Failing TCP connections



  • Hi.
    I'm using pfSense 2.1RC, and I experience some weird behaviour. For some TCP connections (mostly SMTP and SSH) I experience errors or delays in establishing the connection.
    E.g. for SSH, if I try connecting to a remote host, the first time I get a timeout; the next time I try, the shell is opened in a matter of seconds.
    Same for SMTP: the server fails to send to the first MX, then the second goes perfectly.
    I tried changing the MTU from the default to 1492 but saw no change.

    What else can I check?
    Thanks



  • I'm attaching here a tcpdump of a failing SSH attempt to a remote host.
    The dump has been captured from within pfSense's VM; lan_host is a client on the LAN and remote_host is the IP I'm trying to SSH to.

    Apparently at 13:54:06.552208 the remote host replies with ACK, but the connection is not established.

    What could be the problem?

    tcpdump -nn -v host remote_host 
    tcpdump: listening on em0, link-type EN10MB (Ethernet), capture size 96 bytes
    13:54:04.355722 IP (tos 0x0, ttl 64, id 43641, offset 0, flags [DF], proto TCP (6), length 52)
        lan_host.51155 > remote_host.30022: Flags [F.], cksum 0x9517 (correct), seq 1051905475, ack 4183675913, win 115, options [nop,nop,TS val 2397103 ecr 1808805240], length 0
    13:54:04.865743 IP (tos 0x0, ttl 64, id 48162, offset 0, flags [DF], proto TCP (6), length 60)
        lan_host.51231 > remote_host.30022: Flags [S], cksum 0x1d11 (correct), seq 1526999052, win 14600, options [mss 1460,sackOK,TS val 2397230 ecr 0,nop,wscale 7], length 0
    13:54:05.863110 IP (tos 0x0, ttl 64, id 48163, offset 0, flags [DF], proto TCP (6), length 60)
        lan_host.51231 > remote_host.30022: Flags [S], cksum 0x1c17 (correct), seq 1526999052, win 14600, options [mss 1460,sackOK,TS val 2397480 ecr 0,nop,wscale 7], length 0
    13:54:05.992162 IP (tos 0x0, ttl 64, id 43642, offset 0, flags [DF], proto TCP (6), length 52)
        lan_host.51155 > remote_host.30022: Flags [F.], cksum 0x937e (correct), seq 0, ack 1, win 115, options [nop,nop,TS val 2397512 ecr 1808805240], length 0
    13:54:06.550870 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 60)
        remote_host.30022 > lan_host.51231: Flags [S.], cksum 0xa275 (correct), seq 1291086062, ack 1526999053, win 14480, options [mss 1412,sackOK,TS val 1808882048 ecr 2397230,nop,wscale 5], length 0
    13:54:06.552208 IP (tos 0x0, ttl 64, id 48164, offset 0, flags [DF], proto TCP (6), length 52)
        lan_host.51231 > remote_host.30022: Flags [.], cksum 0x0787 (correct), ack 1, win 115, options [nop,nop,TS val 2397652 ecr 1808882048], length 0
    13:54:07.547636 IP (tos 0x0, ttl 53, id 0, offset 0, flags [DF], proto TCP (6), length 60)
        remote_host.30022 > lan_host.51231: Flags [S.], cksum 0xa17c (correct), seq 1291086062, ack 1526999053, win 14480, options [mss 1412,sackOK,TS val 1808882297 ecr 2397230,nop,wscale 5], length 0
    13:54:07.548634 IP (tos 0x0, ttl 64, id 48165, offset 0, flags [DF], proto TCP (6), length 52)
        lan_host.51231 > remote_host.30022: Flags [.], cksum 0x068e (correct), ack 1, win 115, options [nop,nop,TS val 2397901 ecr 1808882048], length 0
    13:54:09.263836 IP (tos 0x0, ttl 64, id 43643, offset 0, flags [DF], proto TCP (6), length 52)
        lan_host.51155 > remote_host.30022: Flags [F.], cksum 0x904c (correct), seq 0, ack 1, win 115, options [nop,nop,TS val 2398330 ecr 1808805240], length 0
    13:54:15.815396 IP (tos 0x0, ttl 64, id 43644, offset 0, flags [DF], proto TCP (6), length 52)
        lan_host.51155 > remote_host.30022: Flags [F.], cksum 0x89e6 (correct), seq 0, ack 1, win 115, options [nop,nop,TS val 2399968 ecr 1808805240], length 0
    13:54:28.904119 IP (tos 0x0, ttl 64, id 43645, offset 0, flags [DF], proto TCP (6), length 52)
        lan_host.51155 > remote_host.30022: Flags [F.], cksum 0x7d1e (correct), seq 0, ack 1, win 115, options [nop,nop,TS val 2403240 ecr 1808805240], length 0
    13:54:55.112219 IP (tos 0x0, ttl 64, id 43646, offset 0, flags [DF], proto TCP (6), length 52)
        lan_host.51155 > remote_host.30022: Flags [F.], cksum 0x6386 (correct), seq 0, ack 1, win 115, options [nop,nop,TS val 2409792 ecr 1808805240], length 0
    13:55:47.465207 IP (tos 0x0, ttl 64, id 43647, offset 0, flags [DF], proto TCP (6), length 52)
        lan_host.51155 > remote_host.30022: Flags [F.], cksum 0x3066 (correct), seq 0, ack 1, win 115, options [nop,nop,TS val 2422880 ecr 1808805240], length 0
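An added example, not part of the original posts: a small Python parser for `tcpdump -nn -v` text output like the capture above. It tallies SYNs, SYN-ACKs and client ACKs per connection, and counts SYN-ACKs that arrive after the client has already sent its ACK. The function name and the shortened sample records are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample: records shortened from the capture in the post
# (header fields and TCP options trimmed, hostnames as anonymised there).
SAMPLE = """\
13:54:04.355722 IP (tos 0x0, ttl 64, proto TCP (6), length 52)
    lan_host.51155 > remote_host.30022: Flags [F.], seq 1051905475, ack 4183675913, win 115, length 0
13:54:04.865743 IP (tos 0x0, ttl 64, proto TCP (6), length 60)
    lan_host.51231 > remote_host.30022: Flags [S], seq 1526999052, win 14600, length 0
13:54:05.863110 IP (tos 0x0, ttl 64, proto TCP (6), length 60)
    lan_host.51231 > remote_host.30022: Flags [S], seq 1526999052, win 14600, length 0
13:54:06.550870 IP (tos 0x0, ttl 53, proto TCP (6), length 60)
    remote_host.30022 > lan_host.51231: Flags [S.], seq 1291086062, ack 1526999053, win 14480, length 0
13:54:06.552208 IP (tos 0x0, ttl 64, proto TCP (6), length 52)
    lan_host.51231 > remote_host.30022: Flags [.], ack 1, win 115, length 0
13:54:07.547636 IP (tos 0x0, ttl 53, proto TCP (6), length 60)
    remote_host.30022 > lan_host.51231: Flags [S.], seq 1291086062, ack 1526999053, win 14480, length 0
"""
TS = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP ")
PKT = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def handshake_summary(text):
    """Per client->server flow: SYN, SYN-ACK and bare-ACK counts."""
    flows = defaultdict(lambda: {"first_syn": None, "syn": 0, "synack": 0,
                                 "ack": 0, "synack_after_ack": 0})
    ts = None
    for line in text.splitlines():
        if (m := TS.match(line)):
            ts = m.group(1)          # timestamp belongs to the next line
            continue
        if not (m := PKT.match(line)):
            continue
        src, sport, dst, dport, flags = m.groups()
        a, b = f"{src}.{sport}", f"{dst}.{dport}"
        if flags == "S":             # client SYN (or its retransmission)
            f = flows[(a, b)]
            f["first_syn"] = f["first_syn"] or ts
            f["syn"] += 1
        elif flags == "S." and (b, a) in flows:   # server SYN-ACK
            f = flows[(b, a)]
            f["synack"] += 1
            f["synack_after_ack"] += 1 if f["ack"] else 0
        elif flags == "." and (a, b) in flows and flows[(a, b)]["synack"]:
            flows[(a, b)]["ack"] += 1  # bare client ACK seen after a SYN-ACK
    return dict(flows)

if __name__ == "__main__":
    for flow, counts in handshake_summary(SAMPLE).items():
        print(flow, counts)
```

A non-zero `synack_after_ack` marks a flow where the peer sent another SYN-ACK even though the capture point had already seen the client's ACK go out.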