Bug 116401 - Internet & FTP refused. (The connection was refused when attempting...)
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: system-config-network
Version: rawhide
Hardware: i586 Linux
Priority: high
Severity: medium
Assigned To: Harald Hoyer
Reported: 2004-02-20 14:09 EST by william Church
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-03-05 05:37:27 EST
Description william Church 2004-02-20 14:09:40 EST
Description of problem:
Intranet works, can ping outside internet, but refused when trying
with browser.  Issue with 2.6 kernel, did have Core 1 installed, no
problem...upgraded to 2.6 kernel--internet browsing, no work, same
issue having now with Core 2 installed.

Version-Release number of selected component (if applicable):
Fedora Core 2

How reproducible:
Every instance.

Comment 1 Harald Hoyer 2004-03-04 09:04:02 EST
Do you have a firewall installed?
Comment 2 william Church 2004-03-04 09:49:30 EST
No firewall, iptables off.  All outside traffic is refused when
connecting.   I am behind company firewall and proxy.  This issue
doesn't exist behind other locations, only at work.  (works with 2.4
kernel) but not 2.6.  Kernel module or driver config.?? 
Comment 3 Harald Hoyer 2004-03-04 10:57:04 EST
Err... neither kernel nor network configuration changed this much...
Are you sure intranet works? Have you set the default gateway
(default route)???
Comment 4 william Church 2004-03-04 14:56:55 EST
Yes, the default route is correct.  I can ping external websites.  It
just seems to me like there is some kind of security in the kernel
putting a little extra garbage on the packets and our firewall is
stopping the traffic (but it's letting icmp packets through)???  


Here is a sample tcpdump trying to connect to mozilla.org. Don't know
if this will help or not, but you can see where it fails. 

14:53:45.336435 IP 10.26.3.59.32783 > cncdc1.jdedwards.com.domain: 
49055+ PTR? 70.3.26.10.in-addr.arpa. (41)
14:53:45.336703 arp who-has 10.26.3.59 tell cncdc1.jdedwards.com
14:53:45.336737 arp reply 10.26.3.59 is-at 00:03:47:b8:b1:a9
14:53:45.336893 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32783: 
49055* 1/0/0 PTR[|domain]
14:53:45.349434 IP 10.26.3.59.32783 > cncdc1.jdedwards.com.domain: 
49056+ PTR? 128.2.26.10.in-addr.arpa. (42)
14:53:49.848859 IP 10.26.3.59.32783 > cncdc1.jdedwards.com.domain: 
49057+ PTR? 60.2.26.10.in-addr.arpa. (41)
14:53:49.849188 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32783: 
49057* 1/0/0 PTR[|domain]
14:53:49.849524 IP 10.26.3.59.32783 > cncdc1.jdedwards.com.domain: 
49058+ PTR? 59.3.26.10.in-addr.arpa. (41)
14:53:49.849813 IP cncdc1.jdedwards.com.netbios-ns >
10.26.3.59.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
14:53:49.849854 IP 10.26.3.59 > cncdc1.jdedwards.com: icmp 86:
10.26.3.59 udp port netbios-ns unreachable
14:53:51.347484 IP 10.26.3.59 > cncdc1.jdedwards.com: icmp 86:
10.26.3.59 udp port netbios-ns unreachable
14:53:51.468676 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
34359+ AAAA? www.mozilla.org. (33)
14:53:51.531028 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
34360+ A? www.mozilla.org. (33)
14:53:51.532100 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
48848+ PTR? 202.111.126.207.in-addr.arpa. (46)
14:53:54.352563 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
49059+ PTR? 255.3.26.10.in-addr.arpa. (42)
14:53:54.352717 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32784: 
49059 ServFail* 0/0/0 (42)
14:53:54.352841 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
49059+ PTR? 255.3.26.10.in-addr.arpa. (42)
14:53:54.352927 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32784: 
49059 ServFail* 0/0/0 (42)
14:53:54.353642 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
49060+ PTR? 39.3.26.10.in-addr.arpa. (41)
14:53:54.354265 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
49061+ PTR? 97.34.236.64.in-addr.arpa. (43)
14:53:54.354540 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32784: 
49061 NXDomain 0/1/0 (109)
14:53:54.354948 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
49062+ PTR? 10.0.0.224.in-addr.arpa. (41)
14:53:54.355049 IP cncdc1.jdedwards.com.domain > 10.26.3.59.32784: 
49062 1/0/0 PTR[|domain]
Comment 6 Harald Hoyer 2004-03-05 05:36:06 EST
Sorry, no extra security... you get the IP of www.mozilla.org

14:53:51.531028 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
34360+ A? www.mozilla.org. (33)
14:53:51.532100 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
48848+ PTR? 202.111.126.207.in-addr.arpa. (46)
14:53:54.352563 IP 10.26.3.59.32784 > cncdc1.jdedwards.com.domain: 
49059+ PTR? 255.3.26.10.in-addr.arpa. (42)

But, in your tcpdump there is no attempt to contact the webserver...
Comment 7 Harald Hoyer 2004-03-05 05:37:27 EST
Please discuss this on the fedora-test list... this must be some kind
of misconfiguration... not a bug of system-config-network...

http://www.redhat.com/mailman/listinfo/fedora-test-list
Comment 8 Cove Schneider 2004-03-09 19:53:06 EST
I seem to be having the same problem. Here's a better trace:

16:43:03.027281 IP (tos 0x0, ttl  64, id 39006, offset 0, flags [DF], length: 60) wrks-10-4-3-229.ofs..32809 > www.redhat.com.http: SWE [tcp sum ok] 824911537:824911537(0) win 5840 <mss 1460,sackOK,timestamp 900847 0,nop,wscale 0>
16:43:03.027677 IP (tos 0x0, ttl  64, id 59245, offset 0, flags [none], length: 40) www.redhat.com.http > wrks-10-4-3-229.ofs..32809: R [tcp sum ok] 0:0(0) ack 824911538 win 0
16:43:03.052581 IP (tos 0x0, ttl  64, id 25164, offset 0, flags [DF], length: 60) wrks-10-4-3-229.ofs..32810 > www.redhat.com.http: SWE [tcp sum ok] 819322181:819322181(0) win 5840 <mss 1460,sackOK,timestamp 900873 0,nop,wscale 0>
16:43:03.052797 IP (tos 0x0, ttl  64, id 43759, offset 0, flags [none], length: 40) www.redhat.com.http > wrks-10-4-3-229.ofs..32810: R [tcp sum ok] 0:0(0) ack 819322182 win 0

I'm not sure why the remote host is sending back an RST. I wonder if it has something to 
do with the DF bit being set on the initial tcp connection for some reason.

Comment 9 Cove Schneider 2004-03-09 22:36:41 EST
This fixed it for me.

http://marc.theaimsgroup.com/?l=fedora-list&m=107869404102862&w=2

[...]
Cavin, I am very sure it is the known thing with ECN, which is by default
active with the 2.6er Fedora kernels. Set

echo 0 > /proc/sys/net/ipv4/tcp_ecn

and I bet immediately all will work again. To set that fix just edit
/etc/sysctl.conf. To be clear, this is no fault by Linux/Fedora! This is
an issue with badly configured firewalls/routers.
[...]
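
Added example, not part of the original thread: a small Python check for the pattern visible in Comment 8's trace, where a SYN carrying the ECN bits (tcpdump flags SWE, i.e. SYN+CWR+ECE) is answered by a RST that acknowledges it. The function name, the shortened IP header details and the last two control packets are constructed for illustration; the ports, sequence numbers and flags of the first four packets are those from Comment 8.

```python
import re

# Old-style "tcpdump -v" TCP line, as printed in Comment 8:
#   src > dst: FLAGS [tcp sum ok] seq:seq(len) [ack N] win ...
# Flag letters: S=SYN, R=RST, W=CWR, E=ECE (W and E are the TCP ECN bits).
PKT = re.compile(
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+) "
    r"(?:\[[^\]]*\] )?(?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)

def find_ecn_resets(lines):
    """Return (client, server) flows whose ECN-setup SYN was answered by a RST."""
    pending = {}  # (client, server) -> initial sequence number of the ECN SYN
    hits = []
    for line in lines:
        m = PKT.search(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        if "S" in flags and m["ack"] is None:
            # Client SYN: track it only if both ECE and CWR are set (RFC 3168).
            if "E" in flags and "W" in flags:
                pending[(src, dst)] = int(m["seq"])
            continue
        isn = pending.pop((dst, src), None)
        # A RST acknowledging ISN+1 is the refusal of exactly that SYN.
        if isn is not None and "R" in flags and m["ack"] and int(m["ack"]) == isn + 1:
            hits.append((dst, src))
    return hits

C, S = "wrks-10-4-3-229.ofs.", "www.redhat.com.http"
TRACE = [
    # Packets from Comment 8, IP header details shortened.
    f"16:43:03.027281 IP (flags [DF]) {C}.32809 > {S}: SWE [tcp sum ok] 824911537:824911537(0) win 5840",
    f"16:43:03.027677 IP (flags [none]) {S} > {C}.32809: R [tcp sum ok] 0:0(0) ack 824911538 win 0",
    f"16:43:03.052581 IP (flags [DF]) {C}.32810 > {S}: SWE [tcp sum ok] 819322181:819322181(0) win 5840",
    f"16:43:03.052797 IP (flags [none]) {S} > {C}.32810: R [tcp sum ok] 0:0(0) ack 819322182 win 0",
    # Constructed control: a SYN without ECN bits that gets a normal SYN-ACK.
    f"16:43:09.000001 IP (flags [DF]) {C}.32811 > {S}: S [tcp sum ok] 1000:1000(0) win 5840",
    f"16:43:09.000400 IP (flags [DF]) {S} > {C}.32811: S [tcp sum ok] 2000:2000(0) ack 1001 win 5792",
]

if __name__ == "__main__":
    for client, server in find_ecn_resets(TRACE):
        print(f"ECN-setup SYN from {client} to {server} was reset")
```

A flow reported here while a plain S SYN to the same server is accepted matches the diagnosis quoted in Comment 9: a firewall or router on the path rejecting ECN-setup SYNs, which the tcp_ecn setting works around.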
Comment 10 william Church 2004-03-10 11:43:20 EST
Yes, this fixed it!!!  NICE
