Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 3 product line. The current stable release is 3.9. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 243315

Summary: xinetd connection failures at high rates across firewalls
Product: Red Hat Enterprise Linux 3 Reporter: Need Real Name <wbetts>
Component: xinetdAssignee: Jan Safranek <jsafrane>
Status: CLOSED WONTFIX QA Contact: Brock Organ <borgan>
Severity: high Docs Contact:
Priority: low    
Version: 3.8   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-10-19 18:36:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Need Real Name 2007-06-08 15:10:48 UTC 
Description of problem:

The xinetd for RHEL 3 and RHEL 4 has a bug that causes some connections across
firewalls to be broken.  Two conditions seem to be required for this bug to
actually be noticed:

1.  Opening ~10 or more connections very quickly from a single client to a
single service behind xinetd.  (A delay of ~0.2 seconds between connections
seems to be enough to avoid the problem.)
2.  The client system and xinetd system are separated by (in our case) Cisco
Firewall Service Modules.

We believe this is a xinetd bug primarily because we built xinetd 2.3.14 from
source (with loadavg and libwrap) keeping everything else constant, and our
connection failures stopped.  This "fix" was successful on two servers that
we've upgraded in this way.


Version-Release number of selected component (if applicable):

xinetd-2.3.12-6.3E.2 (on RHEL 3)  (we also saw the problem in xinetd-2.3.12-6.3E
on one node before upgrading to E.2)
xinetd-2.3.13-4.4E.1 (on RHEL 4)


How reproducible:

Very reproducible, but with variable failure rates.

Steps to Reproduce:
1.  Put a Cisco firewall between a client host and a server with a service such
as telnet behind xinetd.  Unfortunately, I don't enough about Cisco firewall
configurations to know if there are specific configurations that are necessary
to observe this problem.
2.  Script a series of ~20 connections from the client to the server to occur as
rapidly as possible within the script.
3.  Watch as a handful of those connections fail (though sometimes they will all
succeed).
4.  The broken connections are especially easy to note in tcpdumps on the
server, in which there will be an exchange of TCP retransmissions and duplicate
ACKs.  The first sign of trouble is a when the server sends a second SYN,ACK
packet.  At this point the connection is for all intents and purposes broken.
   
Actual results:

100% successful connections

Expected results:

Several failed connections (variable between ~50% and 100% successful connections.)

Additional info: 

a question:  is there any reason for Redhat not to build an updated xinetd
package from version 2.3.14?
Comment 1 RHEL Program Management 2007-10-19 18:36:27 UTC 
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.