Hello,

we are having a problem with syslog-ng ver. 1.6.2. On one RedHat Linux ES 3, I've seen that it sends SYN, receives ACK and immediately sends RST. Anybody seen this behaviour?

20:26:34.610520 192.168.30.28.5140 > 192.168.30.162.5140: S 1768598228:1768598228(0) win 5840 <mss 1460,sackOK,timestamp 885631 0,nop,wscale 0> (DF)
20:26:34.610660 192.168.30.162.5140 > 192.168.30.28.5140: . ack 1 win 62928 <nop,nop,timestamp 1022214670 497333> (DF)
20:26:34.610711 192.168.30.28.5140 > 192.168.30.162.5140: R 611445588:611445588(0) win 0 (DF)
20:27:22.610006 192.168.30.28.5140 > 192.168.30.162.5140: S 1768598228:1768598228(0) win 5840 <mss 1460,sackOK,timestamp 890431 0,nop,wscale 0> (DF)
20:27:22.610152 192.168.30.162.5140 > 192.168.30.28.5140: . ack 1 win 62928 <nop,nop,timestamp 1022239252 497333> (DF)
20:27:22.610195 192.168.30.28.5140 > 192.168.30.162.5140: R 611445588:611445588(0) win 0 (DF)

When I try e.g. telnet, it works just fine.

20:30:56.617785 192.168.30.28.32908 > 192.168.30.162.5140: S 2089428237:2089428237(0) win 5840 <mss 1460,sackOK,timestamp 911833 0,nop,wscale 0> (DF) [tos 0x10]
20:30:56.617995 192.168.30.162.5140 > 192.168.30.28.32908: S 1997864569:1997864569(0) ack 2089428238 win 5792 <mss 1380,sackOK,timestamp 1022348859 911833,nop,wscale 0> (DF)
20:30:56.618051 192.168.30.28.32908 > 192.168.30.162.5140: . ack 1 win 5840 <nop,nop,timestamp 911833 1022348859> (DF) [tos 0x10]
20:31:01.079466 192.168.30.28.32908 > 192.168.30.162.5140: F 1:1(0) ack 1 win 5840 <nop,nop,timestamp 912279 1022348859> (DF) [tos 0x10]
20:31:01.079677 192.168.30.162.5140 > 192.168.30.28.32908: F 1:1(0) ack 2 win 5792 <nop,nop,timestamp 1022351145 912279> (DF)
20:31:01.079717 192.168.30.28.32908 > 192.168.30.162.5140: . ack 2 win 5840 <nop,nop,timestamp 912279 1022351145> (DF) [tos 0x10]

--
***********************************************************************
Pavel Urban (pavel.urban@imaginet.cz)
IOL system disaster
Internet OnLine, owned by Cesky Telecom, a.s. (www.ct.cz)
***********************************************************************
Vegetables should not operate electronic equipment.
Computer Stupidities, http://rinkworks.com/stupid/
***********************************************************************
Sorry, I was already pretty asleep while I was sending this. The problem refers to TCP remote logging, when the client is set with source port 5140. I can see error messages in the client's system log; it complains that the AF_INET connection to the central logging system cannot be established.
I've found out what was causing the problem. Just for the record: if you use a static source port ('localport' directive), you can encounter a problem with a PIX firewall. What happened here?

1. central syslog had the connection in ESTABLISHED state
2. client had syslog-ng shut down; after restart it tried to connect
3. SYN packet was received by central syslog for the connection that it thought should be already established
4. central syslog responded with ACK
5. client was confused by ACK because it expected SYN-ACK, so it sent RST
6. PIX firewall treats SYN followed by RST as an attack, so it blocked the packet
7. central syslog still keeps the connection in ESTABLISHED state, client in SYN_SENT state
8. after some time, client sends SYN again... and we're in the loop.

Not very nice. So, be careful when setting localport!
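The loop described in the previous message can be recognised mechanically in the tcpdump output. What follows is an added example written for this thread; it is not part of the original post or of syslog-ng. It parses the tcpdump 3.x line format quoted above and classifies each handshake attempt, telling a normal three-way handshake (the telnet capture) apart from the stale-connection pattern (the syslog-ng capture): a SYN answered by a bare ACK instead of a SYN-ACK, followed by a client RST. The bare ACK is the server's answer to a segment that does not fit the connection it still holds for that 4-tuple (the behaviour RFC 5961 later named a challenge ACK); the client, in SYN_SENT, gets an ACK that does not acknowledge its SYN and resets, as RFC 793's SYN-SENT processing prescribes. That RST is what would clear the server's stale ESTABLISHED state, so a firewall that drops it keeps the loop alive. The two captures embedded below are the ones posted in the thread, not constructed data; the verdict strings and function names are this example's own.

```python
import re
from collections import namedtuple

Packet = namedtuple("Packet", "ts src dst flags seq ack")
Attempt = namedtuple("Attempt", "client server isn verdict")

# tcpdump 3.x line shape, as printed in the thread:
#   <ts> <src>.<port> > <dst>.<port>: <flags> [<seq>:<seq>(<len>)] [ack <n>] win ...
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SFRPWEU.]+)\s*(?:(?P<seq>\d+):\d+\(\d+\))?(?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back (\d+)")


def parse(capture):
    """Turn tcpdump 3.x text into Packet records, one per non-empty line."""
    packets = []
    for line in capture.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised tcpdump line: %r" % line)
        ack = ACK_RE.search(m.group("rest"))
        packets.append(Packet(
            ts=m.group("ts"), src=m.group("src"), dst=m.group("dst"),
            flags=m.group("flags"),
            seq=int(m.group("seq")) if m.group("seq") else None,
            ack=int(ack.group(1)) if ack else None))
    return packets


def _verdict(client, server, isn, pkts):
    """Classify one SYN plus the packets that followed it on the same 4-tuple."""
    replies = [p for p in pkts[1:] if p.src == server]
    if not replies:
        verdict = "no-answer"
    elif "R" in replies[0].flags:
        verdict = "refused"            # nothing listening, or a reset from a middlebox
    elif "S" in replies[0].flags and replies[0].ack is not None:
        # SYN-ACK: established once the client acknowledges it without resetting
        acked = any(p.src == client and p.ack is not None and "R" not in p.flags
                    for p in pkts[1:])
        verdict = "established" if acked else "syn-ack-unanswered"
    elif replies[0].ack is not None:
        # Bare ACK to a SYN: the server still holds a connection on this 4-tuple
        # and answers with that connection's numbers; a client in SYN_SENT cannot
        # match them and resets (RFC 793, SYN-SENT processing of an ACK).
        reset = any(p.src == client and "R" in p.flags for p in pkts[1:])
        verdict = "stale-server-state" if reset else "stale-server-state-no-reset"
    else:
        verdict = "unexpected"
    return Attempt(client, server, isn, verdict)


def classify(packets):
    """Group packets into handshake attempts (one per SYN) and judge each."""
    attempts, current = [], None
    for p in packets:
        if "S" in p.flags and p.ack is None:        # a fresh SYN opens an attempt
            if current is not None:
                attempts.append(_verdict(*current))
            current = [p.src, p.dst, p.seq, [p]]
        elif current is not None and {p.src, p.dst} == {current[0], current[1]}:
            current[3].append(p)
    if current is not None:
        attempts.append(_verdict(*current))
    return attempts


def repeated_isns(attempts):
    """ISNs seen on more than one SYN for the same client/server pair.

    A retransmitted SYN keeps its ISN, so the same ISN after a bare-ACK/RST
    exchange means the client socket is still in SYN_SENT and the server never
    saw the RST: the loop from step 7 and 8 of the post."""
    seen, repeats = set(), set()
    for a in attempts:
        key = (a.client, a.server, a.isn)
        if key in seen:
            repeats.add(a.isn)
        seen.add(key)
    return repeats


# Both captures are the ones posted in the thread (real data, not constructed).
STALE_CAPTURE = """\
20:26:34.610520 192.168.30.28.5140 > 192.168.30.162.5140: S 1768598228:1768598228(0) win 5840 <mss 1460,sackOK,timestamp 885631 0,nop,wscale 0> (DF)
20:26:34.610660 192.168.30.162.5140 > 192.168.30.28.5140: . ack 1 win 62928 <nop,nop,timestamp 1022214670 497333> (DF)
20:26:34.610711 192.168.30.28.5140 > 192.168.30.162.5140: R 611445588:611445588(0) win 0 (DF)
20:27:22.610006 192.168.30.28.5140 > 192.168.30.162.5140: S 1768598228:1768598228(0) win 5840 <mss 1460,sackOK,timestamp 890431 0,nop,wscale 0> (DF)
20:27:22.610152 192.168.30.162.5140 > 192.168.30.28.5140: . ack 1 win 62928 <nop,nop,timestamp 1022239252 497333> (DF)
20:27:22.610195 192.168.30.28.5140 > 192.168.30.162.5140: R 611445588:611445588(0) win 0 (DF)
"""
TELNET_CAPTURE = """\
20:30:56.617785 192.168.30.28.32908 > 192.168.30.162.5140: S 2089428237:2089428237(0) win 5840 <mss 1460,sackOK,timestamp 911833 0,nop,wscale 0> (DF) [tos 0x10]
20:30:56.617995 192.168.30.162.5140 > 192.168.30.28.32908: S 1997864569:1997864569(0) ack 2089428238 win 5792 <mss 1380,sackOK,timestamp 1022348859 911833,nop,wscale 0> (DF)
20:30:56.618051 192.168.30.28.32908 > 192.168.30.162.5140: . ack 1 win 5840 <nop,nop,timestamp 911833 1022348859> (DF) [tos 0x10]
20:31:01.079466 192.168.30.28.32908 > 192.168.30.162.5140: F 1:1(0) ack 1 win 5840 <nop,nop,timestamp 912279 1022348859> (DF) [tos 0x10]
20:31:01.079677 192.168.30.162.5140 > 192.168.30.28.32908: F 1:1(0) ack 2 win 5792 <nop,nop,timestamp 1022351145 912279> (DF)
20:31:01.079717 192.168.30.28.32908 > 192.168.30.162.5140: . ack 2 win 5840 <nop,nop,timestamp 912279 1022351145> (DF) [tos 0x10]
"""

if __name__ == "__main__":
    for name, cap in (("syslog-ng, localport 5140", STALE_CAPTURE),
                      ("telnet, ephemeral port", TELNET_CAPTURE)):
        attempts = classify(parse(cap))
        print(name)
        for a in attempts:
            print("  %s -> %s: %s" % (a.client, a.server, a.verdict))
        if repeated_isns(attempts):
            print("  repeated ISN(s) %s: client still in SYN_SENT, retransmitting"
                  % sorted(repeated_isns(attempts)))
```

Running it gives one verdict per SYN: both syslog-ng attempts come out as stale-server-state and the telnet attempt as established. The repeated ISN (1768598228 on both syslog-ng SYNs, 48 seconds apart) shows the second SYN is a retransmission from a socket still in SYN_SENT rather than a new connect(), which is step 7 of the post seen from the wire. The practical fix is the one the post recommends: let syslog-ng pick an ephemeral source port by not setting localport() in the tcp() destination, so a restarted client can never collide with the 4-tuple the server still holds; if the fixed port was chosen so that the firewall could match it, match on the destination port 5140 instead.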
participants (1)
-
Pavel Urban