Tcptrack shows SYN_SENT connections, does that mean the SYN package reached the server

connectiontcptimeout

our server suffered a serious connection timeout problem, so we track tcp connection with tcptrack

we found out that, if the client started to connect to the server, tcptrack shows the connection, but in SYN_SENT status, and netstat -nat shows nothing. (tcptrack & netstat all runs on the server)

does this mean the syn request reached the server? and no syn/ack was sent back?
why the tcptrack could report this connection but netstat could not?
what could be the problem that a general apache could not establish a connection with the client?

i did a bench test using ab in the same intranet, to the specified NIC, it handled 10000 concurrent connection and 400000 requests ok

ps: this doesn't happen every time, but did happened a lot

pps: is there any good tools to trace where the tcp connection was lost?

Best Answer

It means the SYN was sent by the client and either didn't reach the server, the server didn't reply to it, or the server opted to reply to it without keeping track of it. The server does not need to keep track of every SYN reply it sends (and can use SYN cookies) because they may be spoofed and doing so creates a risk of denial of service attacks.

Related Solutions

Linux – Why would a server not send a SYN/ACK packet in response to a SYN packet

We had this exact same problem. Just disabling TCP timestamps solved the problem.

sysctl -w net.ipv4.tcp_timestamps=0

To make this change permanent, make an entry in /etc/sysctl.conf.

Be very careful about disabling the TCP Window Scale option. This option is important for providing maximum performance over the internet. Someone with a 10 megabit/sec connection will have a suboptimal transfer if the round trip time (basically same as ping) is more than 55 ms.

We really noticed this problem when there were multiple devices behind the same NAT. I suspect that the server might have been confused seeing timestamps from Android devices and OSX machines at the same time since they put completely different values in the timestamp fields.

No TCP connections to hosts behind VPN server (SYN, SYN-ACK, but no ACK), UDP, ICMP works

I would start by taking a look at your masking. If the general hosts are in 172.17.0.0/16 and your VPN subnet is in 172.17.7.0/24 then it's entirely possible for there to be some uncertain connectivity situations.

A general host in 172.17.0.0/16 when sending a packet to a VPN host in 172.17.7.0/24 will attempt to ARP for the VPN host's address (rather than sending it to a gateway).

The VPN host, in turn, tries to send a frame to a host in the general subnet. It's going to send via its gateway. If this gateway is a member of both the /24 and the /16 then you've got a similar problem - either it's an illegal configuration or the packet is actually being bridged rather than routed.

It's possible you have proxy-arp configured - that would cause a routing device to answer ARP requests in the larger subnet for a host it has a route to, but this isn't clear from your posted materials.

It's also possible that you have bridging set up somewhere in the mix. This could yield some strange situations as a standard ARP would work in one direction but in the other some sort of gateway would be called upon to forward a nominally routed frame back out the receiving interface - which, again, might work in some circumstances but isn't good (nb - this could be a source of duplicate ACK's).

Can you put your VPN hosts in a non-overlapping subnet? Say give it a 172.18.x.x address and then configure routing between the gateway for this new subnet and the default gateway for 172.17.0.0/16? At a minimum this would make the whole thing simpler to troubleshoot and it very well might fix things.

Best Answer

Related Solutions

Linux – Why would a server not send a SYN/ACK packet in response to a SYN packet

No TCP connections to hosts behind VPN server (SYN, SYN-ACK, but no ACK), UDP, ICMP works

Related Topic