Hi Marco: On Mon, Apr 24, 2006 at 09:23:00AM +0000, Marco Berizzi wrote: > > What should I do? Mangling MSS with iptables --set-mss ? > Altering MSS to 1440 did the trick. See: > http://marc.theaimsgroup.com/?l=linux-netdev&m=114373067423528&w=2
Yes that's enough, although proper PMTU would be better. > and here is snmp when the sapgui client has told me that the > connections has been reset: > > [EMAIL PROTECTED]:/var/log# cat SNMP-CONN-RESET > Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams > InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes > ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates > Ip: 1 64 79257 0 31 48139 0 0 38799 56650 2 0 2 182 90 2 90 0 124 OK, the number of reassemblies equals the number of FragOKs. So it does not look like there is a problem within mimosa, i.e., Linux. I've looked at your packet dumps again and in fact there is not qualitative difference between WITHTCPDUMP and WITHOUTTCPDUMP. What is different is that the latter seems to have experienced a higher packet loss rate at an early stage and therefore the sender has already backed off to a very long retry period. The fact that tcpdump makes a difference could simply be that it changes the timing of the fragment tramissions on mimosa which has an impact on the loss rate between mimosa and pleiadi. We can say these things for certain: 1) The path between mimosa and pleiadi has a packet loss problem. A small burst of 10 or so fragments is enough to cause at least half of them to be lost. This problem may be specific to IPsec traffic (ISPs often discriminate against traffic with protocols other than TCP/UDP). 2) Fragmentation exacerbates the packet loss problem because it increases the number of packets and a packet is lost if only one of its fragments is lost. 3) The fact that the TCP connections are not using PMTU causes fragmentation in the presence of IPsec. >From what I've seen, there does not appear to be a bug in Linux that could explain the behaviour change that is seen when you run tcpdump. Cheers, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} <[EMAIL PROTECTED]> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt - To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
