strange TCP issue on RELENG_7
Mike Tancsa
mike at sentex.net
Fri Aug 22 17:43:17 UTC 2008
On one of our sendmail boxes that we are running RELENG_7, we have
noticed an odd issue triggered or noticed by our monitoring system
(bigbrother in this case). This seems to have been happening ever
since we installed it, so it's not a recent commit issue.
Every 5 min, one of our monitoring stations connects to the box on port 25.
The connection process is pretty simple. It connects and sends a QUIT
and if that works, all is "ok".
Here is a normal exchange
17:44:27.966100 IP 192.168.1.2.59586 > 192.168.1.9.25: S 1590561033:1590561033(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 603180718 0>
17:44:27.966119 IP 192.168.1.9.25 > 192.168.1.2.59586: S 2644498016:2644498016(0) ack 1590561034 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 1701504477 603180718>
17:44:27.966649 IP 192.168.1.2.59586 > 192.168.1.9.25: . ack 1 win 8326 <nop,nop,timestamp 603180719 1701504477>
17:44:27.966664 IP 192.168.1.2.59586 > 192.168.1.9.25: P 1:12(11) ack 1 win 8326 <nop,nop,timestamp 603180719 1701504477>
17:44:27.969087 IP 192.168.1.9.25 > 192.168.1.2.59586: P 1:186(185) ack 12 win 8326 <nop,nop,timestamp 1701504480 603180719>
17:44:27.969119 IP 192.168.1.9.25 > 192.168.1.2.59586: F 186:186(0) ack 12 win 8326 <nop,nop,timestamp 1701504480 603180719>
17:44:27.969642 IP 192.168.1.2.59586 > 192.168.1.9.25: . ack 187 win 8326 <nop,nop,timestamp 603180722 1701504480>
17:44:27.969657 IP 192.168.1.2.59586 > 192.168.1.9.25: F 12:12(0) ack 187 win 8326 <nop,nop,timestamp 603180722 1701504480>
17:44:27.969668 IP 192.168.1.9.25 > 192.168.1.2.59586: . ack 13 win 8325 <nop,nop,timestamp 1701504481 603180722>
But, perhaps twice a day, or once every 2 days, I will see an RST
from the host being monitored for some reason?!
It looks like
17:49:27.496803 IP (tos 0x0, ttl 64, id 8521, offset 0, flags [DF], proto TCP (6), length 60) 199.212.134.2.65013 > 199.212.134.9.25: S, cksum 0xabde (correct), 2204170858:2204170858(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 603480222 0>
17:49:27.496829 IP (tos 0x0, ttl 64, id 42946, offset 0, flags [DF], proto TCP (6), length 60) 199.212.134.9.25 > 199.212.134.2.65013: S, cksum 0xfe09 (correct), 3523370477:3523370477(0) ack 2204170859 win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 625760391 603480222>
17:49:27.497260 IP (tos 0x0, ttl 64, id 8522, offset 0, flags [DF], proto TCP (6), length 52) 199.212.134.2.65013 > 199.212.134.9.25: ., cksum 0x0c4c (correct), 1:1(0) ack 1 win 8326 <nop,nop,timestamp 603480222 625760391>
17:49:27.497268 IP (tos 0x0, ttl 64, id 42948, offset 0, flags [DF], proto TCP (6), length 40) 199.212.134.9.25 > 199.212.134.2.65013: R, cksum 0xe62b (correct), 3523370478:3523370478(0) win 0
17:49:27.497270 IP (tos 0x0, ttl 64, id 8523, offset 0, flags [DF], proto TCP (6), length 63) 199.212.134.2.65013 > 199.212.134.9.25: P, cksum 0xb803 (correct), 1:12(11) ack 1 win 8326 <nop,nop,timestamp 603480222 625760391>
17:49:27.497277 IP (tos 0x0, ttl 64, id 42949, offset 0, flags [DF], proto TCP (6), length 40) 199.212.134.9.25 > 199.212.134.2.65013: R, cksum 0xe62b (correct), 3523370478:3523370478(0) win 0
17:49:34.690828 IP (tos 0x0, ttl 64, id 45325, offset 0, flags [DF], proto TCP (6), length 60) 199.212.134.9.65077 > 199.212.134.2.25: S, cksum 0x3e26 (correct), 2116235846:2116235846(0) win 65535 <mss 1460,nop,wscale 3,sackOK,timestamp 14139033 0>
I don't ever see this on RELENG_6, only on RELENG_7. It doesn't seem to
be load related as I will see it at various times of the day both
busy and quiet and sendmail is not complaining about too many
connections which it will when there are.
192.168.1.2 is the monitoring host running bb and 192.168.1.9 is the
smtp server being tested. I do have pf on the box, but pf isn't set to
send RSTs and I think if there is a state mismatch, it will just drop
the packet and not send the RST. I have tried with and without scrub
but no obvious difference.
Rules are simple
set skip on lo0
scrub in all
block in log on {em0,em1}
pass in on {em0,em1} proto {tcp,udp} from <TRUSTED>
pass in on {em0,em1,lo0} proto tcp from any to any port {25,53,587}
pass in on {em0,em1,lo0} proto udp from any to any port {53}
pass in on {em0,em1} proto icmp from any to any
pass out on {em0,em1} proto {icmp,tcp,udp} from any to any
--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike at sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
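
Added example (not part of the original post or of any FreeBSD code): a Python filter for tcpdump text in the two formats shown above, flagging connections where the listener completes the three-way handshake and then sends an RST before any reply. The sample lines are constructed (documentation addresses, dummy checksums), the function name is hypothetical, and newer tcpdump releases that print "Flags [S]" are assumed out of scope.

```python
import re

# Old-style tcpdump text as in the post: brief ("a > b: S 100:100(0) ...")
# and verbose -v ("IP (tos ...) a > b: S, cksum ...").
PKT = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?:\(.*?\) )?"
                 r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+),? (?P<rest>.*)$")

def find_post_handshake_resets(lines):
    """Return (timestamp, client, server) for every flow where the listener
    completes the three-way handshake and then resets it before replying."""
    state, hits = {}, []      # state: (client, server) -> "syn"/"synack"/"open"
    for line in lines:
        m = PKT.match(line.strip())
        if not m:
            continue
        ts, src, dst, flags = m["ts"], m["src"], m["dst"], m["flags"]
        has_ack = re.search(r"\back \d+", m["rest"]) is not None
        if "S" in flags and not has_ack:               # client SYN
            state[(src, dst)] = "syn"
        elif "S" in flags:                             # listener SYN-ACK
            if state.get((dst, src)) == "syn":
                state[(dst, src)] = "synack"
        elif "R" in flags:                             # reset from either side
            if state.pop((dst, src), None) == "open":  # sent by the listener
                hits.append((ts, dst, src))
            state.pop((src, dst), None)
        elif state.get((src, dst)) == "synack":        # client ACK: established
            state[(src, dst)] = "open"
        elif state.get((dst, src)) == "open":          # listener replied normally
            del state[(dst, src)]
    return hits

V = "IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto TCP (6), length 60)"
# Constructed sample: one normal probe (brief format), one reset probe (verbose).
SAMPLE = f"""\
10:00:00.000100 IP 192.0.2.2.50001 > 192.0.2.9.25: S 100:100(0) win 65535 <mss 1460,sackOK,timestamp 1 0>
10:00:00.000200 IP 192.0.2.9.25 > 192.0.2.2.50001: S 900:900(0) ack 101 win 65535 <mss 1460,sackOK,timestamp 5 1>
10:00:00.000300 IP 192.0.2.2.50001 > 192.0.2.9.25: . ack 1 win 8326 <nop,nop,timestamp 2 5>
10:00:00.000400 IP 192.0.2.2.50001 > 192.0.2.9.25: P 1:12(11) ack 1 win 8326 <nop,nop,timestamp 2 5>
10:00:00.000500 IP 192.0.2.9.25 > 192.0.2.2.50001: P 1:186(185) ack 12 win 8326 <nop,nop,timestamp 6 2>
10:05:00.000100 {V} 192.0.2.2.50002 > 192.0.2.9.25: S, cksum 0x0000 (correct), 200:200(0) win 65535 <mss 1460,sackOK,timestamp 9 0>
10:05:00.000200 {V} 192.0.2.9.25 > 192.0.2.2.50002: S, cksum 0x0000 (correct), 700:700(0) ack 201 win 65535 <mss 1460,sackOK,timestamp 7 9>
10:05:00.000300 {V} 192.0.2.2.50002 > 192.0.2.9.25: ., cksum 0x0000 (correct), 1:1(0) ack 1 win 8326 <nop,nop,timestamp 9 7>
10:05:00.000400 {V} 192.0.2.9.25 > 192.0.2.2.50002: R, cksum 0x0000 (correct), 701:701(0) win 0
10:05:00.000500 {V} 192.0.2.2.50002 > 192.0.2.9.25: P, cksum 0x0000 (correct), 1:12(11) ack 1 win 8326 <nop,nop,timestamp 9 7>
10:05:00.000600 {V} 192.0.2.9.25 > 192.0.2.2.50002: R, cksum 0x0000 (correct), 701:701(0) win 0
""".splitlines()

if __name__ == "__main__":
    print(find_post_handshake_resets(SAMPLE))
```

Each flow is reported once, at the first listener RST, so the second RST that answers the client's queued data is not counted again.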
More information about the freebsd-net
mailing list