NATed computer can't access certain websites
Chris Linton-Ford
chris.lintonford at firebox.com
Wed Jul 5 14:21:42 UTC 2006
On Wed, 2006-07-05 at 14:17 +0200, Roberto Ragusa wrote:
> Chris Linton-Ford wrote:
> > Hi,
> >
> > I've had a recurring problem on our office network where some computers
> > suddenly stop being able to access certain websites. We're currently
> > using a mixture of FC3-5 behind an OpenBSD gateway, which performs
> > firewalling and NAT; however we had the same problem when using an FC5
> > gateway.
> >
> > The computer in question at the moment is running FC4, has no problems
> > resolving the IP address of the website, and its routing tables are
> > fine. It doesn't have a firewall, and can access all other websites no
> > problems, as far as we can tell. Doing a tcpdump shows that the http
> > packets are going out and ack packets are coming back, but no http data
> > comes back from the website.
> >
> > I've tried accessing the website using Firefox, elinks and using telnet
> > to do the basic GET /index.htm etc. They all hang after sending the
> > request.
>
> Can you sniff the packets on the external interface of the gateway to
> understand if something is blocked by the firewall on the gateway?
>
> Some things I'd check:
>
> 1) "ifconfig eth0 mtu 1000" on the FC4 box to use smaller packets
>
> 2) "cat /proc/sys/net/ipv4/tcp_window_scaling"; if it is enabled,
> try disabling it
>
> 3) "cat /proc/sys/net/ipv4/tcp_ecn" to see if ECN is enabled (better
> if disabled, but it should be 0 by default)
>
> Best regards.
>
> --
> Roberto Ragusa mail at robertoragusa.it
>
Hi Roberto,
Changing the MTU size didn't help, but disabling tcp_window_scaling did
the trick. Having looked around various groups, it sounds like this is a
problem with the 2.6.17-1.2139 kernel; is it a better idea for me to
permanently disable window scaling on our machines or wait until a fix
comes out for the kernel? Is window scaling a Good Thing?
Thanks for your help,
Chris
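
The symptom described in this thread (request sent and ACKed, but no HTTP data returned) can be picked out of a saved `tcpdump -n` text capture, along with whether the client's SYN offered window scaling. The sketch below is an added example, not part of the original messages; the sample lines, addresses and the `stalled_flows` name are constructed for illustration.

```python
import re

PKT = re.compile(r"IP (\S+) > (\S+): Flags \[([^\]]*)\].*length (\d+)")

# Constructed sample in the text format printed by `tcpdump -n`
# (documentation address ranges; per-packet options trimmed for brevity).
SAMPLE = """\
14:21:40.000001 IP 192.168.1.10.40000 > 203.0.113.5.80: Flags [S], seq 1000, win 5840, options [mss 1460,sackOK,TS val 1 ecr 0,nop,wscale 7], length 0
14:21:40.020000 IP 203.0.113.5.80 > 192.168.1.10.40000: Flags [S.], seq 5000, ack 1001, win 5792, options [mss 1460,sackOK,TS val 9 ecr 1,nop,wscale 2], length 0
14:21:40.020100 IP 192.168.1.10.40000 > 203.0.113.5.80: Flags [.], ack 1, win 46, length 0
14:21:40.020500 IP 192.168.1.10.40000 > 203.0.113.5.80: Flags [P.], seq 1:120, ack 1, win 46, length 119
14:21:40.041000 IP 203.0.113.5.80 > 192.168.1.10.40000: Flags [.], ack 120, win 1448, length 0
14:21:41.000001 IP 192.168.1.10.40001 > 198.51.100.7.80: Flags [S], seq 2000, win 5840, options [mss 1460], length 0
14:21:41.020000 IP 198.51.100.7.80 > 192.168.1.10.40001: Flags [S.], seq 7000, ack 2001, win 5792, options [mss 1460], length 0
14:21:41.020500 IP 192.168.1.10.40001 > 198.51.100.7.80: Flags [P.], seq 1:120, ack 1, win 5840, length 119
14:21:41.041000 IP 198.51.100.7.80 > 192.168.1.10.40001: Flags [P.], seq 1:1449, ack 120, win 5792, length 1448
"""

def stalled_flows(capture):
    """Return (client, server, client_wscale) for flows where the request
    was ACKed but the server never sent any payload."""
    flows = {}
    for line in capture.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, dst, flags, length = m[1], m[2], m[3], int(m[4])
        if flags == "S":  # initial SYN: src is the client
            ws = re.search(r"wscale (\d+)", line)
            flows[(src, dst)] = {"wscale": int(ws[1]) if ws else None,
                                 "sent": 0, "acked": False, "received": 0}
        elif (src, dst) in flows:  # client -> server payload bytes
            flows[(src, dst)]["sent"] += length
        elif (dst, src) in flows:  # server -> client
            f = flows[(dst, src)]
            f["received"] += length
            if length == 0 and f["sent"] > 0:  # bare ACK after the request
                f["acked"] = True
    return [(c, s, f["wscale"]) for (c, s), f in flows.items()
            if f["sent"] > 0 and f["acked"] and f["received"] == 0]

if __name__ == "__main__":
    for client, server, ws in stalled_flows(SAMPLE):
        print(f"{client} -> {server}: request ACKed, no data returned "
              f"(client SYN wscale={ws})")
```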