Date: Mon, 13 Feb 2006 16:45:55 -0500 From: Charles Swiger <cswiger@mac.com> To: Jerry Bell <jbell@stelesys.com> Cc: freebsd-questions@freebsd.org Subject: Re: Help with strange web server problem Message-ID: <1DFDCA44-74AC-475A-96A9-0E3AD5B492C4@mac.com> In-Reply-To: <4026.209.134.164.18.1139861525.squirrel@www.stelesys.com> References: <1716.209.134.164.18.1139835495.squirrel@www.stelesys.com> <9CB4E9E3-EE93-4E65-AD74-0ACC9B3C64FF@mac.com> <4026.209.134.164.18.1139861525.squirrel@www.stelesys.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Feb 13, 2006, at 3:12 PM, Jerry Bell wrote: > I didn't want to spam the link out, but it's www.musiclodge.com. I > will > gather the capture data from working and non working sessions and > send it > out. Well, I can confirm the behavior you've described. It looks somewhat like a stateful firewall or is in the way and is generating an RST, even while your webserver tries to generate a response. However, once the firewall sees the outbound traffic, it seems to create a dynamic rule which lets the traffic from subsequent connections through: 5-pan# tcpdump -tnXs 0 host www.musiclodge.com tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on en0, link-type EN10MB (Ethernet), capture size 65535 bytes IP 199.103.21.238.50740 > 63.175.100.44.80: S 2282569549:2282569549 (0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1159441862 0> 0x0000: 4510 003c 4653 4000 4006 7328 c767 15ee E..<FS@.@.s (.g.. 0x0010: 3faf 642c c634 0050 880d 3f4d 0000 0000 ?.d,.4.P..? M.... 0x0020: a002 ffff 815f 0000 0204 05b4 0103 0300 ....._.......... 0x0030: 0101 080a 451b adc6 0000 0000 ....E....... IP 63.175.100.44.80 > 199.103.21.238.50740: S 2634350592:2634350592 (0) ack 2282569550 win 65535 0x0000: 4500 0028 0000 4000 2506 d49f 3faf 642c E..(..@. %...?.d, 0x0010: c767 15ee 0050 c634 9d05 0000 880d 3f4e .g...P. 4......?N 0x0020: 5012 ffff 03bc 0000 0000 0000 0000 1b60 P..............` 0x0030: 2678 &x IP 199.103.21.238.50740 > 63.175.100.44.80: . ack 1 win 65535 0x0000: 4510 0028 4655 4000 4006 733a c767 15ee E.. (FU@.@.s:.g.. 0x0010: 3faf 642c c634 0050 880d 3f4e 9d05 0001 ?.d,.4.P..? N.... 0x0020: 5010 ffff 03bd 0000 P....... 3-way handshake is completed here, next traffic should be from my machine making the "GET /", request, but instead your machine sends another ACK: IP 63.175.100.44.80 > 199.103.21.238.50740: S 2238145710:2238145710 (0) ack 2282569550 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1453026167 1159441862> 0x0000: 4500 003c 57fa 4000 3206 6f91 3faf 642c E..<W.@. 2.o.?.d, 0x0010: c767 15ee 0050 c634 8567 64ae 880d 3f4e .g...P. 4.gd...?N 0x0020: a012 ffff 9cdb 0000 0204 05b4 0103 0301 ................ 0x0030: 0101 080a 569b 6b77 451b adc6 9345 1153 ....V.kwE....E.S Interesting that the previous ack had no TCP options set, whereas this one does include a timestamp in response. IP 199.103.21.238.50740 > 63.175.100.44.80: . ack 396204883 win 65535 <nop,nop,timestamp 1159441863 1453026167> 0x0000: 4510 0034 4656 4000 4006 732d c767 15ee E.. 4FV@.@.s-.g.. 0x0010: 3faf 642c c634 0050 880d 3f4e 9d05 0001 ?.d,.4.P..? N.... 0x0020: 8010 ffff 8157 0000 0101 080a 451b adc7 .....W......E... 0x0030: 569b 6b77 V.kw Where did sequence # 396204883 come from? And your side follows up with a pair of connection resets, and a normal ACK packet, too. IP 63.175.100.44.80 > 199.103.21.238.50740: R 2634350593:2634350593 (0) win 0 0x0000: 4500 0028 b6f6 4000 3206 10a9 3faf 642c E..(..@. 2...?.d, 0x0010: c767 15ee 0050 c634 9d05 0001 0000 0000 .g...P. 4........ 0x0020: 5004 0000 cb24 0000 0000 0000 0000 f3fa P.... $.......... 0x0030: 5489 T. IP 63.175.100.44.80 > 199.103.21.238.50740: R 2634350593:2634350593 (0) win 0 0x0000: 4500 0028 4bfc 4000 3206 7ba3 3faf 642c E..(K.@.2. {.?.d, 0x0010: c767 15ee 0050 c634 9d05 0001 0000 0000 .g...P. 4........ 0x0020: 5004 0000 cb24 0000 0000 0000 0000 abb8 P.... $.......... 