Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 22 May 2008 13:40:03 GMT
From:      "yes298 yes298" <yes298@gmail.com>
To:        freebsd-net@FreeBSD.org
Subject:   Re: amd64/123603: tcp_do_segment and Received duplicate SYN
Message-ID:  <200805221340.m4MDe3YA092563@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help
The following reply was made to PR kern/123603; it has been noted by GNATS.

From: "yes298 yes298" <yes298@gmail.com>
To: andre@freebsd.org
Cc: "John Baldwin" <jhb@freebsd.org>, freebsd-gnats-submit@freebsd.org
Subject: Re: amd64/123603: tcp_do_segment and Received duplicate SYN
Date: Thu, 22 May 2008 21:31:34 +0800

 ------=_Part_11255_10246163.1211463094510
 Content-Type: text/plain; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline
 
 Dear Sir,
 
 Thank you so much for your reply.
 
 My FreeBSD 7.0-Release-p1 (x64) Lighttpd web server *directly connects* to
 ISP's Cisco 3400 Switch with a 100M broadband line,
 After ISP technician creating a ARP static mapping rule on the switch to map
 the IP and MAC of My web server NIC,
 the problem of 5 seconds delay to view homepage has been solved, now , it is
 quit normal , no any delay.
 But, my web server sill has received repeatly below log messages,
 
 May 21 15:17:53 mail kernel: TCP: [55.66.77.88]:45979 to [11.22.33.44]:63372
 tcpflags 0x10<ACK>; tcp_do_segment: FIN_WAIT_1: Received 1448 bytes of data
 after socket was closed, sending RST and removing tcpcb
 May 21 15:17:53 mail kernel: TCP: [55.66.77.88]:21 to [11.22.33.44]:55007
 tcpflags 0x18<PUSH>; tcp_do_segment: FIN_WAIT_2: Received 13 bytes of data
 after socket was closed, sending RST and removing tcpcb
 May 21 22:26:16 mail kernel: TCP: [55.66.77.88]:23439 to [11.22.33.44]:80
 tcpflags 0x18<PUSH>; syncache_expand: SEQ 2071739782 != IRS+1 2071738353,
 segment rejected
 May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80
 tcpflags 0x10<ACK>; syncache_expand: ACK 1544143634 != ISS+1 4145431138,
 segment rejected
 May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80
 tcpflags 0x18<PUSH,ACK>; syncache_expand: Segment failed SYNCOOKIE
 authentication, segment rejected (probably spoofed)
 May 22 11:31:22 mail kernel: TCP: [55.66.77.88]:2988 to [11.22.33.44]:80
 tcpflags 0x10<ACK>; syncache_expand: Segment failed SYNCOOKIE
 authentication, segment rejected (probably spoofed)
 May 22 11:33:20 mail kernel: TCP: [55.66.77.88]:32345 to [11.22.33.44]:80
 tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and
 retransmitting SYN|ACK
 
 I sure to you that there no one to hack my server, because 55.66.77.88 is my
 client computer IP.
 I would like to know that the above messages will cause any problem? and how
 to solve this problem?
 
 Thank you so much!
 
 Best regards,
 Victor
 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Victor,
 
 Please try two things:
 
  1. Make sure that you don't have a problem with MTU sizes. Some ADSL
    customers with PPPoE have slightly smaller MTU sizes than normal
    ethernet. Make sure that ICMP unreach packets are not firewalled
    or filtered on your side.
 
  2. There was a bug in the TCP options in FreeBSD 7.0-RELEASE that was
    giving problems with a smaller number of CPE devices for ADSL and
    Cablemodem customers. The problem is fixed in 7-STABLE. Only upgrading
    the kernel is sufficient.
 
 I hope this helps.  If not, please provide some tcpdumps so we can see
 the packets that are exchanged.
 
 -- 
 Andre
 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 Dear Sir,
 
 Thank you so much for your reply.
 
 My FreeBSD 7.0(x64) Lighttpd web server connects to a 100M broadband line,
 after testing many times, I found that, when first time to view my website,
 it needed to take almost 5~8 seconds to completely open the homepage which
 is only a static HTML file with content "coming soon", and there are some
 error log about TCP connection found on our web server, it seems that my
 FreeBSD 7.0 web server has problem to establish TCP connection. Before the
 web server idle time (30s), there are no any delay to re-view the homepage
 (Press F5), but after 30 seconds, it needed to take another 5~8 seconds to
 re-view, and the log messages will be repeated.
 
