Netstat says connection in SYN_SENT but tcpdump captures no data

netstattcpdump

I'm debugging a ldap problem after ldap client machine upgraded to ubuntu 18.04. Trying to figure out where the problem is, and I noticed the outbound connection is in SYN_SENT, but when I use tcpdump to capture the problem, both server and client machine's tcpdump has no data about that specific connection, just like it stuck in the kernel's tcp stack. Is there any possible problem that caused this symptom?

Some background:

LDAP server ubuntu 16.04.5, LDAP client 18.04.1

ldap client program: pam_ldap and systemd-logind(which uses nss-ldap)

pam_ldap can connect to ldap server and bind without problem and tcpdump captures the packet.

systemd-logind always complain about do_start_tls failed: stat=-1, netstat shows SYN_SENT and tcpdump captures no outbound packet.

Same configuration on 16.04 works without any problem.

Best Answer

Disable Apparmor completely and this problem solved. It seems that Appamor blocked systemd-logind outbound connection.

Related Solutions

Linux – Fixing Huge Amount of TIME_WAIT Connections

EDIT: tcp_fin_timeout DOES NOT control TIME_WAIT duration, it is hardcoded at 60s

As mentioned by others, having some connections in TIME_WAIT is a normal part of the TCP connection. You can see the interval by examining /proc/sys/net/ipv4/tcp_fin_timeout:

[root@host ~]# cat /proc/sys/net/ipv4/tcp_fin_timeout
60

And change it by modifying that value:

[root@dev admin]# echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

Or permanently by adding it to /etc/sysctl.conf

net.ipv4.tcp_fin_timeout=30

Also, if you don't use the RPC service or NFS, you can just turn it off:

/etc/init.d/nfsd stop

And turn it off completely

chkconfig nfsd off

Netstat Issue – Netstat Shows a Listening Port with No PID but lsof Does Not

From data you provided I'd say it's related to some NFS mounts or something using RPC.

you can check with rpcinfo -p for ports that might be used by some of RPC related services.

Here is how it looks on my system

# netstat -nlp | awk '{if ($NF == "-")print $0}'
tcp        0      0 0.0.0.0:55349           0.0.0.0:*               LISTEN      -               
udp        0      0 0.0.0.0:18049           0.0.0.0:*                           - 

# rpcinfo -p
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  10249  status
    100024    1   tcp  10249  status
    100021    1   udp  18049  nlockmgr
    100021    3   udp  18049  nlockmgr
    100021    4   udp  18049  nlockmgr
    100021    1   tcp  55349  nlockmgr
    100021    3   tcp  55349  nlockmgr
    100021    4   tcp  55349  nlockmgr

Best Answer

Related Solutions

Linux – Fixing Huge Amount of TIME_WAIT Connections

Netstat Issue – Netstat Shows a Listening Port with No PID but lsof Does Not

Related Topic