<HTML>
<HEAD>
<TITLE>TIME_WAIT / LAST_ACK Problem</TITLE>
</HEAD>
<BODY>
<FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Hi<BR>
<BR>
I am experiencing an intermittent but quite frequent problem when load testing a transparent proxy (squid) (with hundreds of connections).<BR>
I would welcome any advice on what I might be doing wrong.<BR>
<BR>
The end result is that there are a lot of:<BR>
</SPAN></FONT><UL><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>server-side connections left in TIME_WAIT state
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>client-side connections left in LAST_ACK state<BR>
</SPAN></FONT></UL><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
I am using iptables to:<BR>
</SPAN></FONT><UL><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>redirect/tproxy incoming port 80 traffic to port 3129
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>set a mark on outgoing port 80 traffic (for routing)<BR>
</SPAN></FONT></UL><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
I also use the TRACE target in the raw table to log the packet paths.<BR>
<BR>
The problem seems to arise when the server initiates the close of the connection.<BR>
In that case, the trace output shows:<BR>
</SPAN></FONT><OL><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>the FIN from the server passing through the mangle:OUTPUT, filter:OUTPUT and filter:POSTROUTING tables
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>a FIN/ACK from the client arriving and passing through mangle:PREROUTING, mangle:INPUT and filter:INPUT tables
</SPAN></FONT><LI><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>a final ACK from the server passing through the mangle:OUTPUT tables but getting no further.<BR>
</SPAN></FONT></OL><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'><BR>
Steps 2 & 3 are repeated as the client resends its unacknowledged FIN.<BR>
I am attaching the packet trace for one instance of this problem, extracted from /var/log/messages.<BR>
<BR>
I have used tcpdump on both client and server and confirmed that the final ACK never leaves the server.<BR>
<BR>
I have enabled logging of invalid packets, but am not seeing any reports.<BR>
<BR>
This problem is happening on Fedora 14 - 2.6.35.14-103.fc14.x86_64, with iptables v1.4.9.<BR>
<BR>
I don’t see the problem with non-transparent connections.<BR>
<BR>
I am also attaching iptables rules for the mangle table and tcp-related sysctl settings.<BR>
<BR>
Regards<BR>
<BR>
Simon<BR>
<BR>
<BR>
</SPAN></FONT>
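<P><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Added example (not the poster's code, and not part of the original message): a small Python script that reconstructs per-packet chain paths from TRACE log lines of the kind the poster extracted from /var/log/messages, and reports packets that were seen in an OUTPUT chain but never reached POSTROUTING, which is exactly the "final ACK passes mangle:OUTPUT but gets no further" symptom. It assumes the standard kernel TRACE line format (<CODE>TRACE: table:chain:rule|return|policy:n IN= OUT= SRC= DST= ... ID= ... SPT= DPT= [flags]</CODE>); the addresses, ports, interface names and log lines are constructed sample data, and the helper names (<CODE>trace_line</CODE>, <CODE>group_packets</CODE>, <CODE>find_stalled_packets</CODE>) are hypothetical.</SPAN></FONT></P>

```python
"""Reconstruct per-packet netfilter chain paths from iptables TRACE log lines.

Added illustration for the thread above; it is not the poster's code. It assumes
the TRACE log format written by the kernel:

    TRACE: <table>:<chain>:<rule|return|policy>:<n> IN=... OUT=... SRC=... DST=...
           ... ID=<ip-id> ... PROTO=TCP SPT=... DPT=... [SYN] [ACK] [FIN] ...

A packet is identified by (SRC, DST, SPT, DPT, IP ID), so every TRACE line for
the same packet extends that packet's chain path. Locally generated packets
(IN empty) that never reach a POSTROUTING chain, and inbound packets that never
reach an INPUT or POSTROUTING chain, are reported as stalled.
All log data below is constructed sample data, not a real capture.
"""
import re
from collections import OrderedDict

TRACE_RE = re.compile(
    r"TRACE:\s+(?P<table>\w+):(?P<chain>\w+):(?P<kind>\w+):(?P<rule>\d+)\s+(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S*)")          # KEY=value tokens; IN= may be empty
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare flag tokens


def trace_line(hop, ip_id, src, dst, spt, dpt, flags, iface_in="", iface_out="eth0"):
    """Render one TRACE log line in the kernel's format (constructed sample data)."""
    table, chain = hop.split(":")
    return (f"Oct 12 10:00:01 proxy kernel: TRACE: {table}:{chain}:policy:1 "
            f"IN={iface_in} OUT={iface_out} SRC={src} DST={dst} LEN=52 TOS=0x00 PREC=0x00 "
            f"TTL=64 ID={ip_id} DF PROTO=TCP SPT={spt} DPT={dpt} WINDOW=227 RES=0x00 "
            f"{' '.join(flags)} URGP=0")


# Constructed endpoints: the proxy answering as the origin server, and a client.
SERVER, CLIENT = ("198.51.100.5", "80"), ("192.0.2.20", "40001")
OUT_PATH = ["mangle:OUTPUT", "filter:OUTPUT", "mangle:POSTROUTING"]
IN_PATH = ["mangle:PREROUTING", "mangle:INPUT", "filter:INPUT"]


def _outbound(ip_id, flags, hops):
    return [trace_line(h, ip_id, SERVER[0], CLIENT[0], SERVER[1], CLIENT[1], flags)
            for h in hops]


def _inbound(ip_id, flags, hops):
    return [trace_line(h, ip_id, CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], flags,
                       iface_in="eth0", iface_out="") for h in hops]


# Sample log reproducing the pattern in the message: server FIN leaves normally,
# client FIN/ACK arrives, server's final ACK is seen in mangle:OUTPUT only, and
# the last two steps repeat as the client retransmits its unacknowledged FIN.
SAMPLE_LOG = (
    _outbound(1001, ["ACK", "FIN"], OUT_PATH)        # 1. server FIN, full path
    + _inbound(2001, ["ACK", "FIN"], IN_PATH)        # 2. client FIN/ACK arrives
    + _outbound(1002, ["ACK"], ["mangle:OUTPUT"])   # 3. final ACK gets no further
    + _inbound(2002, ["ACK", "FIN"], IN_PATH)        # 2 again (retransmit)
    + _outbound(1003, ["ACK"], ["mangle:OUTPUT"])   # 3 again
)


def parse_trace_line(line):
    """Return a dict for one TRACE line, or None for lines that are not traces."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = dict(KV_RE.findall(rest))
    return {
        "hop": f"{m.group('table')}:{m.group('chain')}",
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "key": (fields.get("SRC"), fields.get("DST"),
                fields.get("SPT"), fields.get("DPT"), fields.get("ID")),
        "flags": {tok for tok in rest.split() if tok in TCP_FLAGS},
    }


def group_packets(lines):
    """Group TRACE lines into packets, keeping each packet's ordered chain path."""
    packets = OrderedDict()
    for line in lines:
        rec = parse_trace_line(line)
        if rec is None:
            continue
        pkt = packets.setdefault(
            rec["key"], {"flags": rec["flags"], "in": rec["in"], "out": rec["out"], "path": []})
        if not pkt["path"] or pkt["path"][-1] != rec["hop"]:   # collapse rule/policy pairs
            pkt["path"].append(rec["hop"])
    return packets


def find_stalled_packets(lines):
    """Report packets whose trace path ends before the chain that would let them leave."""
    stalled = []
    for key, pkt in group_packets(lines).items():
        path = pkt["path"]
        if not pkt["in"]:   # locally generated: must reach a POSTROUTING chain
            complete = any(h.endswith(":POSTROUTING") for h in path)
        else:               # inbound: local delivery (INPUT) or forwarded (POSTROUTING)
            complete = any(h.endswith((":INPUT", ":POSTROUTING")) for h in path)
        if not complete:
            stalled.append({"key": key, "flags": sorted(pkt["flags"]),
                            "last_hop": path[-1], "path": path})
    return stalled


if __name__ == "__main__":
    for s in find_stalled_packets(SAMPLE_LOG):
        src, dst, spt, dpt, ip_id = s["key"]
        print(f"{src}:{spt} -> {dst}:{dpt} id={ip_id} flags={s['flags']} "
              f"stopped after {s['last_hop']} (path {' > '.join(s['path'])})")
```

<P><FONT FACE="Calibri, Verdana, Helvetica, Arial"><SPAN STYLE='font-size:11pt'>Run against a real log with <CODE>grep TRACE /var/log/messages</CODE> as the input lines; a packet whose path stops at <CODE>mangle:OUTPUT</CODE> while its peers reach <CODE>mangle:POSTROUTING</CODE> narrows the search to what sits between those two chains (the routing decision and any mark-based policy routing) rather than to the filter rules themselves.</SPAN></FONT></P>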
</BODY>
</HTML>