 May 15 15:18:21 mail kernel: TCP: [203.186.95.8]:12728 to [58.177.222.113]:80
 tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and
 retransmitting SYN|ACK
 May 15 15:19:03 mail kernel: TCP: [221.127.88.188]:5128 to [58.177.222.113]:80
 tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer and
 retransmitting SYN|ACK
 
 I know how to disable these log messages, but I would like to know that the
 delay is because
 of receiving duplicate SYN? is it normal message? Please help me to solve
 the problem, thanks !!!!
 Thank you so much!
 
 Best regards,
 Victor
 -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 On Monday 12 May 2008 03:45:16 am John wrote:
 > >Number:         123603
 > >Category:       amd64
 > >Synopsis:       tcp_do_segment and Received duplicate SYN
 > >Confidential:   no
 > >Severity:       critical
 > >Priority:       high
 > >Responsible:    freebsd-amd64
 > >State:          open
 > >Quarter:
 > >Keywords:
 > >Date-Required:
 > >Class:          sw-bug
 > >Submitter-Id:   current-users
 > >Arrival-Date:   Mon May 12 07:50:01 UTC 2008
 > >Closed-Date:
 > >Last-Modified:
 > >Originator:     John
 > >Release:        FB7.0 (x64)
 > >Organization:
 >
 > NULL
 >
 > >Environment:
 >
 > FreeBSD mail.mydomain.com 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Thu Mar  6
 > 12:04:57 HKT 2008     root@mydomain.com:/usr/src/sys/amd64/compile/FB7NEW
 > amd64
 >
 > >Description:
 >
 > A FreeBSD 7.0 (x64) Lighttpd Web Server with most-updated ports and
 patchs.
 > when a client connect and view a static HTML file, At the first time
 > (before web server idle time), it needs to wait a long time to establish a
 > connection, OR when this server try to download file from Internet, there
 > are lots of logs messages just like below:
 >
 > May 12 11:57:54 mail kernel: TCP: [55.66.77.88]:41792 to [11.22.33.44]:80
 > tcpflags 0x2<SYN>; syncache_add: Received duplicate SYN, resetting timer
 > and retransmitting SYN|ACK
 > May 12 15:17:53 mail kernel: TCP: [193.166.3.2]:45979 to
 > [11.22.33.44]:63372 tcpflags 0x10<ACK>; tcp_do_segment: FIN_WAIT_1:
 > Received 1448 bytes of data after socket was closed, sending RST and
 > removing tcpcb May 12 15:17:53 mail kernel: TCP: [193.166.3.2]:21 to
 > [11.22.33.44]:55007 tcpflags 0x18<PUSH,ACK>; tcp_do_segment: FIN_WAIT_2:
 > Received 13 bytes of data after socket was closed, sending RST and
 removing
 > tcpcb
 >
 > >How-To-Repeat:
 >
 > any type of  connection will generate above log messages.
 
 You can either comment out all the log(LOG_DEBUG, ...) calls
 in /sys/netinet/tcp*.c or change your /etc/syslog.conf to not send
 kern.debug
 messages to the console.
 
 I think these messages should probably be conditional on a kernel option
 FWIW.
 
 --
 John Baldwin
 
 ------=_Part_11255_10246163.1211463094510
 Content-Type: text/html; charset=ISO-8859-1
 Content-Transfer-Encoding: 7bit
 Content-Disposition: inline
 
