
Stalled connections [LONG]



Hello!
  Firstly, I'm sorry for this long post.
  Secondly, I'm looking at these packets and don't know how
to move forward to get this fixed. Any help would be great.
Thank you for your time.
  If I try to scp (or ftp) something from computer2 to computer1, the
connection gets stalled. From computer2 to computer1 everything works
well.
  Side question, how can I filter on enc0?
    tcpdump -i enc0 icmp, for example, isn't working. Probably with
-E option... ?
  Computer2 mtu - 1500, Computer1 mtu - 1500
 
  Computer2 command line:
    # scp /etc/pf.conf [email protected]:
      [email protected] password:
      pf.conf                  100% 6375     6.2KB/s   00:00
  and stalled.
  Tcpdump on computer2 - 10.109.131.194 (to computer1 - 10.109.131.193):
    # tcpdump -ttt -vv -n -e -i enc0
tcpdump: WARNING: enc0: no IPv4 address assigned
tcpdump: listening on enc0
Sep 30 10:32:33.519552 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: S [tcp sum ok] 4085587986:4085587986(0) win 16384
<mss 1440,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 1954608808 0>
(ttl 64, id 44747) (ttl 64, id 47067, bad cksum 0! differs by a66d)
Sep 30 10:32:33.529868 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: S [tcp sum ok] 2764859505:2764859505(0) ack
4085587987 win 16384 <mss 1440,nop,nop,sackOK,nop,wscale
0,nop,nop,timestamp 547992565 1954608808> (ttl 64, id 14267) (ttl 64, id
53689)
Sep 30 10:32:33.530082 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: . [tcp sum ok] 1:1(0) ack 1 win 16384
<nop,nop,timestamp 1954608808 547992565> (ttl 64, id 37922) (ttl 64, id
52308, bad cksum 0! differs by 9200)
Sep 30 10:32:33.879754 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: P 1:22(21) ack 1 win 17136 <nop,nop,timestamp
547992565 1954608808> (ttl 64, id 53709) (ttl 64, id 50377)
Sep 30 10:32:33.880625 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 1:21(20) ack 22 win 16384 <nop,nop,timestamp
1954608808 547992565> (ttl 64, id 48208) (ttl 64, id 34138, bad cksum 0!
differs by d8e6)
Sep 30 10:32:33.889197 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: P 22:662(640) ack 21 win 17136 <nop,nop,timestamp
547992565 1954608808> (ttl 64, id 8441) (ttl 64, id 58860)
Sep 30 10:32:33.889399 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 21:661(640) ack 662 win 15744 <nop,nop,timestamp
1954608808 547992565> (ttl 64, id 37050) (ttl 64, id 50894, bad cksum 0!
differs by 9506)
Sep 30 10:32:34.107238 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: . [tcp sum ok] 662:662(0) ack 661 win 17136
<nop,nop,timestamp 547992566 1954608808> (ttl 64, id 32663) (ttl 64, id
2034)
Sep 30 10:32:34.107423 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 661:685(24) ack 662 win 16384 <nop,nop,timestamp
1954608809 547992566> (ttl 64, id 44206) (ttl 64, id 39997, bad cksum 0!
differs by c1ff)
Sep 30 10:32:34.183149 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: P 662:814(152) ack 685 win 17136
<nop,nop,timestamp 547992566 1954608809> (ttl 64, id 33781) (ttl 64, id
11005)
Sep 30 10:32:34.203622 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 685:829(144) ack 814 win 16384 <nop,nop,timestamp
1954608809 547992566> (ttl 64, id 55168) (ttl 64, id 63095, bad cksum 0!
differs by 674d)
Sep 30 10:32:34.252847 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: P 814:1278(464) ack 829 win 17136
<nop,nop,timestamp 547992566 1954608809> (ttl 64, id 2287) (ttl 64, id
29385)
Sep 30 10:32:34.276753 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 829:845(16) ack 1278 win 16384 <nop,nop,timestamp
1954608809 547992566> (ttl 64, id 56166) (ttl 64, id 46068, bad cksum 0!
differs by aa50)
Sep 30 10:32:34.479556 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: . [tcp sum ok] 1278:1278(0) ack 845 win 17136
<nop,nop,timestamp 547992566 1954608809> (ttl 64, id 22490) (ttl 64, id
41918)
Sep 30 10:32:34.479734 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 845:893(48) ack 1278 win 16384 <nop,nop,timestamp
1954608810 547992566> (ttl 64, id 55410) (ttl 64, id 36939, bad cksum 0!
differs by cdd9)
Sep 30 10:32:34.483795 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: P 1278:1326(48) ack 893 win 17136
<nop,nop,timestamp 547992566 1954608810> (ttl 64, id 1755) (ttl 64, id
50889)
Sep 30 10:32:34.484616 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 893:957(64) ack 1326 win 16384 <nop,nop,timestamp
1954608810 547992566> (ttl 64, id 46490) (ttl 64, id 47763, bad cksum 0!
differs by a381)
Sep 30 10:32:34.545318 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: P 1326:1406(80) ack 957 win 17136
<nop,nop,timestamp 547992567 1954608810> (ttl 64, id 52939) (ttl 64, id
40370)
Sep 30 10:32:34.545963 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 957:1053(96) ack 1406 win 16384 <nop,nop,timestamp
1954608810 547992567> (ttl 64, id 33319) (ttl 64, id 44792, bad cksum 0!
differs by aefc)
Sep 30 10:32:34.583024 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: P 1406:1486(80) ack 1053 win 17136
<nop,nop,timestamp 547992567 1954608810> (ttl 64, id 60876) (ttl 64, id
37838)
Sep 30 10:32:34.775096 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: . [tcp sum ok] 1053:1053(0) ack 1486 win 16384
<nop,nop,timestamp 1954608810 547992567> (ttl 64, id 58106) (ttl 64, id
39955, bad cksum 0! differs by c241)
Sep 30 10:32:36.449957 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 1053:1197(144) ack 1486 win 16384
<nop,nop,timestamp 1954608814 547992567> (ttl 64, id 45861) (ttl 64, id
38638, bad cksum 0! differs by c6d6)
Sep 30 10:32:36.513397 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: P 1486:1518(32) ack 1197 win 17136
<nop,nop,timestamp 547992570 1954608814> (ttl 64, id 12743) (ttl 64, id
54148)
Sep 30 10:32:36.514338 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 1197:1261(64) ack 1518 win 16384 <nop,nop,timestamp
1954608814 547992570> (ttl 64, id 37169) (ttl 64, id 43232, bad cksum 0!
differs by b534)
Sep 30 10:32:36.555156 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: P 1518:1566(48) ack 1261 win 17136
<nop,nop,timestamp 547992571 1954608814> (ttl 64, id 64413) (ttl 64, id
59359)
Sep 30 10:32:36.555884 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 1261:1325(64) ack 1566 win 16384 <nop,nop,timestamp
1954608814 547992571> [tos 0x8] (ttl 64, id 53639) [tos 0x8] (ttl 64, id
41599, bad cksum 0! differs by bb8d)
Sep 30 10:32:36.564305 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: P 1566:1614(48) ack 1325 win 17136
<nop,nop,timestamp 547992571 1954608814> [tos 0x8] (ttl 64, id 15502)
[tos 0x8] (ttl 64, id 61069)
Sep 30 10:32:36.755095 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: . [tcp sum ok] 1325:1325(0) ack 1614 win 16384
<nop,nop,timestamp 1954608814 547992571> [tos 0x8] (ttl 64, id 52882)
[tos 0x8] (ttl 64, id 62656, bad cksum 0! differs by 698c)
Sep 30 10:32:36.760057 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: P 1614:1662(48) ack 1325 win 17136
<nop,nop,timestamp 547992571 1954608814> [tos 0x8] (ttl 64, id 20437)
[tos 0x8] (ttl 64, id 48361)
Sep 30 10:32:36.761331 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 1325:1389(64) ack 1662 win 16384 <nop,nop,timestamp
1954608814 547992571> [tos 0x8] (ttl 64, id 38087) [tos 0x8] (ttl 64, id
36060, bad cksum 0! differs by d130)
Sep 30 10:32:36.803354 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: P 1662:1710(48) ack 1389 win 17136
<nop,nop,timestamp 547992571 1954608814> [tos 0x8] (ttl 64, id 20177)
[tos 0x8] (ttl 64, id 48536)
Sep 30 10:32:36.825672 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: . 1389:2817(1428) ack 1710 win 16384
<nop,nop,timestamp 1954608814 547992571> [tos 0x8] (ttl 64, id 60913)
[tos 0x8] (ttl 64, id 50719, bad cksum 0! differs by 9299)
Sep 30 10:32:36.825843 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: . 2817:4245(1428) ack 1710 win 16384
<nop,nop,timestamp 1954608814 547992571> [tos 0x8] (ttl 64, id 54092)
[tos 0x8] (ttl 64, id 48662, bad cksum 0! differs by 9aa2)
Sep 30 10:32:36.825983 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: . 4245:5673(1428) ack 1710 win 16384
<nop,nop,timestamp 1954608814 547992571> [tos 0x8] (ttl 64, id 50803)
[tos 0x8] (ttl 64, id 57590, bad cksum 0! differs by 77c2)
Sep 30 10:32:36.826106 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: . 5673:7101(1428) ack 1710 win 16384
<nop,nop,timestamp 1954608814 547992571> [tos 0x8] (ttl 64, id 45102)
[tos 0x8] (ttl 64, id 38837, bad cksum 0! differs by c103)
Sep 30 10:32:36.826217 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: P 7101:7821(720) ack 1710 win 16384
<nop,nop,timestamp 1954608814 547992571> [tos 0x8] (ttl 64, id 60453)
[tos 0x8] (ttl 64, id 40150, bad cksum 0! differs by bea6)
Sep 30 10:32:36.849066 (authentic,confidential): SPI 0xc9ad4d06:
10.109.131.193 > 10.109.131.194: 10.109.131.193.22 >
10.109.131.194.44860: . [tcp sum ok] 1710:1710(0) ack 1389 win 17136
<nop,nop,timestamp 547992571 1954608814,nop,nop,sack 1 {7101:7821} >
[tos 0x8] (ttl 64, id 20907) [tos 0x8] (ttl 64, id 54478)
--- begin of problem(?) ---
Sep 30 10:32:37.825114 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: . 1389:2817(1428) ack 1710 win 16384
<nop,nop,timestamp 1954608816 547992571> [tos 0x8] (ttl 64, id 33936)
[tos 0x8] (ttl 64, id 58729, bad cksum 0! differs by 734f)
Sep 30 10:32:39.825115 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: . 1389:2817(1428) ack 1710 win 16384
<nop,nop,timestamp 1954608820 547992571> [tos 0x8] (ttl 64, id 53241)
[tos 0x8] (ttl 64, id 49811, bad cksum 0! differs by 9625)
Sep 30 10:32:43.825129 (authentic,confidential): SPI 0x1ce0bb63:
10.109.131.194 > 10.109.131.193: 10.109.131.194.44860 >
10.109.131.193.22: . 1389:2817(1428) ack 1710 win 16384
<nop,nop,timestamp 1954608828 547992571> [tos 0x8] (ttl 64, id 61720)
[tos 0x8] (ttl 64, id 37424, bad cksum 0! differs by c688)
^C
40 packets received by filter
0 packets dropped by kernel
  <computer1 OpenBSD 3.6 snapshot (probably 2 weeks old)>
       |  wi0
       |
       |  IPsec
       |
       |  wi0
  <computer2 OpenBSD current (probably 1 week old)>
  computer1
  ---------
    pf.conf:
set loginterface wi2
set optimization aggressive
scrub in all no-df
scrub out all no-df random-id max-mss 1440
pass all
pass quick on enc0
block in log on wi1 from wi1:network
pass in on wi1 from { 10.109.131.65 }
block in log on wi3 from wi3:network
pass in on wi3 from { 10.109.131.136, 10.109.131.131, 10.109.131.132 }
block quick on { wi0, wi1, wi2, wi3, wi4 } proto { tcp, udp } from any \
        to any port { 137, 138, 139, 445, 135, 111 }
  computer2
  ---------
    pf.conf:
ext_if="wi0"
int_if="rl0"
set loginterface wi0
set optimization normal
# Normalization: reassemble fragments and resolve or reduce traffic
# ambiguities.
# scrub in all
scrub in on $ext_if all no-df
scrub out on $ext_if all no-df random-id max-mss 1440
scrub in on enc0 all no-df
scrub out on enc0 all no-df
scrub in on $int_if all no-df
scrub out on $int_if all no-df random-id
# Queueing: rule-based bandwidth control.
# WI-FI
altq on $ext_if priq bandwidth 3.5Mb queue { ext0_std, ext0_web, ext0_dns, \
        ext0_ftp, ext0_jabber, ext0_tcp_ack }
queue ext0_std priq(default)
queue ext0_ftp priority 6
queue ext0_web priority 7
queue ext0_jabber priority 8
queue ext0_dns priority 9
queue ext0_tcp_ack priority 10
# ETHERNET
altq on $int_if cbq bandwidth 100Mb queue { int0_dae, int0_mis, int0_wil, \
        int0_sch, int0_and, int0_others }
queue int0_dae bandwidth 500Kb cbq(borrow)
queue int0_mis bandwidth 500Kb cbq(borrow)
queue int0_wil bandwidth 500Kb cbq(borrow)
queue int0_sch bandwidth 500Kb cbq(borrow)
queue int0_and bandwidth 500Kb cbq(borrow)
queue int0_others bandwidth 97.5Mb cbq(default)
rdr pass on $int_if proto tcp from 10.109.0.0/16 to 10.109.0.0/16 port ftp \
        -> 127.0.0.1 port 8021
rdr pass on enc0 proto tcp from 10.109.0.0/16 to 10.109.0.0/16 port ftp \
        -> 127.0.0.1 port 8021
# Default blocking of all packets
block log all
block quick on $ext_if proto { tcp, udp } from any to any \
        port { 111, 135, 137, 138, 139, 445 }
block quick on $int_if proto { tcp, udp } from { 10.109.131.40, \
        10.109.131.43 } to { ($int_if), ($int_if:broadcast), \
        10.109.131.33, 10.109.131.34, 10.109.131.35 } \
        port { 111, 135, 137, 138, 139, 445 }
pass quick on lo0 all
# ETHERNET #
# -------- #
pass in on $int_if from any to any \
        flags S/SA keep state queue int0_others
pass in on $int_if from 10.109.131.33 to any \
        flags S/SA keep state queue int0_dae
pass in on $int_if from 10.109.131.34 to any \
        flags S/SA keep state queue int0_mis
pass in on $int_if from 10.109.131.35 to any \
        flags S/SA keep state queue int0_wil
pass in on $int_if from 10.109.131.40 to any \
        flags S/SA keep state queue int0_sch
pass in on $int_if from 10.109.131.43 to any \
        flags S/SA keep state queue int0_and
pass out on $int_if from any to any \
        flags S/SA keep state queue int0_others
pass out on $int_if from any to 10.109.131.33 \
        flags S/SA keep state queue int0_dae
pass out on $int_if from any to 10.109.131.34 \
        flags S/SA keep state queue int0_mis
pass out on $int_if from any to 10.109.131.35 \
        flags S/SA keep state queue int0_wil
pass out on $int_if from any to 10.109.131.40 \
        flags S/SA keep state queue int0_sch
pass out on $int_if from any to 10.109.131.43 \
        flags S/SA keep state queue int0_and
# WI-FI #
# ----- #
# SSH
pass in quick on $ext_if proto { tcp, udp } from any to ($ext_if) port 22 \
        flags S/SA keep state
# ISAKMPd
pass in quick on $ext_if inet proto udp from 10.109.131.193 \
        to 10.109.131.194 port 500 keep state
pass out quick on $ext_if inet proto udp from 10.109.131.194 \
        to 10.109.131.193 port 500 keep state
pass out quick on $ext_if proto esp from 10.109.131.194 \
        to 10.109.131.193 keep state
pass in quick on $ext_if proto esp from 10.109.131.193 \
        to 10.109.131.194 keep state
pass in on enc0 proto ipencap from 10.109.131.193 to 10.109.131.194 \
        keep state
# ICMP
pass in quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
# Encrypted traffic
pass in on enc0 proto tcp from any to any flags S/SA keep state \
        queue(ext0_std, ext0_tcp_ack) label wi0_std_l
pass in on enc0 proto { udp, icmp } from any to any \
        keep state queue ext0_udp_icmp_l label wi0_udp_icmp_l
pass in on enc0 proto tcp from any to any port 80 flags S/SA \
        keep state queue ext0_web label wi0_web_l
pass in on enc0 proto tcp from any port 80 to any flags S/SA \
        keep state queue ext0_web label wi0_web_l
pass in on enc0 proto tcp from any to any port { 20, 21, >49151 } \
        flags S/SA keep state queue ext0_ftp label wi0_ftp_l
pass in on enc0 proto tcp from any port { 20, 21, >49151 } to any \
        flags S/SA keep state queue ext0_ftp label wi0_ftp_l
pass in on enc0 proto tcp from any to any user proxy flags S/SA \
        keep state queue ext0_ftp label wi0_ftp_l
pass in on enc0 proto { tcp, udp } from any to any port domain \
        flags S/SA keep state queue ext0_dns label wi0_dns_l
pass in on enc0 proto tcp from any to any port { 5222, 5223 } \
        flags S/SA keep state queue ext0_jabber label wi0_jabber_l
pass out on enc0 proto tcp from any to any flags S/SA keep state \
        queue(ext0_std, ext0_tcp_ack) label wi0_std_l
pass out on enc0 proto { udp, icmp } from any to any \
        keep state queue ext0_udp_icmp_l label wi0_udp_icmp_l
pass out on enc0 proto tcp from any to any port 80 flags S/SA \
        keep state queue ext0_web label wi0_web_l
pass out on enc0 proto tcp from any port 80 to any flags S/SA \
        keep state queue ext0_web label wi0_web_l
pass out on enc0 proto tcp from any to any port { 20, 21, >49151 } \
        flags S/SA keep state queue ext0_ftp label wi0_ftp_l
pass out on enc0 proto tcp from any port { 20, 21, >49151 } to any \
        flags S/SA keep state queue ext0_ftp label wi0_ftp_l
pass out on enc0 proto tcp from any to any user proxy flags S/SA \
        keep state queue ext0_ftp label wi0_ftp_l
pass out on enc0 proto { tcp, udp } from any to any port domain \
        flags S/SA keep state queue ext0_dns label wi0_dns_l
pass out on enc0 proto tcp from any to any port { 5222, 5223 } \
        flags S/SA keep state queue ext0_jabber label wi0_jabber_l
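
Added example, not part of the original post: one way to summarise an enc0 trace like the one above is to list which inner TCP segments were sent more than once, at what intervals, and which ones the peer acknowledged by SACK. The function name `analyze`, the regular expressions and the sample records (abridged from the trace above and re-joined to one record per line) are assumptions made for this sketch.

```python
import re
from collections import defaultdict

# Constructed sample: records abridged from the trace above, one per line
# (the mail wrapped them); TCP options other than SACK are dropped.
OUT = ("(authentic,confidential): SPI 0x1ce0bb63: 10.109.131.194 > "
       "10.109.131.193: 10.109.131.194.44860 > 10.109.131.193.22: ")
IN = ("(authentic,confidential): SPI 0xc9ad4d06: 10.109.131.193 > "
      "10.109.131.194: 10.109.131.193.22 > 10.109.131.194.44860: ")
SAMPLE = [
    "Sep 30 10:32:36.825672 " + OUT + ". 1389:2817(1428) ack 1710 win 16384",
    "Sep 30 10:32:36.825843 " + OUT + ". 2817:4245(1428) ack 1710 win 16384",
    "Sep 30 10:32:36.826217 " + OUT + "P 7101:7821(720) ack 1710 win 16384",
    "Sep 30 10:32:36.849066 " + IN + ". [tcp sum ok] 1710:1710(0) ack 1389 "
    "win 17136 <nop,nop,sack 1 {7101:7821} >",
    "Sep 30 10:32:37.825114 " + OUT + ". 1389:2817(1428) ack 1710 win 16384",
    "Sep 30 10:32:39.825115 " + OUT + ". 1389:2817(1428) ack 1710 win 16384",
    "Sep 30 10:32:43.825129 " + OUT + ". 1389:2817(1428) ack 1710 win 16384",
]

TIME = re.compile(r"(\d\d):(\d\d):(\d\d\.\d+)")
# Inner TCP header: "src.port > dst.port: FLAGS [tcp sum ok] start:end(len)"
SEG = re.compile(
    r"(\S+) > (\S+): [SFPR.]+ (?:\[tcp sum ok\] )?(\d+):(\d+)\((\d+)\)")
SACK = re.compile(r"\{(\d+):(\d+)\s*\}")


def analyze(records):
    """Return segments sent more than once (with the gaps between sends)
    and segments sent once that the peer reported in a SACK block."""
    sent = defaultdict(list)    # (src, start, end) -> send times in seconds
    sacked = defaultdict(set)   # data sender -> ranges SACKed by its peer
    for rec in records:
        t, seg = TIME.search(rec), SEG.search(rec)
        if not (t and seg):
            continue            # not a TCP-in-ESP record we understand
        h, m, s = t.groups()
        now = int(h) * 3600 + int(m) * 60 + float(s)
        src, dst, start, end, length = seg.groups()
        if int(length) > 0:
            sent[(src, int(start), int(end))].append(now)
        for a, b in SACK.findall(rec):
            sacked[dst].add((int(a), int(b)))
    report = {"retransmitted": {}, "sacked": {}}
    for (src, start, end), times in sent.items():
        if len(times) > 1:
            gaps = [round(b - a, 1) for a, b in zip(times, times[1:])]
            report["retransmitted"][(src, start, end)] = {
                "len": end - start, "gaps": gaps}
        elif (start, end) in sacked[src]:
            report["sacked"][(src, start, end)] = end - start
    return report


if __name__ == "__main__":
    print(analyze(SAMPLE))
```

On these records it reports the 1428-byte segment 1389:2817 re-sent after about 1, 2 and 4 seconds, while the 720-byte segment 7101:7821 was SACKed by the peer.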