Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 28 May 2007 17:29:43 +0200
From:      Andre Oppermann <andre@freebsd.org>
To:        Abdullah Ibn Hamad Al-Marri <almarrie@gmail.com>
Cc:        freebsd-current@freebsd.org, Steve Kargl <sgk@troutmask.apl.washington.edu>
Subject:   Re: Segment failed SYNCOOKIE?
Message-ID:  <465AF567.6020708@freebsd.org>
In-Reply-To: <499c70c0705261245k6679a12k5a0237fce786ab68@mail.gmail.com>
References:  <20070525234115.GA48789@troutmask.apl.washington.edu> <499c70c0705261245k6679a12k5a0237fce786ab68@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
Abdullah Ibn Hamad Al-Marri wrote:
> On 5/26/07, Steve Kargl <sgk@troutmask.apl.washington.edu> wrote:
> 
>> Anyone have ideas on how to cure
>>
>> May 25 16:20:03 node13 kernel: TCP: [192.168.0.15]:53815 to
>> [192.168.0.13]:50992 tcpflags 0x11<FIN,ACK>; syncache_expand:
>> Segment failed SYNCOOKIE authentication
>>
>> The hardware and kernel on 192.168.0.15 and 192.168.0.13
>> are identical.
>>
>> -- 
>> Steve
> 
> 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Sat May 26 04:25:29 GMT 2007
> 
> I got the same problem and my sever paniced today.

Please provide the panic message and if available a backtrace for the
panic.  We have to track down the exact cause of it (which may not
necessarily be the syncache).

> TCP: [70.162.96.41]:54686 to [IP removed for security reasons]:59999
> tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE
> authentication

Logging of TCP segment validation failure has recently been enabled
to aid debugging of TCP (interoperability) issues.

This particular message means that a SYN was received on a listen
socket but no matching syncache entry was found.  The second test
for a syncookie also failed.  Normally this means a spoofed packet
or port scan is hitting your machine.  To make this certain you should
answer a couple of questions:  a) What daemon is running on your port
59999?  b) Do you know [70.162.96.41] and does it have any business
in contacting your daemon on 59999?

I agree that the log message should be made more clear to avoid
unnecessary confusion.  Nothing is broken and syncache is doing its
job just fine.

-- 
Andre

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?465AF567.6020708>