Date: Thu, 22 May 2008 13:40:03 GMT
From: "yes298 yes298" <yes298@gmail.com>
To: freebsd-net@FreeBSD.org
Subject: Re: amd64/123603: tcp_do_segment and Received duplicate SYN
Message-ID: <200805221340.m4MDe3YA092563@freefall.freebsd.org>
The following reply was made to PR kern/123603; it has been noted by GNATS.

From: "yes298 yes298" <yes298@gmail.com>
To: andre@freebsd.org
Cc: "John Baldwin" <jhb@freebsd.org>, freebsd-gnats-submit@freebsd.org
Subject: Re: amd64/123603: tcp_do_segment and Received duplicate SYN
Date: Thu, 22 May 2008 21:31:34 +0800

Dear Sir,

Thank you so much for your reply.

My FreeBSD 7.0-Release-p1 (x64) Lighttpd web server *directly connects* to the ISP's Cisco 3400 switch with a 100M broadband line. After the ISP technician created a static ARP mapping rule on the switch to map the IP and MAC of my web server NIC, the problem of the 5 seconds delay to view the homepage has been solved; now it is quite normal, without any delay.

But my web server still repeatedly receives the log messages below:

May 21 15:17:53 mail kernel: TCP: [55.66.77.88]:45979 to [11.22.33.44]:63372 tcpflags 0x10<ACK>; tcp_do_segment: FIN_WAIT_1: Received 1448 bytes of data after socket was closed, sending RST and removing tcpcb
May 21 15:17:53 mail kernel: TCP: [55.66.77.88]:21 to [11.22.33.44]:55007 tcpflags 0x18<PUSH>; tcp_do_segment: FIN_WAIT_2: Received 13 bytes of data after socket was closed, sending RST and removing tcpcb
May 21 22:26:16 mail kernel: TCP: [55.66.77.88]:23439 to [11.22.33.44]:80 tcpflags 0x18<PUSH>; syncache_expand: SEQ 2071739782 != IRS+1 2071738353, segment rejected
May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80 tcpflags 0x10<ACK>; syncache_expand: ACK 1544143634 != ISS+1 4145431138, segment rejected
May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)
May 22 11:33:20 mail kernel: TCP: [55.66.77.88]:32345 to [11.22.33.44]:80 tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and retransmitting SYN|ACK

I assure you that there is no one hacking my server, because 55.66.77.88 is my client computer's IP.
I would like to know whether the above messages will cause any problem, and how to solve this problem.

Thank you so much!

Best regards,
Victor
----------------------------------------------------------------------
Victor,

Please try two things:

 1. Make sure that you don't have a problem with MTU sizes. Some ADSL
    customers with PPPoE have slightly smaller MTU sizes than normal
    ethernet. Make sure that ICMP unreach packets are not firewalled
    or filtered on your side.

 2. There was a bug in the TCP options in FreeBSD 7.0-RELEASE that was
    giving problems with a smaller number of CPE devices for ADSL and
    Cablemodem customers. The problem is fixed in 7-STABLE. Only upgrading
    the kernel is sufficient.

I hope this helps. If not, please provide some tcpdumps so we can see
the packets that are exchanged.

--
Andre
----------------------------------------------------------------------
Dear Sir,

Thank you so much for your reply.

My FreeBSD 7.0 (x64) Lighttpd web server connects to a 100M broadband line. After testing many times, I found that, when viewing my website for the first time, it took almost 5~8 seconds to completely open the homepage, which is only a static HTML file with the content "coming soon", and there are some error logs about TCP connections on our web server. It seems that my FreeBSD 7.0 web server has a problem establishing TCP connections.

Before the web server idle time (30s), there is no delay when re-viewing the homepage (pressing F5), but after 30 seconds, it takes another 5~8 seconds to re-view it, and the log messages are repeated.

May 15 15:18:21 mail kernel: TCP: [203.186.95.8]:12728 to [58.177.222.113]:80 tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and retransmitting SYN|ACK
May 15 15:19:03 mail kernel: TCP: [221.127.88.188]:5128 to [58.177.222.113]:80 tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and retransmitting SYN|ACK

I know how to disable these log messages, but I would like to know whether the delay is because of receiving duplicate SYNs. Is it a normal message? Please help me to solve the problem, thanks!
Thank you so much!

Best regards,
Victor
----------------------------------------------------------------------
On Monday 12 May 2008 03:45:16 am John wrote:
> >Number: 123603
> >Category: amd64
> >Synopsis: tcp_do_segment and Received duplicate SYN
> >Confidential: no
> >Severity: critical
> >Priority: high
> >Responsible: freebsd-amd64
> >State: open
> >Quarter:
> >Keywords:
> >Date-Required:
> >Class: sw-bug
> >Submitter-Id: current-users
> >Arrival-Date: Mon May 12 07:50:01 UTC 2008
> >Closed-Date:
> >Last-Modified:
> >Originator: John
> >Release: FB7.0 (x64)
> >Organization:
>
> NULL
>
> >Environment:
>
> FreeBSD mail.mydomain.com 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Thu Mar 6
> 12:04:57 HKT 2008 root@mydomain.com:/usr/src/sys/amd64/compile/FB7NEW
> amd64
>
> >Description:
>
> A FreeBSD 7.0 (x64) Lighttpd Web Server with most-updated ports and patches.
> When a client connects and views a static HTML file, at the first time
> (before web server idle time), it needs to wait a long time to establish a
> connection, OR when this server tries to download a file from the Internet, there
> are lots of log messages just like below:
>
> May 12 11:57:54 mail kernel: TCP: [55.66.77.88]:41792 to [11.22.33.44]:80
> tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer
> and retransmitting SYN|ACK
> May 12 15:17:53 mail kernel: TCP: [193.166.3.2]:45979 to
> [11.22.33.44]:63372 tcpflags 0x10<ACK>; tcp_do_segment: FIN_WAIT_1:
> Received 1448 bytes of data after socket was closed, sending RST and
> removing tcpcb May 12 15:17:53 mail kernel: TCP: [193.166.3.2]:21 to
> [11.22.33.44]:55007 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2:
> Received 13 bytes of data after socket was closed, sending RST and removing
> tcpcb
>
> >How-To-Repeat:
>
> Any type of connection will generate the above log messages.

You can either comment out all the log(LOG_DEBUG, ...) calls
in /sys/netinet/tcp*.c or change your /etc/syslog.conf to not send kern.debug
messages to the console.

I think these messages should probably be conditional on a kernel option FWIW.

--
John Baldwin
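Added example, not part of the original thread or of FreeBSD: a small triage script for the kernel TCP debug lines quoted above. It groups them by connection 4-tuple, so that several rejected segments on one flow read as a single event. The category labels and function names are this example's own, and the sample lines are copied from the 21-22 May excerpt in the message.

```python
import re
from collections import Counter, defaultdict
# Layout: <date> <host> kernel: TCP: [src]:sport to [dst]:dport tcpflags 0xNN<FLAGS>; <func>: <text>
LINE_RE = re.compile(
    r"kernel: TCP: \[(?P<src>[^\]]+)\]:(?P<sport>\d+) to "
    r"\[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"tcpflags (?P<hex>0x[0-9a-fA-F]+)<(?P<flags>[^>]*)>; "
    r"(?P<func>\w+): (?P<text>.*)$"
)

# Substrings come from the quoted messages; the labels are this example's own.
CATEGORIES = [
    ("Received duplicate SYN", "duplicate_syn"),
    ("failed SYNCOOKIE authentication", "syncookie_fail"),
    ("!= IRS+1", "bad_seq"),
    ("!= ISS+1", "bad_ack"),
    ("after socket was closed", "data_after_close"),
]

def parse_line(line):
    """Return a dict for a kernel TCP debug line, or None for anything else."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["category"] = next((lab for needle, lab in CATEGORIES if needle in ev["text"]), "other")
    return ev

def group_by_flow(lines):
    """Map (src, sport, dst, dport) -> ordered list of event categories."""
    flows = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        flows[(ev["src"], ev["sport"], ev["dst"], ev["dport"])].append(ev["category"])
    return dict(flows)

def category_counts(lines):
    """Count events per (source address, category)."""
    return Counter((ev["src"], ev["category"]) for ev in filter(None, map(parse_line, lines)))

# Sample: lines copied from the log excerpt in the message above.
SAMPLE = [
    "May 21 15:17:53 mail kernel: TCP: [55.66.77.88]:45979 to [11.22.33.44]:63372 tcpflags 0x10<ACK>; tcp_do_segment: FIN_WAIT_1: Received 1448 bytes of data after socket was closed, sending RST and removing tcpcb",
    "May 21 22:26:16 mail kernel: TCP: [55.66.77.88]:23439 to [11.22.33.44]:80 tcpflags 0x18<PUSH>; syncache_expand: SEQ 2071739782 != IRS+1 2071738353, segment rejected",
    "May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80 tcpflags 0x10<ACK>; syncache_expand: ACK 1544143634 != ISS+1 4145431138, segment rejected",
    "May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)",
    "May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)",
    "May 22 11:33:20 mail kernel: TCP: [55.66.77.88]:32345 to [11.22.33.44]:80 tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and retransmitting SYN|ACK",
]
```

Run over the sample, group_by_flow(SAMPLE) shows that the three rejections logged at 11:31:22 all belong to the single flow from port 2988 to port 80.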