:   strange TCP issue on RELENG_7 
Message-ID:  <200808221719.m7MHJY25090566@lava.sentex.ca>

On one of our sendmail boxes that we are running RELENG_7, we have 
noticed an odd issue triggered or noticed by our monitoring system 
(bigbrother in this case).  This seems to have been happening ever 
since we installed it, so it's not a recent commit issue.

Every 5 min, one of our monitoring stations connects to the box on port 25

The connection process is pretty simple. It connects and sends a QUIT 
and if that works, all is "ok".

Here is a normal exchange
17:44:27.966100 IP 192.168.1.2.59586 > 192.168.1.9.25: S 1590561033:1590561033(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 603180718 0>
17:44:27.966119 IP 192.168.1.9.25 > 192.168.1.2.59586: S 2644498016:2644498016(0) ack 1590561034 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 1701504477 603180718>
17:44:27.966649 IP 192.168.1.2.59586 > 192.168.1.9.25: . ack 1 win 8326 <nop,nop,timestamp 603180719 1701504477>
17:44:27.966664 IP 192.168.1.2.59586 > 192.168.1.9.25: P 1:12(11) ack 1 win 8326 <nop,nop,timestamp 603180719 1701504477>
17:44:27.969087 IP 192.168.1.9.25 > 192.168.1.2.59586: P 1:186(185) ack 12 win 8326 <nop,nop,timestamp 1701504480 603180719>
17:44:27.969119 IP 192.168.1.9.25 > 192.168.1.2.59586: F 186:186(0) ack 12 win 8326 <nop,nop,timestamp 1701504480 603180719>
17:44:27.969642 IP 192.168.1.2.59586 > 192.168.1.9.25: . ack 187 win 8326 <nop,nop,timestamp 603180722 1701504480>
17:44:27.969657 IP 192.168.1.2.59586 > 192.168.1.9.25: F 12:12(0) ack 187 win 8326 <nop,nop,timestamp 603180722 1701504480>
17:44:27.969668 IP 192.168.1.9.25 > 192.168.1.2.59586: . ack 13 win 8325 <nop,nop,timestamp 1701504481 603180722>


But, perhaps twice a day, or once every 2 days, I will see an RST 
from the host being monitored for some reason?!
It looks like

17:49:27.496803 IP (tos 0x0, ttl 64, id 8521, offset 0, flags [DF], proto TCP (6), length 60) 199.212.134.2.65013 > 199.212.134.9.25: S, cksum 0xabde (correct), 2204170858:2204170858(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 603480222 0>
17:49:27.496829 IP (tos 0x0, ttl 64, id 42946, offset 0, flags [DF], proto TCP (6), length 60) 199.212.134.9.25 > 199.212.134.2.65013: S, cksum 0xfe09 (correct), 3523370477:3523370477(0) ack 2204170859 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 625760391 603480222>
17:49:27.497260 IP (tos 0x0, ttl 64, id 8522, offset 0, flags [DF], proto TCP (6), length 52) 199.212.134.2.65013 > 199.212.134.9.25: ., cksum 0x0c4c (correct), 1:1(0) ack 1 win 8326 <nop,nop,timestamp 603480222 625760391>
17:49:27.497268 IP (tos 0x0, ttl 64, id 42948, offset 0, flags [DF], proto TCP (6), length 40) 199.212.134.9.25 > 199.212.134.2.65013: R, cksum 0xe62b (correct), 3523370478:3523370478(0) win 0
17:49:27.497270 IP (tos 0x0, ttl 64, id 8523, offset 0, flags [DF], proto TCP (6), length 63) 199.212.134.2.65013 > 199.212.134.9.25: P, cksum 0xb803 (correct), 1:12(11) ack 1 win 8326 <nop,nop,timestamp 603480222 625760391>
17:49:27.497277 IP (tos 0x0, ttl 64, id 42949, offset 0, flags [DF], proto TCP (6), length 40) 199.212.134.9.25 > 199.212.134.2.65013: R, cksum 0xe62b (correct), 3523370478:3523370478(0) win 0
17:49:34.690828 IP (tos 0x0, ttl 64, id 45325, offset 0, flags [DF], proto TCP (6), length 60) 199.212.134.9.65077 > 199.212.134.2.25: S, cksum 0x3e26 (correct), 2116235846:2116235846(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 14139033 0>



I don't ever see this on RELENG_6, only on RELENG_7. It doesn't seem to 
be load related as I will see it at various times of the day both 
busy and quiet and sendmail is not complaining about too many 
connections which it will when there are.

192.168.1.2 is the monitoring host running bb and 192.168.1.9 is the 
smtp server being tested. I do have pf on the box, but pf isn't set to 
send RSTs and I think if there is a state mismatch, it will just drop 
the packet and not send the RST.  I have tried with and without scrub 
but no obvious difference.

Rules are simple


set skip on lo0
scrub in all

block in log on {em0,em1}
pass in on {em0,em1} proto {tcp,udp} from <TRUSTED>
pass in on {em0,em1,lo0} proto tcp from any to any port {25,53,587}
pass in on {em0,em1,lo0} proto udp from any to any port {53}
pass in on {em0,em1} proto icmp from any to any
pass out on {em0,em1} proto {icmp,tcp,udp} from any to any




--------------------------------------------------------------------
Mike Tancsa,                                      tel +1 519 651 3400
Sentex Communications,                            mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada                         www.sentex.net/mike
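
As an added example (not part of the original message): a small Python check that reads tcpdump text output in either of the two formats shown above and reports flows where the server resets the connection right after the three-way handshake, which is the pattern in the second capture. The function name and state labels are assumptions of this sketch; the sample lines are copied from the captures in the message.

```python
import re

# One tcpdump text line: timestamp, optional verbose "(tos ...)" block,
# "src > dst:", TCP flags, then the rest of the line.
LINE = re.compile(r'^(\S+) IP (?:\(.*?\) )?(\S+) > (\S+): ([SFPR.]+),? (.*)$')

def resets_after_handshake(lines):
    """Return (timestamp, client, server) for each flow in which the server
    answers the handshake-completing ACK with RST before sending any data."""
    state, hits = {}, []          # state is keyed by (client, server)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        ts, src, dst, flags, rest = m.groups()
        has_ack = rest.startswith('ack ') or ' ack ' in rest
        if 'S' in flags and not has_ack:                       # client SYN
            state[(src, dst)] = 'SYN'
        elif 'S' in flags and state.get((dst, src)) == 'SYN':  # server SYN-ACK
            state[(dst, src)] = 'SYNACK'
        elif flags == '.' and state.get((src, dst)) == 'SYNACK':
            state[(src, dst)] = 'ESTABLISHED'                  # client ACK
        elif state.get((dst, src)) == 'ESTABLISHED':           # server packet
            if 'R' in flags:
                hits.append((ts, dst, src))
                state[(dst, src)] = 'RESET'                    # report once
            elif 'P' in flags or 'F' in flags:
                state[(dst, src)] = 'SERVED'                   # normal reply
    return hits

# Lines taken from the two captures in the message (wrapped lines rejoined).
NORMAL = """\
17:44:27.966100 IP 192.168.1.2.59586 > 192.168.1.9.25: S 1590561033:1590561033(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 603180718 0>
17:44:27.966119 IP 192.168.1.9.25 > 192.168.1.2.59586: S 2644498016:2644498016(0) ack 1590561034 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 1701504477 603180718>
17:44:27.966649 IP 192.168.1.2.59586 > 192.168.1.9.25: . ack 1 win 8326 <nop,nop,timestamp 603180719 1701504477>
17:44:27.966664 IP 192.168.1.2.59586 > 192.168.1.9.25: P 1:12(11) ack 1 win 8326 <nop,nop,timestamp 603180719 1701504477>
17:44:27.969087 IP 192.168.1.9.25 > 192.168.1.2.59586: P 1:186(185) ack 12 win 8326 <nop,nop,timestamp 1701504480 603180719>
""".splitlines()
RESET = """\
17:49:27.496803 IP (tos 0x0, ttl 64, id 8521, offset 0, flags [DF], proto TCP (6), length 60) 199.212.134.2.65013 > 199.212.134.9.25: S, cksum 0xabde (correct), 2204170858:2204170858(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 603480222 0>
17:49:27.496829 IP (tos 0x0, ttl 64, id 42946, offset 0, flags [DF], proto TCP (6), length 60) 199.212.134.9.25 > 199.212.134.2.65013: S, cksum 0xfe09 (correct), 3523370477:3523370477(0) ack 2204170859 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 625760391 603480222>
17:49:27.497260 IP (tos 0x0, ttl 64, id 8522, offset 0, flags [DF], proto TCP (6), length 52) 199.212.134.2.65013 > 199.212.134.9.25: ., cksum 0x0c4c (correct), 1:1(0) ack 1 win 8326 <nop,nop,timestamp 603480222 625760391>
17:49:27.497268 IP (tos 0x0, ttl 64, id 42948, offset 0, flags [DF], proto TCP (6), length 40) 199.212.134.9.25 > 199.212.134.2.65013: R, cksum 0xe62b (correct), 3523370478:3523370478(0) win 0
17:49:27.497270 IP (tos 0x0, ttl 64, id 8523, offset 0, flags [DF], proto TCP (6), length 63) 199.212.134.2.65013 > 199.212.134.9.25: P, cksum 0xb803 (correct), 1:12(11) ack 1 win 8326 <nop,nop,timestamp 603480222 625760391>
17:49:27.497277 IP (tos 0x0, ttl 64, id 42949, offset 0, flags [DF], proto TCP (6), length 40) 199.212.134.9.25 > 199.212.134.2.65013: R, cksum 0xe62b (correct), 3523370478:3523370478(0) win 0
""".splitlines()

if __name__ == "__main__":
    for hit in resets_after_handshake(NORMAL + RESET):
        print("RST right after handshake:", hit)
```

Run against a long-running capture of port 25, this separates the rare reset-after-handshake flows from ordinary monitoring probes so their timestamps can be compared with other logs on the server.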



