Bug 116401

Summary: Internet & FTP refused. (The connection was refused when attempting...)
Product: [Fedora] Fedora
Component: system-config-network
Version: rawhide
Hardware: i586
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: high
Reporter: william Church <wchurch1>
Assignee: Harald Hoyer <harald>
CC: cove
Doc Type: Bug Fix
Last Closed: 2004-03-05 10:37:27 UTC

Description william Church 2004-02-20 19:09:40 UTC
Description of problem:
Intranet works, can ping outside internet, but refused when trying
with browser.  Issue with 2.6 kernel: did have Core 1 installed, no
problem... upgraded to 2.6 kernel, internet browsing does not work; same
issue now with Core 2 installed.

Version-Release number of selected component (if applicable):
Fedora Core 2

How reproducible:
Every instance.


Comment 1 Harald Hoyer 2004-03-04 14:04:02 UTC
Do you have a firewall installed?

Comment 2 william Church 2004-03-04 14:49:30 UTC
No firewall, iptables off.  All outside traffic is refused when
connecting.   I am behind company firewall and proxy.  This issue
doesn't exist behind other locations, only at work.  (works with 2.4
kernel) but not 2.6.  Kernel module or driver config.??

Comment 3 Harald Hoyer 2004-03-04 15:57:04 UTC
Err... neither kernel nor network configuration changed this much...
Are you sure intranet works? Have you set the default gateway
(default route)?

Comment 4 william Church 2004-03-04 19:56:55 UTC
Yes, the default route is correct.  I can ping external websites.  It
just seems to me like there is some kind of security in the kernel
putting a little extra garbage on the packets and our firewall is
stopping the traffic (but it's letting icmp packets through)???


Here is a sample tcpdump trying to connect to mozilla.org. Don't know
if this will help or not, but you can see where it fails. 

14:53:45.336435 IP 10.26.3.59.32783 > cncdc1.jdedwards.com.domain: 
49055+ PTR? 70.3.26.10.in-addr.arpa. (41)
14:53:45.336703 arp who-has 10.26.3.59 tell cncdc1.jdedwards.com
14:53:45.336737 arp reply 10.26.3.59 is-at 00:03:47:b8:b1:a9
14:53:45.336893 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32783: 
49055* 1/0/0 PTR[|domain]
14:53:45.349434 IP 10.26.3.59.32783 > cncdc1.jdedwards.com.domain: 
49056+ PTR? 128.2.26.10.in-addr.arpa. (42)
14:53:49.848859 IP 10.26.3.59.32783 > cncdc1.jdedwards.com.domain: 
49057+ PTR? 60.2.26.10.in-addr.arpa. (41)
14:53:49.849188 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32783: 
49057* 1/0/0 PTR[|domain]
14:53:49.849524 IP 10.26.3.59.32783 > cncdc1.jdedwards.com.domain: 
49058+ PTR? 59.3.26.10.in-addr.arpa. (41)
14:53:49.849813 IP cncdc1.jdedwards.com.netbios-ns >
10.26.3.59.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
14:53:49.849854 IP 10.26.3.59 > cncdc1.jdedwards.com: icmp 86:
10.26.3.59 udp port netbios-ns unreachable
14:53:51.347484 IP 10.26.3.59 > cncdc1.jdedwards.com: icmp 86:
10.26.3.59 udp port netbios-ns unreachable
14:53:51.468676 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
34359+ AAAA? www.mozilla.org. (33)
14:53:51.531028 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
34360+ A? www.mozilla.org. (33)
14:53:51.532100 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
48848+ PTR? 202.111.126.207.in-addr.arpa. (46)
14:53:54.352563 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
49059+ PTR? 255.3.26.10.in-addr.arpa. (42)
14:53:54.352717 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32784: 
49059 ServFail* 0/0/0 (42)
14:53:54.352841 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
49059+ PTR? 255.3.26.10.in-addr.arpa. (42)
14:53:54.352927 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32784: 
49059 ServFail* 0/0/0 (42)
14:53:54.353642 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
49060+ PTR? 39.3.26.10.in-addr.arpa. (41)
14:53:54.354265 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
49061+ PTR? 97.34.236.64.in-addr.arpa. (43)
14:53:54.354540 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32784: 
49061 NXDomain 0/1/0 (109)
14:53:54.354948 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
49062+ PTR? 10.0.0.224.in-addr.arpa. (41)
14:53:54.355049 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32784: 
49062 1/0/0 PTR[|domain]


Comment 6 Harald Hoyer 2004-03-05 10:36:06 UTC
Sorry, no extra security... you get the IP of www.mozilla.org

14:53:51.531028 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
34360+ A? www.mozilla.org. (33)
14:53:51.532100 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
48848+ PTR? 202.111.126.207.in-addr.arpa. (46)
14:53:54.352563 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
49059+ PTR? 255.3.26.10.in-addr.arpa. (42)

But, in your tcpdump there is no attempt to contact the webserver...

Comment 7 Harald Hoyer 2004-03-05 10:37:27 UTC
Please discuss this on the fedora-test list... this must be some kind
of misconfiguration... not a bug of system-config-network...

http://www.redhat.com/mailman/listinfo/fedora-test-list

Comment 8 Cove Schneider 2004-03-10 00:53:06 UTC
I seem to be having the same problem. Here's a better trace:

16:43:03.027281 IP (tos 0x0, ttl  64, id 39006, offset 0, flags [DF], length: 60) wrks-10-4-3-229.ofs..32809 > www.redhat.com.http: SWE [tcp sum ok] 824911537:824911537(0) win 5840 <mss 1460,sackOK,timestamp 900847 0,nop,wscale 0>
16:43:03.027677 IP (tos 0x0, ttl  64, id 59245, offset 0, flags [none], length: 40) www.redhat.com.http > wrks-10-4-3-229.ofs..32809: R [tcp sum ok] 0:0(0) ack 824911538 win 0
16:43:03.052581 IP (tos 0x0, ttl  64, id 25164, offset 0, flags [DF], length: 60) wrks-10-4-3-229.ofs..32810 > www.redhat.com.http: SWE [tcp sum ok] 819322181:819322181(0) win 5840 <mss 1460,sackOK,timestamp 900873 0,nop,wscale 0>
16:43:03.052797 IP (tos 0x0, ttl  64, id 43759, offset 0, flags [none], length: 40) www.redhat.com.http > wrks-10-4-3-229.ofs..32810: R [tcp sum ok] 0:0(0) ack 819322182 win 0

I'm not sure why the remote host is sending back an RST. I wonder if it has something to 
do with the DF bit being set on the initial tcp connection for some reason.



Comment 9 Cove Schneider 2004-03-10 03:36:41 UTC
This fixed it for me.

http://marc.theaimsgroup.com/?l=fedora-list&m=107869404102862&w=2

[...]
Cavin, I am very sure it is the known thing with ECN, which is by default
active with the 2.6er Fedora kernels. Set

echo 0 > /proc/sys/net/ipv4/tcp_ecn

and I bet immediately all will work again. To set that fix just edit
/etc/sysctl.conf. To be clear, this is no fault by Linux/Fedora! This is
an issue with badly configured firewalls/routers.
[...]

Comment 10 william Church 2004-03-10 16:43:20 UTC
Yes, this fixed it!!!  NICE
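
The pattern in the Comment 8 trace (a SYN carrying ECE and CWR, printed by tcpdump as `SWE`, answered immediately by an RST) can be picked out of a capture mechanically. The script below is an added example, not part of the original thread; the addresses and the plain-SYN flows in the sample are constructed, and the function names are hypothetical.

```python
import re

# Constructed capture in the old tcpdump text format. The first two packets are
# modelled on Comment 8; the addresses and the later flows are made up.
SAMPLE = """\
16:43:03.027281 IP (tos 0x0, ttl 64, id 39006, offset 0, flags [DF], length: 60) 192.0.2.10.32809 > 198.51.100.7.80: SWE [tcp sum ok] 824911537:824911537(0) win 5840 <mss 1460,sackOK>
16:43:03.027677 IP (tos 0x0, ttl 64, id 59245, offset 0, flags [none], length: 40) 198.51.100.7.80 > 192.0.2.10.32809: R [tcp sum ok] 0:0(0) ack 824911538 win 0
16:43:04.100000 IP 192.0.2.10.32811 > 198.51.100.7.80: S 1000:1000(0) win 5840 <mss 1460>
16:43:04.100400 IP 198.51.100.7.80 > 192.0.2.10.32811: S 5000:5000(0) ack 1001 win 5792 <mss 1460>
16:43:05.200000 IP 192.0.2.10.32812 > 198.51.100.9.8080: S 2000:2000(0) win 5840 <mss 1460>
16:43:05.200300 IP 198.51.100.9.8080 > 192.0.2.10.32812: R 0:0(0) ack 2001 win 0
"""

PKT = re.compile(
    r"^\S+ IP (?:\(.*?\) )?(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+) "
    r".*?(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)

def classify_handshakes(capture):
    """Return one (peer, client, ecn_setup, outcome) tuple per answered SYN."""
    pending, results = {}, []
    for line in capture.splitlines():
        m = PKT.match(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        seq, ack = int(m["seq"]), m["ack"]
        if "S" in flags and ack is None:
            # Initial SYN; an ECN-setup SYN (RFC 3168) sets both ECE (E) and CWR (W).
            pending[(src, dst)] = (seq, "E" in flags and "W" in flags)
        elif (dst, src) in pending and ack is not None:
            syn_seq, ecn = pending[(dst, src)]
            if int(ack) != syn_seq + 1:
                continue  # does not acknowledge the SYN we recorded
            del pending[(dst, src)]
            if "R" in flags:
                results.append((src, dst, ecn, "reset"))
            elif "S" in flags:
                results.append((src, dst, ecn, "accepted"))
    return results

def ecn_reset_peers(capture):
    """Peers that reset ECN-setup SYNs but never reset a plain SYN."""
    ecn_reset, plain_reset = set(), set()
    for peer, _client, ecn, outcome in classify_handshakes(capture):
        if outcome == "reset":
            (ecn_reset if ecn else plain_reset).add(peer)
    return sorted(ecn_reset - plain_reset)
```

A peer that resets a plain SYN as well (the constructed port 8080 flow) is simply refusing connections and is not reported. The persistent form of the workaround quoted in Comment 9 is the line `net.ipv4.tcp_ecn = 0` in /etc/sysctl.conf.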