Linux, ECN and old firewalls
Hello all,

Bumped into a problem where my firewall was refusing connections from a linux machine, found the reason and thought I would share:

==============================
CONFIG_INET_ECN:

Explicit Congestion Notification (ECN) allows routers to notify clients about network congestion, resulting in fewer dropped packets and increased network performance. This option adds ECN support to the Linux kernel, as well as a sysctl (/proc/sys/net/ipv4/tcp_ecn) which allows ECN support to be disabled at runtime.

Note that, on the Internet, there are many broken firewalls which refuse connections from ECN-enabled machines, and it may be a while before these firewalls are fixed. Until then, to access a site behind such a firewall (some of which are major sites, at the time of this writing) you will have to disable this option, either by saying N now or by using the sysctl.
: Bumped into a problem where my firewall was refusing connections from a linux machine, found the reason and thought I would share:

saw similar problems around last august (i think) .. hotmail was refusing connections from one of my linux boxes. a bit of research showed me the following:

: : http://www.cisco.com/cgi-bin/Support/Bugtool/onebug.pl?bugid=CSCds23698
: :
: : Bug ID: CSCds23698
: : Headline: PIX sends RSET in response to tcp connections with ECN bits set
: : Product: PIX
: : Component: fw
: : Severity: 2  Status: R [Resolved]
: : Version Found: 5.1(1)
: : Fixed-in Version: 5.1(2.206) 5.1(2.207) 5.2(1.200)
: :
: : fixes have been incorporated for a number of different release trains for the pix.
: :
: : Fixed-In Version now covers releases:
: : 5.1(2.206), 5.1(2.207), 5.2(1.200), 6.0(0.100), 5.2(3.210)
: :
: : NB. it has been posted that Raptor firewalls will also apparently fail to allow connections with ECN bits set.

the workaround i was using was:

echo "0" >/proc/sys/net/ipv4/tcp_ecn

(though i was kind of pissed i had to even use a workaround and those sites were being too stubborn to fix their gear).

cheers.

-ken harris.
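As an added example (not code from the thread), a small Python check for the symptom Ken describes: an ECN-setup SYN (SYN with the ECE and CWR bits set, per RFC 3168) answered by a RST instead of a SYN/ACK. It decodes the fixed TCP header from raw bytes and runs over a constructed sample; the sample, the function names and the 'out'/'in' direction labels are assumptions, not anything from the list or from Cisco.

```python
import struct

# TCP flag bits: RFC 793 flags plus the ECE/CWR bits added by RFC 3168 (ECN).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

def parse_tcp(raw: bytes):
    """Decode the fixed 20-byte TCP header; returns (sport, dport, flags)."""
    if len(raw) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return sport, dport, off_flags & 0x1FF  # low 9 bits: NS plus the 8 classic flags

def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    """Constructed header for the sample below (seq, ack and checksum zeroed)."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 65535, 0, 0)

def is_ecn_setup_syn(flags: int) -> bool:
    # RFC 3168: an ECN-capable client opens with SYN+ECE+CWR (and no ACK).
    return flags & (SYN | ACK | ECE | CWR) == (SYN | ECE | CWR)

def find_ecn_resets(segments):
    """Return client ports whose ECN-setup SYN was answered with a RST, the symptom
    of a middlebox that rejects ECN. segments: list of ('out'|'in', raw_tcp_header)."""
    pending, hits = set(), []
    for direction, raw in segments:
        sport, dport, flags = parse_tcp(raw)
        if direction == "out" and is_ecn_setup_syn(flags):
            pending.add(sport)
        elif direction == "in" and dport in pending:
            pending.discard(dport)
            if flags & RST:  # a RST where a SYN/ACK was expected
                hits.append(dport)
    return hits

# Constructed sample (not a real capture): 40001 has its ECN SYN reset, 40002 completes
# normally, 40003 is a plain SYN (no ECN) that was reset and therefore not counted.
SAMPLE = [
    ("out", build_tcp(40001, 80, SYN | ECE | CWR)),
    ("in",  build_tcp(80, 40001, RST | ACK)),
    ("out", build_tcp(40002, 80, SYN | ECE | CWR)),
    ("in",  build_tcp(80, 40002, SYN | ACK)),
    ("out", build_tcp(40003, 80, SYN)),
    ("in",  build_tcp(80, 40003, RST | ACK)),
]
```

If the only resets you see correlate with ECN-setup SYNs, the tcp_ecn workaround from the thread is the right diagnosis; on later kernels tcp_ecn also accepts the value 2, meaning ECN is used only when the peer requests it.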
Several other higher profile sites (yahoo comes to mind) were doing the same thing until I also turned that option off.

I have a feeling it's not only the pix that is broken in this respect.

Jason

--
Jason Slagle - CCNP - CCDP
Network Administrator - Toledo Internet Access - Toledo Ohio
- raistlin@tacorp.net - jslagle@toledolink.com - WHOIS JS10172

/"\  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
\ /  ASCII Ribbon Campaign     .  If dreams are like movies then memories
 X   - NO HTML/RTF in e-mail   .  are films about ghosts..
/ \  - NO Word docs in e-mail  .  - Adam Duritz - Counting Crows

On Sun, 29 Apr 2001, ken harris. wrote:
> Bumped into a problem where my firewall was refusing connections from a linux machine, found the reason and thought I would share:
>
> saw similar problems around last august (i think) .. hotmail was refusing connections from one of my linux boxes. a bit of research showed me the following:
>
> the workaround i was using was: echo "0" >/proc/sys/net/ipv4/tcp_ecn
>
> (though i was kind of pissed i had to even use a workaround and those sites were being too stubborn to fix their gear).
The PIX isn't 'broken'. It was fixed some time ago. It's just that some folks don't want to take the time to upgrade their devices.

This same issue applies to older releases of LocalDirector code, as well. Again, Cisco fixed the problem with alacrity; again, some folks just don't perform timely upgrades.

Jason Slagle wrote:
> Several other higher profile sites (yahoo comes to mind) were doing the same thing until I also turned that option off.
>
> I have a feeling it's not only the pix that is broken in this respect.
--
------------------------------------------------------------
Roland Dobbins <rdobbins@netmore.net> // 408.859.4137 voice
Also, turning off ECN for 2.4.x kernels is quite simple:

echo "0" >/proc/sys/net/ipv4/tcp_ecn

Roland Dobbins wrote:
> The PIX isn't 'broken'. It was fixed some time ago. It's just that some folks don't want to take the time to upgrade their devices.
>
> This same issue applies to older releases of LocalDirector code, as well. Again, Cisco fixed the problem with alacrity; again, some folks just don't perform timely upgrades.
--
------------------------------------------------------------
Roland Dobbins <mordant@gothik.org> // 408.859.4137 voice
participants (4)
- Jason Slagle
- ken harris.
- Lee Watterworth
- Roland Dobbins