From: Roddie Hasan
To: freebsd-questions@freebsd.org
Date: Wed, 31 Mar 2004 17:46:26 -0600 (CST)
Subject: Strange TCP Issue
Message-ID: <20040331113553.O81846@krweb.net>

Background
----------

Running FreeBSD 4.9-STABLE updated this week (though the problem goes back at least two weeks). This isn't a new server and has been running its current install since the 4.1 days. There aren't any sysctl or tuning customizations, and it's not really running any special or oddball services. It's a dual-homed server running ipf/ipnat, apache, bind, mysql, and sendmail. Again, nothing out of the ordinary. The ipf rules are very relaxed, and I'm not running stateful.

The Issue
---------

Every few hours (I can't get more specific; it varies), I am unable to establish *new* outgoing tcp connections via the outside interface (ed0). The problem goes away after a few minutes (again, it varies), and everything works fine.

The weird part is that existing tcp sessions remain operational, and the really weird part is that I *can* establish tcp sessions from NAT clients going through the server. New outbound sessions just hang - I've been using telnet to test to various ports on servers that are up. New inbound sessions to the server work just fine, and outbound sessions through the other nic (xl0) work fine. Pings in all directions work.

I've eliminated DNS and mbufs as the issue, netstat -f doesn't look abnormal, and there aren't a whole lot of open connections. The routing table is simple and sane (again, NAT connections work). I don't believe ipf or ipnat to be the problem, since the configuration is very simple and, looking at ipnat -l and ipfstat, everything seems normal. Again, NAT connections through the server work just fine.

As I said, the problem started about two weeks ago, I *believe* after a buildworld, but I wouldn't bet my life on it. There were no other changes made to the server that I can recall that would cause this, but I'm open to any ideas at this point.

Thanks for any help!

Roddie
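One way to catch the stall while it is happening, added here as an example and not part of Roddie's post: a cron-driven probe that snapshots the diagnostics the post names (netstat, ipnat -l, ipfstat, arp, routing table) at the moment a new outbound session fails, so the failing state can be compared against the normal one. It assumes nc(1) from ports, the ed0 naming from the post, and a probe host known to be up chosen by the operator (192.0.2.1 is a placeholder).

```shell
#!/bin/sh
# Constructed diagnostic helper, not code from the original post.
# Assumes FreeBSD with ipf/ipnat and ed0 as the outside interface.
LOGDIR=${LOGDIR:-/var/log/tcpstall}
OUTSIDE_IF=${OUTSIDE_IF:-ed0}
PROBE_HOST=${PROBE_HOST:-192.0.2.1}   # placeholder: a host known to be up
PROBE_PORT=${PROBE_PORT:-80}

# Count half-open outbound connections (SYN_SENT) in `netstat -an -p tcp`
# output read from stdin. A pile-up of SYN_SENT entries during the stall
# shows the kernel is emitting SYNs that never get a SYN/ACK back.
count_syn_sent() {
    awk '$1 ~ /^tcp/ && $NF == "SYN_SENT" { n++ } END { print n + 0 }'
}

probe_outbound() {
    # Returns 0 when a new TCP session opens within 5 s, 1 otherwise.
    # On a bare 4.x install without nc, telnet(1) can be used the same way.
    nc -z -w 5 "$PROBE_HOST" "$PROBE_PORT" >/dev/null 2>&1
}

snapshot() {
    # Capture the state that "looks normal" later, but at the failing moment.
    stamp=$(date +%Y%m%d-%H%M%S)
    f="$LOGDIR/stall-$stamp.txt"
    mkdir -p "$LOGDIR"
    {
        echo "== probe to $PROBE_HOST:$PROBE_PORT failed at $stamp =="
        echo "SYN_SENT total: $(netstat -an -p tcp | count_syn_sent)"
        netstat -an -p tcp | grep SYN_SENT
        echo "== netstat -m =="; netstat -m
        echo "== ifconfig $OUTSIDE_IF =="; ifconfig "$OUTSIDE_IF"
        echo "== arp -an =="; arp -an
        echo "== netstat -rn =="; netstat -rn
        echo "== ipnat -l =="; ipnat -l
        echo "== ipfstat -s =="; ipfstat -s
    } > "$f" 2>&1
}

# Run from cron every minute; only failing runs leave a file behind.
if [ "${1:-}" = "run" ]; then
    probe_outbound || snapshot
fi
```

A crontab entry such as `* * * * * /usr/local/sbin/tcpstall.sh run` is enough; when the probe starts failing, the snapshot files show whether the SYN_SENT count, ARP table or NAT table differs from a healthy run.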