0x0030: c9be .. IP 63.175.100.44.80 > 199.103.21.238.50740: S 2238145710:2238145710 (0) ack 2282569550 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1453026467 1159441862> 0x0000: 4500 003c 3a9d 4000 3206 8cee 3faf 642c E..<:.@. 2...?.d, 0x0010: c767 15ee 0050 c634 8567 64ae 880d 3f4e .g...P. 4.gd...?N 0x0020: a012 ffff 9baf 0000 0204 05b4 0103 0301 ................ 0x0030: 0101 080a 569b 6ca3 451b adc6 bdd6 d7c9 ....V.l.E....... ...and my side closes, too. Something is badly confused. IP 199.103.21.238.50740 > 63.175.100.44.80: R 2282569550:2282569550 (0) win 0 0x0000: 4500 0028 465a 4000 4006 7345 c767 15ee E.. (FZ@.@.sE.g.. 0x0010: 3faf 642c c634 0050 880d 3f4e 0000 0000 ?.d,.4.P..? N.... 0x0020: 5004 0000 a0cf 0000 P....... ------------------- When I repeat the connection attempt a few seconds later: IP 199.103.21.238.50743 > 63.175.100.44.80: S 262625798:262625798(0) win 65535 <mss 1460,nop,wscale 0,nop,nop,timestamp 1159442517 0> 0x0000: 4510 003c 46c8 4000 4006 72b3 c767 15ee E..<F.@.@.r..g.. 0x0010: 3faf 642c c637 0050 0fa7 5a06 0000 0000 ?.d,. 7.P..Z..... 0x0020: a002 ffff 815f 0000 0204 05b4 0103 0300 ....._.......... 0x0030: 0101 080a 451b b055 0000 0000 ....E..U.... IP 63.175.100.44.80 > 199.103.21.238.50743: S 362624500:362624500(0) ack 262625799 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 1453058903 1159442517> 0x0000: 4500 003c e034 4000 3206 e756 3faf 642c E..<.4@. 2..V?.d, 0x0010: c767 15ee 0050 c637 159d 35f4 0fa7 5a07 .g...P. 7..5...Z. 0x0020: a012 ffff 169b 0000 0204 05b4 0103 0301 ................ 0x0030: 0101 080a 569b eb57 451b b055 55d6 9ceb ....V..WE..UU... IP 199.103.21.238.50743 > 63.175.100.44.80: . ack 1 win 65535 <nop,nop,timestamp 1159442517 1453058903> 0x0000: 4510 0034 46c9 4000 4006 72ba c767 15ee E.. 4F.@.@.r..g.. 0x0010: 3faf 642c c637 0050 0fa7 5a07 159d 35f5 ?.d,. 7.P..Z...5. 0x0020: 8010 ffff 8157 0000 0101 080a 451b b055 .....W......E..U 0x0030: 569b eb57 V..W 3-way handshake finishes OK, this time your initial ACK is OK and includes a timestamp back. IP 199.103.21.238.50743 > 63.175.100.44.80: P 1:17(16) ack 1 win 65535 <nop,nop,timestamp 1159442525 1453058903> 0x0000: 4510 0044 46cd 4000 4006 72a6 c767 15ee E..DF.@.@.r..g.. 0x0010: 3faf 642c c637 0050 0fa7 5a07 159d 35f5 ?.d,. 7.P..Z...5. 0x0020: 8018 ffff 8167 0000 0101 080a 451b b05d .....g......E..] 0x0030: 569b eb57 4745 5420 2f20 4854 5450 2f31 V..WGET./.HTTP/1 0x0040: 2e30 0d0a .0.. Here was my GET, which you then ACK.... IP 63.175.100.44.80 > 199.103.21.238.50743: . ack 17 win 33304 <nop,nop,timestamp 1453059309 1159442525> 0x0000: 4500 0034 052a 4000 3206 c269 3faf 642c E..4.*@. 2..i?.d, 0x0010: c767 15ee 0050 c637 159d 35f5 0fa7 5a17 .g...P. 7..5...Z. 0x0020: 8010 8218 be99 0000 0101 080a 569b eced ............V... 0x0030: 451b b05d db4e 4827 E..].NH' IP 199.103.21.238.50743 > 63.175.100.44.80: P 17:19(2) ack 1 win 65535 <nop,nop,timestamp 1159442526 1453059309> 0x0000: 4510 0036 46ce 4000 4006 72b3 c767 15ee E.. 6F.@.@.r..g.. 0x0010: 3faf 642c c637 0050 0fa7 5a17 159d 35f5 ?.d,. 7.P..Z...5. 0x0020: 8018 ffff 8159 0000 0101 080a 451b b05e .....Y......E..^ 0x0030: 569b eced 0d0a V..... ...followed by a correct data response. IP 63.175.100.44.80 > 199.103.21.238.50743: . 1:1449(1448) ack 19 win 33304 <nop,nop,timestamp 1453059329 1159442526> 0x0000: 4500 05dc c865 4000 3206 f985 3faf 642c E....e@. 2...?.d, 0x0010: c767 15ee 0050 c637 159d 35f5 0fa7 5a19 .g...P. 7..5...Z. 0x0020: 8010 8218 2e5f 0000 0101 080a 569b ed01 ....._......V... 0x0030: 451b b05e 4854 5450 2f31 2e31 2032 3030 E..^HTTP/ 1.1.200 0x0040: 204f 4b0d 0a44 6174 653a 204d 6f6e 2c20 .OK..Date:.Mon,. [ ... ] Check your firewall, or see whether your ISP or whoever has put a HTTP reverse proxy in place which is breaking these connections. -- -Chuck
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?1DFDCA44-74AC-475A-96A9-0E3AD5B492C4>