Re: dtrace to trace incoming connection not suceeding ?

Reply: Kurt Jaeger : "Workaround: Re: dtrace to trace incoming connection not suceeding ?"
In reply to: Andrey V. Elsukov: "Re: dtrace to trace incoming connection not suceeding ?"
Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: Kurt Jaeger <pi_at_freebsd.org>
Date: Sun, 14 Nov 2021 17:41:16 UTC

Hi!

> > There's one small diff between the two that I do not understand:
> > 
> > -       18040 times no signature provided by segment
> > +       18045 times no signature provided by segment
> 
> This means, that received TCP segment has not TCP-MD5 signature, but
> listen socket expects it. Such SYN segment will be dropped by syncache
> code. Probably your BGP daemon configured to use TCP-MD5 for connection,
> but remote side does not.

Thanks, that might be another possible cause.

This happened on iBGP sessions where I control both sides
or on eBGP sessions, where I also control both sides (and both
run on FreeBSD). I did not change the frr config during updates,
so I did not expect this to break.

Maybe frr on newer FreeBSD versions handles the tcp-md5 case in some
invalid way. That might be the case and this probably needs to
be analysed.

-- 
pi@FreeBSD.org         +49 171 3101372                  Now what ?