 Dear Sir,<br>&nbsp;<br>Thank you so much for your reply.<br>&nbsp;<br>My FreeBSD 7.0-Release-p1 (x64) Lighttpd web server <b>directly connects</b> to ISP&#39;s Cisco 3400 Switch with a 100M broadband line, <br>After ISP technician creating a ARP static mapping rule on the switch to map the IP and MAC of My web server NIC,<br>
 the problem of 5 seconds delay to view homepage has been solved, now , it is quit normal , no any delay. <br>But, my web server sill has received repeatly below log messages,<br><br>May 21 15:17:53 mail kernel: TCP: [<a href="http://55.66.77.88">55.66.77.88</a>]:45979 to [<a href="http://11.22.33.44">11.22.33.44</a>]:63372 tcpflags 0x10&lt;ACK&gt;; tcp_do_segment: FIN_WAIT_1: Received 1448 bytes of data after socket was closed, sending RST and removing tcpcb <br>
 May 21 15:17:53 mail kernel: TCP: [<a href="http://55.66.77.88">55.66.77.88</a>]:21 to [<a href="http://11.22.33.44">11.22.33.44</a>]:55007 tcpflags 0x18&lt;PUSH&gt;; tcp_do_segment: FIN_WAIT_2: Received 13 bytes of data after socket was closed, sending RST and removing tcpcb <br>
 May 21 22:26:16 mail kernel: TCP: [<a href="http://55.66.77.88">55.66.77.88</a>]:23439 to [<a href="http://11.22.33.44">11.22.33.44</a>]:80 tcpflags 0x18&lt;PUSH&gt;; syncache_expand: SEQ 2071739782 != IRS+1 2071738353, <br>
 segment rejected <br>May 22 11:31:22 mail kernel: TCP: [<a href="http://55.66.77.88">55.66.77.88</a>]:2988 to [<a href="http://11.22.33.44">11.22.33.44</a>]:80 tcpflags 0x10&lt;ACK&gt;; syncache_expand: ACK 1544143634 != ISS+1 4145431138, segment rejected<br>
 May 22 11:31:22 mail kernel: TCP: [<a href="http://55.66.77.88">55.66.77.88</a>]:2988 to [<a href="http://11.22.33.44">11.22.33.44</a>]:80 tcpflags 0x18&lt;PUSH,ACK&gt;; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)<br>
 May 22 11:31:22 mail kernel: TCP: [<a href="http://55.66.77.88">55.66.77.88</a>]:2988 to [<a href="http://11.22.33.44">11.22.33.44</a>]:80 tcpflags 0x10&lt;ACK&gt;; syncache_expand: Segment failed SYNCOOKIE authentication, segment rejected (probably spoofed)<br>
 May 22 11:33:20 mail kernel: TCP: [<a href="http://55.66.77.88">55.66.77.88</a>]:32345 to [<a href="http://11.22.33.44">11.22.33.44</a>]:80 tcpflags 0x2&lt;SYN&gt;; syncache_add: Received duplicate SYN, resetting timer and retransmitting SYN|ACK<br>
 <br>I sure to you that there no one to hack my server, because <a href="http://55.66.77.88">55.66.77.88</a>; is my client computer IP.<br>I would like to know that the above messages will cause any problem? and how to solve this problem?<br>
 <br>Thank you so much!<br>&nbsp;<br>Best regards,<br>Victor<br>-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
 Victor,<br><br>Please try two things:<br><br>&nbsp;1. Make sure that you don&#39;t have a problem with MTU sizes. Some ADSL<br>&nbsp;&nbsp; customers with PPPoE have slightly smaller MTU sizes than normal<br>&nbsp;&nbsp; ethernet. Make sure that ICMP unreach packets are not firewalled<br>
 &nbsp;&nbsp; or filtered on your side.<br><br>&nbsp;2. There was a bug in the TCP options in FreeBSD 7.0-RELEASE that was<br>&nbsp;&nbsp; giving problems with a smaller number of CPE devices for ADSL and<br>&nbsp;&nbsp; Cablemodem customers. The problem is fixed in 7-STABLE. Only upgrading<br>
 &nbsp;&nbsp; the kernel is sufficient.<br><br>I hope this helps.&nbsp; If not, please provide some tcpdumps so we can see<br>the packets that are exchanged.<br><br>-- <br>Andre<br>-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>
 Dear Sir,<br>&nbsp;<br>Thank you so much for your reply.<br>&nbsp;<br>My FreeBSD 7.0(x64) Lighttpd web server connects to a 100M broadband line, after testing many times, I found that, when first time to view my website, it needed to take almost 5~8 seconds to completely open the homepage which is only a static HTML file with content &quot;coming soon&quot;, and there are some&nbsp; error log about TCP connection found on our web server, it seems that my FreeBSD 7.0 web server has problem to establish TCP  connection. Before the web server idle time (30s), there are no any delay to re-view the homepage (Press F5), but after 30 seconds, it needed to take another 5~8 seconds to re-view, and the log messages will be repeated.<br>
