From: Mike Tancsa
To: freebsd-net@freebsd.org
Date: Fri, 22 Aug 2008 13:19:36 -0400
Subject: strange TCP issue on RELENG_7

On one of our sendmail boxes that we are running RELENG_7, we have noticed an odd issue triggered or noticed by our monitoring system (bigbrother in this case). This seems to have been happening ever since we installed it, so it's not a recent commit issue. Every 5 min, one of our monitoring stations connects to the box on port 25. The connection process is pretty simple.
It connects and sends a QUIT and if that works, all is "ok". Here is a normal exchange:

17:44:27.966100 IP 192.168.1.2.59586 > 192.168.1.9.25: S 1590561033:1590561033(0) win 65535
17:44:27.966119 IP 192.168.1.9.25 > 192.168.1.2.59586: S 2644498016:2644498016(0) ack 1590561034 win 65535
17:44:27.966649 IP 192.168.1.2.59586 > 192.168.1.9.25: . ack 1 win 8326
17:44:27.966664 IP 192.168.1.2.59586 > 192.168.1.9.25: P 1:12(11) ack 1 win 8326
17:44:27.969087 IP 192.168.1.9.25 > 192.168.1.2.59586: P 1:186(185) ack 12 win 8326
17:44:27.969119 IP 192.168.1.9.25 > 192.168.1.2.59586: F 186:186(0) ack 12 win 8326
17:44:27.969642 IP 192.168.1.2.59586 > 192.168.1.9.25: . ack 187 win 8326
17:44:27.969657 IP 192.168.1.2.59586 > 192.168.1.9.25: F 12:12(0) ack 187 win 8326
17:44:27.969668 IP 192.168.1.9.25 > 192.168.1.2.59586: . ack 13 win 8325

But, perhaps twice a day, or once every 2 days, I will see an RST from the host being monitored for some reason?! It looks like:

17:49:27.496803 IP (tos 0x0, ttl 64, id 8521, offset 0, flags [DF], proto TCP (6), length 60)
    199.212.134.2.65013 > 199.212.134.9.25: S, cksum 0xabde (correct), 2204170858:2204170858(0) win 65535
17:49:27.496829 IP (tos 0x0, ttl 64, id 42946, offset 0, flags [DF], proto TCP (6), length 60)
    199.212.134.9.25 > 199.212.134.2.65013: S, cksum 0xfe09 (correct), 3523370477:3523370477(0) ack 2204170859 win 65535
17:49:27.497260 IP (tos 0x0, ttl 64, id 8522, offset 0, flags [DF], proto TCP (6), length 52)
    199.212.134.2.65013 > 199.212.134.9.25: ., cksum 0x0c4c (correct), 1:1(0) ack 1 win 8326
17:49:27.497268 IP (tos 0x0, ttl 64, id 42948, offset 0, flags [DF], proto TCP (6), length 40)
    199.212.134.9.25 > 199.212.134.2.65013: R, cksum 0xe62b (correct), 3523370478:3523370478(0) win 0
17:49:27.497270 IP (tos 0x0, ttl 64, id 8523, offset 0, flags [DF], proto TCP (6), length 63)
    199.212.134.2.65013 > 199.212.134.9.25: P, cksum 0xb803 (correct), 1:12(11) ack 1 win 8326
17:49:27.497277 IP (tos 0x0, ttl 64, id 42949, offset 0, flags [DF], proto TCP (6), length 40)
    199.212.134.9.25 > 199.212.134.2.65013: R, cksum 0xe62b (correct), 3523370478:3523370478(0) win 0
17:49:34.690828 IP (tos 0x0, ttl 64, id 45325, offset 0, flags [DF], proto TCP (6), length 60)
    199.212.134.9.65077 > 199.212.134.2.25: S, cksum 0x3e26 (correct), 2116235846:2116235846(0) win 65535

I don't ever see this on RELENG_6, only on RELENG_7. It doesn't seem to be load related, as I will see it at various times of the day, both busy and quiet, and sendmail is not complaining about too many connections, which it will when there are. 192.168.1.2 is the monitoring host running bb and 192.168.1.9 is the smtp server being tested.

I do have pf on the box, but pf isn't set to send RSTs and I think if there is a state mismatch, it will just drop the packet and not send the RST. I have tried with and without scrub but no obvious difference.

Rules are simple:

set skip on lo0
scrub in all
block in log on {em0,em1}
pass in on {em0,em1} proto {tcp,udp} from
pass in on {em0,em1,lo0} proto tcp from any to any port {25,53,587}
pass in on {em0,em1,lo0} proto udp from any to any port {53}
pass in on {em0,em1} proto icmp from any to any
pass out on {em0,em1} proto {icmp,tcp,udp} from any to any

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
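
Because the event in the message above happens only once or twice a day, a long capture can be scanned for the pattern (SYN, SYN/ACK, ACK, then an RST from the listener before it has sent any data). The following is an added example, not part of the original message; the function name is hypothetical, the sample capture is constructed with documentation addresses, and the old-style tcpdump flag notation shown in the traces above is assumed.

```python
import re

# "src.port > dst.port: flags" sits on one line in both plain and -v output.
PKT = re.compile(r"(\d+(?:\.\d+){4}) > (\d+(?:\.\d+){4}): ([SFPR.]+),?([^\n]*)")

# Constructed sample: one normal check, then one reset right after the handshake.
SAMPLE = """\
10:00:00.000001 IP 192.0.2.2.50001 > 192.0.2.9.25: S 100:100(0) win 65535
10:00:00.000002 IP 192.0.2.9.25 > 192.0.2.2.50001: S 900:900(0) ack 101 win 65535
10:00:00.000003 IP 192.0.2.2.50001 > 192.0.2.9.25: . ack 1 win 8326
10:00:00.000004 IP 192.0.2.2.50001 > 192.0.2.9.25: P 1:12(11) ack 1 win 8326
10:00:00.000005 IP 192.0.2.9.25 > 192.0.2.2.50001: P 1:186(185) ack 12 win 8326
10:05:00.000001 IP 192.0.2.2.50002 > 192.0.2.9.25: S 200:200(0) win 65535
10:05:00.000002 IP 192.0.2.9.25 > 192.0.2.2.50002: S 800:800(0) ack 201 win 65535
10:05:00.000003 IP 192.0.2.2.50002 > 192.0.2.9.25: . ack 1 win 8326
10:05:00.000004 IP 192.0.2.9.25 > 192.0.2.2.50002: R 801:801(0) win 0
10:05:00.000005 IP 192.0.2.2.50002 > 192.0.2.9.25: P 1:12(11) ack 1 win 8326
10:05:00.000006 IP 192.0.2.9.25 > 192.0.2.2.50002: R 801:801(0) win 0
"""

def resets_after_handshake(dump):
    """Return (client, server) flows where the listener answered the
    handshake-completing ACK with a RST before sending any data."""
    state, hits = {}, []                      # state key: (client, server)
    for src, dst, flags, rest in PKT.findall(dump):
        has_ack = " ack " in rest + " "
        if "S" in flags and not has_ack:      # client SYN opens a flow
            state[(src, dst)] = "SYN"
        elif "S" in flags and state.get((dst, src)) == "SYN":
            state[(dst, src)] = "SYNACK"      # listener's SYN/ACK
        elif has_ack and state.get((src, dst)) == "SYNACK":
            state[(src, dst)] = "ESTABLISHED" # client's final ACK
        elif state.get((dst, src)) == "ESTABLISHED":
            # First packet from the listener after the handshake.
            if "R" in flags:
                hits.append((dst, src))
                state[(dst, src)] = "RESET"   # count repeated RSTs once
            else:
                state[(dst, src)] = "SERVED"  # banner or FIN: normal path
    return hits

if __name__ == "__main__":
    for client, server in resets_after_handshake(SAMPLE):
        print(f"RST after handshake: {client} -> {server}")
```
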