Bug 116401
Summary: | Internet & FTP refused. (The connection was refused when attempting...) | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | william Church <wchurch1> |
Component: | system-config-network | Assignee: | Harald Hoyer <harald> |
Status: | CLOSED NOTABUG | CC: | cove |
Severity: | medium | Priority: | high |
Version: | rawhide | Doc Type: | Bug Fix |
Hardware: | i586 | OS: | Linux |
Last Closed: | 2004-03-05 10:37:27 UTC | | |
Description
william Church
2004-02-20 19:09:40 UTC
do you have a firewall installed? No firewall, Iptables off. All outside traffic is refused when connecting. I am behind company firewall and proxy. This issue doesn't exist behind other locations, only at work. (works with 2.4 kernel) but not 2.6. Kernel module or driver config.??

err... neither kernel nor network configuration changed this much... are you sure, intranet works? have you set the default gateway (default route) ???

Yes the default route is correct. I can ping external websites. It just seems to me like there is some kind of security in the kernel putting a little extra garbage on the packets and our firewall is stopping the traffic (but it's letting icmp packets through)??? Here is a sample tcpdump trying to connect to mozilla.org. Don't know if this will help or not, but you can see where it fails.

14:53:45.336435 IP 10.26.3.59.32783 > cncdc1.jdedwards.com.domain: 49055+ PTR? 70.3.26.10.in-addr.arpa. (41)
14:53:45.336703 arp who-has 10.26.3.59 tell cncdc1.jdedwards.com
14:53:45.336737 arp reply 10.26.3.59 is-at 00:03:47:b8:b1:a9
14:53:45.336893 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32783: 49055* 1/0/0 PTR[|domain]
14:53:45.349434 IP 10.26.3.59.32783 > cncdc1.jdedwards.com.domain: 49056+ PTR? 128.2.26.10.in-addr.arpa. (42)
14:53:49.848859 IP 10.26.3.59.32783 > cncdc1.jdedwards.com.domain: 49057+ PTR? 60.2.26.10.in-addr.arpa. (41)
14:53:49.849188 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32783: 49057* 1/0/0 PTR[|domain]
14:53:49.849524 IP 10.26.3.59.32783 > cncdc1.jdedwards.com.domain: 49058+ PTR? 59.3.26.10.in-addr.arpa. (41)
14:53:49.849813 IP cncdc1.jdedwards.com.netbios-ns > 10.26.3.59.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
14:53:49.849854 IP 10.26.3.59 > cncdc1.jdedwards.com: icmp 86: 10.26.3.59 udp port netbios-ns unreachable
14:53:51.347484 IP 10.26.3.59 > cncdc1.jdedwards.com: icmp 86: 10.26.3.59 udp port netbios-ns unreachable
14:53:51.468676 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 34359+ AAAA? www.mozilla.org. (33)
14:53:51.531028 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 34360+ A? www.mozilla.org. (33)
14:53:51.532100 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 48848+ PTR? 202.111.126.207.in-addr.arpa. (46)
14:53:54.352563 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 49059+ PTR? 255.3.26.10.in-addr.arpa. (42)
14:53:54.352717 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32784: 49059 ServFail* 0/0/0 (42)
14:53:54.352841 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 49059+ PTR? 255.3.26.10.in-addr.arpa. (42)
14:53:54.352927 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32784: 49059 ServFail* 0/0/0 (42)
14:53:54.353642 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 49060+ PTR? 39.3.26.10.in-addr.arpa. (41)
14:53:54.354265 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 49061+ PTR? 97.34.236.64.in-addr.arpa. (43)
14:53:54.354540 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32784: 49061 NXDomain 0/1/0 (109)
14:53:54.354948 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 49062+ PTR? 10.0.0.224.in-addr.arpa. (41)
14:53:54.355049 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32784: 49062 1/0/0 PTR[|domain]

Sorry, no extra security... you get the IP of www.mozilla.org

14:53:51.531028 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 34360+ A? www.mozilla.org. (33)
14:53:51.532100 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 48848+ PTR? 202.111.126.207.in-addr.arpa. (46)
14:53:54.352563 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 49059+ PTR? 255.3.26.10.in-addr.arpa. (42)

But, in your tcpdump there is no attempt to contact the webserver... Please discuss this on the fedora-test list... this must be some kind of misconfiguration... not a bug of system-config-network...

http://www.redhat.com/mailman/listinfo/fedora-test-list

I seem to be having the same problem. Here's a better trace:

16:43:03.027281 IP (tos 0x0, ttl 64, id 39006, offset 0, flags [DF], length: 60) wrks-10-4-3-229.ofs..32809 > www.redhat.com.http: SWE [tcp sum ok] 824911537:824911537(0) win 5840 <mss 1460,sackOK,timestamp 900847 0,nop,wscale 0>
16:43:03.027677 IP (tos 0x0, ttl 64, id 59245, offset 0, flags [none], length: 40) www.redhat.com.http > wrks-10-4-3-229.ofs..32809: R [tcp sum ok] 0:0(0) ack 824911538 win 0
16:43:03.052581 IP (tos 0x0, ttl 64, id 25164, offset 0, flags [DF], length: 60) wrks-10-4-3-229.ofs..32810 > www.redhat.com.http: SWE [tcp sum ok] 819322181:819322181(0) win 5840 <mss 1460,sackOK,timestamp 900873 0,nop,wscale 0>
16:43:03.052797 IP (tos 0x0, ttl 64, id 43759, offset 0, flags [none], length: 40) www.redhat.com.http > wrks-10-4-3-229.ofs..32810: R [tcp sum ok] 0:0(0) ack 819322182 win 0

I'm not sure why the remote host is sending back an RST. I wonder if it has something to do with the DF bit being set on the initial tcp connection for some reason.

This fixed it for me.

http://marc.theaimsgroup.com/?l=fedora-list&m=107869404102862&w=2

[...]

Cavin, I am very sure it is the known thing with ECN, which is by default active with the 2.6er Fedora kernels. Set echo 0 > /proc/sys/net/ipv4/tcp_ecn and i bet immediately all will work again. To set that fix just edit /etc/sysctl.conf. To be clear, this is no fault by Linux/Fedora! this is an issue with badly configured firewalls/routers.

[...]

Yes, this fixed it!!! NICE
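
The symptom diagnosed in the thread can be picked out of a capture mechanically: in this old `tcpdump -v` output the flag string `SWE` is a SYN with CWR and ECE set (an ECN-setup SYN), and each one in the second trace is answered by an `R`. The following is an added example, not part of the original bug report; the function names are hypothetical, the first four sample lines are the trace quoted above, and the last two are a constructed control.

```python
import re

# Old-style `tcpdump -v` TCP line: "<time> IP (<ip hdr>) src > dst: FLAGS ..."
# Flag letters: S=SYN R=RST W=CWR E=ECE; "SWE" is an ECN-setup SYN (RFC 3168).
LINE = re.compile(r"^(\S+) IP \(.*?\) (\S+) > (\S+): ([SFPRWE.]+) ")

# First four lines: the trace quoted in the thread. Last two: constructed
# control, a plain (non-ECN) SYN that is reset, which must not be reported.
TRACE = """\
16:43:03.027281 IP (tos 0x0, ttl 64, id 39006, offset 0, flags [DF], length: 60) wrks-10-4-3-229.ofs..32809 > www.redhat.com.http: SWE [tcp sum ok] 824911537:824911537(0) win 5840 <mss 1460,sackOK,timestamp 900847 0,nop,wscale 0>
16:43:03.027677 IP (tos 0x0, ttl 64, id 59245, offset 0, flags [none], length: 40) www.redhat.com.http > wrks-10-4-3-229.ofs..32809: R [tcp sum ok] 0:0(0) ack 824911538 win 0
16:43:03.052581 IP (tos 0x0, ttl 64, id 25164, offset 0, flags [DF], length: 60) wrks-10-4-3-229.ofs..32810 > www.redhat.com.http: SWE [tcp sum ok] 819322181:819322181(0) win 5840 <mss 1460,sackOK,timestamp 900873 0,nop,wscale 0>
16:43:03.052797 IP (tos 0x0, ttl 64, id 43759, offset 0, flags [none], length: 40) www.redhat.com.http > wrks-10-4-3-229.ofs..32810: R [tcp sum ok] 0:0(0) ack 819322182 win 0
16:43:05.000100 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], length: 60) client.example.40000 > server.example.http: S [tcp sum ok] 1000:1000(0) win 5840 <mss 1460>
16:43:05.000900 IP (tos 0x0, ttl 64, id 2, offset 0, flags [none], length: 40) server.example.http > client.example.40000: R [tcp sum ok] 0:0(0) ack 1001 win 0
"""

def micros(ts):
    """'16:43:03.027281' -> microseconds since midnight."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1_000_000 + int(frac)

def ecn_syn_resets(trace):
    """List (client, server, rst_delay_us) for ECN-setup SYNs answered by RST."""
    pending, hits = {}, []   # pending: (client, server) -> time of the SYN
    for line in trace.splitlines():
        m = LINE.match(line)
        if not m:
            continue          # not a TCP line in the expected format
        ts, src, dst, flags = m.groups()
        if {"S", "W", "E"} <= set(flags):
            pending[(src, dst)] = micros(ts)
        elif "R" in flags and (dst, src) in pending:
            hits.append((dst, src, micros(ts) - pending.pop((dst, src))))
    return hits

if __name__ == "__main__":
    for client, server, delay in ecn_syn_resets(TRACE):
        print(f"{client} -> {server}: ECN-setup SYN reset after {delay} us")
```

On the quoted trace both connection attempts are reported, with the RST arriving 396 and 216 microseconds after the SYN.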