 &nbsp;<br>May 15 15:18:21 mail kernel: TCP: [<a href="http://203.186.95.8">203.186.95.8</a>]:12728 to [<a href="http://58.177.222.113">58.177.222.113</a>]:80 tcpflags 0x2&lt;SYN&gt;; syncache_add: Received duplicate SYN, resetting timer and retransmitting SYN|ACK<br>
 May 15 15:19:03 mail kernel: TCP: [<a href="http://221.127.88.188">221.127.88.188</a>]:5128 to [<a href="http://58.177.222.113">58.177.222.113</a>]:80 tcpflags 0x2&lt;SYN&gt;; syncache_add: Received duplicate SYN, resetting timer and retransmitting SYN|ACK<br>
 &nbsp;<br>I know how to disable these log messages, but I would like to know that the delay is because<br>of receiving duplicate SYN? is it normal message? Please help me to solve the problem, thanks !!!!<br>Thank you so much!<br>
 &nbsp;<br>Best regards,<br>Victor<br>-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>On Monday 12 May 2008 03:45:16 am John wrote:<br>
 &gt; &gt;Number:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 123603<br>&gt; &gt;Category:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; amd64<br>&gt; &gt;Synopsis:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; tcp_do_segment and Received duplicate SYN<br>&gt; &gt;Confidential:&nbsp;&nbsp; no<br>&gt; &gt;Severity:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; critical<br>&gt; &gt;Priority:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; high<br>
 &gt; &gt;Responsible:&nbsp;&nbsp;&nbsp; freebsd-amd64<br>&gt; &gt;State:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; open<br>&gt; &gt;Quarter:<br>&gt; &gt;Keywords:<br>&gt; &gt;Date-Required:<br>&gt; &gt;Class:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; sw-bug<br>&gt; &gt;Submitter-Id:&nbsp;&nbsp; current-users<br>
 &gt; &gt;Arrival-Date:&nbsp;&nbsp; Mon May 12 07:50:01 UTC 2008<br>&gt; &gt;Closed-Date:<br>&gt; &gt;Last-Modified:<br>&gt; &gt;Originator:&nbsp;&nbsp;&nbsp;&nbsp; John<br>&gt; &gt;Release:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; FB7.0 (x64)<br>&gt; &gt;Organization:<br>&gt;<br>&gt; NULL<br>
 &gt;<br>&gt; &gt;Environment:<br>&gt;<br>&gt; FreeBSD <a href="http://mail.mydomain.com">mail.mydomain.com</a>; 7.0-RELEASE FreeBSD 7.0-RELEASE #0: Thu Mar&nbsp; 6<br>&gt; 12:04:57 HKT 2008&nbsp;&nbsp;&nbsp;&nbsp; root@mydomain.com:/usr/src/sys/amd64/compile/FB7NEW<br>
 &gt; amd64<br>&gt;<br>&gt; &gt;Description:<br>&gt;<br>&gt; A FreeBSD 7.0 (x64) Lighttpd Web Server with most-updated ports and patchs.<br>&gt; when a client connect and view a static HTML file, At the first time<br>&gt; (before web server idle time), it needs to wait a long time to establish a<br>
 &gt; connection, OR when this server try to download file from Internet, there<br>&gt; are lots of logs messages just like below:<br>&gt;<br>&gt; May 12 11:57:54 mail kernel: TCP: [<a href="http://55.66.77.88">55.66.77.88</a>]:41792 to [<a href="http://11.22.33.44">11.22.33.44</a>]:80<br>;
 &gt; tcpflags 0x2&lt;SYN&gt;; syncache_add: Received duplicate SYN, resetting timer<br>&gt; and retransmitting SYN|ACK<br>&gt; May 12 15:17:53 mail kernel: TCP: [<a href="http://193.166.3.2">193.166.3.2</a>]:45979 to<br>&gt; [<a href="http://11.22.33.44">11.22.33.44</a>]:63372 tcpflags 0x10&lt;ACK&gt;; tcp_do_segment: FIN_WAIT_1:<br>
 &gt; Received 1448 bytes of data after socket was closed, sending RST and<br>&gt; removing tcpcb May 12 15:17:53 mail kernel: TCP: [<a href="http://193.166.3.2">193.166.3.2</a>]:21 to<br>&gt; [<a href="http://11.22.33.44">11.22.33.44</a>]:55007 tcpflags 0x18&lt;PUSH,ACK&gt;; tcp_do_segment: FIN_WAIT_2:<br>
 &gt; Received 13 bytes of data after socket was closed, sending RST and removing<br>&gt; tcpcb<br>&gt;<br>&gt; &gt;How-To-Repeat:<br>&gt;<br>&gt; any type of&nbsp; connection will generate above log messages.<br><br>You can either comment out all the log(LOG_DEBUG, ...) calls<br>
 in /sys/netinet/tcp*.c or change your /etc/syslog.conf to not send kern.debug<br>messages to the console.<br><br>I think these messages should probably be conditional on a kernel option FWIW.<br><br>--<br>John Baldwin
 
 ------=_Part_11255_10246163.1211463094510--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200805221340.m4MDe3YA092563>