[CLUE-Tech] SOLVED: Connectivity Issues
Keith Hellman
kehellman at yahoo.com
Fri Oct 25 08:56:10 MDT 2002
Some of you may recall an issue I described concerning a particular
machine in our office that could not use fetchmail agains a remote pop
server, but could nmap against it.
SOLUTION: The problematic machine had a new install of RH 8.0. RH 8.0
turns ON ECN (Explicit Congestion Notification). Some router/firewall
between us and our POP server doesn't support ECN, so SYN packets we're
simply be dropped. We turned it off with echo 0
>/proc/sys/net/ipv4/tcp_ecn and everything worked.
As an aside, I would only say that I've learned my lesson w/r to not
reading diagnostic output meticulously:
- The nmap that 'worked' didn't really work - it reported the service as
"filtered", not closed. This is status nmap assigns ports that don't
respond with either a SYN+ACK or an ICMP unused port message.
- We performed multiple tcpdumps along the network path in our office,
convinced that something internally was doing some packet filtering.
The result of all the dumps was that a working machine was able to
establish a connection, while the problematic machine kept sending
SYNs without any response. It wasn't until we had gone as far
upstream (our side of our DSL modem) without any resolution that (and
I would love to say 'we' here but in truth it was a co-worker) the
dump logs were inspected CAREFULLY, and the SWE flag was noticed as a
distinct difference. Had I REALLY looked at the tcpdump output on our
first tap, the problem would have been solved hours eariler.
--
Keith Hellman #include <disclaimer.h>
kehellman at yahoo.com from disclaimer import standard
More information about the clue-tech
mailing list